From ab2f33f6adc4a239798f0cddd4741b92cade0310 Mon Sep 17 00:00:00 2001
From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:30:01 -0500
Subject: [PATCH 1/8] fix: fix regression in continue on error
---
 .github/workflows/validate_robopages.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/validate_robopages.yml b/.github/workflows/validate_robopages.yml
index c38e59f..7ac2286 100644
--- a/.github/workflows/validate_robopages.yml
+++ b/.github/workflows/validate_robopages.yml
@@ -27,11 +27,11 @@ jobs: - name: Validate Contribution Files id: robopages-validation - continue-on-error: true run: | validate_file() { local file="$1" local tmp_file="/tmp/$(basename $file)" + local validation_status=0 if [[ ! "$file" =~ ^([a-zA-Z0-9_\-]+/)*[a-zA-Z0-9_\-]+\.yml$ ]]; then echo "Invalid file path characters: $file"
@@ -54,18 +54,22 @@ jobs: docker pull dreadnode/robopages:latest - # Run validation with Docker socket mounted using temp file + # Run validation and capture the exit status docker run --rm \ -v $(pwd):/workspace \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "$tmp_file:/workspace/$(basename $file)" \ -w /workspace \ --privileged \ - dreadnode/robopages:latest validate --path "$(basename $file)" --skip-docker + dreadnode/robopages:latest validate --path "$(basename $file)" --skip-docker || validation_status=$? rm "$tmp_file" + return $validation_status } + # Initialize overall status + overall_status=0 + # Get changed files using GitHub's provided variables changed_files=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} | \ grep '\.yml$' | grep -v '^.github/' || true)
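Review bot: The modified `docker run` line on the new side still launches the unpinned `dreadnode/robopages:latest` image with `--privileged` and the host Docker socket mounted, so PR-contributed YAML is processed by whatever that tag resolves to at run time with full control of the runner's Docker daemon; pinning both the `pull` and `run` lines to a digest (`dreadnode/robopages@sha256:<DIGEST-PLACEHOLDER>`) and dropping `--privileged` if `--skip-docker` means the validator does not start containers itself (confirm against the image) would narrow that. Whether fork PRs can reach this step depends on the workflow trigger, which is outside the hunk. The `|| validation_status=$?` capture works under the default `bash -e`, but the `docker pull` just above it is unguarded, so a registry failure aborts the whole step before the per-file error reporting runs; `docker pull dreadnode/robopages:latest || return 1` would keep that inside the function's status handling. `validate_file` opens in the previous hunk and closes here.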
@@ -73,9 +77,14 @@ jobs: # Validate each changed file for file in $changed_files; do echo "Validating $file..." - validate_file "$file" || exit 1 + if ! validate_file "$file"; then + overall_status=1 + echo "::error::Validation failed for $file" + fi done + exit $overall_status + - name: Post validation status if: always() uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #7.0.1
From 22664ffc40ef8553981f81ff66047d77a188a7ce Mon Sep 17 00:00:00 2001
From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:31:13 -0500
Subject: [PATCH 2/8] chore: test use case
---
 .github/workflows/validate_robopages.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/validate_robopages.yml b/.github/workflows/validate_robopages.yml
index 7ac2286..465f143 100644
--- a/.github/workflows/validate_robopages.yml
+++ b/.github/workflows/validate_robopages.yml
@@ -7,6 +7,7 @@ on: - '!.github/**' branches: - main + - will/feature-mythic-apollo jobs: validate:
From 5e9ab63965484871735bddff069bc06ab1755567 Mon Sep 17 00:00:00 2001
From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:31:43 -0500
Subject: [PATCH 3/8] chore: revert test branch
---
 .github/workflows/validate_robopages.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/validate_robopages.yml b/.github/workflows/validate_robopages.yml
index 465f143..7ac2286 100644
--- a/.github/workflows/validate_robopages.yml
+++ b/.github/workflows/validate_robopages.yml
@@ -7,7 +7,6 @@ on: - '!.github/**' branches: - main - - will/feature-mythic-apollo jobs: validate:
From 5812224e5cbef54cc6fd065620258d0ba5ea4506 Mon Sep 17 00:00:00 2001
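Review bot: `for file in $changed_files; do` word-splits the `git diff --name-only` output, so a path containing a space (the `c2 /apollo.yml` case added later in this series) is handed to `validate_file` as two fragments, each rejected separately with a misleading `::error::` naming half a path; iterate line by line instead: change the loop head to `while IFS= read -r file; do`, add `[[ -n "$file" ]] || continue` as its first statement, and close with `done <<< "$changed_files"`. `exit $overall_status` now fails the step as intended with `continue-on-error` gone, but the result is not exported for the `Post validation status` step that follows; `echo "status=$overall_status" >> "$GITHUB_OUTPUT"` before the `exit` would expose it as `steps.robopages-validation.outputs.status`. The enclosing `run:` block starts outside the hunk.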
From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:39:28 -0500
Subject: [PATCH 4/8] chore: update the post validation step
---
 .github/workflows/validate_robopages.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/validate_robopages.yml b/.github/workflows/validate_robopages.yml
index 7ac2286..10bbeeb 100644
--- a/.github/workflows/validate_robopages.yml
+++ b/.github/workflows/validate_robopages.yml
@@ -90,7 +90,9 @@ jobs: uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #7.0.1 with: script: | - const validation_status = '${{ steps.robopages-validation.outcome }}' === 'success' ? '✅ Validation successful' : '❌ Validation failed'; + const validation_status = process.env.STATE_validation === '0' + ? '✅ Validation successful' + : '❌ Validation failed'; const runUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`; const timestamp = new Date().toISOString(); const body = [
@@ -113,4 +115,4 @@ jobs: pull_number: context.issue.number, body: body, event: 'COMMENT' - }); \ No newline at end of file + });� \ No newline at end of file
From 8208201d279e02619a54527182d9bde2710acc86 Mon Sep 17 00:00:00 2001
From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:40:35 -0500
Subject: [PATCH 5/8] chore: test with apollo from 27
---
 cybersecurity/offensive/c2 /apollo.yml | 746 +++++++++++++++++++++++++
 1 file changed, 746 insertions(+)
 create mode 100644 cybersecurity/offensive/c2 /apollo.yml
diff --git a/cybersecurity/offensive/c2 /apollo.yml b/cybersecurity/offensive/c2 /apollo.yml
new file mode 100644
index 0000000..57d85d3
--- /dev/null
+++ b/cybersecurity/offensive/c2 /apollo.yml
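Review bot: `process.env.STATE_validation` is never written anywhere in this series — the validation step only keeps a shell variable and exits with it — so the `=== '0'` comparison is always false and every comment will say `❌ Validation failed`; unless a step outside the diff populates that variable, read a real step output instead: `const validation_status = '${{ steps.robopages-validation.outputs.status }}' === '0'`, paired with `echo "status=$overall_status" >> "$GITHUB_OUTPUT"` before the `exit` in the validation step, or fall back to `steps.robopages-validation.outcome`, which is meaningful now that `continue-on-error` was removed in patch 1. `STATE_*` variables come from `$GITHUB_STATE` and, per the Actions docs, are exposed to an action's `pre:`/`post:` hooks rather than to ordinary `run` steps. The second hunk also appends a stray non-printable byte after `});`, which patch 7 of this series later removes. The `script:` block starts outside the hunk.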
@@ -0,0 +1,746 @@ +description: Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings. The agent is designed to be used with the Mythic C2 server. + +functions: + assembly_inject: + description: Execute .NET assembly in remote process. + parameters: + pid: + type: integer + description: The process ID to inject into. + assembly: + type: string + description: The assembly to inject. + args: + type: string + description: Arguments to pass to the assembly. + cmdline: + - assembly_inject + - -PID + - ${pid} + - -Assembly + - ${assembly} + - -Arguments + - ${args} + blockdlls: + description: Block non-Microsoft signed DLLs from loading into post-ex jobs. + parameters: + enable: + type: boolean + description: Enable or disable blockdlls. + cmdline: + - blockdlls + - -EnableBlock + - ${enable} + + cat: + description: Retrieve the output of a file. + parameters: + file: + type: string + description: The file to retrieve. + cmdline: + - cat + - -Path + - ${file} + cd: + description: Change working directory. + parameters: + dir: + type: string + description: The directory to change to. + cmdline: + - cd + - -Path + - ${dir} + cp: + description: Copy a file from path to destination. + parameters: + source: + type: string + description: The source file to copy. + destination: + type: string + description: The destination to copy the file to. + cmdline: + - cp + - -Path + - ${source} + - -Destination + - ${destination} + dcsync: + description: DCSync one or more user credentials. + parameters: + domain: + type: string + description: The domain to DCSync. + user: + type: string + description: The user to DCSync. + dc: + type: string + description: The domain controller to DCSync. + cmdline: + - dcsync + - -Domain + - ${domain} + - -User + - ${user} + - -DC + - ${dc} + download: + description: Download a file off the target system. 
+ parameters: + Path: + type: string + description: The path to download the file to. + Host: + type: string + description: The hostname to download the file from. + cmdline: + - download + - -Path + - ${Path} + - -Host + - ${Host} + execute_assembly: + description: Execute a .NET assembly registered with register_file. + parameters: + assembly: + type: string + description: The assembly to execute. + args: + type: string + description: Arguments to pass to the assembly. + cmdline: + - execute_assembly + - -Assembly + - ${assembly} + - -Arguments + - ${args} + execute_coff: + description: Execute a object file (BOF) that's been registered with register_file. + parameters: + object: + type: string + description: The object file to execute. + function: + type: string + description: The function to execute. + timeout: + type: integer + description: The timeout for the execution. + args: + type: string + description: Arguments to pass to the object file. + cmdline: + - execute_coff + - -Coff + - ${object} + - -Function + - ${function} + - -Timeout + - ${timeout} + - -Arguments + - ${args} + execute_pe: + description: Execute a statically compiled executable that's been registered with register_file. + parameters: + binary: + type: string + description: The binary to execute. + args: + type: string + description: Arguments to pass to the binary. + cmdline: + - execute_pe + - -PE + - ${binary} + - -Arguments + - ${args} + exit: + description: Task agent to exit. + cmdline: + - exit + get_injection_techniques: + description: Show currently registered injection techniques as well as the current technique. + cmdline: + - get_injection_techniques + get_privs: + description: Enable as many privileges as possible for the current access token. + cmdline: + - getprivs + ifconfig: + description: Get Network Adapters and Interfaces + cmdline: + - ifconfig + inject: + description: Inject a new payload into a remote process. 
+ parameters: + pid: + type: integer + description: The process ID to inject into. + payload: + type: string + description: The payload to inject. + cmdline: + - inject + - -PID + - ${pid} + - -Payload + - ${payload} + inline_assembly: + description: Execute a .NET assembly in the currently executing process that's been registered with register_file. + parameters: + Assembly: + type: string + description: The assembly to execute. + Arguments: + type: string + description: Additional arguments to pass to the assembly. + cmdline: + - inline_assembly + - -Assembly + - ${Assembly} + - -Arguments + - ${Arguments} + jobkill: + description: Kill a running job in the agent. + parameters: + jid: + type: integer + description: The job ID to kill. + cmdline: + - jobkill + - ${jid} + jobs: + description: List all running jobs. + cmdline: + - jobs + keylog_inject: + description: Inject a keylogger into a remote process. + parameters: + pid: + type: integer + description: The process ID to inject into. + cmdline: + - keylog_inject + - -PID + - ${pid} + kill: + description: Attempt to kill the process specified by [pid]. + parameters: + pid: + type: integer + description: The process ID to kill. + cmdline: + - kill + - -PID + - ${pid} + link: + description: Link to a P2P agent via SMB or TCP. + cmdline: + - link + load: + description: Load new commands into the agent. + parameters: + commands: + type: string + description: The commands to load. + cmdline: + - load + - ${commands} + ls: + description: List files and folders in [path]. Defaults to current working directory. + parameters: + path: + type: string + description: The path to list files and folders in. + cmdline: + - ls + - -Path + - ${path} + + make_token: + description: Impersonate a user using plaintext credentials. + cmdline: + - make_token + mimikatz: + description: Execute Mimikatz with the specified arguments. 
+ parameters: + Command: + type: string + description: The command to execute + cmdline: + - mimikatz + - -Command + - ${Command} + mkdir: + description: Create a directory. + parameters: + dir: + type: string + description: The directory to create. + cmdline: + - mkdir + - -Path + - ${dir} + mv: + description: Move a file from source to destination. + parameters: + source: + type: string + description: The source file to move. + destination: + type: string + description: The destination to move the file to. + cmdline: + - mv + - -Path + - ${source} + - -Destination + - ${destination} + net_dclist: + description: List all domain controllers for the current or specified domain. + parameters: + domain: + type: string + description: The domain to list domain controllers for. + cmdline: + - net_dclist + - ${domain} + net_localgroup_member: + description: Retrieve membership information from a specified group on a given computer. + parameters: + Group: + type: string + description: The group to retrieve membership information from. + Computer: + type: string + description: The computer to retrieve membership information from. + cmdline: + - net_localgroup_member + - -Group + - ${Group} + - -Computer + - ${Computer} + net_localgroup: + description: Retrieve local groups known by a computer. Default to localhost. + parameters: + computer: + type: string + description: The computer to retrieve local groups from. + cmdline: + - net_localgroup + - ${computer} + net_shares: + description: Show shares of a remote PC. + parameters: + computer: + type: string + description: The computer to show shares from. + cmdline: + - net_shares + - -Computer + - ${computer} + netstat: + description: Get TCP and UDP connections. + parameters: + Tcp: + type: boolean + description: Get TCP connections. + Udp: + type: boolean + description: Get UDP connections. + Established: + type: boolean + description: Get established connections. 
+ Listen: + type: boolean + description: Get listening connections. + cmdline: + - netstat + - -Tcp + - ${Tcp} + - -Udp + - ${Udp} + - -Established + - ${Established} + - -Listen + - ${Listen} + powerpick: + description: Executes PowerShell in a sacrificial process. + parameters: + command: + type: string + description: The command to execute. + cmdline: + - powerpick + - -Command + - ${command} + powershell: + description: Executes PowerShell in your currently running process. + parameters: + command: + type: string + description: The command to execute. + cmdline: + - powershell + - -Command + - ${command} + powershell_import: + description: Register a new .ps1 file to be used in other PowerShell jobs. + cmdline: + - powershell_import + ppid: + description: Set the PPID of sacrificial jobs to the specified PID. + parameters: + pid: + type: integer + description: The PID to set the PPID to. + cmdline: + - ppid + - -PID + - ${pid} + printspoofer: + description: Execute a command in SYSTEM integrity so long as you have SeImpersonate privileges. + parameters: + command: + type: string + description: The command to execute + cmdline: + - printspoofer + - -Command + - ${command} + ps: + description: List process information. + cmdline: + - ps + psinject: + description: Executes PowerShell in the process specified by [pid]. Currently stdout is not captured of child processes if not explicitly captured into a variable or via inline execution (such as $(whoami)). + parameters: + pid: + type: integer + description: The process ID to inject into. + command: + type: string + description: The command to execute + cmdline: + - psinject + - -PID + - ${pid} + - -Command + - ${command} + pth: + description: Use mimikatz's pth module to spawn a process with alternate credentials. + parameters: + domain: + type: string + description: The domain to use. + username: + type: string + description: The username to use. + ntlm_hash: + type: string + description: The NTLM hash to use. 
+ aes128_key: + type: string + description: The AES128 key to use. + aes256_key: + type: string + description: The AES256 key to use. + program: + type: string + description: The program to run. + cmdline: + - pth + - -Domain + - ${domain} + - -User + - ${username} + - -NTLM + - ${ntlm_hash} + - -AES128 + - ${aes128_key} + - -AES256 + - ${aes256_key} + - -Run + - ${program} + pwd: + description: Print working directory. + cmdline: + - pwd + reg_query: + description: Query all subkeys of the specified registry path. Needs to be of the format HKCU:\, HKLM:\, or HKCR:\. + parameters: + Hive: + type: string + description: The registry hive to query. + Key: + type: string + description: The registry key to query. + cmdline: + - reg_query + - -Hive + - ${Hive} + - -Key + - ${Key} + reg_read_value: + description: Read specified values from the registry keys. + parameters: + Hive: + type: string + description: The registry hive to read from. + Key: + type: string + description: The registry key to read from. + Name: + type: string + description: The value name to read. + cmdline: + - reg_read_value + - -Hive + - ${Hive} + - -Key + - ${Key} + - -Name + - ${Name} + register_assembly: + description: Register a .NET assembly with the agent to be used in .NET post-exploitation activities + cmdline: + - register_assembly + + register_file: + description: Register a file to the agent's file cache. Used to store assemblies, executables, and PowerShell scripts. + cmdline: + - register_file + rev2self: + description: Revert the access token to the original access token. + cmdline: + - rev2self + rm: + description: Remove a file specified by [path]. Alternatively, if -File is provided, -Path will be used as the directory, and -File will be the filename. + parameters: + path: + type: string + description: The path to remove the file from. + Host: + type: string + description: The hostname to remove the file from. + File: + type: string + description: The file to remove. 
+ cmdline: + - rm + - -Path + - ${path} + - -Host + - ${Host} + - -File + - ${File} + run: + description: Run the binary specified by [binary.exe] with passed arguments (if any). + parameters: + binary: + type: string + description: The binary to run. + args: + type: string + description: The arguments to pass to the binary. + cmdline: + - run + - -Executable + - ${binary} + - -Arguments + - ${args} + sc: + description: .NET implementation of the Service Control Manager. + parameters: + Query: + type: boolean + description: Query a service. + Start: + type: boolean + description: Start a service. + Stop: + type: boolean + description: Stop a service. + Create: + type: boolean + description: Create a service. + Delete: + type: boolean + description: Delete a service. + Computer: + type: string + description: The computer to perform the action on. + DisplayName: + type: string + description: The display name of the service. + ServiceName: + type: string + description: The service name. + BinPath: + type: string + description: The binary path of the service. + cmdline: + - sc + - -Query + - ${Query} + - -Start + - ${Start} + - -Stop + - ${Stop} + - -Create + - ${Create} + - -Delete + - ${Delete} + - -Computer + - ${Computer} + - -DisplayName + - ${DisplayName} + - -ServiceName + - ${ServiceName} + - -BinPath + - ${BinPath} + screenshot_inject: + description: Get a screenshot of the desktop session associated with PID every Interval seconds for Count screenshots. + parameters: + pid: + type: integer + description: The process ID to inject into. + Interval: + type: integer + description: The interval to take screenshots. + Count: + type: integer + description: The number of screenshots to take. + cmdline: + - screenshot_inject + - -PID + - ${pid} + - -Interval + - ${Interval} + - -Count + - ${Count} + screenshot: + description: Get a screenshot of the current screen. 
+ cmdline: + - screenshot + set_injection_technique: + description: Set the injection technique used in post-ex jobs that require injection. + parameters: + technique: + type: string + description: The injection technique to use. + cmdline: + - set_injection_technique + - ${technique} + shell: + description: Run a shell command which will translate to a process being spawned with command line (cmd.exe /S /c [command]) + parameters: + command: + type: string + description: The command to execute + cmdline: + - shell + - ${command} + shinject: + description: Inject given shellcode into a specified pid. + parameters: + pid: + type: integer + description: The process ID to inject into. + shellcode: + type: string + description: The shellcode to inject. + cmdline: + - shinject + - -PID + - ${pid} + - -Shellcode + - ${shellcode} + sleep: + description: Set the callback interval of the agent in seconds. + parameters: + seconds: + type: integer + description: The number of seconds to sleep. + cmdline: + - sleep + - ${seconds} + socks: + description: Standup the socks server to proxy network traffic, routable via Mythic on [port]. + parameters: + port: + type: integer + description: The port to standup the socks server on. + cmdline: + - socks + - -Port + - ${port} + spawn: + description: Spawn a new callback in the postex process specified by spawnto_*. + cmdline: + - spawn + spawnto_x64: + description: Sets the process used in jobs requiring sacrificial processes to the specified [path] with arguments [args]. + parameters: + Application: + type: string + description: The path to the application. + Arguments: + type: string + description: The arguments to pass to the application. + cmdline: + - spawnto_x64 + - -Application + - ${Application} + - -Arguments + - ${Arguments} + spawnto_x86: + description: Sets the process used in jobs requiring sacrificial processes to the specified [path] with arguments [args]. 
+ parameters: + Application: + type: string + description: The path to the application. + Arguments: + type: string + description: The arguments to pass to the application. + cmdline: + - spawnto_x86 + - -Application + - ${Application} + - -Arguments + - ${Arguments} + steal_token: + description: Attempts to steal the process's primary token specified by [pid] and apply it to our own session. + parameters: + pid: + type: integer + description: The process ID to steal the token from. + cmdline: + - steal_token + - ${pid} + unlink: + description: Unlink a callback linked to via the link command. Modal popup only. + cmdline: + - unlink + upload: + description: Upload a file to a remote path on the machine. Modal popup only. + parameters: + file: + type: string + description: The file to upload. + path: + type: string + description: The path to upload the file to. + cmdline: + - upload + - -File + - ${file} + - -Path + - ${path} + whoami: + description: Report access token for local and remote operations. + cmdline: + - whoami \ No newline at end of file From f850dbad944da2e67ec5a7001dfd1ac7ac488cb2 Mon Sep 17 00:00:00 2001 From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com> Date: Thu, 28 Nov 2024 10:43:37 -0500 Subject: [PATCH 6/8] chore: mooor tests --- cybersecurity/offensive/{c2 => c2}/apollo.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cybersecurity/offensive/{c2 => c2}/apollo.yml (100%) diff --git a/cybersecurity/offensive/c2 /apollo.yml b/cybersecurity/offensive/c2/apollo.yml similarity index 100% rename from cybersecurity/offensive/c2 /apollo.yml rename to cybersecurity/offensive/c2/apollo.yml From 56a4fa542d1341f1218306f084a9054246473c4f Mon Sep 17 00:00:00 2001 
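Review bot: The file is added under `cybersecurity/offensive/c2 /apollo.yml`, a directory name with a trailing space, which the workflow's path check (`^([a-zA-Z0-9_\-]+/)*[a-zA-Z0-9_\-]+\.yml$`) rejects; if that is the intended negative test for the validator, saying so in the commit message and using a minimal fixture would make this 746-line add — and its deletion in patch 8 — easier to review than a full tool definition. The file also ends without a trailing newline (`\ No newline at end of file`). The `cmdline` items such as `- -PID` rely on plain scalars that begin with `-`, which YAML accepts, but quoting them (`- '-PID'`) would make the intent unambiguous for linters and readers.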
From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:48:16 -0500
Subject: [PATCH 7/8] fix: fix the pr comment last step
---
 .github/workflows/validate_robopages.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/validate_robopages.yml b/.github/workflows/validate_robopages.yml
index 10bbeeb..fc70294 100644
--- a/.github/workflows/validate_robopages.yml
+++ b/.github/workflows/validate_robopages.yml
@@ -102,17 +102,16 @@ jobs: '', 'Please ensure your contribution follows the required format.', '', - `🔍 [View Full Validation Details](${runUrl})`, + `[View Full Validation Details](${runUrl})`, '', '---', `Run ID: \`${process.env.GITHUB_RUN_ID}\``, `Workflow: ${process.env.GITHUB_WORKFLOW}` ].join('\n'); - github.rest.pulls.createReview({ + github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, - pull_number: context.issue.number, - body: body, - event: 'COMMENT' - });� \ No newline at end of file + issue_number: context.issue.number, + body: body }); \ No newline at end of file
From 2e01869087e25aa5d3bca1c06a067262f8dca8d6 Mon Sep 17 00:00:00 2001
From: Ads Dawson <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:49:27 -0500
Subject: [PATCH 8/8] chore: rm test
---
 cybersecurity/offensive/c2/apollo.yml | 746 --------------------------
 1 file changed, 746 deletions(-)
 delete mode 100644 cybersecurity/offensive/c2/apollo.yml
diff --git a/cybersecurity/offensive/c2/apollo.yml b/cybersecurity/offensive/c2/apollo.yml
deleted file mode 100644
index 57d85d3..0000000
--- a/cybersecurity/offensive/c2/apollo.yml
+++ /dev/null
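Review bot: The new `github.rest.issues.createComment({` call is still not awaited, so the step can end before the request completes and a rejected promise — typically a 403 when `GITHUB_TOKEN` lacks `pull-requests: write`, which is the default for fork PRs under `pull_request` — shows up as an unhandled rejection instead of a step failure; change the line to `await github.rest.issues.createComment({`. `context.issue.number` is undefined unless the run is for a pull request, and the trigger is outside this hunk, so a `if (!context.issue.number) return;` guard ahead of the call (or `if: github.event_name == 'pull_request'` on the step, which currently has `if: always()`) would keep a push-triggered run from erroring here. The `script:` block starts outside the hunk.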
@@ -1,746 +0,0 @@ -description: Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings. The agent is designed to be used with the Mythic C2 server. - -functions: - assembly_inject: - description: Execute .NET assembly in remote process. - parameters: - pid: - type: integer - description: The process ID to inject into. - assembly: - type: string - description: The assembly to inject. - args: - type: string - description: Arguments to pass to the assembly. - cmdline: - - assembly_inject - - -PID - - ${pid} - - -Assembly - - ${assembly} - - -Arguments - - ${args} - blockdlls: - description: Block non-Microsoft signed DLLs from loading into post-ex jobs. - parameters: - enable: - type: boolean - description: Enable or disable blockdlls. - cmdline: - - blockdlls - - -EnableBlock - - ${enable} - - cat: - description: Retrieve the output of a file. - parameters: - file: - type: string - description: The file to retrieve. - cmdline: - - cat - - -Path - - ${file} - cd: - description: Change working directory. - parameters: - dir: - type: string - description: The directory to change to. - cmdline: - - cd - - -Path - - ${dir} - cp: - description: Copy a file from path to destination. - parameters: - source: - type: string - description: The source file to copy. - destination: - type: string - description: The destination to copy the file to. - cmdline: - - cp - - -Path - - ${source} - - -Destination - - ${destination} - dcsync: - description: DCSync one or more user credentials. - parameters: - domain: - type: string - description: The domain to DCSync. - user: - type: string - description: The user to DCSync. - dc: - type: string - description: The domain controller to DCSync. - cmdline: - - dcsync - - -Domain - - ${domain} - - -User - - ${user} - - -DC - - ${dc} - download: - description: Download a file off the target system. 
- parameters: - Path: - type: string - description: The path to download the file to. - Host: - type: string - description: The hostname to download the file from. - cmdline: - - download - - -Path - - ${Path} - - -Host - - ${Host} - execute_assembly: - description: Execute a .NET assembly registered with register_file. - parameters: - assembly: - type: string - description: The assembly to execute. - args: - type: string - description: Arguments to pass to the assembly. - cmdline: - - execute_assembly - - -Assembly - - ${assembly} - - -Arguments - - ${args} - execute_coff: - description: Execute a object file (BOF) that's been registered with register_file. - parameters: - object: - type: string - description: The object file to execute. - function: - type: string - description: The function to execute. - timeout: - type: integer - description: The timeout for the execution. - args: - type: string - description: Arguments to pass to the object file. - cmdline: - - execute_coff - - -Coff - - ${object} - - -Function - - ${function} - - -Timeout - - ${timeout} - - -Arguments - - ${args} - execute_pe: - description: Execute a statically compiled executable that's been registered with register_file. - parameters: - binary: - type: string - description: The binary to execute. - args: - type: string - description: Arguments to pass to the binary. - cmdline: - - execute_pe - - -PE - - ${binary} - - -Arguments - - ${args} - exit: - description: Task agent to exit. - cmdline: - - exit - get_injection_techniques: - description: Show currently registered injection techniques as well as the current technique. - cmdline: - - get_injection_techniques - get_privs: - description: Enable as many privileges as possible for the current access token. - cmdline: - - getprivs - ifconfig: - description: Get Network Adapters and Interfaces - cmdline: - - ifconfig - inject: - description: Inject a new payload into a remote process. 
- parameters: - pid: - type: integer - description: The process ID to inject into. - payload: - type: string - description: The payload to inject. - cmdline: - - inject - - -PID - - ${pid} - - -Payload - - ${payload} - inline_assembly: - description: Execute a .NET assembly in the currently executing process that's been registered with register_file. - parameters: - Assembly: - type: string - description: The assembly to execute. - Arguments: - type: string - description: Additional arguments to pass to the assembly. - cmdline: - - inline_assembly - - -Assembly - - ${Assembly} - - -Arguments - - ${Arguments} - jobkill: - description: Kill a running job in the agent. - parameters: - jid: - type: integer - description: The job ID to kill. - cmdline: - - jobkill - - ${jid} - jobs: - description: List all running jobs. - cmdline: - - jobs - keylog_inject: - description: Inject a keylogger into a remote process. - parameters: - pid: - type: integer - description: The process ID to inject into. - cmdline: - - keylog_inject - - -PID - - ${pid} - kill: - description: Attempt to kill the process specified by [pid]. - parameters: - pid: - type: integer - description: The process ID to kill. - cmdline: - - kill - - -PID - - ${pid} - link: - description: Link to a P2P agent via SMB or TCP. - cmdline: - - link - load: - description: Load new commands into the agent. - parameters: - commands: - type: string - description: The commands to load. - cmdline: - - load - - ${commands} - ls: - description: List files and folders in [path]. Defaults to current working directory. - parameters: - path: - type: string - description: The path to list files and folders in. - cmdline: - - ls - - -Path - - ${path} - - make_token: - description: Impersonate a user using plaintext credentials. - cmdline: - - make_token - mimikatz: - description: Execute Mimikatz with the specified arguments. 
- parameters: - Command: - type: string - description: The command to execute - cmdline: - - mimikatz - - -Command - - ${Command} - mkdir: - description: Create a directory. - parameters: - dir: - type: string - description: The directory to create. - cmdline: - - mkdir - - -Path - - ${dir} - mv: - description: Move a file from source to destination. - parameters: - source: - type: string - description: The source file to move. - destination: - type: string - description: The destination to move the file to. - cmdline: - - mv - - -Path - - ${source} - - -Destination - - ${destination} - net_dclist: - description: List all domain controllers for the current or specified domain. - parameters: - domain: - type: string - description: The domain to list domain controllers for. - cmdline: - - net_dclist - - ${domain} - net_localgroup_member: - description: Retrieve membership information from a specified group on a given computer. - parameters: - Group: - type: string - description: The group to retrieve membership information from. - Computer: - type: string - description: The computer to retrieve membership information from. - cmdline: - - net_localgroup_member - - -Group - - ${Group} - - -Computer - - ${Computer} - net_localgroup: - description: Retrieve local groups known by a computer. Default to localhost. - parameters: - computer: - type: string - description: The computer to retrieve local groups from. - cmdline: - - net_localgroup - - ${computer} - net_shares: - description: Show shares of a remote PC. - parameters: - computer: - type: string - description: The computer to show shares from. - cmdline: - - net_shares - - -Computer - - ${computer} - netstat: - description: Get TCP and UDP connections. - parameters: - Tcp: - type: boolean - description: Get TCP connections. - Udp: - type: boolean - description: Get UDP connections. - Established: - type: boolean - description: Get established connections. 
- Listen: - type: boolean - description: Get listening connections. - cmdline: - - netstat - - -Tcp - - ${Tcp} - - -Udp - - ${Udp} - - -Established - - ${Established} - - -Listen - - ${Listen} - powerpick: - description: Executes PowerShell in a sacrificial process. - parameters: - command: - type: string - description: The command to execute. - cmdline: - - powerpick - - -Command - - ${command} - powershell: - description: Executes PowerShell in your currently running process. - parameters: - command: - type: string - description: The command to execute. - cmdline: - - powershell - - -Command - - ${command} - powershell_import: - description: Register a new .ps1 file to be used in other PowerShell jobs. - cmdline: - - powershell_import - ppid: - description: Set the PPID of sacrificial jobs to the specified PID. - parameters: - pid: - type: integer - description: The PID to set the PPID to. - cmdline: - - ppid - - -PID - - ${pid} - printspoofer: - description: Execute a command in SYSTEM integrity so long as you have SeImpersonate privileges. - parameters: - command: - type: string - description: The command to execute - cmdline: - - printspoofer - - -Command - - ${command} - ps: - description: List process information. - cmdline: - - ps - psinject: - description: Executes PowerShell in the process specified by [pid]. Currently stdout is not captured of child processes if not explicitly captured into a variable or via inline execution (such as $(whoami)). - parameters: - pid: - type: integer - description: The process ID to inject into. - command: - type: string - description: The command to execute - cmdline: - - psinject - - -PID - - ${pid} - - -Command - - ${command} - pth: - description: Use mimikatz's pth module to spawn a process with alternate credentials. - parameters: - domain: - type: string - description: The domain to use. - username: - type: string - description: The username to use. - ntlm_hash: - type: string - description: The NTLM hash to use. 
- aes128_key:
- type: string
- description: The AES128 key to use.
- aes256_key:
- type: string
- description: The AES256 key to use.
- program:
- type: string
- description: The program to run.
- cmdline:
- - pth
- - -Domain
- - ${domain}
- - -User
- - ${username}
- - -NTLM
- - ${ntlm_hash}
- - -AES128
- - ${aes128_key}
- - -AES256
- - ${aes256_key}
- - -Run
- - ${program}
- pwd:
- description: Print working directory.
- cmdline:
- - pwd
- reg_query:
- description: Query all subkeys of the specified registry path. Needs to be of the format HKCU:\, HKLM:\, or HKCR:\.
- parameters:
- Hive:
- type: string
- description: The registry hive to query.
- Key:
- type: string
- description: The registry key to query.
- cmdline:
- - reg_query
- - -Hive
- - ${Hive}
- - -Key
- - ${Key}
- reg_read_value:
- description: Read specified values from the registry keys.
- parameters:
- Hive:
- type: string
- description: The registry hive to read from.
- Key:
- type: string
- description: The registry key to read from.
- Name:
- type: string
- description: The value name to read.
- cmdline:
- - reg_read_value
- - -Hive
- - ${Hive}
- - -Key
- - ${Key}
- - -Name
- - ${Name}
- register_assembly:
- description: Register a .NET assembly with the agent to be used in .NET post-exploitation activities
- cmdline:
- - register_assembly
-
- register_file:
- description: Register a file to the agent's file cache. Used to store assemblies, executables, and PowerShell scripts.
- cmdline:
- - register_file
- rev2self:
- description: Revert the access token to the original access token.
- cmdline:
- - rev2self
- rm:
- description: Remove a file specified by [path]. Alternatively, if -File is provided, -Path will be used as the directory, and -File will be the filename.
- parameters:
- path:
- type: string
- description: The path to remove the file from.
- Host:
- type: string
- description: The hostname to remove the file from.
- File:
- type: string
- description: The file to remove.
- cmdline:
- - rm
- - -Path
- - ${path}
- - -Host
- - ${Host}
- - -File
- - ${File}
- run:
- description: Run the binary specified by [binary.exe] with passed arguments (if any).
- parameters:
- binary:
- type: string
- description: The binary to run.
- args:
- type: string
- description: The arguments to pass to the binary.
- cmdline:
- - run
- - -Executable
- - ${binary}
- - -Arguments
- - ${args}
- sc:
- description: .NET implementation of the Service Control Manager.
- parameters:
- Query:
- type: boolean
- description: Query a service.
- Start:
- type: boolean
- description: Start a service.
- Stop:
- type: boolean
- description: Stop a service.
- Create:
- type: boolean
- description: Create a service.
- Delete:
- type: boolean
- description: Delete a service.
- Computer:
- type: string
- description: The computer to perform the action on.
- DisplayName:
- type: string
- description: The display name of the service.
- ServiceName:
- type: string
- description: The service name.
- BinPath:
- type: string
- description: The binary path of the service.
- cmdline:
- - sc
- - -Query
- - ${Query}
- - -Start
- - ${Start}
- - -Stop
- - ${Stop}
- - -Create
- - ${Create}
- - -Delete
- - ${Delete}
- - -Computer
- - ${Computer}
- - -DisplayName
- - ${DisplayName}
- - -ServiceName
- - ${ServiceName}
- - -BinPath
- - ${BinPath}
- screenshot_inject:
- description: Get a screenshot of the desktop session associated with PID every Interval seconds for Count screenshots.
- parameters:
- pid:
- type: integer
- description: The process ID to inject into.
- Interval:
- type: integer
- description: The interval to take screenshots.
- Count:
- type: integer
- description: The number of screenshots to take.
- cmdline:
- - screenshot_inject
- - -PID
- - ${pid}
- - -Interval
- - ${Interval}
- - -Count
- - ${Count}
- screenshot:
- description: Get a screenshot of the current screen.
- cmdline:
- - screenshot
- set_injection_technique:
- description: Set the injection technique used in post-ex jobs that require injection.
- parameters:
- technique:
- type: string
- description: The injection technique to use.
- cmdline:
- - set_injection_technique
- - ${technique}
- shell:
- description: Run a shell command which will translate to a process being spawned with command line (cmd.exe /S /c [command])
- parameters:
- command:
- type: string
- description: The command to execute
- cmdline:
- - shell
- - ${command}
- shinject:
- description: Inject given shellcode into a specified pid.
- parameters:
- pid:
- type: integer
- description: The process ID to inject into.
- shellcode:
- type: string
- description: The shellcode to inject.
- cmdline:
- - shinject
- - -PID
- - ${pid}
- - -Shellcode
- - ${shellcode}
- sleep:
- description: Set the callback interval of the agent in seconds.
- parameters:
- seconds:
- type: integer
- description: The number of seconds to sleep.
- cmdline:
- - sleep
- - ${seconds}
- socks:
- description: Standup the socks server to proxy network traffic, routable via Mythic on [port].
- parameters:
- port:
- type: integer
- description: The port to standup the socks server on.
- cmdline:
- - socks
- - -Port
- - ${port}
- spawn:
- description: Spawn a new callback in the postex process specified by spawnto_*.
- cmdline:
- - spawn
- spawnto_x64:
- description: Sets the process used in jobs requiring sacrificial processes to the specified [path] with arguments [args].
- parameters:
- Application:
- type: string
- description: The path to the application.
- Arguments:
- type: string
- description: The arguments to pass to the application.
- cmdline:
- - spawnto_x64
- - -Application
- - ${Application}
- - -Arguments
- - ${Arguments}
- spawnto_x86:
- description: Sets the process used in jobs requiring sacrificial processes to the specified [path] with arguments [args].
- parameters:
- Application:
- type: string
- description: The path to the application.
- Arguments:
- type: string
- description: The arguments to pass to the application.
- cmdline:
- - spawnto_x86
- - -Application
- - ${Application}
- - -Arguments
- - ${Arguments}
- steal_token:
- description: Attempts to steal the process's primary token specified by [pid] and apply it to our own session.
- parameters:
- pid:
- type: integer
- description: The process ID to steal the token from.
- cmdline:
- - steal_token
- - ${pid}
- unlink:
- description: Unlink a callback linked to via the link command. Modal popup only.
- cmdline:
- - unlink
- upload:
- description: Upload a file to a remote path on the machine. Modal popup only.
- parameters:
- file:
- type: string
- description: The file to upload.
- path:
- type: string
- description: The path to upload the file to.
- cmdline:
- - upload
- - -File
- - ${file}
- - -Path
- - ${path}
- whoami:
- description: Report access token for local and remote operations.
- cmdline:
- - whoami
\ No newline at end of file