public static void StartProcess_old(string binary, string cmdline, Lib.Logger logger, bool cleanup = false)
{
if (!cleanup)
{
logger.TimestampInfo("Executing Command: " + cmdline);
}
else
{
logger.TimestampInfo("Executing Cleanup Command: " + cmdline);
}
const uint NORMAL_PRIORITY_CLASS = 0x0020;
bool retValue;
Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION();
Structs.STARTUPINFO sInfo = new Structs.STARTUPINFO();
Structs.SECURITY_ATTRIBUTES pSec = new Structs.SECURITY_ATTRIBUTES();
Structs.SECURITY_ATTRIBUTES tSec = new Structs.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
retValue = WinAPI.CreateProcess(null, cmdline, ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo);
if (retValue && cleanup == false)
{
logger.TimestampInfo(String.Format("Process successfully created. (PID): " + pInfo.dwProcessId));
}
else if (retValue != false && cleanup == false)
{
logger.TimestampInfo("Could not start process!");
}
}
public static void StartProcess(string binary, string cmdline)
{
const uint NORMAL_PRIORITY_CLASS = 0x0020;
bool retValue;
string Application;
if (binary == "powershell")
{
Application = Environment.GetEnvironmentVariable("windir") + @"\System32\WindowsPowerShell\v1.0\" + binary + ".exe " + cmdline;
Console.WriteLine(Environment.GetEnvironmentVariable("windir") + @"\System32\WindowsPowerShell\v1.0\" + binary + ".exe " + cmdline);
}
else
{
Application = Environment.GetEnvironmentVariable("windir") + @"\" + binary + ".exe " + @cmdline;
}
string CommandLine = @cmdline;
Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION();
Structs.STARTUPINFO sInfo = new Structs.STARTUPINFO();
Structs.SECURITY_ATTRIBUTES pSec = new Structs.SECURITY_ATTRIBUTES();
Structs.SECURITY_ATTRIBUTES tSec = new Structs.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
retValue = WinAPI.CreateProcess(null, cmdline, ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo);
Console.WriteLine("Process ID (PID): " + pInfo.dwProcessId);
Console.WriteLine("Process Handle : " + pInfo.hProcess);
}
public static void StartProcessAsUser(string binary, string cmdline, string domain, string username, string password)
{
Structs.STARTUPINFO startupInfo = new Structs.STARTUPINFO();
Structs.LogonFlags lflags = new Structs.LogonFlags();
//UInt32 exitCode = 123456;
Structs.PROCESS_INFORMATION processInfo = new Structs.PROCESS_INFORMATION();
String command = @"c:\windows\notepad.exe";
String currentDirectory = System.IO.Directory.GetCurrentDirectory();
WinAPI.CreateProcessWithLogonW(username, domain, password, lflags, command, command, (UInt32)0, (UInt32)0, currentDirectory, ref startupInfo, out processInfo);
}
public static void StartProcessApi(string binary, string cmdline, Lib.Logger logger)
{
const uint NORMAL_PRIORITY_CLASS = 0x0020;
bool retValue;
Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION();
Structs.STARTUPINFO sInfo = new Structs.STARTUPINFO();
Structs.SECURITY_ATTRIBUTES pSec = new Structs.SECURITY_ATTRIBUTES();
Structs.SECURITY_ATTRIBUTES tSec = new Structs.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
logger.TimestampInfo(String.Format("Using the Win32 API call CreateProcess to execute: '{0}'", cmdline));
retValue = WinAPI.CreateProcess(null, cmdline, ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo);
if (retValue)
{
logger.TimestampInfo(String.Format("Process successfully created. (PID): " + pInfo.dwProcessId));
}
else
{
logger.TimestampInfo("Could not start process!");
}
}
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref Structs.SECURITY_ATTRIBUTES lpProcessAttributes, ref Structs.SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref Structs.STARTUPINFO lpStartupInfo, out Structs.PROCESS_INFORMATION lpProcessInformation);
