Replies: 1 comment 7 replies
-
|
Hi, thanks for checking out the project. As a quick test, I would remove all the handlers except RDP and see if you get the same problem. Handlers can absolutely conflict with one another — in this case, the potential problem ones could be the command line or Powershell. clicks are another, but I see you don't have those configured. Let me know what you find please. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, they are in the original post. It looks like GHOSTS finds the password prompt but then fails to find the opened RDP window. That is why I think something is interrupting the handler while entering the credentials. Any known differences between changing the timeline in /config/ vs ./instance/? |
Beta Was this translation helpful? Give feedback.
-
|
Oh sorry, I see it now, diving in... |
Beta Was this translation helpful? Give feedback.
-
For every handler in a timeline, and new thread is spawned. Now, the default timeline is ./config/timeline.json — this one will execute whether the agent has internet access or anything. Those in instance are JIT (just in time) and execute right alongside whatever the agent is doing in their default timeline. Think of instance as "do this right now". |
Beta Was this translation helpful? Give feedback.
-
|
S'all good, I'm playing with swapping the timelines on the fly now. I split my handlers in to multiple files and included a command handler (below) that changes the content of timeline.json in each. I am changing the one in /config/ The content swap in the json goes off as expected but the handlers for other things seems to have issues after the second use of a handler. For example Ill swap to my outlookv2 timeline, it will start outlook, swap to office timeline and outlook closes, but when it swaps back to either it doesnt seem to launch the applications. The logs dont seem to have attempts to launch the applications either or ay errors for specific handlers but I get a lot of repeated timeline handler errors(below). Also Ive just noticed that outlookv2 seems slow to start actions, roughly about 3 mins after launching outlook. Is that normal?
|
Beta Was this translation helpful? Give feedback.
-
|
Also noticed outlookv2 sometimes get stuck in a loop, replying to the same email. Seems similar to #215 |
Beta Was this translation helpful? Give feedback.
-
Playing around with the client version on my computer. I have a timeline that uses 8 handlers and it all seems to work, except intermittently RDP will get stuck unable to find the window. I built the timeline handler by handler, it all works individually but as I start to put them together RDP starts to struggle with this error and the RDP login window is left open. Watching it makes me think either one of the handlers is interrupting the cred entry (if thats even possible)?
Also any recs for timeline changes are welcome. I was thinking of changing the chrome browsing to a crawl but not sure yet.
2024/01/23 19:29:58.578|Ghosts.Client.Handlers.Rdp.checkPasswordPrompt|RDP:: Found user/password prompt for 192.168.57.2. 2024/01/23 19:29:58.578|Ghosts.Client.Handlers.Rdp.findRdpWindow|RDP:: Unable to find desktop window for 192.168.57.2, sleeping 1 minute{ "Status": "Run", "TimeLineHandlers": [ { "HandlerType": "Rdp", "Initial": "", "UtcTimeOn": "00:00:00", "UtcTimeOff": "24.00:00:00", "UtcTimeBlocks": null, "HandlerArgs": { "CredentialsFile": "C:\\Tools\\Ghost_Win\\config\\creds.json", "mouse-sleep-time": 10000, "execution-time": 60000, "execution-probability": 100, "delay-jitter": 0 }, "Loop": true, "TimeLineEvents": [ { "TrackableId": null, "Command": "random", "CommandArgs": [ "192.168.57.2|credkey1", "192.168.57.3|credkey1" ], "DelayAfter": 0, "DelayBefore": 0 } ], "ScheduleType": "Other", "Schedule": null }, { "HandlerType": "BrowserChrome", "Initial": "about:blank", "UtcTimeOn": "00:00:00", "UtcTimeOff": "24.00:00:00", "UtcTimeBlocks": null, "HandlerArgs": { "isheadless": "false", "delay-jitter": 50, "browser-id": "ghosts-client-outlook", "outlook-credentials-file": "C:\\Tools\\Ghost_Win\\config\\creds.json", "outlook-delete-probability": 0, "outlook-read-probability": 33, "outlook-reply-probability": 34, "outlook-create-probability": 33, "outlook-attachment-probability": 100, "outlook-save-attachment-probability": 100, "outlook-min-attachments": 1, "outlook-max-attachments": 5, "outlook-max-attachments-size": 30, "outlook-url": "https://exch01.domain/owa", "outlook-credential-key": "credkey1", "exchange-version": "2016", "outlook-uploads-directory": "P:\\", "command-line-args": [ "--ignore-certificate-errors" ] }, "Loop": true, "TimeLineEvents": [ { "TrackableId": null, "Command": "outlook", "CommandArgs": [ "CurrentUser", "random", "random", "random", "Random", "Random", "PlainText", "" ], "DelayAfter": 10000, "DelayBefore": 10000 } ], "ScheduleType": "Other", "Schedule": null }, { "HandlerType": "Outlookv2", "Initial": "", "UtcTimeOn": "00:00:00", "UtcTimeOff": "24.00:00:00", "UtcTimeBlocks": null, "HandlerArgs": { "delay-jitter": 10, "delete-probability": 0, "create-probability": 50, "read-probability": 0, "reply-probability": 50, "click-probability": 0, "attachment-probability": 100, "save-attachment-probability": 100, "min-attachments": 0, "max-attachments": 5, "max-attachments-size": 10, "input-directory": "P:\\", "output-directory": "P:\\" }, "Loop": true, "TimeLineEvents": [ { "TrackableId": null, "Command": "Random", "CommandArgs": [ "CurrentUser", "Random", "Random", "Random", "Random", "Random", "PlainText", "" ], "DelayAfter": 10, "DelayBefore": 0 } ], "ScheduleType": "Other", "Schedule": null }, { "HandlerType": "Command", "Initial": "", "UtcTimeOn": "00:00:00", "UtcTimeOff": "24.00:00:00", "UtcTimeBlocks": null, "HandlerArgs": { "delay-jitter": 50 }, "Loop": false, "TimeLineEvents": [ { "TrackableId": null, "Command": "explorer \\\\file01\\Share", "CommandArgs": [ "exit" ], "DelayAfter": 999000, "DelayBefore": 0 }, { "TrackableId": null, "Command": "powershell.exe [System.environment]::setenvironmentvariable('ht', (get-random -InputObject (get-content 'C:/Tools/Ghosts_Win/config/hostnames.csv')), 'machine')", "CommandArgs": [ "" ], "DelayAfter": 999000, "DelayBefore": 0 }, { "TrackableId": null, "Command": "powershell icm -computername ([system.Environment]::GetEnvironmentVariable('ht', 'machine')) -ScriptBlock {hostname}", "CommandArgs": [ "" ], "DelayAfter": 999000, "DelayBefore": 0 }, { "TrackableId": null, "Command": "powershell icm -computername ([system.Environment]::GetEnvironmentVariable('ht', 'machine')) -ScriptBlock {get-hotfix}", "CommandArgs": [ "" ], "DelayAfter": 999000, "DelayBefore": 0 }, { "TrackableId": null, "Command": "powershell icm -computername ([system.Environment]::GetEnvironmentVariable('ht', 'machine')) -ScriptBlock {get-localuser}", "CommandArgs": [ "" ], "DelayAfter": 999000, "DelayBefore": 0 } ], "ScheduleType": "Other", "Schedule": null }, { "HandlerType": "Excel", "Initial": "", "UtcTimeOn": "00:00:00", "UtcTimeOff": "24.00:00:00", "UtcTimeBlocks": null, "HandlerArgs": { "delay-jitter": 50 }, "Loop": true, "TimeLineEvents": [ { "TrackableId": null, "Command": "create", "CommandArgs": [ "%homedrive%%homepath%\\Documents", "pdf", "pdf-vary-filenames", "save-array:['P:\\','\\\\file01\\Share']" ], "DelayAfter": 10000, "DelayBefore": 10000 } ], "ScheduleType": "Other", "Schedule": null }, { "HandlerType": "Word", "Initial": "", "UtcTimeOn": "00:00:00", "UtcTimeOff": "24.00:00:00", "UtcTimeBlocks": null, "HandlerArgs": { "delay-jitter": 50, "workingset": { "max": 20, "max-age-in-hours": 72 } }, "Loop": true, "TimeLineEvents": [ { "TrackableId": null, "Command": "create", "CommandArgs": [ "%homedrive%%homepath%\\Documents", "pdf", "pdf-vary-filenames", "save-array:['P:\\','\\\\file01\\Share']" ], "DelayAfter": 10000, "DelayBefore": 10000 } ], "ScheduleType": "Other", "Schedule": null }, { "HandlerType": "BrowserChrome", "Initial": "about:blank", "UtcTimeOn": "00:00:00", "UtcTimeOff": "24.00:00:00", "UtcTimeBlocks": null, "HandlerArgs": { "delay-jitter": 50, "executable-location": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "isheadless": "false", "blockimages": "false", "blockstyles": "false", "blockflash": "false", "blockscripts": "false", "stickiness": "65", "stickiness-depth-min": "3", "stickiness-depth-max": "15", "incognito": "true", "javascript-enable": "true", "visited-remember": "10", "actions-before-restart": 100, "command-line-args": [ "--ignore-certificate-errors" ], "url-replace": [ { "verb": [ "order", "enable", "engage" ] }, { "group": [ "operations", "logistics", "medical" ] }, { "type": [ "document", "doc", "files", "vault", "filevault" ] } ] }, "Loop": true, "TimeLineEvents": [ { "TrackableId": null, "Command": "random", "CommandArgs": [ "https://www.cert.org", "https://www.wikipedia.org", "https://www.google.com", "https://www.facebook.com", "https://www.twitter.com", "https://www.pinterest.com", "https://www.reddit.com", "https://www.yelp.com", "https://www.imdb.com", "https://www.fandom.com", "https://www.yahoo.com", "https://www.gamestop.com", "https://www.microsoft.com", "https://www.nytimes.com", "https://www.foxnews.com", "https://www.cnn.com", "https://www.msnbc.com", "https://www.drudgereport.com", "https://www.espn.com", "https://www.netflix.com", "https://www.webmd.com", "https://www.linkedin.com", "https://www.instagram.com", { "Uri": "http://httpbin.org/post", "Category": "cat1", "Method": "POST", "Headers": { "1": "a", "2": "b" }, "FormValues": { "1": "a", "2": "b" } }, { "Uri": "http://httpbin.org/put", "Category": "cat1", "Method": "PUT", "Headers": { "1": "a", "2": "b" }, "Body": "body" }, { "Uri": "http://httpbin.org/delete", "Category": "cat1", "Method": "DELETE" } ], "DelayAfter": 10000, "DelayBefore": 10000 } ], "ScheduleType": "Other", "Schedule": null } ] }Beta Was this translation helpful? Give feedback.
All reactions