public static void RunScoutServiceSerialized(string scout_np, string simulator_np, string log)
{
//Based on https://github.com/malcomvetter/NamedPipes
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
bool running = true;
bool privileged = false;
string duser, simulator_full_path, user, simulator_binary;
duser = simulator_full_path = user = simulator_binary = "";
Process parentprocess = null;
SimulationPlaybook PlaybookForSimulator = null;
Thread.Sleep(1500);
try
{
using (var pipeServer = new NamedPipeServerStream(scout_np, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message))
{
logger.TimestampInfo("Starting scout namedpipe service with PID:" + Process.GetCurrentProcess().Id);
while (running)
{
SimulationResponse sim_response;
logger.TimestampInfo("Waiting for client connection...");
pipeServer.WaitForConnection();
logger.TimestampInfo("Client connected.");
var messageBytes = ReadMessage(pipeServer);
var line = Encoding.UTF8.GetString(messageBytes);
logger.TimestampInfo("Received from client: " + line);
SimulationRequest sim_request = JsonConvert.DeserializeObject <SimulationRequest>(line);
ScoutResponse scout_response = null;
// Scout recon actions
if (sim_request.header.Equals("SCT"))
{
logger.TimestampInfo("Received SCT");
switch (sim_request.recon_type)
{
case "auditpol":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetAuditPolicy())));
break;
case "wef":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetWefSettings())));
break;
case "pws":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetPwsLoggingSettings())));
break;
case "ps":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetProcs())));
break;
case "svcs":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetServices())));
break;
case "cmdline":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetCmdlineAudittingSettings())));
break;
case "all":
string results = Recon.GetAuditPolicy() + "\n" + Recon.GetWefSettings() + "\n" + Recon.GetPwsLoggingSettings() + "\n" + Recon.GetProcs() + "\n" + Recon.GetServices() + "\n" + Recon.GetCmdlineAudittingSettings();
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(results)));
break;
default:
break;
}
sim_response = new SimulationResponse("SYN/ACK", null, scout_response);
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
logger.TimestampInfo(String.Format("Sent SimulationResponse object"));
running = false;
}
else if (sim_request.header.Equals("SYN"))
{
logger.TimestampInfo("Received SYN");
PlaybookForSimulator = sim_request.playbook;
ReconResponse recon_response;
if (sim_request.recon_type.Equals("privileged"))
{
privileged = true;
}
parentprocess = Recon.GetHostProcess(privileged);
if (parentprocess != null && Recon.GetExplorer() != null)
{
duser = Recon.GetProcessOwnerWmi(Recon.GetExplorer());
recon_response = new ReconResponse(duser, parentprocess.ProcessName, parentprocess.Id.ToString(), privileged.ToString());
user = duser.Split('\\')[1];
logger.TimestampInfo(String.Format("Recon identified {0} logged in. Process to Spoof: {1} PID: {2}", duser, parentprocess.ProcessName, parentprocess.Id));
}
else
{
recon_response = new ReconResponse("", "", "", "");
logger.TimestampInfo("Recon did not identify any logged users");
}
simulator_full_path = "C:\\Users\\" + user + "\\" + sim_request.playbook.simulator_relative_path;
int index = sim_request.playbook.simulator_relative_path.LastIndexOf(@"\");
simulator_binary = sim_request.playbook.simulator_relative_path.Substring(index + 1);
sim_response = new SimulationResponse("SYN/ACK", recon_response);
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
logger.TimestampInfo(String.Format("Sent SimulationResponse object"));
}
else if (sim_request.header.Equals("ACT"))
{
logger.TimestampInfo("Received ACT");
if (PlaybookForSimulator.opsec.Equals("ppid"))
{
logger.TimestampInfo("Using Parent Process Spoofing technique for Opsec");
logger.TimestampInfo("Spoofing " + parentprocess.ProcessName + " PID: " + parentprocess.Id.ToString());
logger.TimestampInfo("Executing: " + simulator_full_path + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpath, simbin + " " + cmdline);
//Launcher.SpoofParent(parentprocess.Id, simpfath, simrpath + " /s");
Launcher.SpoofParent(parentprocess.Id, simulator_full_path, simulator_binary + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /s");
//logger.TimestampInfo("Sending payload to Simulation Agent through namedpipe: " + "technique:" + s_payload.techniques + " pbsleep:" + s_payload.playbook_sleep + " tsleep:" + s_payload.task_sleep + " cleanup:" + s_payload.cleanup);
logger.TimestampInfo("Sending Simulation Playbook to Simulation Agent through namedpipe: " + PlaybookForSimulator.simulator_relative_path);
byte[] bytes_sim_rqeuest = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new SimulationRequest("ACK", "", PlaybookForSimulator)));
string result = NamedPipes.RunNoAuthClientSerialized(simulator_np, bytes_sim_rqeuest);
logger.TimestampInfo("Received back from Simulator " + result);
}
sim_response = new SimulationResponse("ACK");
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
logger.TimestampInfo(String.Format("Sent SimulationResponse object 2"));
running = false;
}
else if (sim_request.header.Equals("FIN"))
{
logger.TimestampInfo("Received a FIN command");
sim_response = new SimulationResponse("ACK");
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
running = false;
}
pipeServer.Disconnect();
}
}
}
catch (Exception ex)
{
logger.TimestampInfo(ex.ToString());
logger.TimestampInfo(ex.Message.ToString());
}
}
//Based on https://github.com/malcomvetter/NamedPipes
public static void RunScoutService(string npipe, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
bool running = true;
bool privileged = false;
string technique, opsec, simpfath, simrpath, duser, user, simbinary;
technique = opsec = simpfath = simrpath = duser = user = simbinary = "";
Process parentprocess = null;
int sleep = 0;
try
{
using (var pipeServer = new NamedPipeServerStream(npipe, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message))
{
logger.TimestampInfo("Starting scout namedpipe service with PID:" + Process.GetCurrentProcess().Id);
while (running)
{
var reader = new StreamReader(pipeServer);
var writer = new StreamWriter(pipeServer);
//logger.TimestampInfo("Waiting for client connection...");
pipeServer.WaitForConnection();
//logger.TimestampInfo("Client connected!");
var line = reader.ReadLine();
logger.TimestampInfo("Received from client: " + line);
if (line.ToLower().Equals("syn"))
{
//logger.TimestampInfo("sending back to client: " + "SYN/ACK");
writer.WriteLine("SYN/ACK");
writer.Flush();
}
else if (line.ToLower().Equals("auditpol"))
{
string output = "";
Process p = new Process();
// Redirect the output stream of the child process.