public static extern bool CreateProcessWithLogonW(String userName, String domain, String password, Structs.LogonFlags logonFlags, String applicationName, String commandLine, Structs.CreationFlags creationFlags, UInt32 environment, String currentDirectory, ref Structs.STARTUPINFO startupInfo, out Structs.PROCESS_INFORMATION processInformation);
public static void Main(string[] args)
{
bool cleanup, opsec, verbose, scoutservice, simservice, newchild, scout, remote, navigator;
string techniques, rhost, domain, ruser, rpwd, scoutfpath, simrpath, log, dc, pb_file, nav_action, navfile, scout_action, scout_np, simulator_np;
int pbsleep, tsleep, nusers, nhosts;
pbsleep = tsleep = 0;
nusers = nhosts = 5;
opsec = cleanup = true;
verbose = scoutservice = simservice = newchild = scout = remote = navigator = false;
techniques = rhost = domain = ruser = rpwd = dc = pb_file = nav_action = navfile = scout_action = "";
scoutfpath = "C:\\Windows\\Temp\\Scout.exe";
simrpath = "Downloads\\Firefox_Installer.exe";
log = "0001.dat";
scout_np = "scoutpipe";
simulator_np = "simpipe";
//should move this to sqlite or a JSON file.
string[] execution = new string[] { "T1053.005", "T1059.003", "T1059.005", "T1059.007", "T1059.001", "T1569.002" };
string[] persistence = new string[] { "T1053.005", "T1136.001", "T1543.003", "T1547.001", "T1546.003", "T1197" };
string[] privelege_escalation = new string[] { "T1053.005", "T1543.003", "T1547.001", "T1546.003", "T1055.002", "T1055.004" };
string[] defense_evasion = new string[] { "T1218.010", "T1218.005", "T1218.003", "T1218.011", "T1070.001", "T1220", "T1055.002", "T1055.004", "T1140", "T1197", "T1218.009", "T1218.004" };
string[] credential_access = new string[] { "T1110.003", "T1558.003", "T1003.001" };
string[] discovery = new string[] { "T1135", "T1046", "T1087.001", "T1087.002", "T1007", "T1033", "T1049", "T1016", "T1083" };
string[] lateral_movement = new string[] { "T1021", "T1021.006", "T1047" };
string[] supported_techniques = execution.Union(persistence).Union(privelege_escalation).Union(defense_evasion).Union(credential_access).Union(discovery).Union(lateral_movement).ToArray();
if (args.Length == 0)
{
Usage();
return;
}
for (int i = 0; i < args.Length; i++)
{
try
{
switch (args[i])
{
//// User Parameters ////
case "/pb":
pb_file = args[i + 1];
break;
case "/rhost":
rhost = args[i + 1];
remote = true;
break;
case "/ruser":
ruser = args[i + 1];
break;
case "/d":
domain = args[i + 1];
break;
case "/rpwd":
rpwd = args[i + 1];
break;
case "/dc":
dc = args[i + 1];
break;
case "/t":
techniques = args[i + 1];
break;
case "/scoutpath":
scoutfpath = args[i + 1];
break;
case "/simpath":
simrpath = args[i + 1];
break;
case "/pbsleep":
pbsleep = Int32.Parse(args[i + 1]);
break;
case "/tsleep":
tsleep = Int32.Parse(args[i + 1]);
break;
case "/noopsec":
opsec = false;
break;
case "/v":
verbose = true;
break;
case "/nocleanup":
cleanup = false;
break;
case "/scout":
scout = true;
scout_action = args[i + 1];
break;
case "/navigator":
navigator = true;
nav_action = args[i + 1];
if (nav_action.Equals("import"))
{
navfile = args[i + 2];
}
break;
//// Internal Parameters ////
case "/o":
scoutservice = true;
break;
case "/s":
simservice = true;
break;
case "/n":
newchild = true;
break;
default:
break;
}
}
catch
{
Console.WriteLine("[*] Error parsing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
//// Handling Internal Parameters ////
if (newchild)
{
const uint NORMAL_PRIORITY_CLASS = 0x0020;
Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION();
Structs.STARTUPINFO sInfo = new Structs.STARTUPINFO();
Structs.SECURITY_ATTRIBUTES pSec = new Structs.SECURITY_ATTRIBUTES();
Structs.SECURITY_ATTRIBUTES tSec = new Structs.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
string currentbin = System.Reflection.Assembly.GetEntryAssembly().Location;
//run the simulation agent
WinAPI.CreateProcess(null, currentbin + " /s", ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo);
return;
}
if (scoutservice)
{
NamedPipes.RunScoutService(scout_np, simulator_np, log);
return;
}
if (simservice)
{
string[] options = NamedPipes.RunSimulationService(simulator_np, log);
ExecuteTechniques(options[0], nusers, nhosts, Int32.Parse(options[1]), Int32.Parse(options[2]), log, bool.Parse(options[3]));
return;
}
//// Handling User Parameters ////
if (navigator)
{
if (nav_action.Equals("export"))
{
try
{
Console.WriteLine("[+] PurpleSharp supports " + supported_techniques.Count() + " unique ATT&CK techniques.");
Console.WriteLine("[+] Generating an ATT&CK Navigator layer...");
Json.ExportAttackLayer(supported_techniques.Distinct().ToArray());
Console.WriteLine("[!] Open PurpleSharp.json on https://mitre-attack.github.io/attack-navigator");
return;
}
catch
{
Console.WriteLine("[!] Error generating JSON layer...");
Console.WriteLine("[!] Exitting...");
return;
}
}
else if (nav_action.Equals("import"))
{
Console.WriteLine("[+] Loading {0}", navfile);
string json = File.ReadAllText(navfile);
NavigatorLayer layer = Json.ReadNavigatorLayer(json);
Console.WriteLine("[!] Loaded attack navigator '{0}'", layer.name);
Console.WriteLine("[+] Converting ATT&CK navigator Json...");
SimulationExercise engagement = Json.ConvertNavigatorToSimulationExercise(layer, supported_techniques.Distinct().ToArray());
Json.CreateSimulationExercise(engagement);
Console.WriteLine("[!] Done");
Console.WriteLine("[+] Open simulation.json");
return;
}
else
{
Console.WriteLine("[!] Didnt recognize parameter...");
Console.WriteLine("[!] Exitting...");
return;
}
}
if (scout && !scout_action.Equals(""))
{
if (!rhost.Equals("") && !domain.Equals("") && !ruser.Equals(""))
{
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
if (!rhost.Equals("random"))
{
Scout(rhost, domain, ruser, rpwd, scoutfpath, log, scout_action, scout_np, verbose);
return;
}
else if (!dc.Equals(""))
{
List <Computer> targets = new List <Computer>();
targets = Ldap.GetADComputers(10, dc, ruser, rpwd);
if (targets.Count > 0)
{
Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count);
var random = new Random();
int index = random.Next(targets.Count);
Console.WriteLine("[+] Picked Random host for simulation: " + targets[index].Fqdn);
Scout(targets[index].ComputerName, domain, ruser, rpwd, scoutfpath, log, scout_action, scout_np, verbose);
return;
}
else
{
Console.WriteLine("[!] Could not obtain targets for the simulation");
return;
}
}
else
{
Console.WriteLine("[*] Missing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
else
{
Console.WriteLine("[*] Missing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
if (!pb_file.Equals(""))
{
string json = File.ReadAllText(pb_file);
SimulationExercise engagement = Json.ReadSimulationPlaybook(json);
if (engagement != null)
{
Console.Write("Submit Password for {0}\\{1}: ", engagement.domain, engagement.username);
string pass = Utils.GetPassword();
Console.WriteLine("[+] PurpleSharp will execute {0} playbook(s)", engagement.playbooks.Count);
SimulationExerciseResult engagementResults = new SimulationExerciseResult();
engagementResults.playbookresults = new List <SimulationPlaybookResult>();
