Updated Logging output/Added Export Op Logs menu

Logging
Harley Lebeau 2017-04-25 15:16:44 -04:00 committed by GitHub
parent 6b61173f68
commit 8de5a93b0a
1 changed files with 110 additions and 15 deletions


@ -12,6 +12,7 @@
# TO DO: Add in Custom output for Net sessions/Net user "domain admins" /domain/netstat connections # TO DO: Add in Custom output for Net sessions/Net user "domain admins" /domain/netstat connections
# TO DO: Easy to use Registry Editor using command line. (PowerShell) # TO DO: Easy to use Registry Editor using command line. (PowerShell)
# TO DO: Add in Reverse Brute Force Script based on net user. # TO DO: Add in Reverse Brute Force Script based on net user.
# TO DO: Implement Invoke-Hash from https://github.com/Kevin-Robertson/Invoke-TheHash
# #
# #
##Update 2/22/17: Added DCOM Lateral Movement and removed Hyperion Persistence ##Update 2/22/17: Added DCOM Lateral Movement and removed Hyperion Persistence
@ -29,6 +30,7 @@
##Update 4/4/17: Updated Enumeration Alias. ##Update 4/4/17: Updated Enumeration Alias.
##Update 4/5/17: Updated Wmic_Enum Alias. ##Update 4/5/17: Updated Wmic_Enum Alias.
##Update 4/6/17: Added mimikatz-timestamp sub function. Thanks to bluescreenofjeff for source code. ##Update 4/6/17: Added mimikatz-timestamp sub function. Thanks to bluescreenofjeff for source code.
##Update 4/25/17: Updated logging timestamps/output and added Export Op Logs menu.
# needed imports for custom menu creation # needed imports for custom menu creation
import java.awt.*; # for borderlayout import java.awt.*; # for borderlayout
@ -73,6 +75,17 @@ global('%sleepsettings');
%sleepsettings["to_h"] = "06"; %sleepsettings["to_h"] = "06";
%sleepsettings["to_m"] = "00"; %sleepsettings["to_m"] = "00";
#Logging
menubar("Export OP Logs", "exportlogs", 2);
popup exportlogs {
item "&Export OP Logs to HTML" {
prompt_confirm("Do you want to consolidate all OP Logs? (Recommended for Post Operation)", "Log Consolidation", {
show_message("Consolidating all OP Logs...");
exec("/opt/cobaltstrike/logs.py " . mynick());
});
}
}
#Task All Menu #Task All Menu
menubar("Task All", "taskall", 2); menubar("Task All", "taskall", 2);
popup taskall { popup taskall {
@ -179,9 +192,9 @@ global(@avlist);
set BEACON_INPUT { set BEACON_INPUT {
$bd = bdata($1); $bd = bdata($1);
if ($2 eq mynick()) { if ($2 eq mynick()) {
return "\U" . mynick() . "\U" . "\U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) . "\o> $3"; return "\U" . mynick() . "\U" . "\U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss') . "\o> $3";
} else { } else {
return "\U" . mynick() . "\U" . "$2 \U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) ."\o> $3"; return "\U" . mynick() . "\U" . "$2 \U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss') ."\o> $3";
} }
} }
@ -192,7 +205,7 @@ on beacon_input {
if($2 eq mynick()) { if($2 eq mynick()) {
$in = openf(">>/opt/cobaltstrike/logs/operator_logs/operator_input/" . formatDate($4, 'yyyyMMMdd') . "_" . mynick() . ".log"); $in = openf(">>/opt/cobaltstrike/logs/operator_logs/operator_input/" . formatDate($4, 'yyyyMMMdd') . "_" . mynick() . ".log");
writeb($in, mynick() . "[" . $bd['internal'] . "_" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) . "> $3" . "\n"); writeb($in, mynick() . "[" . $bd['internal'] . "_" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss') . "> $3" . "\n");
closef($in); closef($in);
} }
@ -204,30 +217,66 @@ on beacon_output {
$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log"); $out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) . "\n"); println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
