Example #1
0
        public static void RunScoutServiceSerialized(string scout_np, string simulator_np, string log)
        {
            //Based on https://github.com/malcomvetter/NamedPipes

            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);
            bool   running     = true;
            bool   privileged  = false;

            string duser, simulator_full_path, user, simulator_binary;

            duser = simulator_full_path = user = simulator_binary = "";
            Process            parentprocess        = null;
            SimulationPlaybook PlaybookForSimulator = null;

            Thread.Sleep(1500);

            try
            {
                using (var pipeServer = new NamedPipeServerStream(scout_np, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message))
                {
                    logger.TimestampInfo("Starting scout namedpipe service with PID:" + Process.GetCurrentProcess().Id);
                    while (running)
                    {
                        SimulationResponse sim_response;
                        logger.TimestampInfo("Waiting for client connection...");
                        pipeServer.WaitForConnection();
                        logger.TimestampInfo("Client connected.");
                        var messageBytes = ReadMessage(pipeServer);
                        var line         = Encoding.UTF8.GetString(messageBytes);
                        logger.TimestampInfo("Received from client: " + line);
                        SimulationRequest sim_request    = JsonConvert.DeserializeObject <SimulationRequest>(line);
                        ScoutResponse     scout_response = null;

                        // Scout recon actions
                        if (sim_request.header.Equals("SCT"))
                        {
                            logger.TimestampInfo("Received SCT");
                            switch (sim_request.recon_type)
                            {
                            case "auditpol":
                                scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetAuditPolicy())));
                                break;

                            case "wef":
                                scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetWefSettings())));
                                break;

                            case "pws":
                                scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetPwsLoggingSettings())));
                                break;

                            case "ps":
                                scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetProcs())));
                                break;

                            case "svcs":
                                scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetServices())));
                                break;

                            case "cmdline":
                                scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetCmdlineAudittingSettings())));
                                break;

                            case "all":
                                string results = Recon.GetAuditPolicy() + "\n" + Recon.GetWefSettings() + "\n" + Recon.GetPwsLoggingSettings() + "\n" + Recon.GetProcs() + "\n" + Recon.GetServices() + "\n" + Recon.GetCmdlineAudittingSettings();
                                scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(results)));
                                break;

                            default:
                                break;
                            }
                            sim_response = new SimulationResponse("SYN/ACK", null, scout_response);
                            byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
                            pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
                            logger.TimestampInfo(String.Format("Sent SimulationResponse object"));
                            running = false;
                        }

                        else if (sim_request.header.Equals("SYN"))
                        {
                            logger.TimestampInfo("Received SYN");
                            PlaybookForSimulator = sim_request.playbook;
                            ReconResponse recon_response;
                            if (sim_request.recon_type.Equals("privileged"))
                            {
                                privileged = true;
                            }
                            parentprocess = Recon.GetHostProcess(privileged);
                            if (parentprocess != null && Recon.GetExplorer() != null)
                            {
                                duser          = Recon.GetProcessOwnerWmi(Recon.GetExplorer());
                                recon_response = new ReconResponse(duser, parentprocess.ProcessName, parentprocess.Id.ToString(), privileged.ToString());
                                user           = duser.Split('\\')[1];
                                logger.TimestampInfo(String.Format("Recon identified {0} logged in. Process to Spoof: {1} PID: {2}", duser, parentprocess.ProcessName, parentprocess.Id));
                            }
                            else
                            {
                                recon_response = new ReconResponse("", "", "", "");
                                logger.TimestampInfo("Recon did not identify any logged users");
                            }

                            simulator_full_path = "C:\\Users\\" + user + "\\" + sim_request.playbook.simulator_relative_path;
                            int index = sim_request.playbook.simulator_relative_path.LastIndexOf(@"\");
                            simulator_binary = sim_request.playbook.simulator_relative_path.Substring(index + 1);

                            sim_response = new SimulationResponse("SYN/ACK", recon_response);
                            byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
                            pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
                            logger.TimestampInfo(String.Format("Sent SimulationResponse object"));
                        }
                        else if (sim_request.header.Equals("ACT"))
                        {
                            logger.TimestampInfo("Received ACT");
                            if (PlaybookForSimulator.opsec.Equals("ppid"))
                            {
                                logger.TimestampInfo("Using Parent Process Spoofing technique for Opsec");
                                logger.TimestampInfo("Spoofing " + parentprocess.ProcessName + " PID: " + parentprocess.Id.ToString());
                                logger.TimestampInfo("Executing: " + simulator_full_path + " /n");
                                //Launcher.SpoofParent(parentprocess.Id, simpath, simbin + " " + cmdline);
                                //Launcher.SpoofParent(parentprocess.Id, simpfath, simrpath + " /s");