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = "auditpol.exe";
p.StartInfo.Arguments = "/get /category:*";
p.Start();
//logger.TimestampInfo(output);
p.WaitForExit();
output = p.StandardOutput.ReadToEnd();
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(output)));
writer.Flush();
}
else if (line.ToLower().StartsWith("recon:"))
{
string payload = "";
if (line.Replace("recon:", "").Equals("privileged"))
{
privileged = true;
}
parentprocess = Recon.GetHostProcess(privileged);
if (parentprocess != null && Recon.GetExplorer() != null)
{
//loggeduser = Recon.GetProcessOwner(Recon.GetExplorer()).Split('\\')[1];
//duser = Recon.GetProcessOwnerWmi(Recon.GetExplorer()).Split('\\')[1];
duser = Recon.GetProcessOwnerWmi(Recon.GetExplorer());
user = duser.Split('\\')[1];
logger.TimestampInfo(String.Format("Recon identified {0} logged in. Process to Spoof: {1} PID: {2}", duser, parentprocess.ProcessName, parentprocess.Id));
payload = String.Format("{0},{1},{2},{3}", duser, parentprocess.ProcessName, parentprocess.Id, privileged.ToString());
//logger.TimestampInfo("sending back to client: " + payload);
}
else
{
payload = ",,,";
logger.TimestampInfo("Recon did not identify any logged users");
}
writer.WriteLine(payload);
writer.Flush();
}
else if (line.ToLower().StartsWith("sc:"))
{
//logger.TimestampInfo("Got shellcode from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("technique:"))
{
technique = line.Replace("technique:", "");
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("sleep:"))
{
sleep = Int32.Parse(line.Replace("sleep:", ""));
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("opsec:"))
{
opsec = line.Replace("opsec:", "");
//logger.TimestampInfo("Got opsec technique from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("simrpath:"))
{
simrpath = line.Replace("simrpath:", "");
//logger.TimestampInfo("sending back to client: " + "ACK");
//simpath = "C:\\Users\\" + loggeduser + "\\Downloads\\" + simbin;
simpfath = "C:\\Users\\" + user + "\\" + simrpath;
int index = simrpath.LastIndexOf(@"\");
simbinary = simrpath.Substring(index + 1);
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.Equals("act"))
{
logger.TimestampInfo("Received act!");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
if (opsec.Equals("ppid"))
{
logger.TimestampInfo("Using Parent Process Spoofing technique for Opsec");
logger.TimestampInfo("Spoofing " + parentprocess.ProcessName + " PID: " + parentprocess.Id.ToString());
//logger.TimestampInfo("Executing: " + simpath + " " + cmdline);
logger.TimestampInfo("Executing: " + simpfath + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpath, simbin + " " + cmdline);
//Launcher.SpoofParent(parentprocess.Id, simpfath, simrpath + " /s");
Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /s");
System.Threading.Thread.Sleep(3000);
//logger.TimestampInfo("Sending technique through namedpipe:"+ technique.Replace("/technique ", ""));
logger.TimestampInfo("Sending technique through namedpipe:" + technique);
//RunNoAuthClient("simargs", "technique:" + technique.Replace("/technique ", ""));
RunNoAuthClient("simargs", "technique:" + technique + " sleep:" + sleep.ToString());
System.Threading.Thread.Sleep(2000);
}
}
else if (line.ToLower().Equals("quit"))
{
logger.TimestampInfo("Received quit! Exitting namedpipe");
//logger.TimestampInfo("sending back to client: " + "quit");
writer.WriteLine("quit");
writer.Flush();
running = false;
}
pipeServer.Disconnect();
}
}
}
catch (Exception ex)
{
logger.TimestampInfo(ex.ToString());
logger.TimestampInfo(ex.Message.ToString());
}
}
//Based on https://github.com/malcomvetter/NamedPipes
public static void RunScoutService(string scout_np, string simulator_np, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
bool running = true;
bool privileged = false;
string technique, opsec, simpfath, simrpath, duser, user, simbinary, cleanup;
technique = opsec = simpfath = simrpath = duser = user = simbinary = cleanup = "";
Process parentprocess = null;
int pbsleep, tsleep;
pbsleep = tsleep = 0;
System.Threading.Thread.Sleep(1500);
try
{
using (var pipeServer = new NamedPipeServerStream(scout_np, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message))
{
logger.TimestampInfo("Starting scout namedpipe service with PID:" + Process.GetCurrentProcess().Id);
while (running)
{
