author | Bryan McNulty <bryanmcnulty@protonmail.com> | 2025-03-01 20:50:04 -0600 |
---|---|---|
committer | Bryan McNulty <bryanmcnulty@protonmail.com> | 2025-03-01 20:50:04 -0600 |
commit | 6dcae18a99ba7f7ca44c246d0e72b4d9410eb60c (patch) | |
tree | 2c9d4e482cb42d820f853a1bc2e92205b9eeba50 /cmd | |
parent | 50393c546010da3745b1d80f156aeb713f3411dc (diff) | |
download | goexec-6dcae18a99ba7f7ca44c246d0e72b4d9410eb60c.tar.gz goexec-6dcae18a99ba7f7ca44c246d0e72b4d9410eb60c.zip |
Added tsch module
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/root.go | 24 | ||||
-rw-r--r-- | cmd/scmr.go | 50 | ||||
-rw-r--r-- | cmd/tsch.go | 134 |
3 files changed, 169 insertions, 39 deletions
diff --git a/cmd/root.go b/cmd/root.go index 00563c6..fdc0ad6 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -16,11 +16,28 @@ var ( ctx context.Context authOpts *adauth.Options - debug, trace bool + debug bool command string + executable string executablePath string executableArgs string + needsTarget = func(cmd *cobra.Command, args []string) (err error) { + if len(args) != 1 { + return fmt.Errorf("command require exactly one positional argument: [target]") + } + if creds, target, err = authOpts.WithTarget(ctx, "cifs", args[0]); err != nil { + return fmt.Errorf("failed to parse target: %w", err) + } + if creds == nil { + return fmt.Errorf("no credentials supplied") + } + if target == nil { + return fmt.Errorf("no target supplied") + } + return + } + rootCmd = &cobra.Command{ Use: "goexec", PersistentPreRunE: func(cmd *cobra.Command, args []string) (err error) { @@ -42,13 +59,16 @@ func init() { rootCmd.InitDefaultVersionFlag() rootCmd.InitDefaultHelpCmd() - rootCmd.PersistentFlags().BoolVarP(&debug, "debug", "d", false, "Enable debug logging") + rootCmd.PersistentFlags().BoolVar(&debug, "debug", false, "Enable debug logging") authOpts = &adauth.Options{Debug: log.Debug().Msgf} authOpts.RegisterFlags(rootCmd.PersistentFlags()) scmrCmdInit() rootCmd.AddCommand(scmrCmd) + + tschCmdInit() + rootCmd.AddCommand(tschCmd) } func Execute() { diff --git a/cmd/scmr.go b/cmd/scmr.go index 150320c..df0bc84 100644 --- a/cmd/scmr.go +++ b/cmd/scmr.go @@ -1,8 +1,6 @@ package cmd import ( - "errors" - "fmt" "github.com/bryanmcnulty/adauth" "github.com/spf13/cobra" 
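Review bot: `needsTarget` in the first cmd/root.go hunk is installed as an `Args` validator, but it also resolves the target and writes the package-level `creds` and `target`, and cobra runs `Args` before `PersistentPreRunE`. If `ctx` or the logger are initialised in the root `PersistentPreRunE` (its body is outside this hunk), `authOpts.WithTarget` is called with an unset `ctx`. I would keep only the length check in `Args` and move the `WithTarget` call and the two nil checks into a `PreRunE` shared by the subcommands. The first message should read `command requires exactly one positional argument: [target]`, and the messages without format verbs can use `errors.New`.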
@@ -12,26 +10,26 @@ import ( ) func scmrCmdInit() { - scmrCmd.PersistentFlags().StringVarP(&executablePath, "executable-path", "e", "", "Full path to remote Windows executable") + scmrCmd.PersistentFlags().StringVarP(&executablePath, "executable-path", "f", "", "Full path to remote Windows executable") scmrCmd.PersistentFlags().StringVarP(&executableArgs, "args", "a", "", "Arguments to pass to executable") - scmrCmd.PersistentFlags().StringVarP(&scmrName, "service", "s", "", "Name of service to create or modify") - scmrCmd.PersistentFlags().BoolVar(&scmrNoStart, "no-start", false, "Don't start service after execution") + scmrCmd.PersistentFlags().StringVarP(&scmrName, "service-name", "s", "", "Name of service to create or modify") scmrCmd.MarkPersistentFlagRequired("executable-path") - scmrCmd.MarkPersistentFlagRequired("service") + scmrCmd.MarkPersistentFlagRequired("service-name") - scmrCmd.AddCommand(scmrChangeCmd) scmrChangeCmdInit() - scmrCmd.AddCommand(scmrCreateCmd) + scmrCmd.AddCommand(scmrChangeCmd) + scmrCreateCmdInit() + scmrCmd.AddCommand(scmrCreateCmd) } func scmrChangeCmdInit() { - // no unique flags + scmrChangeCmd.Flags().StringVarP(&scmrDisplayName, "display-name", "n", "", "Display name of service to create") + scmrChangeCmd.Flags().BoolVar(&scmrNoStart, "no-start", false, "Don't start service") } func scmrCreateCmdInit() { - scmrCreateCmd.Flags().StringVarP(&scmrDisplayName, "display-name", "n", "", "Display name new service") scmrCreateCmd.Flags().BoolVar(&scmrNoDelete, "no-delete", false, "Don't delete service after execution") } 
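Review bot: `--display-name` is now registered only on `change`, with the help text "Display name of service to create", while the `create` RunE in the next hunk still reads `scmrDisplayName` and falls back to the service name. After this change `create` can no longer receive a display name and always takes the warning path. If the swap was not intended, register the flag in `scmrCreateCmdInit` instead: `scmrCreateCmd.Flags().StringVarP(&scmrDisplayName, "display-name", "n", "", "Display name of service to create")`. The errors returned by both `MarkPersistentFlagRequired` calls are also discarded, so a mismatch such as the renamed `service-name` would go unnoticed.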
@@ -42,39 +40,17 @@ var ( scmrNoDelete bool scmrNoStart bool - scmrArgs = func(cmd *cobra.Command, args []string) (err error) { - if len(args) != 1 { - return fmt.Errorf("expected exactly 1 positional argument, got %d", len(args)) - } - if creds, target, err = authOpts.WithTarget(ctx, "cifs", args[0]); err != nil { - return fmt.Errorf("failed to parse target: %w", err) - } - log.Debug().Str("target", args[0]).Msg("Resolved target") - return nil - } - creds *adauth.Credential target *adauth.Target scmrCmd = &cobra.Command{ Use: "scmr", Short: "Establish execution via SCMR", - Args: func(cmd *cobra.Command, args []string) error { - if len(args) != 1 { - return errors.New(`command not set. Choose from (change, create)`) - } - return nil - }, - Run: func(cmd *cobra.Command, args []string) { - if err := cmd.Help(); err != nil { - panic(err) - } - }, } scmrCreateCmd = &cobra.Command{ Use: "create [target]", Short: "Create & run a new Windows service to gain execution", - Args: scmrArgs, + Args: needsTarget, RunE: func(cmd *cobra.Command, args []string) (err error) { if scmrNoDelete { log.Warn().Msg("Service will not be deleted after execution") @@ -83,7 +59,7 @@ var ( scmrDisplayName = scmrName log.Warn().Msg("No display name specified, using service name as display name") } - executor := scmrexec.Executor{} + module := scmrexec.Module{} execCfg := &exec.ExecutionConfig{ ExecutablePath: executablePath, ExecutableArgs: executableArgs, @@ -97,7 +73,7 @@ var ( StartType: windows.SERVICE_DEMAND_START, }, } - if err := executor.Exec(log.WithContext(ctx), creds, target, execCfg); err != nil { + if err := module.Exec(log.WithContext(ctx), creds, target, execCfg); err != nil { log.Fatal().Err(err).Msg("SCMR execution failed") } return nil 
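Review bot: `scmrCreateCmd` is declared with `RunE`, but the changed `module.Exec` call still ends in `log.Fatal()` followed by `return nil`, so the error is never returned to cobra. Assuming `log` is a zerolog-style logger, `Fatal` exits the process there and skips any deferred work in the callers. The inner `err :=` also shadows the named result. Returning the error gives one exit path: `if err = module.Exec(log.WithContext(ctx), creds, target, execCfg); err != nil { return err }`. The three `Run` functions added in cmd/tsch.go use the same `log.Fatal` pattern and could become `RunE` in the same way; the RunE body starts and ends outside this hunk.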
@@ -106,9 +82,9 @@ var ( scmrChangeCmd = &cobra.Command{ Use: "change [target]", Short: "Change an existing Windows service to gain execution", - Args: scmrArgs, + Args: needsTarget, Run: func(cmd *cobra.Command, args []string) { - executor := scmrexec.Executor{} + executor := scmrexec.Module{} execCfg := &exec.ExecutionConfig{ ExecutablePath: executablePath, ExecutableArgs: executableArgs, diff --git a/cmd/tsch.go b/cmd/tsch.go new file mode 100644 index 0000000..3c2038e --- /dev/null +++ b/cmd/tsch.go 
@@ -0,0 +1,134 @@
+package cmd
+
+import (
+ "fmt"
+ "github.com/FalconOpsLLC/goexec/pkg/exec"
+ tschexec "github.com/FalconOpsLLC/goexec/pkg/exec/tsch"
+ "github.com/spf13/cobra"
+ "time"
+)
+
+func tschCmdInit() {
+ tschDeleteCmdInit()
+ tschCmd.AddCommand(tschDeleteCmd)
+
+ tschRegisterCmdInit()
+ tschCmd.AddCommand(tschRegisterCmd)
+
+ tschDemandCmdInit()
+ tschCmd.AddCommand(tschDemandCmd)
+}
+
+func tschDeleteCmdInit() {
+ tschDeleteCmd.Flags().StringVarP(&tschTaskPath, "path", "t", "", "Scheduled task path")
+ tschDeleteCmd.MarkFlagRequired("path")
+}
+
+func tschDemandCmdInit() {
+ tschDemandCmd.Flags().StringVarP(&executable, "executable", "e", "", "Remote Windows executable to invoke")
+ tschDemandCmd.Flags().StringVarP(&executableArgs, "args", "a", "", "Arguments to pass to executable")
+ tschDemandCmd.Flags().StringVarP(&tschName, "name", "n", "", "Target task name")
+ tschDemandCmd.Flags().BoolVar(&tschNoDelete, "no-delete", false, "Don't delete task after execution")
+ tschDemandCmd.MarkFlagRequired("executable")
+}
+
+func tschRegisterCmdInit() {
+ tschRegisterCmd.Flags().StringVarP(&executable, "executable", "e", "", "Remote Windows executable to invoke")
+ tschRegisterCmd.Flags().StringVarP(&executableArgs, "args", "a", "", "Arguments to pass to executable")
+ tschRegisterCmd.Flags().StringVarP(&tschName, "name", "n", "", "Target task name")
+ tschRegisterCmd.Flags().DurationVar(&tschStopDelay, "delay-stop", time.Duration(5*time.Second), "Delay between task execution and termination. This will not stop the process spawned by the task")
+ tschRegisterCmd.Flags().DurationVarP(&tschDelay, "delay-start", "d", time.Duration(5*time.Second), "Delay between task registration and execution")
+ tschRegisterCmd.Flags().DurationVarP(&tschDeleteDelay, "delay-delete", "D", time.Duration(0*time.Second), "Delay between task termination and deletion")
+ tschRegisterCmd.Flags().BoolVar(&tschNoDelete, "no-delete", false, "Don't delete task after execution")
+ tschRegisterCmd.Flags().BoolVar(&tschCallDelete, "call-delete", false, "Directly call SchRpcDelete to delete task")
+
+ tschRegisterCmd.MarkFlagsMutuallyExclusive("no-delete", "delay-delete")
+ tschRegisterCmd.MarkFlagsMutuallyExclusive("no-delete", "call-delete")
+ tschRegisterCmd.MarkFlagsMutuallyExclusive("delay-delete", "call-delete")
+ tschRegisterCmd.MarkFlagRequired("executable")
+}
+
+var (
+ tschNoDelete bool
+ tschCallDelete bool
+ tschDeleteDelay time.Duration
+ tschStopDelay time.Duration
+ tschDelay time.Duration
+ tschName string
+ tschTaskPath string
+
+ tschCmd = &cobra.Command{
+ Use: "tsch",
+ Short: "Establish execution via TSCH (ITaskSchedulerService)",
+ Args: func(cmd *cobra.Command, args []string) error {
+ return fmt.Errorf("command not set. Choose from (delete, register, demand)")
+ },
+ }
+ tschRegisterCmd = &cobra.Command{
+ Use: "register [target]",
+ Short: "Register a scheduled task with an automatic start time",
+ Args: needsTarget,
+ Run: func(cmd *cobra.Command, args []string) {
+ if tschNoDelete {
+ log.Warn().Msg("Task will not be deleted after execution")
+ }
+ module := tschexec.Module{}
+ execCfg := &exec.ExecutionConfig{
+ ExecutableName: executable,
+ ExecutableArgs: executableArgs,
+ ExecutionMethod: tschexec.MethodRegister,
+
+ ExecutionMethodConfig: tschexec.MethodRegisterConfig{
+ NoDelete: tschNoDelete,
+ CallDelete: tschCallDelete,
+ StartDelay: tschDelay,
+ StopDelay: tschStopDelay,
+ DeleteDelay: tschDeleteDelay,
+ TaskName: tschName,
+ },
+ }
+ if err := module.Exec(log.WithContext(ctx), creds, target, execCfg); err != nil {
+ log.Fatal().Err(err).Msg("TSCH execution failed")
+ }
+ },
+ }
+ tschDemandCmd = &cobra.Command{
+ Use: "demand [target]",
+ Short: "Register a scheduled task and demand immediate start",
+ Args: needsTarget,
+ Run: func(cmd *cobra.Command, args []string) {
+ if tschNoDelete {
+ log.Warn().Msg("Task will not be deleted after execution")
+ }
+ module := tschexec.Module{}
+ execCfg := &exec.ExecutionConfig{
+ ExecutableName: executable,
+ ExecutableArgs: executableArgs,
+ ExecutionMethod: tschexec.MethodDemand,
+
+ ExecutionMethodConfig: tschexec.MethodDemandConfig{
+ NoDelete: tschNoDelete,
+ TaskName: tschName,
+ },
+ }
+ if err := module.Exec(log.WithContext(ctx), creds, target, execCfg); err != nil {
+ log.Fatal().Err(err).Msg("TSCH execution failed")
+ }
+ },
+ }
+ tschDeleteCmd = &cobra.Command{
+ Use: "delete [target]",
+ Short: "Delete a scheduled task",
+ Args: needsTarget,
+ Run: func(cmd *cobra.Command, args []string) {
+ module := tschexec.Module{}
+ cleanCfg := &exec.CleanupConfig{
+ CleanupMethod: tschexec.MethodDelete,
+ CleanupMethodConfig: tschexec.MethodDeleteConfig{TaskPath: tschTaskPath},
+ }
+ if err := module.Cleanup(log.WithContext(ctx), creds, target, cleanCfg); err != nil {
+ log.Fatal().Err(err).Msg("TSCH cleanup failed")
+ }
+ },
+ }
+)
|
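Review bot: The `Args` function on `tschCmd` looks unreachable, because the command has no `Run` and, as far as I can tell, cobra returns the help error for a non-runnable command before it validates arguments. This commit removes the equivalent validator from `scmrCmd`, so dropping the `Args` field here keeps the two parent commands consistent. The errors from the three `MarkFlagRequired` calls are also discarded; checking them, for example `if err := tschDeleteCmd.MarkFlagRequired("path"); err != nil { panic(err) }`, would surface a mistyped flag name at start-up. The `time.Duration(5*time.Second)` conversions are redundant and can be written `5*time.Second`.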