                                Launcher.SpoofParent(parentprocess.Id, simulator_full_path, simulator_binary + " /n");
                                //Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /s");

                                //logger.TimestampInfo("Sending payload to Simulation Agent through namedpipe: " + "technique:" + s_payload.techniques + " pbsleep:" + s_payload.playbook_sleep + " tsleep:" + s_payload.task_sleep + " cleanup:" + s_payload.cleanup);
                                logger.TimestampInfo("Sending Simulation Playbook to Simulation Agent through namedpipe: " + PlaybookForSimulator.simulator_relative_path);

                                byte[] bytes_sim_rqeuest = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new SimulationRequest("ACK", "", PlaybookForSimulator)));
                                string result            = NamedPipes.RunNoAuthClientSerialized(simulator_np, bytes_sim_rqeuest);
                                logger.TimestampInfo("Received back from Simulator " + result);
                            }

                            sim_response = new SimulationResponse("ACK");
                            byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
                            pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
                            logger.TimestampInfo(String.Format("Sent SimulationResponse object 2"));
                            running = false;
                        }
                        else if (sim_request.header.Equals("FIN"))
                        {
                            logger.TimestampInfo("Received a FIN command");
                            sim_response = new SimulationResponse("ACK");
                            byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
                            pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
                            running = false;
                        }

                        pipeServer.Disconnect();
                    }
                }
            }
            catch (Exception ex)
            {
                logger.TimestampInfo(ex.ToString());
                logger.TimestampInfo(ex.Message.ToString());
            }
        }
Example #2
0
        //Based on https://github.com/malcomvetter/NamedPipes
        public static void RunScoutService(string scout_np, string simulator_np, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);
            bool   running     = true;
            bool   privileged  = false;

            string technique, opsec, simpfath, simrpath, duser, user, simbinary, cleanup;

            technique = opsec = simpfath = simrpath = duser = user = simbinary = cleanup = "";
            Process parentprocess = null;
            int     pbsleep, tsleep;

            pbsleep = tsleep = 0;
            System.Threading.Thread.Sleep(1500);

            try
            {
                using (var pipeServer = new NamedPipeServerStream(scout_np, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message))
                {
                    logger.TimestampInfo("Starting scout namedpipe service with PID:" + Process.GetCurrentProcess().Id);
                    while (running)
                    {
                        var reader = new StreamReader(pipeServer);
                        var writer = new StreamWriter(pipeServer);

                        //logger.TimestampInfo("Waiting for client connection...");
                        pipeServer.WaitForConnection();
                        //logger.TimestampInfo("Client connected!");

                        var line = reader.ReadLine();

                        logger.TimestampInfo("Received from client: " + line);

                        if (line.ToLower().Equals("syn"))
                        {
                            //logger.TimestampInfo("sending back to client: " + "SYN/ACK");
                            writer.WriteLine("SYN/ACK");
                            writer.Flush();
                        }
                        else if (line.ToLower().Equals("auditpol"))
                        {
                            writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetAuditPolicy())));
                            writer.Flush();
                        }
                        else if (line.ToLower().Equals("wef"))
                        {
                            writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetWefSettings())));
                            writer.Flush();
                        }
                        else if (line.ToLower().Equals("pws"))
                        {
                            writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetPwsLoggingSettings())));
                            writer.Flush();
                        }
                        else if (line.ToLower().Equals("ps"))
                        {
                            writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetProcs())));
                            writer.Flush();
                        }
                        else if (line.ToLower().Equals("svcs"))
                        {
                            writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetServices())));
                            writer.Flush();
                        }
                        else if (line.ToLower().Equals("cmdline"))
                        {
                            writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetCmdlineAudittingSettings())));
                            writer.Flush();
                        }