SimulationPlaybook lastPlaybook = engagement.playbooks.Last();
foreach (SimulationPlaybook playbook in engagement.playbooks)
{
SimulationPlaybookResult playbookResults = new SimulationPlaybookResult();
playbookResults.taskresults = new List <PlaybookTaskResult>();
playbookResults.name = playbook.name;
playbookResults.host = playbook.host;
Console.WriteLine("[+] Starting Execution of {0}", playbook.name);
PlaybookTask lastTask = playbook.tasks.Last();
List <string> techs = new List <string>();
foreach (PlaybookTask task in playbook.tasks)
{
techs.Add(task.technique);
}
string techs2 = String.Join(",", techs);
if (playbook.host.Equals("random"))
{
List <Computer> targets = Ldap.GetADComputers(10, engagement.dc, engagement.username, pass);
if (targets.Count > 0)
{
Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count);
var random = new Random();
int index = random.Next(targets.Count);
Console.WriteLine("[+] Picked random host for simulation: " + targets[index].Fqdn);
Console.WriteLine("[+] Executing techniques {0} against {1}", techs2, targets[index].Fqdn);
playbookResults = ExecuteRemoteTechniquesJson(targets[index].Fqdn, engagement.domain, engagement.username, pass, techs2, playbook.pbsleep, playbook.tsleep, playbook.scoutfpath, scout_np, playbook.simrpath, log, true, false);
playbookResults.name = playbook.name;
}
else
{
Console.WriteLine("[!] Could not obtain targets for the simulation");
}
}
else
{
Console.WriteLine("[+] Executing techniques {0} against {1}", techs2, playbook.host);
playbookResults = ExecuteRemoteTechniquesJson(playbook.host, engagement.domain, engagement.username, pass, techs2, playbook.pbsleep, playbook.tsleep, playbook.scoutfpath, scout_np, playbook.simrpath, log, true, false);
playbookResults.name = playbook.name;
}
if (engagement.sleep > 0 && !playbook.Equals(lastPlaybook))
{
Console.WriteLine();
Console.WriteLine("[+] Sleeping {0} minutes until next playbook...", engagement.sleep);
Thread.Sleep(1000 * engagement.sleep * 60);
}
engagementResults.playbookresults.Add(playbookResults);
}
Console.WriteLine("Writting JSON results...");
string output_file = pb_file.Replace(".json", "") + "_results.json";
Json.WriteJsonPlaybookResults(engagementResults, output_file);
Console.WriteLine("DONE. Open " + output_file);
Console.WriteLine();
return;
}
else
{
Console.WriteLine("[!] Could not parse JSON input.");
Console.WriteLine("[*] Exiting");
return;
}
}
if (remote)
{
if (!rhost.Equals("") && !domain.Equals("") && !ruser.Equals("") && !techniques.Equals(""))
{
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
if (!rhost.Equals("random"))
{
ExecuteRemoteTechniques(rhost, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
return;
}
else if (!dc.Equals(""))
{
List <Computer> targets = new List <Computer>();
targets = Ldap.GetADComputers(10, dc, ruser, rpwd);
if (targets.Count > 0)
{
Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count);
var random = new Random();
int index = random.Next(targets.Count);
Console.WriteLine("[+] Picked Random host for simulation: " + targets[index].Fqdn);
ExecuteRemoteTechniques(targets[index].Fqdn, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
return;
}
else
{
Console.WriteLine("[!] Could not obtain targets for the simulation");
return;
}
}
else
{
Console.WriteLine("[*] Missing dc :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
else
{
Console.WriteLine("[*] Missing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
// running simulations locally
else if (!techniques.Equals(""))
{
ExecuteTechniques(techniques, nusers, nhosts, pbsleep, tsleep, log, cleanup);
}
}
