Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add automatic ingestion of Mimikatz and Hashdump output to Cobalt Strike connector #63

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+61 −1
Open

Add automatic ingestion of Mimikatz and Hashdump output to Cobalt Strike connector #63

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 61 additions & 1 deletion cmd/connectors/cobaltstrike-nemesis-connector/nemesis-connector.cna
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -554,9 +554,28 @@ sub Handle_downloads {
}, \$LocalFilePath, \$BID, \$TargetFileFolder, \$TargetFileName, \$TargetFileSize, \$TimeStamp));
}

sub ExportToNemesis {
local('$username $type $data $command %RawData $command $MessageID $BID');
$username = $1;
$type = $2;
$data = $3;
$command = $4;

%RawData = %(
username => $username;
type => $type;
is_file => false;
data => $data;
notes => $command;
);

$MessageID = http::PostData($BID, "authentication_data", @(%RawData));
blog($BID, "Nemesis: Detected credentials");

}

sub Handle_beacon_output {
local('$IsHeadlessClient $ClientSyncedFromServer $1 %Args $BID $Output $FileID $DomainController $BackupkeyGuid $RandomName $BackupkeyB64 %JsonData $JsonString %RawData $MessageID');
local('$IsHeadlessClient $isHashdumpPattern $hashdumpPattern $ntlmPattern $credsPattern $isLogonPasswords $Size $isSamPattern $samPattern $BID %JsonCreds $ClientSyncedFromServer $1 %Args $BID $Output $FileID $search %JsonData $JsonString');

# don't process if things aren't initialized correctly yet
if(!$NemesisReady) {return $null;}
Expand All @@ -569,6 +588,47 @@ sub Handle_beacon_output {
$BID = %Args[0];
$Output = %Args[1];

$isLogonPasswords = '(?<=Authentication Id)([\s\S]*$)';
$isSamPattern = '(?<=SAMKey)([\s\S]*$)';
$isHashdumpPattern = '(?:[^:]+:\d+:[a-fA-F0-9]{32}:[a-fA-F0-9]{32}:::\n?)+';

$credsPattern = 'Username\s+:\s+(?!\(null\))(\S+)\s+\*\s+Domain\s+:\s+(?!\(null\))(\S+)\s+\*\s+Password\s+:\s+(?!\(null\))(\S+)';
$ntlmPattern = 'Username\s+:\s+(?!\(null\))(\S+)\s+\*\s+Domain\s+:\s+(?!\(null\))(\S+)\s+\*\s+NTLM\s+:\s+(?!\(null\))(\S+)';
$samPattern = 'User\s*:\s*([^\n]+)\s*Hash\s*NTLM\s*:\s*([a-fA-F0-9]{32})';
$hashdumpPattern = '([^:\n]+):[^:]+:([a-fA-F0-9]{32}):([a-fA-F0-9]{32}):::';


# Handle LogonPasswords output
if ($Output hasmatch $isLogonPasswords) {
$search = matched()[0];

# Retrieve credman credentials
while ($search hasmatch $credsPattern) {
ExportToNemesis(matched()[0], "password", matched()[2], "mimikatz logonpasswords");
}

# Retrieve NTLM hashes
while ($search hasmatch $ntlmPattern) {
ExportToNemesis(matched()[0], "ntlm_hash", matched()[2], "mimikatz logonpasswords");
}
}

# Handle SAM output
if ($Output hasmatch $isSamPattern) {
$search = matched()[0];

while ($search hasmatch $samPattern) {
ExportToNemesis(matched()[0], "ntlm_hash", matched()[1], "mimikatz sam");
}
}

# Handle Hashdump output
if ($Output hasmatch $isHashdumpPattern) {
while ($Output hasmatch $hashdumpPattern) {
ExportToNemesis(matched()[0], "ntlm_hash", matched()[2], "hashdump");
}
}

# Handle domain backupkey output from SharpDPAPI
if ($Output hasmatch '\[\*\] Using current domain controller : ([a-zA-Z0-9\.-]+)\s*\[\*\] Preferred backupkey Guid : ([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\s*\[\*\]') {

Expand Down