Update atexec.py to prevent detectino with hardcoded timestamp

Author: NeffIsBack

nxc/modules/schtask_as.py

@@ -166,7 +166,7 @@ def output_callback(self, data):
         self.__outputBuffer = data
 
     def get_end_boundary(self):
-        # Get current date and time
+        # Get current date and time + 5 minutes
         end_boundary = datetime.now() + timedelta(minutes=5)
 
         # Format it to match the format in the XML: "YYYY-MM-DDTHH:MM:SS.ssssss"

nxc/protocols/smb/atexec.py

@@ -4,6 +4,7 @@
 from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
 from nxc.helpers.misc import gen_random_string
 from time import sleep
+from datetime import datetime, timedelta
 
 
 class TSCH_EXEC:
@@ -60,17 +61,20 @@ def execute(self, command, output=False):
     def output_callback(self, data):
         self.__outputBuffer = data
 
+    def get_end_boundary(self):
+        # Get current date and time + 5 minutes
+        end_boundary = datetime.now() + timedelta(minutes=5)
+
+        # Format it to match the format in the XML: "YYYY-MM-DDTHH:MM:SS.ssssss"
+        return end_boundary.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
+
     def gen_xml(self, command, fileless=False):
-        xml = """<?xml version="1.0" encoding="UTF-16"?>
+        xml = f"""<?xml version="1.0" encoding="UTF-16"?>
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
   <Triggers>
-    <CalendarTrigger>
-      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
-      <Enabled>true</Enabled>
-      <ScheduleByDay>
-        <DaysInterval>1</DaysInterval>
-      </ScheduleByDay>
-    </CalendarTrigger>
+    <RegistrationTrigger>
+      <EndBoundary>{self.get_end_boundary()}</EndBoundary>
+    </RegistrationTrigger>
   </Triggers>
   <Principals>
     <Principal id="LocalSystem">