Add -X for powershell execution

Author: NeffIsBack

nxc/protocols/wmi.py

@@ -409,7 +409,7 @@ def wmi(self, wql=None, namespace=None):
             return records
 
     @requires_admin
-    def execute(self, command=None, get_output=False):
+    def execute(self, command=None, get_output=False, use_powershell=False):
         output = ""
 
         # Execution via -x
@@ -428,18 +428,38 @@ def execute(self, command=None, get_output=False):
 
         if self.args.exec_method == "wmiexec":
             exec_method = wmiexec.WMIEXEC(self.remoteName, self.username, self.password, self.domain, self.lmhash, self.nthash, self.doKerberos, self.kdcHost, self.host, self.aesKey, self.logger, self.args.exec_timeout, self.args.codec)
-            output = exec_method.execute(command, get_output)
+            output = exec_method.execute(command, get_output, use_powershell=use_powershell)
 
         elif self.args.exec_method == "wmiexec-event":
             exec_method = wmiexec_event.WMIEXEC_EVENT(self.remoteName, self.username, self.password, self.domain, self.lmhash, self.nthash, self.doKerberos, self.kdcHost, self.host, self.aesKey, self.logger, self.args.exec_timeout, self.args.codec)
-            output = exec_method.execute(command, get_output)
+            output = exec_method.execute(command, get_output, use_powershell=use_powershell)
 
         self.conn.disconnect()
         if self.args.execute and get_output:
             self.logger.success(f'Executed command: "{command}" via {self.args.exec_method}')
             buf = StringIO(output).readlines()
             for line in buf:
-                self.logger.highlight(line.strip())
+                if line.strip():
+                    self.logger.highlight(line.strip())
             return output
         else:
             return output
+
+    def execute_psh(self, command=None, get_output=False):
+        # Execution via -X
+        if not command and self.args.execute_psh:
+            command = self.args.execute_psh
+            if not self.args.no_output:
+                get_output = True
+
+        output = self.execute(command, get_output, use_powershell=True)
+
+        if self.args.execute_psh and get_output:
+            self.logger.success(f'Executed PowerShell command: "{command}" via {self.args.exec_method}')
+            buf = StringIO(output).readlines()
+            for line in buf:
+                if line.strip().rstrip("\ufeff"):
+                    self.logger.highlight(line.strip())
+            return output
+        else:
+            return output

nxc/protocols/wmi/proto_args.py

@@ -16,6 +16,7 @@ def proto_args(parser, parents):
     cgroup = wmi_parser.add_argument_group("Command Execution", "Options for executing commands")
     cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
     cgroup.add_argument("-x", metavar="COMMAND", dest="execute", type=str, help="Creates a new cmd process and executes the specified command with output")
+    cgroup.add_argument("-X", metavar="COMMAND", dest="execute_psh", type=str, help="Creates a new PowerShell process and executes the specified command with output")
     cgroup.add_argument("--exec-method", choices={"wmiexec", "wmiexec-event"}, default="wmiexec", help="method to execute the command. (default: wmiexec). [wmiexec (win32_process + StdRegProv)]: get command results over registry instead of using smb connection. [wmiexec-event (T1546.003)]: this method is not very stable, highly recommend use this method in single host, using on multiple hosts may crash (just try again if it crashed).")
     cgroup.add_argument("--exec-timeout", default=2, metavar="exec_timeout", dest="exec_timeout", type=int, help="Set timeout (in seconds) when executing a command, minimum 5 seconds is recommended. Default: %(default)s")
     cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")

nxc/protocols/wmi/wmiexec.py

@@ -58,7 +58,7 @@ def execute(self, command, output=False, use_powershell=False):
         - Output with bash (limited to ~1MB)
         - Output with PowerShell (recommended for larger outputs)
         """
-        if output:
+        if output and not use_powershell:
             self.execute_WithOutput(command)
         elif output and use_powershell:
             self.execute_WithOutput_psh(command)
@@ -125,7 +125,7 @@ def execute_WithOutput_psh(self, command):
         self.__registry_Path = f"Software\\Classes\\test_nxc_{gen_random_string(6)}"
 
         # 1. Run the command and write output to file
-        self.execute_remote(f'powershell {command} 1> "{result_output}" 2>&1')
+        self.execute_remote(f'powershell -Command {command} 1> "{result_output}" 2>&1')
         self.logger.info(f"Waiting {self.__exec_timeout}s for command to complete.")
         time.sleep(self.__exec_timeout)
 
@@ -173,7 +173,7 @@ def queryRegistry_psh(self, keyName):
                 chunk_name = f"{keyName}_chunk_{i}"
                 self.logger.debug(f"Retrieving chunk: {chunk_name}")
                 outputBuffer_b64 += descriptor.GetStringValue(0x80000002, self.__registry_Path, chunk_name).sValue
-            self.__outputBuffer = base64.b64decode(outputBuffer_b64).decode(self.__codec, errors="replace").rstrip("\r\n")
+            self.__outputBuffer = base64.b64decode(outputBuffer_b64).decode("utf-16le", errors="replace").rstrip("\r\n")
         except Exception:
             self.logger.fail("WMIEXEC: Could not retrieve output file! Either command timed out or AV killed the process. Please try increasing the timeout: '--exec-timeout 10'")
 

nxc/protocols/wmi/wmiexec_event.py

@@ -57,9 +57,11 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         self.__iWbemServices = iWbemLevel1Login.NTLMLogin("//./root/subscription", NULL, NULL)
         iWbemLevel1Login.RemRelease()
 
-    def execute(self, command, output=False):
+    def execute(self, command, output=False, use_powershell=False):
         if "'" in command:
             command = command.replace("'", r'"')
+        if use_powershell:
+            command = f"powershell.exe -Command {command}"
         self.__retOutput = output
         self.execute_handler(command)