From 70d68dd08fb23d5b51c50c6450d7a3650cc8b92d Mon Sep 17 00:00:00 2001 From: Harley Lebeau Date: Wed, 21 Mar 2018 21:10:00 -0600 Subject: [PATCH] Written by @001SPARTaN --- logvis.cna | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 logvis.cna diff --git a/logvis.cna b/logvis.cna new file mode 100644 index 0000000..44f2524 --- /dev/null +++ b/logvis.cna @@ -0,0 +1,128 @@ +# Beacon Log visualization +# 001SPARTaN (for r3dqu1nn) + +import ui.*; +import table.*; + +import java.awt.*; +import javax.swing.*; +import javax.swing.table.*; + +global('$model $console $table'); + +sub updateTable { + fork({ + local('$entry'); + + # Clear the model so we can put new stuff in it. + [$model clear: 1024]; + + foreach @entry (data_query('beaconlog')) { + if (@entry[0] eq "beacon_input") { + %modelEntry['operator'] = @entry[2]; + $bid = @entry[1]; + %modelEntry['ip'] = binfo($bid, "internal"); + %modelEntry['hostname'] = binfo($bid, "computer"); + %modelEntry['user'] = binfo($bid, "user"); + %modelEntry['pid'] = binfo($bid, "pid"); + %modelEntry['command'] = @entry[3]; + %modelEntry['timestamp'] = formatDate(@entry[4], "MMM D HH:mm:ss z"); + # Add the new entry to $model + [$model addEntry: %modelEntry]; + } + } + # Update with the new table + [$model fireListeners]; + }, \$model); +} + +# setupPopupMenu provided by Raphael Mudge +# https://gist.github.com/rsmudge/87ce80cd8d8d185c5870d559af2dc0c2 +sub setupPopupMenu { + # we're using fork({}) to run this in a separate Aggressor Script environment. + # This reduces deadlock potential due to Sleep's global interpreter lock + # + # this especially matters as our mouse listener will be fired for *everything* + # to include mouse movements. + fork({ + [$component addMouseListener: lambda({ + if ([$1 isPopupTrigger]) { + # If right click, show popup + show_popup($1, $name, $component); + } + }, \$component, \$name)]; + }, $component => $1, $name => $2, $model => $model, $table => $table); +} + +sub createVisualization { + this('$client'); + # GenericTableModel from table.* + # Has columns for email and token, defaults to sorting by token + $model = [new GenericTableModel: @("operator", "ip", "hostname", "user", "pid", "command", "timestamp"), "beacon", 16]; + + # Create a table from the GenericTableModel + $table = [new ATable: $model]; + + # Controls how the column headers will sort the table + $sorter = [new TableRowSorter: $model]; + [$sorter toggleSortOrder: 3]; + # setComparator for email + [$sorter setComparator: 0, { + return $1 cmp $2; + }]; + # setComparator for token + [$sorter setComparator: 1, { + return $1 cmp $2; + }]; + # setComparator for timestamp + [$sorter setComparator: 2, { + return $1 cmp $2; + }]; + # setComparator for click count + [$sorter setComparator: 3, { + return $1 <=> $2; + }]; + + # Set $sorter as the row sorter for $table + [$table setRowSorter: $sorter]; + + # Create a split pane (divider you can drag around) + $content = [new JScrollPane: $table]; + + # Set popup menu for the table + setupPopupMenu($table, "command_log"); + + updateTable(); + + # Register the visualization with CS + addVisualization("Beacon Command Log", $content); +} + +createVisualization(); + +popup command_log { + item "Copy" { + println("Right click captured!"); + $selected = ""; + foreach $row ([$table getSelectedRows]) { + # operator [ip_hostname] user/proc | timestamp> command + $operator = [$model getValueAt: $row, 0]; + $ip = [$model getValueAt: $row, 1]; + $hostname = [$model getValueAt: $row, 2]; + $user = [$model getValueAt: $row, 3]; + $proc = [$model getValueAt: $row, 4]; + $time = [$model getValueAt: $row, 6]; + $command = [$model getValueAt: $row, 5]; + + $selected .= "$operator \[$ip\_$hostname\] $user\/$proc | $time\> $command\n"; + } + add_to_clipboard($selected); + } +} + +popup view { + item "Command Log" { + # Show the visualization + showVisualization("Beacon Command Log"); + } +}