adding variation as a parameter
mvelazco committed Aug 22, 2020
1 parent a059b1e commit d1f84d9
Showing 6 changed files with 45 additions and 39 deletions.
4 changes: 2 additions & 2 deletions PurpleSharp/Lib/Ldap.cs
Expand Up @@ -59,9 +59,9 @@ public static List<User> GetADUsers(int count, string dc = "", bool Enabled=true
// (!(userAccountControl:1.2.840.113556.1.4.803:=2)) - get active users only
// badPwdCount<=3 minimize the risk of locking accounts

//if (Enabled) search.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
if (Enabled) search.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
//if (Enabled) search.Filter = "(&(objectCategory=person)(objectClass=user)(lastLogon>=" + ftAccountExpires.ToString() + ")(badPwdCount<=3)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
if (Enabled) search.Filter = "(&(objectCategory=person)(objectClass=user)(lastLogon>=" + ftAccountExpires.ToString() + ")(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
//if (Enabled) search.Filter = "(&(objectCategory=person)(objectClass=user)(lastLogon>=" + ftAccountExpires.ToString() + ")(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
else search.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))";
search.PropertiesToLoad.Add("samaccountname");
search.PropertiesToLoad.Add("usergroup");
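Review bot: The comment `// badPwdCount<=3 minimize the risk of locking accounts` now describes a clause that survives only in the commented-out filter, since the active `if (Enabled) search.Filter = ...` assignment filters on `lastLogon` and `userAccountControl` alone; either restore the clause or reword the comment to `// badPwdCount<=3 (currently disabled) would minimize the risk of locking accounts`. If both uncommented `if (Enabled)` assignments are on the new side, the first is a dead store that the second overwrites immediately, so one of them should go, along with the three commented-out filter variants that version control already preserves. GetADUsers starts and ends outside the hunk.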
31 changes: 21 additions & 10 deletions PurpleSharp/Lib/NamedPipes.cs
Expand Up @@ -24,8 +24,9 @@ public static void RunScoutService(string scout_np, string simulator_np, string
string technique, opsec, simpfath, simrpath, duser, user, simbinary, cleanup;
technique = opsec = simpfath = simrpath = duser = user = simbinary = cleanup = "";
Process parentprocess = null;
int pbsleep, tsleep;
int pbsleep, tsleep, variation;
pbsleep = tsleep = 0;
variation = 1;
System.Threading.Thread.Sleep(1500);

try
Expand Down Expand Up @@ -117,6 +118,14 @@ public static void RunScoutService(string scout_np, string simulator_np, string
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("variation:"))
{
variation = Int32.Parse(line.Replace("variation:", ""));
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("pbsleep:"))
{
pbsleep = Int32.Parse(line.Replace("pbsleep:", ""));
Expand Down Expand Up @@ -179,7 +188,7 @@ public static void RunScoutService(string scout_np, string simulator_np, string

System.Threading.Thread.Sleep(3000);
logger.TimestampInfo("Sending payload to Scout Aggent through namedpipe: " + "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:" + cleanup);
RunNoAuthClient(simulator_np, "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:"+tsleep.ToString() + " cleanup:" + cleanup);
RunNoAuthClient(simulator_np, "technique:" + technique +" variation:"+ variation.ToString() + " pbsleep:" + pbsleep.ToString() + " tsleep:"+tsleep.ToString() + " cleanup:" + cleanup);
System.Threading.Thread.Sleep(2000);
}
}
Expand All @@ -203,15 +212,15 @@ public static void RunScoutService(string scout_np, string simulator_np, string
}
public static string[] RunSimulationService(string npipe, string log)
{
string[] result = new string[4];
string[] result = new string[5];
try
{
//https://helperbyte.com/questions/171742/how-to-connect-to-a-named-pipe-without-administrator-rights
PipeSecurity ps = new PipeSecurity();
ps.SetAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), PipeAccessRights.ReadWrite, AccessControlType.Allow));

//logger.TimestampInfo("starting!");
string technique, pbsleep, tsleep, cleanup;
string technique, pbsleep, tsleep, cleanup, variation;
using (var pipeServer = new NamedPipeServerStream(npipe, PipeDirection.InOut, 1, PipeTransmissionMode.Message, PipeOptions.Asynchronous, 4028, 4028, ps))

{
Expand All @@ -225,16 +234,18 @@ public static string[] RunSimulationService(string npipe, string log)
{
string[] options = line.Split(' ');
technique = options[0].Replace("technique:", "");
pbsleep = options[1].Replace("pbsleep:", "");
tsleep = options[2].Replace("tsleep:", "");
cleanup = options[3].Replace("cleanup:", "");
variation = options[1].Replace("variation:", "");
pbsleep = options[2].Replace("pbsleep:", "");
tsleep = options[3].Replace("tsleep:", "");
cleanup = options[4].Replace("cleanup:", "");
writer.WriteLine("ACK");
writer.Flush();

result[0] = technique;
result[1] = pbsleep;
result[2] = tsleep;
result[3] = cleanup;
result[1] = variation;
result[2] = pbsleep;
result[3] = tsleep;
result[4] = cleanup;
return result;
}
pipeServer.Disconnect();
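Review bot: The new positional fields in RunSimulationService are read by index with no check that `options[1]` actually carries the `variation:` prefix, so a client still sending the four-field message (or one with fields in another order) either throws IndexOutOfRangeException at `options[4]` or hands a shifted string such as `pbsleep:0` to the `Int32.Parse` call in Program.cs. Because the PipeSecurity rule a few lines above grants ReadWrite to BuiltinUsers, that message can originate from any local user, so the layout should be validated before the values are trusted; the surrounding try/catch, whose handler lies outside the hunk, would then decide how a rejected message is reported. The case mismatch of the existing pbsleep branch is copied into RunScoutService: `line.ToLower().StartsWith("variation:")` accepts `Variation:2` but `line.Replace("variation:", "")` does not strip it, so Int32.Parse fails; `StartsWith("variation:", StringComparison.OrdinalIgnoreCase)` followed by `line.Substring("variation:".Length)` keeps both steps in agreement. RunSimulationService continues past the end of the hunk.
```csharp
string[] options = line.Split(' ');
// Fail fast on a message that does not match the expected layout rather than
// letting a shifted field reach Int32.Parse in Program.cs.
string Field(int index, string prefix)
{
    if (index >= options.Length || !options[index].StartsWith(prefix, StringComparison.Ordinal))
    {
        throw new FormatException("unexpected simulator message: " + line);
    }
    return options[index].Substring(prefix.Length);
}
technique = Field(0, "technique:");
variation = Field(1, "variation:");
pbsleep = Field(2, "pbsleep:");
tsleep = Field(3, "tsleep:");
cleanup = Field(4, "cleanup:");
// … unchanged: ACK, result[] population, return …
```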
41 changes: 18 additions & 23 deletions PurpleSharp/Program.cs
Expand Up @@ -39,7 +39,8 @@ public static void Main(string[] args)
{
bool cleanup, opsec, verbose, scoutservice, simservice, newchild, scout, remote, navigator;
string techniques, rhost, domain, ruser, rpwd, scoutfpath, simrpath, log, dc, pb_file, nav_action, navfile, scout_action, scout_np, simulator_np;
int pbsleep, tsleep, nusers, nhosts;
int pbsleep, tsleep, nusers, nhosts, variation;
variation = 1;
pbsleep = tsleep = 0;
nusers = nhosts = 7;
opsec = cleanup = true;
Expand Down Expand Up @@ -112,6 +113,9 @@ public static void Main(string[] args)
case "/tsleep":
tsleep = Int32.Parse(args[i + 1]);
break;
case "/var":
variation = Int32.Parse(args[i + 1]);
break;
case "/noopsec":
opsec = false;
break;
Expand Down Expand Up @@ -179,7 +183,7 @@ public static void Main(string[] args)
if (simservice)
{
string[] options = NamedPipes.RunSimulationService(simulator_np, log);
ExecuteTechniques(options[0], nusers, nhosts, Int32.Parse(options[1]), Int32.Parse(options[2]), log, bool.Parse(options[3]));
ExecuteTechniques(options[0], Int32.Parse(options[1]), nusers, nhosts, Int32.Parse(options[2]), Int32.Parse(options[3]), log, bool.Parse(options[4]));
return;
}

Expand Down Expand Up @@ -364,7 +368,7 @@ public static void Main(string[] args)
}
if (!rhost.Equals("random"))
{
ExecuteRemoteTechniques(rhost, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
ExecuteRemoteTechniques(rhost, domain, ruser, rpwd, techniques, variation, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
return;
}
else if (!dc.Equals(""))
Expand All @@ -377,7 +381,7 @@ public static void Main(string[] args)
var random = new Random();
int index = random.Next(targets.Count);
Console.WriteLine("[+] Picked Random host for simulation: " + targets[index].Fqdn);
ExecuteRemoteTechniques(targets[index].Fqdn, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
ExecuteRemoteTechniques(targets[index].Fqdn, domain, ruser, rpwd, techniques, variation, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
return;
}
else
Expand All @@ -404,7 +408,7 @@ public static void Main(string[] args)
// running simulations locally
else if (!techniques.Equals(""))
{
ExecuteTechniques(techniques, nusers, nhosts, pbsleep, tsleep, log, cleanup);
ExecuteTechniques(techniques, variation, nusers, nhosts, pbsleep, tsleep, log, cleanup);
}

}
Expand Down Expand Up @@ -495,7 +499,7 @@ public static void Scout(string rhost, string domain, string ruser, string rpwd,
}
}

public static void ExecuteRemoteTechniques(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string simulator_np, string log, bool opsec, bool verbose, bool cleanup)
public static void ExecuteRemoteTechniques(string rhost, string domain, string ruser, string rpwd, string techniques, int variation, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string simulator_np, string log, bool opsec, bool verbose, bool cleanup)
{
// techniques that need to be executed from a high integrity process
string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };
Expand Down Expand Up @@ -552,6 +556,8 @@ public static void ExecuteRemoteTechniques(string rhost, string domain, string r
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
//Console.WriteLine("[+] Sending technique ...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
//Console.WriteLine("[+] Sending variation...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "variation:" + variation.ToString());
//Console.WriteLine("[+] Sending opsec techqniue...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
//Console.WriteLine("[+] Sending sleep...");
Expand Down Expand Up @@ -632,8 +638,8 @@ public static void ExecuteRemoteTechniques(string rhost, string domain, string r
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.wmiexec(rhost, scoutfpath, "/s", domain, ruser, rpwd);
Thread.Sleep(2000);
if (cleanup) NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:True");
else NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:False");
if (cleanup) NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " variation:" + variation.ToString() + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:True");
else NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " variation:"+ variation.ToString() + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:False");

Thread.Sleep(5000);
bool finished = false;
Expand Down Expand Up @@ -794,10 +800,9 @@ public static SimulationPlaybookResult ExecuteRemoteTechniquesJson(string rhost,
return Json.GetPlaybookResult(results);
}
}
public static void ExecuteTechnique(string technique, int nuser, int nhosts, int tsleep, string log, bool cleanup)
public static void ExecuteTechnique(string technique, int variation, int nuser, int nhosts, int tsleep, string log, bool cleanup)
{
var rand = new Random();
int variation = 1;

switch (technique)
{
Expand All @@ -806,8 +811,6 @@ public static void ExecuteTechnique(string technique, int nuser, int nhosts, int
//// Execution ////

case "T1059.001":
variation = 2;
//variation = rand.Next(1, 3);
if (variation == 1) Simulations.Execution.ExecutePowershellCmd(log);
else Simulations.Execution.ExecutePowershellNET(log);
break;
Expand Down Expand Up @@ -841,19 +844,16 @@ public static void ExecuteTechnique(string technique, int nuser, int nhosts, int
break;

case "T1136.001":
variation = rand.Next(1, 3);
if (variation == 1) Simulations.Persistence.CreateLocalAccountApi(log, cleanup);
else Simulations.Persistence.CreateLocalAccountCmd(log, cleanup);
break;

case "T1543.003":
variation = rand.Next(1, 3);
if (variation == 1) Simulations.Persistence.CreateWindowsServiceApi(log, cleanup);
else Simulations.Persistence.CreateWindowsServiceCmd(log, cleanup);
break;

case "T1547.001":
variation = rand.Next(1, 3);
if (variation == 1) Simulations.Persistence.CreateRegistryRunKeyNET(log, cleanup);
else Simulations.Persistence.CreateRegistryRunKeyCmd(log, cleanup);
break;
Expand Down Expand Up @@ -903,7 +903,6 @@ public static void ExecuteTechnique(string technique, int nuser, int nhosts, int
break;

case "T1070.001":
variation = rand.Next(1, 3);
if(variation ==1) Simulations.DefenseEvasion.ClearSecurityEventLogNET(log);
else Simulations.DefenseEvasion.ClearSecurityEventLogCmd(log);

Expand All @@ -928,9 +927,7 @@ public static void ExecuteTechnique(string technique, int nuser, int nhosts, int

//T1110.003 - Brute Force
case "T1110.003":
//variation = rand.Next(1, 3);
string password = "Summer2020";
variation = 1;
if (variation == 1) Simulations.CredAccess.LocalDomainPasswordSpray(nuser, tsleep, password, log);
else Simulations.CredAccess.RemotePasswordSpray(nhosts, nuser, tsleep, password, log);

Expand Down Expand Up @@ -973,8 +970,6 @@ public static void ExecuteTechnique(string technique, int nuser, int nhosts, int
break;

case "T1087.002":
variation = 1;
//variation = rand.Next(1, 3);
if (variation ==1 ) Simulations.Discovery.DomainAccountDiscoveryLdap(log);
else Simulations.Discovery.DomainAccountDiscoveryCmd(log);
break;
Expand Down Expand Up @@ -1027,7 +1022,7 @@ public static void ExecuteTechnique(string technique, int nuser, int nhosts, int

}
}
public static void ExecuteTechniques(string technique, int nuser, int nhosts, int pbsleep, int tsleep, string log, bool cleanup)
public static void ExecuteTechniques(string technique, int variation, int nuser, int nhosts, int pbsleep, int tsleep, string log, bool cleanup)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
Expand All @@ -1037,14 +1032,14 @@ public static void ExecuteTechniques(string technique, int nuser, int nhosts, in
string[] techniques = technique.Split(',');
for (int i=0; i < techniques.Length; i++)
{
ExecuteTechnique(techniques[i].Trim(), nuser, nhosts, tsleep, log, cleanup);
ExecuteTechnique(techniques[i].Trim(), variation, nuser, nhosts, tsleep, log, cleanup);
if (pbsleep > 0 && i != techniques.Length-1) Thread.Sleep(1000 * pbsleep);
}
logger.TimestampInfo("Playbook Finished");
}
else
{
ExecuteTechnique(technique, nuser, nhosts, tsleep, log, cleanup);
ExecuteTechnique(technique, variation, nuser, nhosts, tsleep, log, cleanup);
logger.TimestampInfo("Playbook Finished");
}
}
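Review bot: The new `case "/var":` accepts any integer, but every dispatch visible in ExecuteTechnique is `if (variation == 1) ... else ...`, so `/var 0` or `/var 9` silently runs the second variant instead of being rejected; parse it with `variation = Int32.Parse(args[i + 1], CultureInfo.InvariantCulture);` (System.Globalization) and follow it with `if (variation < 1) throw new ArgumentOutOfRangeException("/var", "variation must be 1 or greater");`, or route it through whatever usage-error path the rest of Main uses outside the hunk. With the per-case `rand.Next(1, 3)` assignments removed, `var rand = new Random();` at the top of ExecuteTechnique appears to have no remaining use and should be deleted if nothing in the collapsed ranges still calls it. The parameter was inserted between same-typed ints (`int variation, int nuser, int nhosts`) in ExecuteTechnique, ExecuteTechniques and ExecuteRemoteTechniques, so a caller that keeps the old order still compiles, and the call `ExecuteTechniques(options[0], Int32.Parse(options[1]), nusers, nhosts, ...)` additionally depends on the index layout chosen in RunSimulationService; named arguments such as `variation: Int32.Parse(options[1])` would make a mismatch visible at the call site. Main, ExecuteTechnique and ExecuteRemoteTechniques all extend beyond their hunks.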
2 changes: 0 additions & 2 deletions PurpleSharp/Simulations/DefenseEvasion.cs
Expand Up @@ -225,9 +225,7 @@ public static void PortableExecutableInjection(string log)
proc.StartInfo.UseShellExecute = false;
proc.Start();
logger.TimestampInfo(String.Format("Process {0}.exe with PID:{1} started for the injection", proc.ProcessName, proc.Id));

DefenseEvasionHelper.ProcInjection_CreateRemoteThread(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);
//DefenseEvasionHelper.ProcInjection_APC(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);
logger.SimulationFinished();
}
catch(Exception ex)
4 changes: 3 additions & 1 deletion PurpleSharp/Simulations/DefenseEvasionHelper.cs
Expand Up @@ -38,7 +38,9 @@ public static void ProcInjection_CreateRemoteThread(byte[] shellcode, Process pr
public static void ProcInjection_APC(byte[] shellcode, Process proc, Lib.Logger logger)
{
logger.TimestampInfo(String.Format("Calling OpenProcess on PID:{0}", proc.Id));
IntPtr procHandle = WinAPI.OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc.Id);
IntPtr procHandle = WinAPI.OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc.Id);

//IntPtr procHandle = WinAPI.OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc.Id);
Int32 size = shellcode.Length;
logger.TimestampInfo(String.Format("Calling VirtualAllocEx on PID:{0}", proc.Id));
IntPtr spaceAddr = WinAPI.VirtualAllocEx(procHandle, new IntPtr(0), (uint)size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
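Review bot: The `procHandle` returned by the new `WinAPI.OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | ...)` call is still passed straight to VirtualAllocEx without an `IntPtr.Zero` check, so when OpenProcess fails (for example because the target denies the requested access) the log records "Calling VirtualAllocEx" against an invalid handle and the real failure point is hidden; add `if (procHandle == IntPtr.Zero) { logger.TimestampInfo(String.Format("OpenProcess failed on PID:{0}", proc.Id)); return; }` before `Int32 size = shellcode.Length;`. The commented-out previous `IntPtr procHandle = WinAPI.OpenProcess(...)` line added below it is dead code that version control already preserves and should be dropped. Whether the handle is closed afterwards cannot be seen here, since ProcInjection_APC continues past the hunk.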
2 changes: 1 addition & 1 deletion PurpleSharp/Simulations/Discovery.cs
Expand Up @@ -160,7 +160,7 @@ public static void LocalAccountDiscoveryCmd(string log)
try
{
//ExecutionHelper.StartProcess("", "net group \"Domain Admins\" /domain", log);
ExecutionHelper.StartProcess("", "net user /domain", logger);
ExecutionHelper.StartProcess("", "net user", logger);
logger.SimulationFinished();
}
catch (Exception ex)
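Review bot: The commented-out `//ExecutionHelper.StartProcess("", "net group \"Domain Admins\" /domain", log);` line directly above the changed call is stale dead code (it even passes `log` where the live call passes `logger`) and should be removed with this change rather than kept as a reminder. If LocalAccountDiscoveryCmd's log messages or its summary comment, which lie outside the hunk, still describe a domain query, they need the same update to match the new `net user` command.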
