import contextlib
import io
import logging
import os
import sys
import time

import psutil
from pywinauto import Application, Desktop, keyboard, mouse
import wmi
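# File locations for the Outlook executable and the scratch file used by check_id().
outlook_path = "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
# NOTE(review): C:\Windows\Temp is shared by every account on the host; a per-user
# location (e.g. tempfile.gettempdir()) would avoid clashes with other users' files.
check_file = "C:\\Windows\\Temp\\test.txt"
# Titles of the dialogs shown during Outlook's initial setup.
productKey = "Enter your product key"
respectPrivacy = "Microsoft respects your privacy"
betterTogether = "Getting better together"
poweringExperience = "Powering your experiences"
# pywinauto best-match name of the inbox item whose attachment starts this threat-graph scenario.
CGViaKali = 'With Attachments, Subject Your flight has been successfully booked!, Received 1/31/2022, Size 130 KB, Flag Status Unflagged, DataItem'
# Logging: everything at DEBUG and above goes both to stdout and to cgViaKali.log in the
# current working directory, with the same line format on both handlers.
logger = logging.getLogger(__name__)
formatter = logging.Formatter("[%(asctime)s] %(levelname)s:%(name)s:%(message)s")
stream_handler = logging.StreamHandler(sys.stdout)
stream_handler.setFormatter(formatter)
# Explicit UTF-8 so that dialog titles or control dumps containing non-ASCII characters
# cannot raise UnicodeEncodeError under a legacy-codepage default encoding.
file_handler = logging.FileHandler("cgViaKali.log", encoding="utf-8")
file_handler.setFormatter(formatter)
logger.addHandler(file_handler)
logger.addHandler(stream_handler)
logger.setLevel(logging.DEBUG)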
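def killProcess(process):
    """Terminate every running process whose WMI name equals *process*.

    Args:
        process: Executable name as reported by Win32_Process.Name, e.g. 'WINWORD.EXE'.
            The comparison is exact (case-sensitive), matching the upper-case names the
            callers in this file pass.

    Logs one line per terminated instance, or a single line when nothing matched.
    """
    name = process
    logger.debug('The process I am seeking to kill is: %s', name)
    terminated = 0
    f = wmi.WMI()
    # A distinct loop variable: the original reused the parameter name, which made the
    # function read as if it terminated its own argument.
    for running in f.Win32_Process():
        if running.name == name:
            running.Terminate()
            logger.debug('I have found, and killed %s', name)
            terminated += 1
    if terminated == 0:
        logger.debug('There are no running instances of %s', name)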
def processRunCheck(processname):
    """Return True if some running process has *processname* in its name (case-insensitive substring)."""
    needle = processname.lower()
    for proc in psutil.process_iter():
        try:
            running_name = proc.name().lower()
        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
            # The process vanished or is inaccessible between enumeration and lookup: skip it.
            continue
        if needle in running_name:
            return True
    return False
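def currentWindow(app):
    """Return the title of the first top-level window of *app*.

    pywinauto prints a wrapper as ``<module>.<Class> - '<title>', <FriendlyClass>``; the title
    is the text between the ``" - '"`` and ``"', "`` markers. The previous implementation cut
    25 leading and 9 trailing characters, which is only right for a ``uiawrapper.UIAWrapper``
    whose friendly class is ``Dialog``; that fixed-offset slice is kept as a fallback when the
    markers are not present.

    Args:
        app: Connected pywinauto Application.

    Returns:
        The window title as a str.
    """
    text = str(app.windows()[0])
    _, opener, rest = text.partition(" - '")
    title, closer, _ = rest.rpartition("', ")
    if opener and closer:
        return title
    # Fallback: the hard-coded offsets of the original implementation.
    return text[25:-9]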
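def check_id(filepath, string, dialogue_object):
    """Dump *dialogue_object*'s control identifiers to *filepath* and report whether *string* occurs in them.

    Args:
        filepath: Scratch file that receives the identifier dump (overwritten, UTF-8).
        string: Text to look for in the dump.
        dialogue_object: pywinauto window/dialog whose print_control_identifiers() output is captured.

    Returns:
        True if *string* appears in the dump, else False.
    """
    # print_control_identifiers() writes to sys.stdout, so capture it with redirect_stdout:
    # the previous hand-swap of sys.stdout was never restored on error and left the file open.
    buffer = io.StringIO()
    with contextlib.redirect_stdout(buffer):
        dialogue_object.print_control_identifiers()
    content = buffer.getvalue()
    # Keep writing the dump for manual inspection. It is written and searched as the same
    # text, so the old write-as-utf8 / read-with-default-encoding mismatch is gone.
    with open(filepath, 'w', encoding="utf8") as file:
        file.write(content)
    if string in content:
        logger.debug(f'Dialogue: {string} in {dialogue_object} located.')
        return True
    logger.debug(f'Dialogue: {string} in {dialogue_object} not found.')
    return False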
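def revert_tree(app, check_file):
    """Collapse the 'Sophos' mailbox node so the inbox folder tree starts in a known state.

    Args:
        app: Connected pywinauto Application for Outlook.
        check_file: Scratch file path handed to check_id() for the identifier dump.
    """
    dlg = app[currentWindow(app)]
    # "Junk Email" presumably only appears among the control identifiers while the mailbox
    # node is expanded, so its presence is used as the "tree is open" signal — confirm.
    if check_id(check_file, "Junk Email", dlg):
        dlg.child_window(title="Sophos", control_type="TreeItem").collapse()
        logger.debug("Tree is reset")
    else:
        logger.debug("Tree is already collapsed")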
def kaliOutlook():
    """Start Outlook, dismiss the setup prompts, and open the attachment of the scenario e-mail.

    Drives the UI with pywinauto: closes the product-key prompt, steps through the privacy /
    telemetry / "Powering your experiences" dialogs when the privacy one is present, resets
    the folder tree via revert_tree(), selects the inbox item named by CGViaKali and opens
    its attachment through the "Attachment options" context menu. Window titles, button
    labels and the fixed sleeps are tied to the Outlook build this harness was written for.
    """
    logger.debug("Starting Outlook Function")
    time.sleep(3)
    logger.debug("Outlook is starting...")
    app=Application(backend="uia").start(outlook_path)
    # Fixed wait for Outlook to come up; pywinauto resolves windows lazily, so a too-short
    # sleep shows up later as a lookup failure rather than here.
    time.sleep(10)
    mainDLG=app['Outlook Today - Outlook']
    logger.debug("Pywinauto is connected to Outlook.")
    logger.debug("Clicking through product key dialogue.")
    mainDLG.child_window(title="Enter your product key", control_type="Window").child_window(title="Close", control_type="Button").click_input()
    time.sleep(3)
    # The three setup dialogs below are only clicked when the privacy prompt is found in the
    # control-identifier dump (presumably a first-run condition — confirm).
    if (check_id(check_file,respectPrivacy,mainDLG) == True):
        logger.debug("Privacy dialogue found, clicking through the rest of initial setup prompts.")
        mainDLG['Microsoft respects your privacyDialog2'].child_window(title="Next", control_type="Button").click_input()
        time.sleep(2)
        mainDLG['Getting better together'].child_window(title="Don't send optional data", control_type="Button").click_input()
        time.sleep(3)
        mainDLG['Powering your experiences2'].child_window(title="Done", control_type="Button").click_input()
    revert_tree(app,check_file)
    logger.debug("Reverted Email Inbox Tree back to initial state..")
    # Expand the mailbox node and select the Inbox; the main window is then looked up again
    # under the inbox title.
    mainDLG.child_window(title="Sophos", control_type="TreeItem").click_input(double=True)
    mainDLG.child_window(title="Inbox", control_type="TreeItem").click_input()
    mainDLG = app['Inbox - Sophos - Outlook (Unlicensed Product)']
    mainDLG[CGViaKali].click_input()
    logger.debug("Opening the attachment...")
    # Opening the attachment is the step the endpoint protection is expected to detect;
    # kaliWord() afterwards checks whether Word actually came up.
    mainDLG.child_window(title="Attachment options", control_type="Button").click_input()
    mainDLG.ContextMenu.Open.click_input()
    logger.debug("Attachment opened...")
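def returnPID(process):
    """Return the PID of the last running process whose name contains *process*, or None.

    Args:
        process: Substring to match against psutil process names (case-sensitive), e.g. 'WINWORD.EXE'.

    Returns:
        The matching PID (the last one seen when several match), or None when nothing matches.

    Processes that vanish or deny access between enumeration and the name lookup are skipped,
    mirroring processRunCheck(), instead of aborting the whole scan with an exception.
    """
    process_name = process
    processID = None
    for proc in psutil.process_iter():
        try:
            if process_name in proc.name():
                processID = proc.pid
        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
            continue
    return processID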
def kaliWord():
    """Attach to the Word instance opened from the attachment and dismiss its prompts.

    Looks up WINWORD.EXE's PID, connects pywinauto to it, clicks "No" on the safe-mode
    prompt if one is shown, then closes the product-key window of the document whose
    title starts with "DeltaFlightItinerary". Any failure inside the outer try is logged
    as the endpoint protection having blocked the file.
    """
    logger.debug("Word process is starting...")
    word = returnPID("WINWORD.EXE")
    # NOTE(review): when no PID is found this only logs and then still calls connect()
    # with process=None; presumably the intent was to stop here — confirm.
    if (isinstance(word,int) == False):
        logger.debug("Word PID not detected!")
    app = Application(backend="uia").connect(process=word, visible_only=False)
    try:
        try:
            # Safe-mode prompt: answer "No" so the document opens normally.
            mainDLG = app['Microsoft Word']
            mainDLG.No.click_input()
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
            # `except Exception:` would keep Ctrl-C working.
            logger.debug("Word is not in safe mode")
        finally:
            # Runs whether or not the safe-mode prompt existed; a failure here is
            # caught by the outer except below.
            mainDLG = app.window(title_re="^DeltaFlightItinerary")
            mainDLG.child_window(title="Enter your product key", control_type="Window").child_window(title="Close", control_type="Button").click_input()
    except:
        # NOTE(review): same bare-except caveat as above.
        logger.debug("Sophos has detected the malicious file.")
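if __name__ == '__main__':
    # Start from a clean slate: no Word instance may be left over from an earlier run.
    logger.debug("Killing any Microsoft Word Processes...")
    killProcess('WINWORD.EXE')
    if not processRunCheck('outlook.exe'):
        logger.debug("Outlook process not found, starting function...")
        logger.debug("Sleeping for 30 seconds...")
        time.sleep(30)
        kaliOutlook()
        logger.debug("Sleeping for 15 seconds...")
        time.sleep(15)
        # NOTE(review): unlike the branch below, a failure in kaliWord() here propagates
        # and the "Complete" line is never logged — confirm that asymmetry is intended.
        kaliWord()
        logger.debug("CGViaKali Script Complete.")
    else:
        logger.debug("Killing existing Outlook process...")
        killProcess('OUTLOOK.EXE')
        logger.debug("Outlook process killed.")
        logger.debug("Sleeping for 10 seconds...")
        time.sleep(10)
        kaliOutlook()
        logger.debug("Sleeping for 10 seconds...")
        time.sleep(10)
        try:
            kaliWord()
        except Exception:
            # Narrowed from a bare except so Ctrl-C / SystemExit still stop the harness;
            # the traceback is kept in the debug log to tell a blocked file from a harness bug.
            logger.debug("Sophos has detected the Lockdown Exploit", exc_info=True)
        finally:
            logger.debug("CGViaKali Script Complete.")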