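        /// <summary>
        /// Resolves the configured <c>CollectionMethods</c> names into a combined
        /// <see cref="CollectionMethodResolved"/> flag set and stores it in
        /// <c>ResolvedCollectionMethods</c>.
        /// </summary>
        /// <remarks>
        /// A single entry may itself be a comma-separated list (that is how the PowerShell
        /// wrapper hands the value over), so a one-element input is split on ',' first. Each
        /// name is matched case-insensitively against <see cref="CollectionMethodOptions"/>.
        /// A numeric string that does not correspond to a defined member is rejected like an
        /// unknown name rather than reaching the <c>default</c> branch of the switch, which
        /// would otherwise throw out of this method. With <c>Stealth</c> set, LoggedOn, RDP,
        /// DCOM, PSRemote and LocalAdmin are removed and GPOLocalGroup is added whenever one
        /// of the latter four was dropped.
        /// </remarks>
        /// <returns>
        /// <c>true</c> when every entry was recognised; <c>false</c>, after writing a message
        /// to the console, on the first entry that could not be parsed. Nothing is stored in
        /// <c>ResolvedCollectionMethods</c> in the failure case.
        /// </returns>
        /// <exception cref="ArgumentOutOfRangeException">
        /// A defined <see cref="CollectionMethodOptions"/> member has no mapping in the switch.
        /// </exception>
        internal bool ResolveCollectionMethods()
        {
            // A single element is either one method or the whole comma-joined list coming
            // from the PowerShell script, so split it before parsing.
            var collMethodArray = CollectionMethods.ToArray();
            if (collMethodArray.Length == 1)
            {
                collMethodArray = collMethodArray[0].Split(',');
            }

            var resolved = CollectionMethodResolved.None;

            foreach (var baseString in collMethodArray)
            {
                // Enum.TryParse accepts any integer literal even when no member has that
                // value; IsDefined keeps such input from reaching the switch below.
                CollectionMethodOptions option;
                if (!Enum.TryParse(baseString, true, out option)
                    || !Enum.IsDefined(typeof(CollectionMethodOptions), option))
                {
                    Console.WriteLine($"Failed to parse Collection Method {baseString}.");
                    return false;
                }

                switch (option)
                {
                case CollectionMethodOptions.None:
                    // Explicitly contributes nothing; it is a defined member and must not
                    // fall into the default throw.
                    break;

                case CollectionMethodOptions.All:
                    resolved |= CollectionMethodResolved.ACL | CollectionMethodResolved.Container |
                                CollectionMethodResolved.Group | CollectionMethodResolved.LocalGroups |
                                CollectionMethodResolved.ObjectProps | CollectionMethodResolved.Sessions |
                                CollectionMethodResolved.Trusts | CollectionMethodResolved.LoggedOn |
                                CollectionMethodResolved.SPNTargets;
                    break;

                case CollectionMethodOptions.DCOnly:
                    resolved |= CollectionMethodResolved.ACL | CollectionMethodResolved.Container |
                                CollectionMethodResolved.Group | CollectionMethodResolved.ObjectProps |
                                CollectionMethodResolved.Trusts | CollectionMethodResolved.DCOnly |
                                CollectionMethodResolved.GPOLocalGroup;
                    break;

                case CollectionMethodOptions.Group:
                    resolved |= CollectionMethodResolved.Group;
                    break;

                case CollectionMethodOptions.Session:
                    resolved |= CollectionMethodResolved.Sessions;
                    break;

                case CollectionMethodOptions.LoggedOn:
                    resolved |= CollectionMethodResolved.LoggedOn;
                    break;

                case CollectionMethodOptions.Trusts:
                    resolved |= CollectionMethodResolved.Trusts;
                    break;

                case CollectionMethodOptions.ACL:
                    resolved |= CollectionMethodResolved.ACL;
                    break;

                case CollectionMethodOptions.ObjectProps:
                    resolved |= CollectionMethodResolved.ObjectProps;
                    break;

                case CollectionMethodOptions.RDP:
                    resolved |= CollectionMethodResolved.RDP;
                    break;

                case CollectionMethodOptions.DCOM:
                    resolved |= CollectionMethodResolved.DCOM;
                    break;

                case CollectionMethodOptions.LocalAdmin:
                    resolved |= CollectionMethodResolved.LocalAdmin;
                    break;

                case CollectionMethodOptions.PSRemote:
                    resolved |= CollectionMethodResolved.PSRemote;
                    break;

                case CollectionMethodOptions.SPNTargets:
                    resolved |= CollectionMethodResolved.SPNTargets;
                    break;

                case CollectionMethodOptions.Container:
                    resolved |= CollectionMethodResolved.Container;
                    break;

                case CollectionMethodOptions.GPOLocalGroup:
                    resolved |= CollectionMethodResolved.GPOLocalGroup;
                    break;

                case CollectionMethodOptions.LocalGroup:
                    resolved |= CollectionMethodResolved.LocalGroups;
                    break;

                case CollectionMethodOptions.Default:
                    resolved |= CollectionMethodResolved.ACL | CollectionMethodResolved.Container |
                                CollectionMethodResolved.Group | CollectionMethodResolved.LocalGroups |
                                CollectionMethodResolved.ObjectProps | CollectionMethodResolved.Sessions |
                                CollectionMethodResolved.Trusts | CollectionMethodResolved.SPNTargets;
                    break;

                case CollectionMethodOptions.ComputerOnly:
                    resolved |= CollectionMethodResolved.LocalGroups | CollectionMethodResolved.Sessions;
                    break;

                default:
                    // Only reachable for a defined member that was never mapped here.
                    throw new ArgumentOutOfRangeException(nameof(option), option,
                        "Collection method option has no resolved mapping.");
                }
            }

            if (Stealth)
            {
                var updates = new List<string>();

                if ((resolved & CollectionMethodResolved.LoggedOn) != 0)
                {
                    resolved &= ~CollectionMethodResolved.LoggedOn;
                    updates.Add("[-] Removed LoggedOn Collection");
                }

                // The four methods below are replaced by GPOLocalGroup when any of them is dropped.
                var localGroupRemoved = false;

                if ((resolved & CollectionMethodResolved.RDP) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~CollectionMethodResolved.RDP;
                    updates.Add("[-] Removed RDP Collection");
                }

                if ((resolved & CollectionMethodResolved.DCOM) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~CollectionMethodResolved.DCOM;
                    updates.Add("[-] Removed DCOM Collection");
                }

                if ((resolved & CollectionMethodResolved.PSRemote) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~CollectionMethodResolved.PSRemote;
                    updates.Add("[-] Removed PSRemote Collection");
                }

                if ((resolved & CollectionMethodResolved.LocalAdmin) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~CollectionMethodResolved.LocalAdmin;
                    updates.Add("[-] Removed LocalAdmin Collection");
                }

                if (localGroupRemoved)
                {
                    resolved |= CollectionMethodResolved.GPOLocalGroup;
                    updates.Add("[+] Added GPOLocalGroup");
                }

                if (updates.Count > 0)
                {
                    Console.WriteLine("Updated Collection Methods to Reflect Stealth Options");
                    foreach (var update in updates)
                    {
                        Console.WriteLine(update);
                    }
                    Console.WriteLine();
                }
            }

            Console.WriteLine($"Resolved Collection Methods: {resolved}");
            Console.WriteLine();
            ResolvedCollectionMethods = resolved;

            return true;
        }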
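        /// <summary>
        /// Resolves the configured <c>CollectionMethods</c> names into a combined
        /// <see cref="ResolvedCollectionMethod"/> flag set.
        /// </summary>
        /// <param name="logger">
        /// Receives the parse failure (critical), the stealth adjustments and the final flag
        /// set (information).
        /// </param>
        /// <param name="resolved">
        /// The combined flags. On a <c>false</c> return it holds whatever had been accumulated
        /// before the entry that failed to parse.
        /// </param>
        /// <param name="dconly">
        /// <c>true</c> when at least one entry was <see cref="CollectionMethodOptions.DCOnly"/>.
        /// </param>
        /// <returns>
        /// <c>true</c> when every entry was recognised; <c>false</c> on the first entry that
        /// could not be parsed.
        /// </returns>
        /// <exception cref="ArgumentOutOfRangeException">
        /// A defined <see cref="CollectionMethodOptions"/> member has no mapping in the switch.
        /// </exception>
        /// <remarks>
        /// A one-element input is split on ',' because the PowerShell wrapper passes the whole
        /// list as a single string. A numeric string that does not correspond to a defined
        /// member is rejected like an unknown name; <c>Enum.Parse</c> accepted such values and
        /// the switch then threw out of this method.
        /// </remarks>
        internal bool ResolveCollectionMethods(ILogger logger, out ResolvedCollectionMethod resolved, out bool dconly)
        {
            // Materialise once instead of enumerating the source for Count() and again for First()/ToArray().
            var methods = CollectionMethods.ToArray();
            var arr = methods.Length == 1 ? methods[0].Split(',') : methods;

            resolved = ResolvedCollectionMethod.None;
            dconly = false;

            foreach (var baseMethod in arr)
            {
                // TryParse accepts any integer literal; IsDefined rejects values that name no member.
                if (!Enum.TryParse(baseMethod, true, out CollectionMethodOptions option)
                    || !Enum.IsDefined(typeof(CollectionMethodOptions), option))
                {
                    logger.LogCritical("Failed to parse collection method {baseMethod}", baseMethod);
                    return false;
                }

                resolved |= option switch
                {
                    CollectionMethodOptions.Group => ResolvedCollectionMethod.Group,
                    CollectionMethodOptions.Session => ResolvedCollectionMethod.Session,
                    CollectionMethodOptions.LoggedOn => ResolvedCollectionMethod.LoggedOn,
                    CollectionMethodOptions.Trusts => ResolvedCollectionMethod.Trusts,
                    CollectionMethodOptions.ACL => ResolvedCollectionMethod.ACL,
                    CollectionMethodOptions.ObjectProps => ResolvedCollectionMethod.ObjectProps,
                    CollectionMethodOptions.RDP => ResolvedCollectionMethod.RDP,
                    CollectionMethodOptions.DCOM => ResolvedCollectionMethod.DCOM,
                    CollectionMethodOptions.LocalAdmin => ResolvedCollectionMethod.LocalAdmin,
                    CollectionMethodOptions.PSRemote => ResolvedCollectionMethod.PSRemote,
                    CollectionMethodOptions.SPNTargets => ResolvedCollectionMethod.SPNTargets,
                    CollectionMethodOptions.Container => ResolvedCollectionMethod.Container,
                    CollectionMethodOptions.GPOLocalGroup => ResolvedCollectionMethod.GPOLocalGroup,
                    CollectionMethodOptions.LocalGroup => ResolvedCollectionMethod.LocalGroups,
                    CollectionMethodOptions.Default => ResolvedCollectionMethod.Default,
                    CollectionMethodOptions.DCOnly => ResolvedCollectionMethod.DCOnly,
                    CollectionMethodOptions.ComputerOnly => ResolvedCollectionMethod.ComputerOnly,
                    CollectionMethodOptions.All => ResolvedCollectionMethod.All,
                    CollectionMethodOptions.None => ResolvedCollectionMethod.None,
                    // Only reachable for a defined member that was never mapped here.
                    _ => throw new ArgumentOutOfRangeException(nameof(option), option,
                        "Collection method option has no resolved mapping.")
                };

                dconly |= option == CollectionMethodOptions.DCOnly;
            }

            if (Stealth)
            {
                var updates = new List<string>();

                if ((resolved & ResolvedCollectionMethod.LoggedOn) != 0)
                {
                    resolved &= ~ResolvedCollectionMethod.LoggedOn;
                    updates.Add("[-] Removed LoggedOn");
                }

                // The four methods below are replaced by GPOLocalGroup when any of them is dropped.
                var localGroupRemoved = false;

                if ((resolved & ResolvedCollectionMethod.RDP) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~ResolvedCollectionMethod.RDP;
                    updates.Add("[-] Removed RDP Collection");
                }

                if ((resolved & ResolvedCollectionMethod.DCOM) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~ResolvedCollectionMethod.DCOM;
                    updates.Add("[-] Removed DCOM Collection");
                }

                if ((resolved & ResolvedCollectionMethod.PSRemote) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~ResolvedCollectionMethod.PSRemote;
                    updates.Add("[-] Removed PSRemote Collection");
                }

                if ((resolved & ResolvedCollectionMethod.LocalAdmin) != 0)
                {
                    localGroupRemoved = true;
                    resolved &= ~ResolvedCollectionMethod.LocalAdmin;
                    updates.Add("[-] Removed LocalAdmin Collection");
                }

                if (localGroupRemoved)
                {
                    resolved |= ResolvedCollectionMethod.GPOLocalGroup;
                    updates.Add("[+] Added GPOLocalGroup");
                }

                if (updates.Count > 0)
                {
                    // One multi-line log entry: header line followed by each adjustment.
                    var updateString = new StringBuilder();
                    updateString.AppendLine("Updated Collection Methods to Reflect Stealth Options");
                    foreach (var update in updates)
                    {
                        updateString.AppendLine(update);
                    }
                    logger.LogInformation("{Update}", updateString.ToString());
                }
            }

            logger.LogInformation("Resolved Collection Methods: {resolved}", resolved.GetIndividualFlags());
            return true;
        }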
    }