…rchestration
- Add InputProvider interface (parallel to OutputProvider) in io.go
- Add ExecutionUpload struct with Provider, Reader, RemotePath, NoDelete
- Add DoUpload/CleanUpload methods on ExecutionIO
- Fix FileStager path calculation (use filepath.Rel instead of path.Join)
- Rename FileStager.Stage -> Upload, DeleteStage -> DeleteUploadedFile
- Add O_CREATE|O_TRUNC flags to remote file open for proper file creation
- Restructure ExecuteCleanMethod: Connect -> Init -> Upload -> Execute -> Cleanup
- Upload runs before execution; cleanup runs after module cleanup
- If only --upload is provided (no --exec), execution step is skipped
Co-authored-by: Carter <carter-falconops@users.noreply.github.com>
- Add registerExecutionUploadFlags() and argsUpload() in cmd/args.go
- Add uploadSource and uploadDest variables in cmd/root.go
- Initialize exec.Upload in global exec variable
- Set up SMB FileStager upload provider in PersistentPreRunE (uses C$ share)
- Add upload reader cleanup in PersistentPostRun
- Remove commented-out stageFilePath and registerStageFlags (superseded)
Co-authored-by: Carter <carter-falconops@users.noreply.github.com>
DCOM (6 commands):
- dcom mmc, shellwindows, shellbrowserwindow, htafile, excel macro, visualstudio dte
TSCH (3 commands):
- tsch demand, create, change
WMI (1 command):
- wmi proc
SCMR (2 commands):
- scmr create, change
For each command:
- Register upload flags (--upload, --upload-dest, --no-delete-upload)
- Add argsUpload('smb') to Args chain for SMB client setup
- Update MarkFlagsOneRequired to accept 'upload' as alternative to exec/command
Co-authored-by: Carter <carter-falconops@users.noreply.github.com>
Upload is a standalone action — auto-deleting the file the operator just uploaded makes no sense.
Removed:
- --no-delete-upload flag from all 12 commands
- NoDelete field from ExecutionUpload
- DeleteUploadedFile field and delete logic from FileStager
- CleanUpload method from ExecutionIO
- CleanUpload call from ExecuteCleanMethod
Co-authored-by: Carter <carter-falconops@users.noreply.github.com>
- --upload-dest is now optional; defaults to C:\Windows\Temp\<UUID> (same pattern as --out remote path generation)
- After upload, confirm file exists via SMB stat and log path + size
- Add --no-upload-confirm flag to skip the confirmation check
- Add UploadConfirmer optional interface in io.go
- Add ConfirmUpload method on FileStager (stats remote file, logs details)
Co-authored-by: Carter <carter-falconops@users.noreply.github.com>
The previous refactor (removing --no-delete-upload) accidentally removed the CleanUpload method and its call in ExecuteCleanMethod. This caused the SMB file writer handle registered in FileStager.Upload() to never be closed.
Restored:
- CleanUpload method on ExecutionIO (closes provider resources)
- CleanUpload call in ExecuteCleanMethod (after upload + confirm)
Co-authored-by: Carter <carter-falconops@users.noreply.github.com>
When --upload is combined with --exec/--command, the uploaded file is automatically deleted from the remote filesystem after execution completes. This supports the upload-execute-cleanup workflow (e.g., upload a.bat, execute cmd.exe /c a.bat, then delete a.bat — safe because cmd.exe already loaded the script). Upload-only mode (--upload without --exec) does NOT delete the file.
- Add UploadRemover optional interface in io.go
- Add RemoveUploadedFile method on FileStager (deletes via SMB)
- In ExecuteCleanMethod, call RemoveUploadedFile after execution if both upload and execution were performed
Co-authored-by: Carter <carter-falconops@users.noreply.github.com>
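The Connect -> Init -> Upload -> Execute -> Cleanup lifecycle these commits describe (upload-only keeps the file, upload plus exec removes it afterwards, CleanUpload always releases the writer handle), as an added Go illustration that is not the project's code; the names mirror the PR, while LocalStager, Run and a local directory standing in for the SMB C$ share are assumptions.

```go
package main
import (
	"io"
	"os"
	"path/filepath"
)
// Added illustration (not the project's code) of the PR's upload lifecycle; names mirror
// the PR, and LocalStager stands in for the SMB FileStager, writing below Root instead of C$.
type InputProvider interface {
	Upload(r io.Reader, remotePath string) error
	Close() error // CleanUpload: release the writer handle that Upload opened
}
type UploadConfirmer interface{ ConfirmUpload(remotePath string) error }
type UploadRemover interface{ RemoveUploadedFile(remotePath string) error }
type LocalStager struct {
	Root string
	fh   *os.File // left open until Close: the leak the PR's restore commit fixed
}
func (s *LocalStager) path(p string) string { return filepath.Join(s.Root, p) }
func (s *LocalStager) Upload(r io.Reader, p string) (err error) {
	// O_CREATE|O_TRUNC creates the file or truncates a stale one, as the PR does
	if s.fh, err = os.OpenFile(s.path(p), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600); err == nil {
		_, err = io.Copy(s.fh, r)
	}
	return err
}
func (s *LocalStager) Close() error                    { return s.fh.Close() }
func (s *LocalStager) ConfirmUpload(p string) error      { _, err := os.Stat(s.path(p)); return err }
func (s *LocalStager) RemoveUploadedFile(p string) error { return os.Remove(s.path(p)) }
// Run follows Connect -> Init -> Upload -> Execute -> Cleanup: with exec == nil
// (upload-only) the file is kept; with exec set it is removed after execution.
func Run(p InputProvider, r io.Reader, remote string, exec func() error) (removed bool, err error) {
	if err = p.Upload(r, remote); err == nil {
		if c, ok := p.(UploadConfirmer); ok {
			err = c.ConfirmUpload(remote) // confirm the remote file exists
		}
	}
	if cerr := p.Close(); err == nil { // CleanUpload always runs so the handle is released
		err = cerr
	}
	if err == nil && exec != nil {
		err = exec()
	}
	rm, ok := p.(UploadRemover)
	if err != nil || exec == nil || !ok {
		return false, err // upload-only or failed run: never delete
	}
	err = rm.RemoveUploadedFile(remote)
	return err == nil, err
}
```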
Add --upload and --upload-dest flags to all execution methods to enable stealthy file uploads via direct SMB2 writes.

This feature allows operators to upload files to remote targets without creating processes or executing commands on the target, significantly reducing the operational footprint. It reuses the existing SMB client and C$ administrative share, leveraging SMB3 encryption and signing for secure transit. For SCMR and TSCH, which already use SMB named pipes, the upload traffic is indistinguishable from existing protocol traffic.