Add aliases for common sharp commands

Alias.py

@@ -14,6 +14,15 @@
 # C# Implant
 cs_alias = [
     ["s","get-screenshot"],
+]
+
+# Parts of commands to replace if command starts with the key
+cs_replace = [
     ["safetydump", "run-exe SafetyDump.Program SafetyDump"],
-    ["seatbelt", "run-exe Seatbelt.Program Seatbelt all"]
+    ["sharpup", "run-exe SharpUp.Program SharpUp"],
+    ["seatbelt", "run-exe Seatbelt.Program Seatbelt"],
+    ["rubeus", "run-exe Rubeus.Program Rubeus"],
+    ["sharpview", "run-exe SharpView.Program SharpView"],
+    ["sharphound", "run-exe Sharphound2.Sharphound Sharphound"],
+    ["watson", "run-exe Watson.Program Watson"]
 ]

Config.py

@@ -62,8 +62,4 @@
 ModulesDirectory = "%sModules%s" % (POSHDIR, os.sep)
 DownloadsDirectory = "%sdownloads%s" % (ROOTDIR, os.sep)
 ReportsDirectory = "%sreports%s" % (ROOTDIR, os.sep)
-Database = "%s%sPowershellC2.SQLite" % (ROOTDIR, os.sep)
-
-# DO NOT CHANGE #
-# These rules aren't needed as you'll find them auto-generated within the project folder now.
-# checkout <project-name>/rewrite-rules.txt but left them here just in case.
+Database = "%s%sPowershellC2.SQLite" % (ROOTDIR, os.sep)

Help.py

@@ -4,7 +4,7 @@
  __________            .__.     _________  ________
  \_______  \____  _____|  |__   \_   ___ \ \_____  \\
   |     ___/  _ \/  ___/  |  \  /    \  \/  /  ____/
-  |    |  ( <_>)___ \|   Y  \ \     \____/       \\
+  |    |  (  <_> )___ \|   Y  \ \     \____/       \\
   |____|   \____/____  >___|  /  \______  /\_______ \\
                      \/     \/          \/         \/
   =============== v4.8 www.PoshC2.co.uk =============
@@ -69,7 +69,6 @@
 searchhelp listmodules
 label-implant <newlabel>
 back
-safetydump
 
 Migration
 ===========
@@ -87,49 +86,38 @@
 testadcredential domain username password
 testlocalcredential username password
 cred-popper
-loadmodule SharpUp.exe
-run-exe SharpUp.Program SharpUp
-
-Privilege Escalation:
-=======================
-seatbelt
-loadmodule Seatbelt.exe
-run-exe Seatbelt.Program Seatbelt all
-run-exe Seatbelt.Program Seatbelt BasicOSInfo
-run-exe Seatbelt.Program Seatbelt SysmonConfig
-run-exe Seatbelt.Program Seatbelt PowerShellSettings
-run-exe Seatbelt.Program Seatbelt RegistryAutoRuns
-
-Credentials / Tokens / Local Hashes (Must be SYSTEM):
-=========================================================
+sharpup
+seatbelt all
+seatbelt BasicOSInfo
+seatbelt SysmonConfig
+seatbelt PowerShellSettings
+seatbelt RegistryAutoRuns
+watson
+
+Process Dumping:
+================
 safetydump
 safetydump <pid>
 
