Updated Logging output/Added Export Op Logs menu

2017-04-25 15:16:44 -04:00 · 2017-04-25 15:16:44 -04:00 · 8de5a93b0a
parent 6b61173f68
commit 8de5a93b0a
1 changed files with 110 additions and 15 deletions
--- a/All_In_One.cna
+++ b/All_In_One.cna
@ -12,6 +12,7 @@
 #	TO DO: Add in Custom output for Net sessions/Net user "domain admins" /domain/netstat connections
 #	TO DO: Easy to use Registry Editor using command line. (PowerShell)
 #	TO DO: Add in Reverse Brute Force Script based on net user.
+#	TO DO: Implement Invoke-Hash from https://github.com/Kevin-Robertson/Invoke-TheHash
 #
 #
 ##Update 2/22/17: Added DCOM Lateral Movement and removed Hyperion Persistence
@ -29,6 +30,7 @@
 ##Update 4/4/17: Updated Enumeration Alias.
 ##Update 4/5/17: Updated Wmic_Enum Alias.
 ##Update 4/6/17: Added mimikatz-timestamp sub function. Thanks to bluescreenofjeff for source code.
+##Update 4/25/17: Updated logging timestamps/output and added Export Op Logs menu.

 # needed imports for custom menu creation
 import java.awt.*; # for borderlayout
@ -73,6 +75,17 @@ global('%sleepsettings');
 %sleepsettings["to_h"] = "06";
 %sleepsettings["to_m"] = "00";

+#Logging
+menubar("Export OP Logs", "exportlogs", 2);
+popup exportlogs {
+	item "&Export OP Logs to HTML" {
+		prompt_confirm("Do you want to consolidate all OP Logs? (Recommended for Post Operation)", "Log Consolidation", {
+			show_message("Consolidating all OP Logs...");
+			exec("/opt/cobaltstrike/logs.py " . mynick());
+		});
+	}
+}
+
 #Task All Menu
 menubar("Task All", "taskall", 2);
 popup taskall {
@ -179,9 +192,9 @@ global(@avlist);
 set BEACON_INPUT {
    $bd = bdata($1);
    if ($2 eq mynick()) {
-        return "\U" . mynick() . "\U" . "\U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) . "\o> $3";
+        return "\U" . mynick() . "\U" . "\U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss') . "\o> $3";
    } else {
-        return "\U" . mynick() . "\U" . "$2 \U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) ."\o> $3";
+        return "\U" . mynick() . "\U" . "$2 \U[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss') ."\o> $3";
    }
 }

@ -192,7 +205,7 @@ on beacon_input {
 	if($2 eq mynick()) {
 		$in = openf(">>/opt/cobaltstrike/logs/operator_logs/operator_input/" . formatDate($4, 'yyyyMMMdd') . "_" . mynick() . ".log");

-		writeb($in, mynick() . "[" . $bd['internal'] . "_" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) . "> $3" . "\n");
+		writeb($in, mynick() . "[" . $bd['internal'] . "_" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss') . "> $3" . "\n");

 		closef($in);
 	}
@ -204,30 +217,66 @@ on beacon_output {

 	$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");

-	println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . tstamp(ticks()) . "\n");
+	println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
 	println($out, "$2" . "\n");

 	closef($out);
 }

+on beacon_output_alt {
+
+	$bd = bdata($1);
+	local('$out');
+
+	$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
+
+	println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
+	println($out, "$2" . "\n");
+
+	closef($out);
+
+}
+
+on beacon_tasked {
+
+	$bd = bdata($1);
+	local('$out');
+
+	$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
+
+	println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
+	println($out, "$2" . "\n");
+
+	closef($out);
+
+}
 # output for the ps command too
 set BEACON_OUTPUT_PS {

 	$bd = bdata($1);
+	local('$out');
+
+	$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
+
+	println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
+	println($out, "$2" . "\n");
+
+	closef($out);
+
 	$handle = openf(script_resource("av_hips_executables.txt"));

 	while $line (readln($handle)) {
 		push(@avlist,$line);
 	}

-	local('$out $temp $name $ppid $pid $arch $user $session @ps');
-	$out .= "\cC[*]\o Process List with process highlighting of AV/HIPS, Browsers, Explorer/Winlogon, current processes\n";
-	$out .= "\cC[*]\o Current Running PID: \c8 Yellow \o \n";
-	$out .= "\cC[*]\o AV/HIPS: \c4 RED \o \n";
-	$out .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
-	$out .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n\n";
-	$out .= " PID   PPID  Name                         Arch  Session     User\n";
-	$out .= "\cE ---   ----  ----                         ----  -------     -----\n";
+	local('$outps $temp $name $ppid $pid $arch $user $session @ps');
+	$outps .= "\cC[*]\o Process List with process highlighting of AV/HIPS, Browsers, Explorer/Winlogon, current processes\n";
+	$outps .= "\cC[*]\o Current Running PID: \c8 Yellow \o \n";
+	$outps .= "\cC[*]\o AV/HIPS: \c4 RED \o \n";
+	$outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
+	$outps .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n\n";
+	$outps .= " PID   PPID  Name                         Arch  Session     User\n";
+	$outps .= "\cE ---   ----  ----                         ----  -------     -----\n";

 	foreach $temp (split("\n", ["$2" trim])) {
 		($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp);
@ -262,11 +311,57 @@ set BEACON_OUTPUT_PS {
 	# append to our outstring
 	foreach $temp (@ps) {

-		$out .= "$temp['entry'] \n";
+		$outps .= "$temp['entry'] \n";

 		}

-	return $out;
+	return $outps;
+}
+
+set BEACON_OUTPUT_LS {
+
+	$bd = bdata($1);
+	local('$out');
+
+	$out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
+
+	println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
+	println($out, $outls . "$2" . "\n");
+
+	closef($out);
+
+	local('$outls @results $cwd $entry $type $size $modified $name');
+	@results = split("\n", ["$2" trim]);
+
+	$cwd = left(shift(@results), -1);	# first entry is the current folder
+
+	# parse/process results
+	foreach $entry (@results) {
+		($type, $size, $modified, $name) = split("\t", $entry);
+		if ($type eq "F") {
+			$entry = %(type => "fil", size => format_size($size), modified => $modified, name => $name);
+		}
+		else if ($type eq "D" && $name ne "." && $name ne "..") {
+			$entry = %(type => "dir", size => "", modified => $modified, name => $name);
+		}
+		else {
+			remove();
+		}
+	}
+
+	# sort in alpha order with dir listings on top.
+	sort({ return ($1['type'] . lc($1['name'])) cmp ($2['type'] . lc($2['name'])); }, @results);
+
+	$outls .= "\cC[*]\o Listing: $cwd $+ \n\n";
+	$outls .= " Size     Type    Last Modified         Name\n";   
+	$outls .= "\cE ----     ----    -------------         ----\n";
+
+	foreach $entry (@results) {
+		($type, $size, $modified, $name) = values($entry, @('type', 'size', 'modified', 'name'));
+		$outls .= " $[8]size $[7]type $[21]modified $name $+ \n";
+	}
+
+	return $outls;
 }

 sub getexplorerpid {