Tweaked and split wmi, dcom, and bypassuac tasks to command/grunt tasks
cobbr committed Mar 14, 2019
1 parent d0f89b3 commit 5f28606
Showing 7 changed files with 209 additions and 138 deletions.
4 changes: 3 additions & 1 deletion CHANGELOG.md
Expand Up @@ -4,11 +4,13 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [v0.1.3] - 2019-03-03
## [v0.1.3] - 2019-03-14
### Added
- Added Credential Manager and mimikatz/rubeus parser

### Changed
- Split wmi, dcom, and bypassuac tasks to wmicommand, wmigrunt, dcomcommand, dcomgrunt, bypassuaccommand, bypassuacgrunt tasks
- Updated SharpSploit to latest commit
- Updated Rubeus to latest commit
- Changed Grunts to use CookieContainer WebClient for Cookie authentication

124 changes: 57 additions & 67 deletions Covenant/Controllers/GruntTaskingController.cs
Expand Up @@ -74,110 +74,100 @@ public ActionResult<GruntTasking> CreateGruntTasking(int id, [FromBody] GruntTas
}
task.Options = _context.GruntTaskOptions.Where(O => O.TaskId == task.Id).ToList();
List<string> parameters = task.Options.OrderBy(O => O.OptionId).Select(O => O.Value).ToList();
if (task.Name.ToLower() == "wmi")
if (task.Name.ToLower() == "wmigrunt")
{
Launcher l = _context.Launchers.FirstOrDefault(L => L.Name.ToLower() == parameters[3].ToLower());
if ((parameters[4] != null && parameters[4] != "") || l == null || l.LauncherString == null || l.LauncherString.Trim() == "")
Launcher l = _context.Launchers.FirstOrDefault(L => L.Name.ToLower() == parameters[1].ToLower());
if (l == null || l.LauncherString == null || l.LauncherString.Trim() == "")
{
// If using custom command
// Remove the "Launcher" parameter
parameters.RemoveAt(3);
return NotFound();
}
else
{
// If using Launcher
// Remove the "Command" parameter
parameters.RemoveAt(4);

// Set LauncherString to WMI command parameter
parameters[3] = l.LauncherString;
parameters[1] = l.LauncherString;
}
}
else if (task.Name.ToLower() == "dcom")
else if (task.Name.ToLower() == "dcomgrunt")
{
Launcher l = _context.Launchers.FirstOrDefault(L => L.Name.ToLower() == parameters[1].ToLower());
if ((parameters[2] != null && parameters[2] != "") || l == null || l.LauncherString == null || l.LauncherString.Trim() == "")
if (l == null || l.LauncherString == null || l.LauncherString.Trim() == "")
{
// If using custom command
// Remove the "Launcher" parameter
parameters.RemoveAt(1);

// Add .exe exetension if needed
List<string> split = parameters[1].Split(" ").ToList();
parameters[1] = split[0];
if (!parameters[1].EndsWith(".exe")) { parameters[1] += ".exe"; }

split.RemoveAt(0);
parameters.Insert(2, String.Join(" ", split.ToArray()));
string Directory = "C:\\WINDOWS\\System32\\";
if (parameters[1].ToLower().Contains("powershell.exe")) { Directory += "WindowsPowerShell\\v1.0\\"; }
else if (parameters[1].ToLower().Contains("wmic.exe")) { Directory += "wbem\\"; }

parameters.Insert(3, Directory);
return NotFound();
}
else
{
// If using Launcher
// Remove the "Command" parameter
parameters.RemoveAt(2);

// Set LauncherString to DCOM command parameter
parameters[1] = l.LauncherString;

// Add .exe exetension if needed
List<string> split = parameters[1].Split(" ").ToList();
parameters[1] = split[0];
List<string> split = l.LauncherString.Split(" ").ToList();
parameters[1] = split.FirstOrDefault();
if (!parameters[1].EndsWith(".exe")) { parameters[1] += ".exe"; }

// Add command parameters
split.RemoveAt(0);
parameters.Insert(2, String.Join(" ", split.ToArray()));
string Directory = "C:\\WINDOWS\\System32\\";
if (parameters[1].ToLower().Contains("powershell.exe")) { Directory += "WindowsPowerShell\\v1.0\\"; }
else if (parameters[1].ToLower().Contains("wmic.exe")) { Directory += "wbem\\"; }
if (parameters[1].ToLower() == "powershell.exe") { Directory += "WindowsPowerShell\\v1.0\\"; }
else if (parameters[1].ToLower() == "wmic.exe") { Directory += "wbem\\"; }

parameters.Insert(3, Directory);
}
}
else if (task.Name.ToLower() == "bypassuac")
else if (task.Name.ToLower() == "dcomcommand")
{
Launcher l = _context.Launchers.FirstOrDefault(L => L.Name.ToLower() == parameters[0].ToLower());
if ((parameters[1] != null && parameters[1] != "") || l == null || l.LauncherString == null || l.LauncherString.Trim() == "")
{
// If using custom command
// Remove the "Launcher" parameter
parameters.RemoveAt(0);
// Add .exe exetension if needed
List<string> split = parameters[1].Split(" ").ToList();
parameters[1] = split[0];
if (!parameters[1].EndsWith(".exe")) { parameters[1] += ".exe"; }

// Add .exe exetension if needed
string[] split = parameters[0].Split(" ");
parameters[0] = split.FirstOrDefault();
if (!parameters[0].EndsWith(".exe")) { parameters[0] += ".exe"; }
// Add command parameters
split.RemoveAt(0);
parameters.Insert(2, String.Join(" ", split.ToArray()));
string Directory = "C:\\WINDOWS\\System32\\";
if (parameters[1].ToLower() == "powershell.exe") { Directory += "WindowsPowerShell\\v1.0\\"; }
else if (parameters[1].ToLower() == "wmic.exe") { Directory += "wbem\\"; }

// Add parameters needed for BypassUAC Task
parameters.Add(String.Join(" ", split.ToList().GetRange(1, split.Count() - 1)));
parameters.Add("C:\\WINDOWS\\System32\\");
if (parameters[0].ToLower().Contains("powershell.exe")) { parameters[2] += "WindowsPowerShell\\v1.0\\"; }
else if (parameters[0].ToLower().Contains("wmic.exe")) { parameters[2] += "wbem\\"; }
parameters.Add("0");
parameters.Insert(3, Directory);
}
else if (task.Name.ToLower() == "bypassuacgrunt")
{
Launcher l = _context.Launchers.FirstOrDefault(L => L.Name.ToLower() == parameters[0].ToLower());
if (l == null || l.LauncherString == null || l.LauncherString.Trim() == "")
{
return NotFound();
}
else
{
// If using Launcher
// Remove the "Command" parameter
parameters.RemoveAt(1);

// Add .exe exetension if needed
string[] split = l.LauncherString.Split(" ");
parameters[0] = split.FirstOrDefault();
if (!parameters[0].EndsWith(".exe")) { parameters[0] += ".exe"; }

// Add parameters need for BypassUAC Task
parameters.Add(String.Join(" ", split.ToList().GetRange(1, split.Count() - 1)));
parameters.Add("C:\\WINDOWS\\System32\\");
if (l.Name.ToLower() == "powershell") { parameters[2] += "WindowsPowerShell\\v1.0\\"; }
else if (l.Name.ToLower() == "wmic") { parameters[2] += "wbem\\"; }
string ArgParams = String.Join(" ", split.ToList().GetRange(1, split.Count() - 1));
string Directory = "C:\\WINDOWS\\System32\\";
if (parameters[0].ToLower() == "powershell.exe") { Directory += "WindowsPowerShell\\v1.0\\"; }
else if (parameters[0].ToLower() == "wmic.exe") { Directory += "wbem\\"; }

parameters[0] = split.FirstOrDefault();
parameters.Add(ArgParams);
parameters.Add(Directory);
parameters.Add("0");
}
}
else if (task.Name.ToLower() == "bypassuaccommand")
{
// Add .exe exetension if needed
string[] split = parameters[0].Split(" ");
if (!parameters[0].EndsWith(".exe")) { parameters[0] += ".exe"; }

// Add parameters need for BypassUAC Task
string ArgParams = String.Join(" ", split.ToList().GetRange(1, split.Count() - 1));
string Directory = "C:\\WINDOWS\\System32\\";
if (parameters[0].ToLower() == "powershell.exe") { Directory += "WindowsPowerShell\\v1.0\\"; }
else if (parameters[0].ToLower() == "wmic.exe") { Directory += "wbem\\"; }

parameters[0] = split.FirstOrDefault();
parameters.Add(ArgParams);
parameters.Add(Directory);
parameters.Add("0");
}
try
{
gruntTasking.Compile(
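Review bot: In the new `bypassuaccommand` branch the `.exe` suffix is appended to the whole of `parameters[0]` before it has been reduced to its first token, and the trailing `parameters[0] = split.FirstOrDefault();` then replaces it with the bare token, so the executable name that reaches the task never carries `.exe` and the `Directory` comparison just above it can only match a command given with no arguments; the `bypassuacgrunt` branch ends with the same reassignment, which discards whatever was set on `parameters[0]` earlier in that branch. Take the first token once, append the suffix to that local, derive `Directory` from it and assign it to `parameters[0]` at the end. The `EndsWith(".exe")` and `ToLower() == "powershell.exe"` checks in all four new branches are also culture-sensitive and case-sensitive, so an upper-case `.EXE` gets a second suffix; `StringComparison.OrdinalIgnoreCase` fixes that. CreateGruntTasking starts and ends outside the hunk, and `parameters[1]`/`parameters[0]` are indexed without a count check, so a task with fewer options throws rather than returning a 4xx.
```csharp
else if (task.Name.ToLower() == "bypassuaccommand")
{
    string[] split = parameters[0].Split(" ");
    string executable = split.FirstOrDefault();
    if (!executable.EndsWith(".exe", StringComparison.OrdinalIgnoreCase)) { executable += ".exe"; }

    string ArgParams = String.Join(" ", split.ToList().GetRange(1, split.Count() - 1));
    string Directory = "C:\\WINDOWS\\System32\\";
    if (executable.Equals("powershell.exe", StringComparison.OrdinalIgnoreCase)) { Directory += "WindowsPowerShell\\v1.0\\"; }
    else if (executable.Equals("wmic.exe", StringComparison.OrdinalIgnoreCase)) { Directory += "wbem\\"; }

    parameters[0] = executable;
    // … unchanged: parameters.Add(ArgParams), parameters.Add(Directory), parameters.Add("0") …
}
```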