 Network Tasks / Lateral Movement:
 ====================================
-loadmodule Rubeus.exe
-run-exe Rubeus.Program Rubeus kerberoast
-run-exe Rubeus.Program Rubeus asreproast /user:username
-
-Network Tasks / Lateral Movement:
-====================================
-loadmodule SharpView.exe
-run-exe SharpView.Program SharpView Get-NetUser -SamAccountName ben
-run-exe SharpView.Program SharpView Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse
-run-exe SharpView.Program SharpView Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname
-run-exe SharpView.Program SharpView Get-NetUser -Name deb -Domain blorebank.local
-run-exe SharpView.Program SharpView Get-NetSession -Domain blorebank.local
-run-exe SharpView.Program SharpView Get-DomainController -Domain blorebank.local
-run-exe SharpView.Program SharpView Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail
-run-exe SharpView.Program SharpView Get-DomainUser -AdminCount -Properties samaccountname
-run-exe SharpView.Program SharpView Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname
-run-exe SharpView.Program Sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe*
-run-exe SharpView.Program SharpView Find-InterestingDomainShareFile -ComputerName SERVER01
+rubeus kerberoast
+rubeus asreproast /user:username
+sharpview Get-NetUser -SamAccountName ben
+sharpview Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse
+sharpview Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname
+sharpview Get-NetUser -Name deb -Domain blorebank.local
+sharpview Get-NetSession -Domain blorebank.local
+sharpview Get-DomainController -Domain blorebank.local
+sharpview Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail
+sharpview Get-DomainUser -AdminCount -Properties samaccountname
+sharpview Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname
+sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe*
+sharpview Find-InterestingDomainShareFile -ComputerName SERVER01
 
 Bloodhound:
 =============
-loadmodule SharpHound.exe
-run-exe Sharphound2.Sharphound Sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\
+sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\
 """
 
 posh_help1 = """
@@ -462,4 +450,5 @@
 "download-file","get-content","ls-recurse","turtle","cred-popper","resolveip","resolvednsname","testadcredential",
 "testlocalcredential","get-screenshot","modulesloaded","get-serviceperms","unhide-implant","arpscan","ls","pwd","dir",
 "inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule",
-"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", "safetydump", "seatbelt"]
+"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", "safetydump", "seatbelt", "sharpup",
+"sharphound", "rubeus", "sharpview", "watson"]

Install.ps1

@@ -4,7 +4,7 @@ Write-Host @'
    __________            .__.     _________  ________
    \_______  \____  _____|  |__   \_   ___ \ \_____  \\
     |     ___/  _ \/  ___/  |  \  /    \  \/  /  ____/
-    |    |  ( <_>)___ \|   Y  \ \     \____/       \\
+    |    |  (  <_> )___ \|   Y  \ \     \____/       \\
     |____|   \____/____  >___|  /  \______  /\_______ \\
                        \/     \/          \/         \/
     ================= www.PoshC2.co.uk ================

PSHandler.py

@@ -25,8 +25,8 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre
 
     # alias mapping
     for alias in ps_alias:
-      if alias[0] == command.lower()[:len(command.rstrip())]:
-        command = alias[1]
+      if command.lower().strip().startswith(alias[0]):
+        command.replace(alias[0], alias[1])
 
     # opsec failures
     for opsec in ps_opsec:

SharpHandler.py

@@ -1,9 +1,9 @@
 import base64, re, traceback, os
-from Alias import cs_alias
+from Alias import cs_alias, cs_replace
 from Colours import Colours
 from Utils import randomuri, validate_sleep_time
 from DB import new_task, update_sleep, update_label, unhide_implant, kill_implant, get_implantdetails, get_pid
-from AutoLoads import check_module_loaded
+from AutoLoads import check_module_loaded, run_autoloads
 from Help import sharp_help1
 from Config import ModulesDirectory, POSHDIR
 from Core import readfile_with_completion
@@ -19,7 +19,14 @@ def handle_sharp_command(command, user, randomuri, startup):
     for alias in cs_alias:
         if alias[0] == command.lower()[:len(command.rstrip())]:
           command = alias[1]
-
+
+     # alias replace
+    for alias in cs_replace:
+      if command.lower().strip().startswith(alias[0]):
+        command = command.replace(alias[0], alias[1])   
+
+    run_autoloads(command, randomuri, user)
+
     if "searchhelp" in command.lower():
         searchterm = (command.lower()).replace("searchhelp ","")
         import string

changelog.txt

@@ -16,6 +16,8 @@ Add NotificationsProjectName in Config.py which is displayed in notifications me
 Add fpc script which searches the Posh DB for a particular command
 Use pyreadline for Windows compatibility
 Modify InjectShellcode logged command to remove base64 encoded shellcode and instead just log loaded filename
+Add Windows install script
+Add aliases for common sharp modules
 
 4.8 (13/02/19)
 ==============