Add powershell command execution method instead of using powershell in normal exec

NeffIsBack · NeffIsBack · commit cb3564117d12 · 2025-07-23T15:34:04.000-04:00
diff --git a/nxc/protocols/wmi.py b/nxc/protocols/wmi.py
@@ -208,7 +208,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             username = ccache.credentials[0].header["client"].prettyPrint().decode().split("@")[0]
             self.username = username
         used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
-        
+
         try:
             self.logger.debug(f"Attempting to connect via WMI to {self.host}")
             self.conn.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash, aesKey=self.aesKey)
@@ -369,7 +369,7 @@ def hash_login(self, domain, username, ntlm_hash):
     @requires_admin
     def wmi(self, wql=None, namespace=None):
         """Execute WQL syntax via WMI
-        
+
         This is done via the --wmi flag
         """
         records = []
diff --git a/nxc/protocols/wmi/wmiexec.py b/nxc/protocols/wmi/wmiexec.py
@@ -51,9 +51,17 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         iWbemLevel1Login.RemRelease()
         self.__win32Process, _ = self.__iWbemServices.GetObject("Win32_Process")
 
-    def execute(self, command, output=False):
+    def execute(self, command, output=False, use_powershell=False):
+        """Execute a command on the remote host using WMI.
+        Options:
+        - No output
+        - Output with bash (limited to ~1MB)
+        - Output with PowerShell (recommended for larger outputs)
+        """
         if output:
             self.execute_WithOutput(command)
+        elif output and use_powershell:
+            self.execute_WithOutput_psh(command)
         else:
             command = self.__shell + command
             self.execute_remote(command)
@@ -80,13 +88,54 @@ def execute_WithOutput(self, command):
         self.logger.info(f"Waiting {self.__exec_timeout}s for command to complete.")
         time.sleep(self.__exec_timeout)
 
+        # 2. Base64 encode the file
+        self.execute_remote(f"{self.__shell} certutil -encodehex -f {result_output} {result_output_b64} 0x40000001")
+        time.sleep(0.5)
+
+        # 3. Store content in registry
+        self.execute_remote(f'{self.__shell} for /F "usebackq" %G in ("{result_output_b64}") do reg add HKLM\\{self.__registry_Path} /v {keyName} /t REG_SZ /d "%G" /f')
+        time.sleep(0.1)
+
+        self.queryRegistry(keyName)
+        self.clean_up(result_output, result_output_b64)
+
+    def queryRegistry(self, keyName):
+        try:
+            # Spawn an instance of StdRegProv to access the registry
+            self.logger.debug(f"Retrieving output from: HKLM\\{self.__registry_Path}")
+            descriptor, _ = self.__iWbemServices.GetObject("StdRegProv")
+            descriptor = descriptor.SpawnInstance()
+
+            # Retrieve the base64 content from the registry
+            for _ in range(10):
+                self.logger.debug(f"Retrieving key: {keyName}")
+                outputBuffer_b64 = descriptor.GetStringValue(0x80000002, self.__registry_Path, keyName).sValue
+                if outputBuffer_b64 is not None:
+                    break
+                time.sleep(1)
+            self.__outputBuffer = base64.b64decode(outputBuffer_b64).decode(self.__codec, errors="replace").rstrip("\r\n")
+        except Exception:
+            self.logger.fail("WMIEXEC: Could not retrieve output file! Either command timed out or AV killed the process. Please try increasing the timeout: '--exec-timeout 10'")
+
+    def execute_WithOutput_psh(self, command):
+        """Same functionality as execute_WithOutput, but uses PowerShell to handle larger outputs by splitting the base64 content into chunks and storing it in the registry."""
+        result_output = f"C:\\windows\\temp\\{uuid.uuid4()!s}.txt"
+        result_output_b64 = f"C:\\windows\\temp\\{uuid.uuid4()!s}.txt"
+        keyName = str(uuid.uuid4())
+        self.__registry_Path = f"Software\\Classes\\test_nxc_{gen_random_string(6)}"
+
+        # 1. Run the command and write output to file
+        self.execute_remote(f'powershell {command} 1> "{result_output}" 2>&1')
+        self.logger.info(f"Waiting {self.__exec_timeout}s for command to complete.")
+        time.sleep(self.__exec_timeout)
+
         # 2. Base64 encode the file using PowerShell
-        self.execute_remote(f'{self.__shell} powershell -Command "[Convert]::ToBase64String([IO.File]::ReadAllBytes(\'{result_output}\')) | Out-File -Encoding ASCII \'{result_output_b64}\'"')
+        self.execute_remote(f'powershell -Command "[Convert]::ToBase64String([IO.File]::ReadAllBytes(\'{result_output}\')) | Out-File -Encoding ASCII \'{result_output_b64}\'"')
         time.sleep(0.5)
 
         # 3. Use PowerShell to split base64 content into 16KB chunks and store in registry
         self.execute_remote(
-            f'{self.__shell} powershell -Command "$b64 = Get-Content -Raw \'{result_output_b64}\'; '
+            f'powershell -Command "$b64 = Get-Content -Raw \'{result_output_b64}\'; '
             f'$chunksize = 16000; '
             f'$count = [math]::Ceiling($b64.Length / $chunksize); '
             f'for ($i = 0; $i -lt $count; $i++) {{ '
@@ -97,10 +146,10 @@ def execute_WithOutput(self, command):
         )
         time.sleep(0.1)
 
-        self.queryRegistry(keyName)
+        self.queryRegistry_psh(keyName)
         self.clean_up(result_output, result_output_b64)
 
-    def queryRegistry(self, keyName):
+    def queryRegistry_psh(self, keyName):
         try:
             # Spawn an instance of StdRegProv to access the registry
             self.logger.debug(f"Retrieving output from: HKLM\\{self.__registry_Path}")
