Execute each command seperatly so files are still deleted when previous commands fail

NeffIsBack · NeffIsBack · commit ffa46360a7d8 · 2025-07-20T14:04:52.000-04:00
diff --git a/nxc/protocols/wmi/proto_args.py b/nxc/protocols/wmi/proto_args.py
@@ -17,7 +17,7 @@ def proto_args(parser, parents):
     cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
     cgroup.add_argument("-x", metavar="COMMAND", dest="execute", type=str, help="Creates a new cmd process and executes the specified command with output")
     cgroup.add_argument("--exec-method", choices={"wmiexec", "wmiexec-event"}, default="wmiexec", help="method to execute the command. (default: wmiexec). [wmiexec (win32_process + StdRegProv)]: get command results over registry instead of using smb connection. [wmiexec-event (T1546.003)]: this method is not very stable, highly recommend use this method in single host, using on multiple hosts may crash (just try again if it crashed).")
-    cgroup.add_argument("--exec-timeout", default=5, metavar="exec_timeout", dest="exec_timeout", type=int, help="Set timeout (in seconds) when executing a command, minimum 5 seconds is recommended. Default: %(default)s")
+    cgroup.add_argument("--exec-timeout", default=3, metavar="exec_timeout", dest="exec_timeout", type=int, help="Set timeout (in seconds) when executing a command, minimum 5 seconds is recommended. Default: %(default)s")
     cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
     return parser
 
diff --git a/nxc/protocols/wmi/wmiexec.py b/nxc/protocols/wmi/wmiexec.py
@@ -39,7 +39,6 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         self.__exec_timeout = exec_timeout
         self.__registry_Path = ""
         self.__outputBuffer = ""
-        self.__retOutput = True
 
         self.__shell = "cmd.exe /Q /c "
         self.__pwd = "C:\\"
@@ -53,8 +52,7 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         self.__win32Process, _ = self.__iWbemServices.GetObject("Win32_Process")
 
     def execute(self, command, output=False):
-        self.__retOutput = output
-        if self.__retOutput:
+        if output:
             self.execute_WithOutput(command)
         else:
             command = self.__shell + command
@@ -77,9 +75,16 @@ def execute_WithOutput(self, command):
         keyName = str(uuid.uuid4())
         self.__registry_Path = f"Software\\Classes\\{gen_random_string(6)}"
 
-        command = rf"""{self.__shell} {command} 1> {result_output} 2>&1 && certutil -encodehex -f {result_output} {result_output_b64} 0x40000001 && for /F "usebackq" %G in ("{result_output_b64}") do reg add HKLM\{self.__registry_Path} /v {keyName} /t REG_SZ /d "%G" /f && del /q /f /s {result_output} {result_output_b64}"""
+        commands = [
+            f"{self.__shell} {command} 1> {result_output} 2>&1",
+            f"{self.__shell} certutil -encodehex -f {result_output} {result_output_b64} 0x40000001",
+            f'{self.__shell} for /F "usebackq" %G in ("{result_output_b64}") do reg add HKLM\\{self.__registry_Path} /v {keyName} /t REG_SZ /d "%G" /f',
+            f"{self.__shell} del /q /f /s {result_output} {result_output_b64}",
+        ]
 
-        self.execute_remote(command)
+        for cmd in commands:
+            self.execute_remote(cmd)
+            time.sleep(0.5)
         self.logger.info(f"Waiting {self.__exec_timeout}s for command completely executed.")
         time.sleep(self.__exec_timeout)
 
@@ -90,13 +95,13 @@ def queryRegistry(self, keyName):
             self.logger.debug(f"Querying registry key: HKLM\\{self.__registry_Path}")
             descriptor, _ = self.__iWbemServices.GetObject("StdRegProv")
             descriptor = descriptor.SpawnInstance()
-            retVal = descriptor.GetStringValue(2147483650, self.__registry_Path, keyName)
+            retVal = descriptor.GetStringValue(0x80000002, self.__registry_Path, keyName)
             self.__outputBuffer = base64.b64decode(retVal.sValue).decode(self.__codec, errors="replace").rstrip("\r\n")
         except Exception:
             self.logger.fail("WMIEXEC: Could not retrieve output file, it may have been detected by AV. Please try increasing the timeout with the '--exec-timeout' option. If it is still failing, try the 'smb' protocol or another exec method")
 
         try:
             self.logger.debug(f"Removing temporary registry path: HKLM\\{self.__registry_Path}")
-            retVal = descriptor.DeleteKey(2147483650, self.__registry_Path)
+            retVal = descriptor.DeleteKey(0x80000002, self.__registry_Path)
         except Exception as e:
             self.logger.debug(f"Target: {self.__target} removing temporary registry path error: {e!s}")
