@@ -115,36 +115,24 @@ private Map<String, String> buildExecutorCommands(OpenAEVConfig cfg) {
115115 "unsecured_certificate=\" " + cfg .isUnsecuredCertificate () + "\" " ;
116116 String withProxyVar = "with_proxy=\" " + cfg .isWithProxy () + "\" " ;
117117 if (previewFeatureService .isFeatureEnabled (PreviewFeature .PALO_ALTO_CORTEX_EXECUTOR )) {
118- commands .put (
119- Endpoint .PLATFORM_TYPE .Windows .name () + "." + Endpoint .PLATFORM_ARCH .x86_64 ,
120- "[Net.ServicePointManager]::SecurityProtocol += [Net.SecurityProtocolType]::Tls12;$x=\" #{location}\" ;$location=$x.Replace(\" \\ oaev-agent-caldera.exe\" , \" \" );[Environment]::CurrentDirectory = $location;$filename=\" oaev-implant-#{inject}-agent-#{agent}.exe\" ;$"
121- + tokenVar
122- + ";$"
123- + serverVar
124- + ";$"
125- + unsecuredCertificateVar
126- + ";$"
127- + withProxyVar
128- + ";$"
129- + maxSizeVar
130- + ";"
131- + dlVar (cfg , "windows" , "x86_64" )
132- + ";$wc=New-Object System.Net.WebClient;$data=$wc.DownloadData($url);[io.file]::WriteAllBytes($filename,$data) | Out-Null;Remove-NetFirewallRule -DisplayName \" Allow OpenAEV Inbound\" ;New-NetFirewallRule -DisplayName \" Allow OpenAEV Inbound\" -Direction Inbound -Program \" $location\\ $filename\" -Action Allow | Out-Null;Remove-NetFirewallRule -DisplayName \" Allow OpenAEV Outbound\" ;New-NetFirewallRule -DisplayName \" Allow OpenAEV Outbound\" -Direction Outbound -Program \" $location\\ $filename\" -Action Allow | Out-Null;$psi = New-Object System.Diagnostics.ProcessStartInfo;$psi.FileName = \" $location\\ $filename\" ;$psi.Arguments = \" --uri $server --token $token --unsecured-certificate $unsecured_certificate --with-proxy $with_proxy --agent-id #{agent} --inject-id #{inject}\" ;$psi.UseShellExecute = $false;$psi.RedirectStandardError = $true;$psi.RedirectStandardOutput = $true;$psi.RedirectStandardInput = $true;$proc = [System.Diagnostics.Process]::Start($psi);$stdout = $proc.StandardOutput.ReadToEndAsync();$stderr = $proc.StandardError.ReadToEndAsync();$proc.WaitForExit();exit $proc.ExitCode;" );
133- commands .put (
134- Endpoint .PLATFORM_TYPE .Windows .name () + "." + Endpoint .PLATFORM_ARCH .arm64 ,
135- "[Net.ServicePointManager]::SecurityProtocol += [Net.SecurityProtocolType]::Tls12;$x=\" #{location}\" ;$location=$x.Replace(\" \\ oaev-agent-caldera.exe\" , \" \" );[Environment]::CurrentDirectory = $location;$filename=\" oaev-implant-#{inject}-agent-#{agent}.exe\" ;$"
136- + tokenVar
137- + ";$"
138- + serverVar
139- + ";$"
140- + unsecuredCertificateVar
141- + ";$"
142- + withProxyVar
143- + ";$"
144- + maxSizeVar
145- + ";"
146- + dlVar (cfg , "windows" , "arm64" )
147- + ";$wc=New-Object System.Net.WebClient;$data=$wc.DownloadData($url);[io.file]::WriteAllBytes($filename,$data) | Out-Null;Remove-NetFirewallRule -DisplayName \" Allow OpenAEV Inbound\" ;New-NetFirewallRule -DisplayName \" Allow OpenAEV Inbound\" -Direction Inbound -Program \" $location\\ $filename\" -Action Allow | Out-Null;Remove-NetFirewallRule -DisplayName \" Allow OpenAEV Outbound\" ;New-NetFirewallRule -DisplayName \" Allow OpenAEV Outbound\" -Direction Outbound -Program \" $location\\ $filename\" -Action Allow | Out-Null;$psi = New-Object System.Diagnostics.ProcessStartInfo;$psi.FileName = \" $location\\ $filename\" ;$psi.Arguments = \" --uri $server --token $token --unsecured-certificate $unsecured_certificate --with-proxy $with_proxy --agent-id #{agent} --inject-id #{inject}\" ;$psi.UseShellExecute = $false;$psi.RedirectStandardError = $true;$psi.RedirectStandardOutput = $true;$psi.RedirectStandardInput = $true;$proc = [System.Diagnostics.Process]::Start($psi);$stdout = $proc.StandardOutput.ReadToEndAsync();$stderr = $proc.StandardError.ReadToEndAsync();$proc.WaitForExit();exit $proc.ExitCode;" );
118+ this .buildWindowsCommand (
119+ Endpoint .PLATFORM_ARCH .x86_64 ,
120+ cfg ,
121+ commands ,
122+ tokenVar ,
123+ serverVar ,
124+ unsecuredCertificateVar ,
125+ withProxyVar ,
126+ maxSizeVar );
127+ this .buildWindowsCommand (
128+ Endpoint .PLATFORM_ARCH .arm64 ,
129+ cfg ,
130+ commands ,
131+ tokenVar ,
132+ serverVar ,
133+ unsecuredCertificateVar ,
134+ withProxyVar ,
135+ maxSizeVar );
148136 } else {
149137 commands .put (
150138 Endpoint .PLATFORM_TYPE .Windows .name () + "." + Endpoint .PLATFORM_ARCH .x86_64 ,
@@ -264,4 +252,60 @@ private Map<String, String> buildExecutorClearCommands() {
264252
265253 return clear ;
266254 }
255+
256+ /**
257+ * Build a Windows command
258+ *
259+ * @param arch targeted windows architecture
260+ * @param cfg OpenAEV configuration
261+ * @param commands list of commands to append the new command to
262+ * @param tokenVar token variable
263+ * @param serverVar serer URL variable
264+ * @param unsecuredCertificateVar enable unsecured certificate variable
265+ * @param withProxyVar enable proxy variable
266+ * @param maxSizeVar max size variable
267+ */
268+ private void buildWindowsCommand (
269+ Endpoint .PLATFORM_ARCH arch ,
270+ OpenAEVConfig cfg ,
271+ Map <String , String > commands ,
272+ String tokenVar ,
273+ String serverVar ,
274+ String unsecuredCertificateVar ,
275+ String withProxyVar ,
276+ String maxSizeVar ) {
277+ commands .put (
278+ Endpoint .PLATFORM_TYPE .Windows .name () + "." + arch .name (),
279+ "[Net.ServicePointManager]::SecurityProtocol += [Net.SecurityProtocolType]::Tls12;$x=\" #{location}\" ;$location=$x.Replace(\" \\ oaev-agent-caldera.exe\" , \" \" );[Environment]::CurrentDirectory = $location;$filename=\" oaev-implant-#{inject}-agent-#{agent}.exe\" ;$"
280+ + tokenVar
281+ + ";$"
282+ + serverVar
283+ + ";$"
284+ + unsecuredCertificateVar
285+ + ";$"
286+ + withProxyVar
287+ + ";$"
288+ + maxSizeVar
289+ + ";"
290+ + dlVar (cfg , "windows" , arch .name ())
291+ + ";$wc=New-Object System.Net.WebClient;$data=$wc.DownloadData($url);[io.file]::WriteAllBytes($filename,$data) | Out-Null;Remove-NetFirewallRule -DisplayName \" Allow OpenAEV Inbound\" ;New-NetFirewallRule -DisplayName \" Allow OpenAEV Inbound\" -Direction Inbound -Program \" $location\\ $filename\" -Action Allow | Out-Null;Remove-NetFirewallRule -DisplayName \" Allow OpenAEV Outbound\" ;New-NetFirewallRule -DisplayName \" Allow OpenAEV Outbound\" -Direction Outbound -Program \" $location\\ $filename\" -Action Allow | Out-Null;"
292+ + "$taskName = 'OpenAEV-Inject-#{inject}-Agent-#{agent}';"
293+ + "$taskDescription = 'OpenAEV EDR validation task - inject #{inject} - agent #{agent} - safe to ignore - will self-delete after execution';"
294+ + "$implantArgs = '--uri ' + $server + ' --token ' + $token + ' --unsecured-certificate ' + $unsecured_certificate + ' --with-proxy ' + $with_proxy + ' --agent-id #{agent} --inject-id #{inject}';"
295+ + "$action = New-ScheduledTaskAction -Execute \" $location\\ $filename\" -Argument $implantArgs;"
296+ + "$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest;"
297+ + "$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Hours 0);"
298+ + "Register-ScheduledTask -TaskName $taskName -Description $taskDescription -Action $action -Principal $principal -Settings $settings -Force | Out-Null;"
299+ + "Start-ScheduledTask -TaskName $taskName;"
300+ + "$timeout = 300; $elapsed = 0;"
301+ + "while($elapsed -lt $timeout) {"
302+ + " $state = (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue).State;"
303+ + " if($state -eq 'Ready') { break }"
304+ + " Start-Sleep -Seconds 1; $elapsed++;"
305+ + "}"
306+ + "$info = Get-ScheduledTaskInfo -TaskName $taskName -ErrorAction SilentlyContinue;"
307+ + "$exitCode = $info.LastTaskResult;"
308+ + "Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue;"
309+ + "exit $exitCode;" );
310+ }
267311}
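Review bot: The exit-code handling at the end of the new PowerShell string can report success for a failed launch: if `Register-ScheduledTask` or `Start-ScheduledTask` fails (for example without the rights to create a SYSTEM principal), `Get-ScheduledTask` returns nothing, `$state` stays `$null`, the loop spins for the full 300 seconds, and `exit $exitCode` runs with `$null`, which ends the script with code 0. The same happens if the implant is still running at the timeout, where `LastTaskResult` presumably holds the "running" status rather than the implant's exit code (confirm). I would make the two registration steps `-ErrorAction Stop`, break the poll when the task no longer exists, and exit non-zero unless the task actually reached `Ready`; also consider aligning `-ExecutionTimeLimit` with the 300 s poll, since `(New-TimeSpan -Hours 0)` removes the limit and a hung implant would otherwise keep running as SYSTEM after the launcher gives up. Separately, the `#{inject}`/`#{agent}` placeholders now land inside single-quoted PowerShell strings (`$taskName`, `$taskDescription`, `$implantArgs`), so the values substituted there should be validated as identifiers (UUIDs, presumably) before templating, and the Javadoc should read `@param serverVar server URL variable` and describe `commands` as a map rather than a list.
```java
// … unchanged: download, firewall rules, $taskName / $taskDescription / $implantArgs / $action / $principal …
+ "$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Seconds 300);"
+ "Register-ScheduledTask -TaskName $taskName -Description $taskDescription -Action $action -Principal $principal -Settings $settings -Force -ErrorAction Stop | Out-Null;"
+ "Start-ScheduledTask -TaskName $taskName -ErrorAction Stop;"
+ "$timeout = 300; $elapsed = 0; $finished = $false;"
+ "while($elapsed -lt $timeout) {"
+ " $state = (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue).State;"
+ " if($state -eq 'Ready') { $finished = $true; break }"
+ " if($null -eq $state) { break }"
+ " Start-Sleep -Seconds 1; $elapsed++;"
+ "}"
+ "$info = Get-ScheduledTaskInfo -TaskName $taskName -ErrorAction SilentlyContinue;"
+ "Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue;"
+ "if(-not $finished -or $null -eq $info) { exit 1 };"
+ "exit $info.LastTaskResult;");
```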