var reader = new StreamReader(pipeServer);
var writer = new StreamWriter(pipeServer);
//logger.TimestampInfo("Waiting for client connection...");
pipeServer.WaitForConnection();
//logger.TimestampInfo("Client connected!");
var line = reader.ReadLine();
logger.TimestampInfo("Received from client: " + line);
if (line.ToLower().Equals("syn"))
{
//logger.TimestampInfo("sending back to client: " + "SYN/ACK");
writer.WriteLine("SYN/ACK");
writer.Flush();
}
else if (line.ToLower().Equals("auditpol"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetAuditPolicy())));
writer.Flush();
}
else if (line.ToLower().Equals("wef"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetWefSettings())));
writer.Flush();
}
else if (line.ToLower().Equals("pws"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetPwsLoggingSettings())));
writer.Flush();
}
else if (line.ToLower().Equals("ps"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetProcs())));
writer.Flush();
}
else if (line.ToLower().Equals("svcs"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetServices())));
writer.Flush();
}
else if (line.ToLower().Equals("cmdline"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetCmdlineAudittingSettings())));
writer.Flush();
}
else if (line.ToLower().StartsWith("recon:"))
{
string payload = "";
if (line.Replace("recon:", "").Equals("privileged"))
{
privileged = true;
}
parentprocess = Recon.GetHostProcess(privileged);
if (parentprocess != null && Recon.GetExplorer() != null)
{
duser = Recon.GetProcessOwnerWmi(Recon.GetExplorer());
user = duser.Split('\\')[1];
logger.TimestampInfo(String.Format("Recon identified {0} logged in. Process to Spoof: {1} PID: {2}", duser, parentprocess.ProcessName, parentprocess.Id));
payload = String.Format("{0},{1},{2},{3}", duser, parentprocess.ProcessName, parentprocess.Id, privileged.ToString());
}
else
{
payload = ",,,";
logger.TimestampInfo("Recon did not identify any logged users");
}
writer.WriteLine(payload);
writer.Flush();
}
else if (line.ToLower().StartsWith("sc:"))
{
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("technique:"))
{
technique = line.Replace("technique:", "");
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("pbsleep:"))
{
pbsleep = Int32.Parse(line.Replace("pbsleep:", ""));
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("tsleep:"))
{
tsleep = Int32.Parse(line.Replace("tsleep:", ""));
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("opsec:"))
{
opsec = line.Replace("opsec:", "");
//logger.TimestampInfo("Got opsec technique from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("cleanup:"))
{
cleanup = line.Replace("cleanup:", "");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("simrpath:"))
{
simrpath = line.Replace("simrpath:", "");
//logger.TimestampInfo("sending back to client: " + "ACK");
//simpath = "C:\\Users\\" + loggeduser + "\\Downloads\\" + simbin;
simpfath = "C:\\Users\\" + user + "\\" + simrpath;
int index = simrpath.LastIndexOf(@"\");
simbinary = simrpath.Substring(index + 1);
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.Equals("act"))
{
logger.TimestampInfo("Received act!");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
if (opsec.Equals("ppid"))
{
logger.TimestampInfo("Using Parent Process Spoofing technique for Opsec");
logger.TimestampInfo("Spoofing " + parentprocess.ProcessName + " PID: " + parentprocess.Id.ToString());
logger.TimestampInfo("Executing: " + simpfath + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpath, simbin + " " + cmdline);
//Launcher.SpoofParent(parentprocess.Id, simpfath, simrpath + " /s");
Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /s");
System.Threading.Thread.Sleep(3000);
logger.TimestampInfo("Sending payload to Scout Aggent through namedpipe: " + "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:" + cleanup);
RunNoAuthClient(simulator_np, "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:" + cleanup);
System.Threading.Thread.Sleep(2000);
}
}
else if (line.ToLower().Equals("quit"))
{
logger.TimestampInfo("Received quit! Exitting namedpipe");
//logger.TimestampInfo("sending back to client: " + "quit");
writer.WriteLine("quit");
writer.Flush();
running = false;
}
pipeServer.Disconnect();
}
}
}
catch (Exception ex)
{
logger.TimestampInfo(ex.ToString());
logger.TimestampInfo(ex.Message.ToString());
}
}