println($out, "$2" . "\n"); println($out, "$2" . "\n");
closef($out); closef($out);
} }
on beacon_output_alt {
$bd = bdata($1);
local('$out');
$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
println($out, "$2" . "\n");
closef($out);
}
on beacon_tasked {
$bd = bdata($1);
local('$out');
$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
println($out, "$2" . "\n");
closef($out);
}
# output for the ps command too # output for the ps command too
set BEACON_OUTPUT_PS { set BEACON_OUTPUT_PS {
$bd = bdata($1); $bd = bdata($1);
local('$out');
$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
println($out, "$2" . "\n");
closef($out);
$handle = openf(script_resource("av_hips_executables.txt")); $handle = openf(script_resource("av_hips_executables.txt"));
while $line (readln($handle)) { while $line (readln($handle)) {
push(@avlist,$line); push(@avlist,$line);
} }
local('$out $temp $name $ppid $pid $arch $user $session @ps'); local('$outps $temp $name $ppid $pid $arch $user $session @ps');
$out .= "\cC[*]\o Process List with process highlighting of AV/HIPS, Browsers, Explorer/Winlogon, current processes\n"; $outps .= "\cC[*]\o Process List with process highlighting of AV/HIPS, Browsers, Explorer/Winlogon, current processes\n";
$out .= "\cC[*]\o Current Running PID: \c8 Yellow \o \n"; $outps .= "\cC[*]\o Current Running PID: \c8 Yellow \o \n";
$out .= "\cC[*]\o AV/HIPS: \c4 RED \o \n"; $outps .= "\cC[*]\o AV/HIPS: \c4 RED \o \n";
$out .= "\cC[*]\o Browsers: \c3 GREEN \o \n"; $outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
$out .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n\n"; $outps .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n\n";
$out .= " PID PPID Name Arch Session User\n"; $outps .= " PID PPID Name Arch Session User\n";
$out .= "\cE --- ---- ---- ---- ------- -----\n"; $outps .= "\cE --- ---- ---- ---- ------- -----\n";
foreach $temp (split("\n", ["$2" trim])) { foreach $temp (split("\n", ["$2" trim])) {
($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp); ($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp);
@ -262,11 +311,57 @@ set BEACON_OUTPUT_PS {
# append to our outstring # append to our outstring
foreach $temp (@ps) { foreach $temp (@ps) {
$out .= "$temp['entry'] \n"; $outps .= "$temp['entry'] \n";
} }
return $out; return $outps;
}
set BEACON_OUTPUT_LS {
$bd = bdata($1);
local('$out');
$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
println($out, $outls . "$2" . "\n");
closef($out);
local('$outls @results $cwd $entry $type $size $modified $name');
@results = split("\n", ["$2" trim]);
$cwd = left(shift(@results), -1); # first entry is the current folder
# parse/process results
foreach $entry (@results) {
($type, $size, $modified, $name) = split("\t", $entry);
if ($type eq "F") {
$entry = %(type => "fil", size => format_size($size), modified => $modified, name => $name);
}
else if ($type eq "D" && $name ne "." && $name ne "..") {
$entry = %(type => "dir", size => "", modified => $modified, name => $name);
}
else {
remove();
}
}
# sort in alpha order with dir listings on top.
sort({ return ($1['type'] . lc($1['name'])) cmp ($2['type'] . lc($2['name'])); }, @results);
$outls .= "\cC[*]\o Listing: $cwd $+ \n\n";
$outls .= " Size Type Last Modified Name\n";
$outls .= "\cE ---- ---- ------------- ----\n";
foreach $entry (@results) {
($type, $size, $modified, $name) = values($entry, @('type', 'size', 'modified', 'name'));
$outls .= " $[8]size $[7]type $[21]modified $name $+ \n";
}
return $outls;
} }
sub getexplorerpid { sub getexplorerpid {