Merge branch 'master' into v2.3-testing

Payload_Type/apfell/agent_code/c2_profiles/http.js

@@ -493,4 +493,4 @@ class customC2 extends baseC2{
 }
 //------------- INSTANTIATE OUR C2 CLASS BELOW HERE IN MAIN CODE-----------------------
 ObjC.import('Security');
-var C2 = new customC2(callback_interval, "callback_host", "callback_port");
+var C2 = new customC2(callback_interval, "callback_host", "callback_port");

Payload_Type/apfell/agent_code/list_users.js

@@ -50,6 +50,7 @@ exports.list_users = function(task, command, params){
         for (let i = 0; i < numResults; i++) {
             let idObj = results[i];
             let info = {
+
                 "POSIXName": idObj.posixName.js,
                 "POSIXID": idObj.posixUID,
                 "POSIXGID": group.posixGID,
@@ -68,4 +69,4 @@ exports.list_users = function(task, command, params){
         "user_output": JSON.stringify(all_users, null, 2),
         "completed": true
     };
-};
+};

Payload_Type/apfell/mythic/agent_functions/list_users.py

@@ -18,6 +18,7 @@ def __init__(self, command_line, **kwargs):
             ),
         ]
 
+
     async def parse_arguments(self):
         if len(self.command_line) == 0:
             raise ValueError("Must supply a path to a file")
@@ -43,7 +44,7 @@ class ListUsersCommand(CommandBase):
     async def create_tasking(self, task: MythicTask) -> MythicTask:
         if task.args.get_arg("gid") < 0:
             resp = await MythicRPC().execute("create_artifact", task_id=task.id,
-                artifact="$.CSGetLocalIdentityAuthority, $.CSIdentityQueryCreate, $.CSIdentityQueryExecute",
+                artifact="$.CBIdentityAuthority.defaultIdentityAuthority, $.CBGroupIdentity.groupIdentityWithPosixGIDAuthority",
                 artifact_type="API Called",
             )
         else:

documentation-payload/apfell/commands/add_user.md

@@ -12,6 +12,12 @@ Add a local user to the system by wrapping the Apple binary, dscl.
 - Version: 1  
 - Author: @its_a_feature_  
 
+
+{{% notice tip %}}   
+For `Authenticate as this user` and `Authenticate with this password` dropdowns to be available, add credentials under the Operational Views tab in Mythic
+{{% /notice %}}  
+
+
 ### Arguments
 
 #### password

documentation-payload/apfell/commands/current_user.md

@@ -13,6 +13,13 @@ This uses AppleEvents or ObjectiveC APIs to get information about the current us
 - Version: 1  
 - Author: @its_a_feature_  
 
+
+{{% notice warning %}}   
+If the `JXA` method is selected:
+In Mojave+ (10.14+) this will cause a popup the first time asking for permission for your process to access System Events.
+{{% /notice %}}  
+
+
 ### Arguments
 
 #### method

documentation-payload/apfell/commands/list_users.md

@@ -7,7 +7,7 @@ hidden = false
 
 ## Summary
 
-This uses JXA to list the non-service user accounts on the system. You can specify a GID to look at the users of a certain group or you can specify 'groups' to be true and enumerate users by groups 
+This uses JXA to list the non-service user accounts on the system. You can specify a GID to look at the users of a certain group or you can use '-1' for GID to enumerate users for groups 0-1000
 - Needs Admin: False  
 - Version: 1  
 - Author: @its_a_feature_  
@@ -18,13 +18,11 @@ This uses JXA to list the non-service user accounts on the system. You can speci
 
 - Description:  Enumerate users in a specific group or -1 for all groups
 - Required Value: False  
-- Default Value: None  
+- Default Value: None 
 
-#### groups
-
-- Description: Enumerate groups and their members 
-- Required Value: False  
-- Default Value: None  
+{{% notice tip %}}   
+If -1 for all groups is used, there may be duplicate users shown if they are memebers of multiple groups
+{{% /notice %}} 
 
 ## Usage
 
@@ -38,9 +36,7 @@ list_users
 - T1069  
 ## Detailed Summary
 
-- If gid is -1 and groups is false, enumerates all users and prints their info
-- If gid is -1 and groups is true, enumerate all groups and their members
+- If gid is -1, enumerates all users and prints their info
 - If gid > 0, enumerate all users within the specified group 
 
 All of these options are done via the Collaboration and CoreServices Frameworks and queried via API calls.
-

documentation-payload/apfell/commands/persist_folderaction.md

@@ -12,7 +12,9 @@ Use Folder Actions to persist a compiled script on disk. You can either specify
 - Version: 1  
 - Author: @its_a_feature_  
 
-{{% notice warning %}} In Mojave+ (10.14+) this will cause a popup the first time asking for permission for your process to access System Events. {{% /notice %}}
+{{% notice warning %}}   
+In Mojave+ (10.14+) this will cause a popup the first time asking for permission for your process to access System Events.
+{{% /notice %}}
 
 ### Arguments
 

documentation-payload/apfell/commands/prompt.md

@@ -13,6 +13,12 @@ Create a custom prompt to ask the user for credentials where you can provide tit
 - Version: 1  
 - Author: @its_a_feature_  
 
+
+{{% notice warning %}}   
+This can potentially hang the agent as dependent on user interaction, so be careful  
+{{% /notice %}}
+
+
 ### Arguments
 
 #### title

documentation-payload/apfell/commands/screenshot.md

@@ -12,6 +12,11 @@ Use the built-in CGDisplay API calls to capture the display and send it back ove
 - Version: 1  
 - Author: @its_a_feature_  
 
+{{% notice warning %}}   
+In Catalina+ (10.15+) there are TCC protections against this, so be careful
+{{% /notice %}}  
+
+
 ### Arguments
 
 ## Usage
@@ -38,5 +43,3 @@ let capture = bitmapimagerep.representationUsingTypeProperties($.NSBitmapImageFi
 ```
 The screencapture is chunked and sent back to Mythic.
 
->**NOTE** With 10.15, there are protections against this, so be careful
-