                        else if (line.ToLower().StartsWith("recon:"))
                        {
                            string payload = "";
                            if (line.Replace("recon:", "").Equals("privileged"))
                            {
                                privileged = true;
                            }
                            parentprocess = Recon.GetHostProcess(privileged);
                            if (parentprocess != null && Recon.GetExplorer() != null)
                            {
                                duser = Recon.GetProcessOwnerWmi(Recon.GetExplorer());
                                user  = duser.Split('\\')[1];
                                logger.TimestampInfo(String.Format("Recon identified {0} logged in. Process to Spoof: {1} PID: {2}", duser, parentprocess.ProcessName, parentprocess.Id));
                                payload = String.Format("{0},{1},{2},{3}", duser, parentprocess.ProcessName, parentprocess.Id, privileged.ToString());
                            }
                            else
                            {
                                payload = ",,,";
                                logger.TimestampInfo("Recon did not identify any logged users");
                            }
                            writer.WriteLine(payload);
                            writer.Flush();
                        }
                        else if (line.ToLower().StartsWith("sc:"))
                        {
                            writer.WriteLine("ACK");
                            writer.Flush();
                        }
                        else if (line.ToLower().StartsWith("technique:"))
                        {
                            technique = line.Replace("technique:", "");
                            //logger.TimestampInfo("Got params from client");
                            //logger.TimestampInfo("sending back to client: " + "ACK");
                            writer.WriteLine("ACK");
                            writer.Flush();
                        }
                        else if (line.ToLower().StartsWith("pbsleep:"))
                        {
                            pbsleep = Int32.Parse(line.Replace("pbsleep:", ""));
                            //logger.TimestampInfo("Got params from client");
                            //logger.TimestampInfo("sending back to client: " + "ACK");
                            writer.WriteLine("ACK");
                            writer.Flush();
                        }
                        else if (line.ToLower().StartsWith("tsleep:"))
                        {
                            tsleep = Int32.Parse(line.Replace("tsleep:", ""));
                            //logger.TimestampInfo("Got params from client");
                            //logger.TimestampInfo("sending back to client: " + "ACK");
                            writer.WriteLine("ACK");
                            writer.Flush();
                        }
                        else if (line.ToLower().StartsWith("opsec:"))
                        {
                            opsec = line.Replace("opsec:", "");
                            //logger.TimestampInfo("Got opsec technique from client");
                            //logger.TimestampInfo("sending back to client: " + "ACK");
                            writer.WriteLine("ACK");
                            writer.Flush();
                        }
                        else if (line.ToLower().StartsWith("cleanup:"))
                        {
                            cleanup = line.Replace("cleanup:", "");
                            writer.WriteLine("ACK");
                            writer.Flush();
                        }
                        else if (line.ToLower().StartsWith("simrpath:"))
                        {
                            simrpath = line.Replace("simrpath:", "");
                            //logger.TimestampInfo("sending back to client: " + "ACK");
                            //simpath = "C:\\Users\\" + loggeduser + "\\Downloads\\" + simbin;
                            simpfath = "C:\\Users\\" + user + "\\" + simrpath;
                            int index = simrpath.LastIndexOf(@"\");
                            simbinary = simrpath.Substring(index + 1);

                            writer.WriteLine("ACK");
                            writer.Flush();
                        }
                        else if (line.Equals("act"))
                        {
                            logger.TimestampInfo("Received act!");
                            //logger.TimestampInfo("sending back to client: " + "ACK");
                            writer.WriteLine("ACK");
                            writer.Flush();

                            if (opsec.Equals("ppid"))
                            {
                                logger.TimestampInfo("Using Parent Process Spoofing technique for Opsec");
                                logger.TimestampInfo("Spoofing " + parentprocess.ProcessName + " PID: " + parentprocess.Id.ToString());
                                logger.TimestampInfo("Executing: " + simpfath + " /n");
                                //Launcher.SpoofParent(parentprocess.Id, simpath, simbin + " " + cmdline);
                                //Launcher.SpoofParent(parentprocess.Id, simpfath, simrpath + " /s");

                                Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /n");
                                //Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /s");

                                System.Threading.Thread.Sleep(3000);
                                logger.TimestampInfo("Sending payload to Scout Aggent through namedpipe: " + "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:" + cleanup);
                                RunNoAuthClient(simulator_np, "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:" + cleanup);
                                System.Threading.Thread.Sleep(2000);
                            }
                        }
                        else if (line.ToLower().Equals("quit"))
                        {
                            logger.TimestampInfo("Received quit! Exitting namedpipe");
                            //logger.TimestampInfo("sending back to client: " + "quit");
                            writer.WriteLine("quit");
                            writer.Flush();
                            running = false;
                        }
                        pipeServer.Disconnect();
                    }
                }
            }
            catch (Exception ex)
            {
                logger.TimestampInfo(ex.ToString());
                logger.TimestampInfo(ex.Message.ToString());
            }
        }