From bba8cd3b57e3bbd0f94e9e9d4a748cffcff3fc2e Mon Sep 17 00:00:00 2001 
From: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> Date: Tue, 3 Oct 2023 10:47:58 -0400 Subject: [PATCH] Updated common.requires_os calls (#3109) --- rta/adobe_hijack.py | 2 +- rta/adobe_priv_helper_tool.py | 2 +- rta/app_bundler_execution.py | 2 +- rta/app_hijack.py | 2 +- rta/appcompat_shim.py | 2 +- rta/at_command.py | 2 +- rta/at_job.py | 2 +- rta/atom_init_coffee.py | 2 +- rta/auth_plugin.py | 2 +- rta/automator_workflows.py | 2 +- rta/background_process_from_tmp.py | 2 +- rta/bash_cmdline_history.py | 2 +- rta/bifrost_attack.py | 2 +- rta/binary_masquerade.py | 2 +- rta/bitsadmin_download.py | 2 +- rta/bitsadmin_execution.py | 2 +- rta/browser_cred_access.py | 2 +- rta/browser_debugging.py | 2 +- rta/brute_force_login.py | 2 +- rta/builtin_cmd_file_delete.py | 2 +- rta/c2_dns_from_iso.py | 2 +- rta/calendar_file_mod.py | 2 +- rta/certutil_file_obfuscation.py | 2 +- rta/certutil_webrequest.py | 2 +- rta/child_w3wp.py | 2 +- rta/clr_logs_creation.py | 2 +- rta/cmd_shell_via_word.py | 2 +- rta/cmstp_image_load.py | 2 +- rta/comsvcs_dump.py | 2 +- rta/crashdump_disabled.py | 2 +- rta/credaccess_reg_query_privesc_token_manip.py | 2 +- rta/credaccess_sam_from_vss.py | 2 +- rta/credential_access_dump_hashes_via_cmd.py | 2 +- rta/credential_access_known_utilities.py | 2 +- rta/credential_access_osascript_phishing.py | 2 +- rta/credman_discovery.py | 2 +- rta/cron_tab_file_create.py | 2 +- rta/cscript_suspicious_args.py | 2 +- rta/curl_data_exfil.py | 2 +- rta/curl_payload_download.py | 2 +- rta/curl_sus_payload.py | 2 +- rta/darkradiation.py | 2 +- rta/dcom_lateral_movement_with_mmc.py | 2 +- rta/ddns_lolbas.py | 2 +- rta/ddns_unsigned.py | 2 +- rta/defensive_evasion_reflective_loading.py | 2 +- rta/defensive_evasion_safari_modification.py | 2 +- rta/delete_bootconf.py | 2 +- rta/delete_catalogs.py | 2 +- rta/delete_quarantine_attrib.py | 2 +- rta/delete_usnjrnl.py | 2 +- rta/delete_volume_shadows.py | 2 +- 
rta/deprecated/_discovery_builtin_cmd.py | 2 +- rta/deprecated/_funzip_extract_content.py | 2 +- rta/deprecated/_linux_discovery_sensitive_files.py | 2 +- rta/deprecated/_persistence_code_extension.py | 2 +- rta/deprecated/_persistence_reopened_app.py | 2 +- rta/deprecated/_persistence_terminal_plist_mod.py | 2 +- rta/directory_service_plugin_file.py | 2 +- rta/disable_os_security_updates.py | 2 +- rta/disable_windows_fw.py | 2 +- rta/discovery_virtual_machine_grep.py | 2 +- rta/dmg_create_in_tmp.py | 2 +- rta/dock_plist.py | 2 +- rta/double_persist.py | 2 +- rta/dscl_hidden_account.py | 2 +- rta/dseditgroup_admin_add.py | 2 +- rta/dsenableroot_account.py | 2 +- rta/dylib_injection.py | 2 +- rta/dynwrapx_image_load.py | 2 +- rta/echo_tmp_file_create.py | 2 +- rta/edmond_child_process.py | 2 +- rta/eggshell_backdoor.py | 2 +- rta/eicar.py | 2 +- rta/elevated_osascript_execution.py | 2 +- rta/emond_child_process.py | 2 +- rta/emond_plist.py | 2 +- rta/empire_stager.py | 2 +- rta/enum_commands.py | 2 +- rta/enumeration_linpeas.py | 2 +- rta/env_variable_hijacking.py | 2 +- rta/evasion_addinproc_certoc_odbc_gfxdwn.py | 2 +- rta/evasion_loadlib_via_callback.py | 2 +- rta/evasion_ntdll_from_unusual_path.py | 2 +- rta/evasion_oversized_dll_load.py | 2 +- rta/evasion_patch_etw_amsi.py | 2 +- rta/evasion_unhook_ldrloaddll.py | 2 +- rta/exec_cmd_adfind.py | 2 +- rta/exec_cmd_appcmd_logging.py | 2 +- rta/exec_cmd_arp.py | 2 +- rta/exec_cmd_aspnet_regiis.py | 2 +- rta/exec_cmd_attrib_hidden.py | 2 +- rta/exec_cmd_auditpol.py | 2 +- rta/exec_cmd_clear_history.py | 2 +- rta/exec_cmd_compiled_html.py | 2 +- rta/exec_cmd_endpoint_security_masquerading.py | 2 +- rta/exec_cmd_fltmc_unload.py | 2 +- rta/exec_cmd_fsutil_fsinfo.py | 2 +- rta/exec_cmd_hidden_share.py | 2 +- rta/exec_cmd_mklink.py | 2 +- rta/exec_cmd_mpcmdrun_download.py | 2 +- rta/exec_cmd_msdt.py | 2 +- rta/exec_cmd_mssql_xp_cmdshell.py | 2 +- rta/exec_cmd_net_stop.py | 2 +- rta/exec_cmd_net_use.py | 2 +- 
rta/exec_cmd_netsh_advfirewall_network_discovery.py | 2 +- rta/exec_cmd_netsh_remotedesktop.py | 2 +- rta/exec_cmd_nltest.py | 2 +- rta/exec_cmd_non_executable_file.py | 2 +- rta/exec_cmd_ntdsdit.py | 2 +- rta/exec_cmd_posh_mailbox.py | 2 +- rta/exec_cmd_psexesvc.py | 2 +- rta/exec_cmd_pwd_appcmd.py | 2 +- rta/exec_cmd_rundll32.py | 2 +- rta/exec_cmd_rundll32_davsetcookie.py | 2 +- rta/exec_cmd_set_casmailbox.py | 2 +- rta/exec_cmd_set_mppreference.py | 2 +- rta/exec_cmd_short_name.py | 2 +- rta/exec_cmd_windows_firewall_disabled.py | 2 +- rta/exec_cmd_wmi_cmdexe.py | 2 +- rta/exec_cmd_wmi_subscription.py | 2 +- rta/exec_cmd_wmic_antivirus_enum.py | 2 +- rta/exec_cmd_workfolders.py | 2 +- rta/exec_cmd_xwizard.py | 2 +- rta/exec_conhost_indirect.py | 2 +- rta/exec_control_panel_cpl.py | 2 +- rta/exec_cscript_archive_args.py | 2 +- rta/exec_cscript_suspicious_powershell.py | 2 +- rta/exec_dll_file_compressed.py | 2 +- rta/exec_dnguard_program.py | 2 +- rta/exec_echo_named_pipe.py | 2 +- rta/exec_explorer_trampoline.py | 2 +- rta/exec_from_mount.py | 2 +- rta/exec_from_python.py | 2 +- rta/exec_from_terminal.py | 2 +- rta/exec_gfxdownloadwrapper.py | 2 +- rta/exec_ingress_tool_posh.py | 2 +- rta/exec_java_revshell_linux.py | 2 +- rta/exec_ms_dotnet_clickonce.py | 2 +- rta/exec_msdt_diagcab.py | 2 +- rta/exec_msiexec_dllregisterserver.py | 2 +- rta/exec_nohup.py | 2 +- rta/exec_persistence_from_iso.py | 2 +- rta/exec_privhelper_tool.py | 2 +- rta/exec_renamed_msbuild.py | 2 +- rta/exec_renamed_winword.py | 2 +- rta/exec_scripting_persistence_locations.py | 2 +- rta/exec_scripting_unusual_extension.py | 2 +- rta/exec_scripting_via_html_app.py | 2 +- rta/exec_sliver_posh.py | 2 +- rta/exec_sqlserver_suspicious_child.py | 2 +- rta/exec_susp_explorer.py | 2 +- rta/exec_susp_msiexec.py | 2 +- rta/exec_susp_parent_child.py | 2 +- rta/exec_svchost_child_schedule.py | 2 +- rta/exec_tclsh.py | 2 +- rta/exec_unusual_directory.py | 2 +- rta/exec_unusual_path_msmpeng.py | 2 +- 
rta/exec_vs_prebuildevent.py | 2 +- rta/exec_vsls_agent.py | 2 +- rta/exec_winword_susp_parent.py | 2 +- rta/execution_iso_dll_rundll32.py | 2 +- rta/execution_iso_dll_sideload.py | 2 +- rta/execution_node_child_process.py | 2 +- rta/execution_pubprn.py | 2 +- rta/extexport_sideload.py | 2 +- rta/file_ads_creation.py | 2 +- rta/file_create_dpapi_key.py | 2 +- rta/file_create_exchange_um.py | 2 +- rta/file_create_exec_pdf_reader.py | 2 +- rta/file_create_lsass_dump.py | 2 +- rta/file_create_mimilsa_log.py | 2 +- rta/file_create_ms_addins.py | 2 +- rta/file_create_mstsc_startup.py | 2 +- rta/file_create_outlook_vba.py | 2 +- rta/file_create_powershell_profile.py | 2 +- rta/file_create_scripting_startup.py | 2 +- rta/file_create_smss_exec.py | 2 +- rta/file_create_task_file.py | 2 +- rta/file_create_vbs_startup.py | 2 +- rta/file_creation_teamviewer.py | 2 +- rta/file_delete_spool_driver.py | 2 +- rta/file_delete_vbk.py | 2 +- rta/file_exe_ususual_extension.py | 2 +- rta/file_html_smuggling.py | 2 +- rta/file_mod_via_chmod.py | 2 +- rta/file_ms_template_macros.py | 2 +- rta/file_script_startup_folder.py | 2 +- rta/file_susp_browser_extension.py | 2 +- rta/finder_sync_plugin.py | 2 +- rta/findstr_pw_search.py | 2 +- rta/firewall_allowlist_modif_unsigned.py | 2 +- rta/fltmc_unload.py | 2 +- rta/git_creds_access.py | 2 +- rta/globalflags.py | 2 +- rta/grep_software_discovery.py | 2 +- rta/hidden_file_mount.py | 2 +- rta/hidden_plist.py | 2 +- rta/html_help_file_written_exec.py | 2 +- rta/image_load_dnguard.py | 2 +- rta/image_load_msbuild_vaultcli.py | 2 +- rta/image_load_phantomdll.py | 2 +- rta/image_load_rdp_client_dll.py | 2 +- rta/image_load_script_interpreter_wmiutils.py | 2 +- rta/image_load_taskhost.py | 2 +- rta/image_load_vaultcli.py | 2 +- rta/impersonate_trusted_installer.py | 2 +- rta/inhibit_system_recovery.py | 2 +- rta/inhibit_system_recovery_and_rename.py | 2 +- rta/inhibit_system_recovery_cmd.py | 2 +- rta/inhibit_system_recovery_lolbas_child.py | 2 +- 
rta/inhibit_system_recovery_office.py | 2 +- rta/inhibit_system_recovery_renamed.py | 2 +- rta/installutil_network.py | 2 +- rta/ip_discovery_unsigned.py | 2 +- rta/iqy_file_writes.py | 2 +- rta/javascript_payload.py | 2 +- rta/kcc_kerberos_dump.py | 2 +- rta/kerberos_netconn_file_creation.py | 2 +- rta/kernel_module_removal_execution.py | 2 +- rta/kernelext_agent_unload.py | 2 +- rta/kext_load.py | 2 +- rta/keychain_cred_access.py | 2 +- rta/keychain_dump.py | 2 +- rta/keychain_pwd_cmdline.py | 2 +- rta/lateral_command_psexec.py | 2 +- rta/lateral_commands.py | 2 +- rta/launchagent_plist.py | 2 +- rta/launchd_load_plist.py | 2 +- rta/launchdaemon_persistence.py | 2 +- rta/ldapsearch_group_enumeration.py | 2 +- rta/link_to_tmp.py | 2 +- rta/linux_compress_sensitive_files.py | 2 +- rta/login_hook.py | 2 +- rta/login_window_plist.py | 2 +- rta/lua_image_load.py | 2 +- rta/mac_office_descendant.py | 2 +- rta/macos_installer_curl.py | 2 +- rta/mimikatz_cmdline.py | 2 +- rta/mimipenguin_execution.py | 2 +- rta/modification_of_wdigest_security_provider.py | 2 +- rta/modify_sublime_app.py | 2 +- rta/mount_smbfs.py | 2 +- rta/ms_office_drop_exe.py | 2 +- rta/ms_office_task_creation.py | 2 +- rta/msbuild_network.py | 2 +- rta/msbuild_unusual_args.py | 2 +- rta/msequationeditor_file_written_exec.py | 2 +- rta/msequationeditor_net_conn.py | 2 +- rta/mshta_network.py | 2 +- rta/msiexec_http_installer.py | 2 +- rta/msiexec_remote_msi.py | 2 +- rta/msiexec_remote_msi_install.py | 2 +- rta/msoffice_addins_file.py | 2 +- rta/msoffice_dcom_accessvbom.py | 2 +- rta/msoffice_descendant_reg_mod_persistence.py | 2 +- rta/msoffice_dll_image_load.py | 2 +- rta/msoffice_file_dll_sideload.py | 2 +- rta/msoffice_file_drop_exec_wmi.py | 2 +- rta/msoffice_file_exec_script_interpreter.py | 2 +- rta/msoffice_potential_proc_inj.py | 2 +- rta/msoffice_reg_mod.py | 2 +- rta/msoffice_signed_binary_spawn.py | 2 +- rta/msoffice_startup_persistence.py | 2 +- rta/msoffice_untrusted_exec.py | 2 +- 
rta/msoffice_wmi_imageload.py | 2 +- rta/msxsl_image_load.py | 2 +- rta/msxsl_network.py | 2 +- rta/net_user_add.py | 2 +- rta/network_connection_desktopimgdownldr.py | 2 +- rta/network_connection_download_powershell.py | 2 +- rta/network_connection_download_script_interpreter.py | 2 +- rta/network_connection_external_ip_lookup_non_browser.py | 2 +- rta/network_connection_freesslcert.py | 2 +- rta/network_connection_iexplore_rundll32.py | 2 +- rta/network_connection_kerberos_port.py | 2 +- rta/network_connection_nslookup.py | 2 +- rta/network_connection_process_unusual_args.py | 2 +- rta/network_connection_rdp_tunneling.py | 2 +- rta/network_connection_unusual_rundll32.py | 2 +- rta/networksetup_vpn.py | 2 +- rta/obfuscated_cmd_commands.py | 2 +- rta/obfuscated_powershell.py | 2 +- rta/office_app_execution.py | 2 +- rta/office_application_startup.py | 2 +- rta/office_child_process.py | 2 +- rta/openssl_decode_payload.py | 2 +- rta/openssl_file_drop.py | 2 +- rta/opera_child_process.py | 2 +- rta/osascript_hidden_login_item.py | 2 +- rta/osascript_net_conn.py | 2 +- rta/osascript_sh_execution.py | 2 +- rta/osascript_suspicious_cmdline.py | 2 +- rta/outlook_suspicious_child.py | 2 +- rta/path_passed_to_system.py | 2 +- rta/payload_decode_bash_cmds.py | 2 +- rta/periodic_task_creation.py | 2 +- rta/persistence_chrome_extension.py | 2 +- rta/persistence_mail_plist.py | 2 +- rta/persistence_plist_masquerade.py | 2 +- rta/persistence_startup_item.py | 2 +- rta/persistence_startup_unusual_process.py | 2 +- rta/persistent_scripts.py | 2 +- rta/ping_delayed_exec.py | 2 +- rta/pkexec_shell.py | 2 +- rta/pkg_install_chmod.py | 2 +- rta/plist_creation.py | 2 +- rta/plistbuddy_file_modification.py | 2 +- rta/port_monitor.py | 2 +- rta/powershell_args.py | 2 +- rta/powershell_base64_gzip.py | 2 +- rta/powershell_delete_shadow_copy.py | 2 +- rta/powershell_from_script.py | 2 +- rta/powershell_unsigned_defender_exclusion.py | 2 +- rta/powershell_vault_access.py | 2 +- 
rta/privilege_escalation_remote_thread.py | 2 +- rta/privilege_escalation_tcc_bypass.py | 2 +- rta/process_double_extension.py | 2 +- rta/process_extension_anomalies.py | 2 +- rta/process_name_masquerade.py | 2 +- rta/ransomnote_delete_shadows.py | 2 +- rta/recycle_bin_process.py | 2 +- rta/reg_creation_servicedll.py | 2 +- rta/reg_mod_amsienable.py | 2 +- rta/reg_mod_appcertdlls.py | 2 +- rta/reg_mod_appinitdlls.py | 2 +- rta/reg_mod_autodialdll.py | 2 +- rta/reg_mod_base64_executable.py | 2 +- rta/reg_mod_builtindnsclientenabled.py | 2 +- rta/reg_mod_disable_uac.py | 2 +- rta/reg_mod_disableantispyware.py | 2 +- rta/reg_mod_driver_blocklist.py | 2 +- rta/reg_mod_enableat.py | 2 +- rta/reg_mod_enablescriptblocklogging.py | 2 +- rta/reg_mod_ifeo.py | 2 +- rta/reg_mod_lsa_ssp.py | 2 +- rta/reg_mod_netwire.py | 2 +- rta/reg_mod_networkprovider.py | 2 +- rta/reg_mod_nullsessionpipes.py | 2 +- rta/reg_mod_plugx.py | 2 +- rta/reg_mod_point_and_print_dll.py | 2 +- rta/reg_mod_port_forwarding.py | 2 +- rta/reg_mod_print_processors.py | 2 +- rta/reg_mod_remcos.py | 2 +- rta/reg_mod_run_key_unusual_proc.py | 2 +- rta/reg_mod_shadow_rdp.py | 2 +- rta/reg_mod_shim_sb.py | 2 +- rta/reg_mod_startup_shell_folder.py | 2 +- rta/reg_mod_suspicious_service.py | 2 +- rta/reg_mod_systemcertificates.py | 2 +- rta/reg_mod_time_provider.py | 2 +- rta/reg_mod_unusual_startup_folder.py | 2 +- rta/reg_mod_windir.py | 2 +- rta/reg_run_key_asterisk.py | 2 +- rta/reg_vss_service_disable.py | 2 +- rta/registry_hive_export.py | 2 +- rta/registry_persistence_create.py | 2 +- rta/registry_rdp_enable.py | 2 +- rta/regsvr32_scrobj.py | 2 +- rta/regsvr32_unusual_args.py | 2 +- rta/renamed_autoit.py | 2 +- rta/renamed_automaton_interpreter.py | 2 +- rta/reverse_shell.py | 2 +- rta/root_cert_install.py | 2 +- rta/root_crontab_file_modification.py | 2 +- rta/rubeus_alike_commandline.py | 2 +- rta/rundll32_inf_callback.py | 2 +- rta/rundll32_javascript_callback.py | 2 +- rta/rundll32_unusual_args.py | 2 
+- rta/rundll32_unusual_dll_extension.py | 2 +- rta/schtask_escalation.py | 2 +- rta/schtasks_xml_masqueraded.py | 2 +- rta/scp_privacy_bypass.py | 2 +- rta/screensaver_child_process.py | 2 +- rta/screensaver_plist_mod.py | 2 +- rta/scrobj_com_hijack.py | 2 +- rta/secure_file_deletion.py | 2 +- rta/security_authtrampoline.py | 2 +- rta/sensitive_file_access.py | 2 +- rta/settingcontentms_files.py | 2 +- rta/sevenzip_encrypted.py | 2 +- rta/shellcode_load_ws2_32_unbacked.py | 2 +- rta/shellcode_winexec_calc.py | 2 +- rta/shlayer_payload.py | 2 +- rta/shortcut_file_suspicious_process.py | 2 +- rta/shove_sip_bypass.py | 2 +- rta/signed_proxy_file_written_exec.py | 2 +- rta/silentprocessexit_lsass.py | 2 +- rta/sip_provider.py | 2 +- rta/smb_connection.py | 2 +- rta/solarmaker_backdoor.py | 2 +- rta/spctl_gatekeeper_bypass.py | 2 +- rta/special_chars_zip_file.py | 2 +- rta/sqlite_db_evasion.py | 2 +- rta/ssh_bruteforce.py | 2 +- rta/sticky_keys_write_execute.py | 2 +- rta/sudo_exploit.py | 2 +- rta/susp_scheduled_task_creation.py | 2 +- rta/susp_script_file_name.py | 2 +- rta/suspicious_bits_job_notify.py | 2 +- rta/suspicious_child_acrobat.py | 2 +- rta/suspicious_child_childless_process.py | 2 +- rta/suspicious_child_compattelrunner.py | 2 +- rta/suspicious_child_dns.py | 2 +- rta/suspicious_child_exchange_um.py | 2 +- rta/suspicious_child_explorer.py | 2 +- rta/suspicious_child_services.py | 2 +- rta/suspicious_child_solarwinds_businesslayerhost.py | 2 +- rta/suspicious_child_solarwindsdiagnostics.py | 2 +- rta/suspicious_child_svchost_sch.py | 2 +- rta/suspicious_child_wmiprvse.py | 2 +- rta/suspicious_child_zoom.py | 2 +- rta/suspicious_dll_registration_regsvr32.py | 2 +- rta/suspicious_lineage_script.py | 2 +- rta/suspicious_msiexec_child.py | 2 +- rta/suspicious_office_child.py | 2 +- rta/suspicious_office_children.py | 2 +- rta/suspicious_office_descendant_fp.py | 2 +- rta/suspicious_parent_cmd.py | 2 +- rta/suspicious_parent_csc.py | 2 +- 
rta/suspicious_parent_msbuild_explorer.py | 2 +- rta/suspicious_parent_msbuild_office.py | 2 +- rta/suspicious_parent_msbuild_script.py | 2 +- rta/suspicious_parent_sc.py | 2 +- rta/suspicious_parent_smss.py | 2 +- rta/suspicious_powershell_download.py | 2 +- rta/suspicious_wmic_script.py | 2 +- rta/suspicious_wscript_parent.py | 2 +- rta/system_restore_process.py | 2 +- rta/systemkey_credential_access.py | 2 +- rta/systemsetup_ssh_enable.py | 2 +- rta/tar_dylib.py | 2 +- rta/tcc_bypass_mounted_apfs.py | 2 +- rta/tcc_modification.py | 2 +- rta/trust_provider.py | 2 +- rta/uac_cdssync.py | 2 +- rta/uac_clipup.py | 2 +- rta/uac_computerdefaults.py | 2 +- rta/uac_dccw.py | 2 +- rta/uac_diskcleanup.py | 2 +- rta/uac_dism_dll_side_loading.py | 2 +- rta/uac_eventviewer.py | 2 +- rta/uac_eventvwr.py | 2 +- rta/uac_fodhelper.py | 2 +- rta/uac_icmluautil.py | 2 +- rta/uac_mmc_deserialization.py | 2 +- rta/uac_mmc_hijack.py | 2 +- rta/uac_mmc_net_core_profiler.py | 2 +- rta/uac_sdclt.py | 2 +- rta/uac_sysprep.py | 2 +- rta/uac_windir_masq.py | 2 +- rta/uac_windows_activation.py | 2 +- rta/uac_winfw_mmc.py | 2 +- rta/uac_wow64log.py | 2 +- rta/uac_wsreset.py | 2 +- rta/uncommon_persistence.py | 2 +- rta/unshadow_execution.py | 2 +- rta/unsigned_startup_item_netconn.py | 2 +- rta/unusual_kerberos_client.py | 2 +- rta/unusual_ms_tool_network.py | 2 +- rta/unusual_parent_child.py | 2 +- rta/unusual_parent_chrome_extension.py | 2 +- rta/unusual_powershell_engine_image_load.py | 2 +- rta/unusual_rdp_client.py | 2 +- rta/unzip_to_tmp.py | 2 +- rta/user_action_script.py | 2 +- rta/user_dir_escalation.py | 2 +- rta/user_mode_smb_connection.py | 2 +- rta/vaultcmd_commands.py | 2 +- rta/webproxy_modification.py | 2 +- rta/webservice_lolbas.py | 2 +- rta/webservice_unsigned.py | 2 +- rta/werfault_masquerading.py | 2 +- rta/werfault_persistence.py | 2 +- rta/wevtutil_log_clear.py | 2 +- rta/windefend_svc_stop.py | 2 +- rta/windows_script_host_file_written_exec.py | 2 +- 
rta/winrar_encrypted.py | 2 +- rta/winrar_startup_folder.py | 2 +- rta/wizardupdate_infection.py | 2 +- rta/wmi_incoming_logon.py | 2 +- rta/wmic_xsl_exec.py | 2 +- rta/wuauclt_image_load.py | 2 +- rta/xcsset_infection.py | 2 +- 484 files changed, 484 insertions(+), 484 deletions(-)
diff --git a/rta/adobe_hijack.py b/rta/adobe_hijack.py
index 3d0f91607..e143d5022 100644
--- a/rta/adobe_hijack.py
+++ b/rta/adobe_hijack.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 rdr_cef_dir = Path("C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF")
 rdrcef_exe = rdr_cef_dir / "RdrCEF.exe"
diff --git a/rta/adobe_priv_helper_tool.py b/rta/adobe_priv_helper_tool.py
index 5de11a21a..4cf0b65e2 100644
--- a/rta/adobe_priv_helper_tool.py
+++ b/rta/adobe_priv_helper_tool.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/com.adobe.ARMDC.SMJobBlessHelper"
diff --git a/rta/app_bundler_execution.py b/rta/app_bundler_execution.py
index 7f58655c6..ef583372a 100644
--- a/rta/app_bundler_execution.py
+++ b/rta/app_bundler_execution.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # create masquerades
diff --git a/rta/app_hijack.py b/rta/app_hijack.py
index 5bb950a7e..880f0829a 100644
--- a/rta/app_hijack.py
+++ b/rta/app_hijack.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 app_dir = Path("/Applications/test/Contents/")
diff --git a/rta/appcompat_shim.py b/rta/appcompat_shim.py
index 2173bef06..dd9e98071 100644
--- a/rta/appcompat_shim.py
+++ b/rta/appcompat_shim.py
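Review bot: The new `@common.requires_os(*metadata.platforms)` form assumes `requires_os` takes platform names as variadic positional arguments and that `metadata.platforms` is always a sequence of strings; neither `common.requires_os` nor `RtaMetadata` is in this patch, so if `platforms` could ever be a bare string such as `"windows"`, the splat would expand it into single characters and the OS gate would likely never match. A guard in `requires_os` that rejects any argument which is not a known OS-name string, or `RtaMetadata` normalising `platforms` to a list, would catch both the old list-as-one-argument call and a stray string. That the unsplatted call survived across all 484 files also suggests nothing exercises the gate; a unit test on `common.requires_os` covering both call shapes would keep the regression from returning. The same one-line change is made in every hunk of this patch, including adobe_priv_helper_tool.py, app_bundler_execution.py and app_hijack.py on this line, and is raised once here; each main body continues outside its hunk.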
@@ -28,7 +28,7 @@ metadata = RtaMetadata(
 SHIM_FILE = common.get_path("bin", "CVE-2013-3893.sdb")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(SHIM_FILE)
 def main():
 common.log("Application Compatibility Shims")
diff --git a/rta/at_command.py b/rta/at_command.py
index ef94cea95..a2111918b 100644
--- a/rta/at_command.py
+++ b/rta/at_command.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main(target_host=None):
 target_host = target_host or common.get_ip()
 host_str = "\\\\%s" % target_host
diff --git a/rta/at_job.py b/rta/at_job.py
index 79a89c135..d4b2b5d1e 100644
--- a/rta/at_job.py
+++ b/rta/at_job.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing file creation on /private/var/at/jobs/test.")
diff --git a/rta/atom_init_coffee.py b/rta/atom_init_coffee.py
index 59809c164..193844a45 100644
--- a/rta/atom_init_coffee.py
+++ b/rta/atom_init_coffee.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 atom_dir = Path.home().joinpath(".atom")
diff --git a/rta/auth_plugin.py b/rta/auth_plugin.py
index 8007b6735..79e5d0db4 100644
--- a/rta/auth_plugin.py
+++ b/rta/auth_plugin.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing file modification on test.plist to mimic authorization plugin modification")
diff --git a/rta/automator_workflows.py b/rta/automator_workflows.py
index d5f8d7405..917555dcc 100644
--- a/rta/automator_workflows.py
+++ b/rta/automator_workflows.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # create masquerades
diff --git a/rta/background_process_from_tmp.py b/rta/background_process_from_tmp.py
index faaa317a3..86061a350 100644
--- a/rta/background_process_from_tmp.py
+++ b/rta/background_process_from_tmp.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/sh"
diff --git a/rta/bash_cmdline_history.py b/rta/bash_cmdline_history.py
index 52a6450da..9c392dc13 100644
--- a/rta/bash_cmdline_history.py
+++ b/rta/bash_cmdline_history.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/history"
diff --git a/rta/bifrost_attack.py b/rta/bifrost_attack.py
index 9d3affeee..ab72abf1d 100644
--- a/rta/bifrost_attack.py
+++ b/rta/bifrost_attack.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bifrost"
diff --git a/rta/binary_masquerade.py b/rta/binary_masquerade.py
index cc596ad66..5366b3d84 100644
--- a/rta/binary_masquerade.py
+++ b/rta/binary_masquerade.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 if platform.processor() == "arm":
diff --git a/rta/bitsadmin_download.py b/rta/bitsadmin_download.py
index 648278dc4..d7a2c44cd 100644
--- a/rta/bitsadmin_download.py
+++ b/rta/bitsadmin_download.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Running Windows BitsAdmin to Download")
 server, ip, port = common.serve_web()
diff --git a/rta/bitsadmin_execution.py b/rta/bitsadmin_execution.py
index 667cfcd97..6b8c4cecd 100644
--- a/rta/bitsadmin_execution.py
+++ b/rta/bitsadmin_execution.py
@@ -24,7 +24,7 @@ ROOT_DIR = Path(__file__).parent
 EXE_FILE = common.get_path("bin", "renamed.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 fake_word = ROOT_DIR / "winword.exe"
diff --git a/rta/browser_cred_access.py b/rta/browser_cred_access.py
index 062f81885..9b788f5c6 100644
--- a/rta/browser_cred_access.py
+++ b/rta/browser_cred_access.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bash"
diff --git a/rta/browser_debugging.py b/rta/browser_debugging.py
index 07ac4434e..661599e4e 100644
--- a/rta/browser_debugging.py
+++ b/rta/browser_debugging.py
@@ -30,7 +30,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 param1 = "--remote-debugging-port=9222"
 param2 = "--user-data-dir=remote-profile"
diff --git a/rta/brute_force_login.py b/rta/brute_force_login.py
index 67a7e7082..4a9c12c04 100644
--- a/rta/brute_force_login.py
+++ b/rta/brute_force_login.py
@@ -29,7 +29,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main(username="rta-tester", remote_host=None):
 if not remote_host:
 common.log("A remote host is required to detonate this RTA", "!")
diff --git a/rta/builtin_cmd_file_delete.py b/rta/builtin_cmd_file_delete.py
index 2e041469e..e4f1547f6 100644
--- a/rta/builtin_cmd_file_delete.py
+++ b/rta/builtin_cmd_file_delete.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/xargs"
diff --git a/rta/c2_dns_from_iso.py b/rta/c2_dns_from_iso.py
index 0545f6f40..859374202 100644
--- a/rta/c2_dns_from_iso.py
+++ b/rta/c2_dns_from_iso.py
@@ -24,7 +24,7 @@ PROC = 'ping.exe' # ps script to mount, execute a file and unmount ISO device
 PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 if Path(ISO).is_file() and Path(PS_SCRIPT).is_file():
diff --git a/rta/calendar_file_mod.py b/rta/calendar_file_mod.py
index a83edb533..1d9fab45f 100644
--- a/rta/calendar_file_mod.py
+++ b/rta/calendar_file_mod.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cal_dir = Path(f"{Path.home()}/Library/Calendars/")
diff --git a/rta/certutil_file_obfuscation.py b/rta/certutil_file_obfuscation.py
index d2063e34a..0ee9e984a 100644
--- a/rta/certutil_file_obfuscation.py
+++ b/rta/certutil_file_obfuscation.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Encoding target")
 encoded_file = Path("encoded.txt").resolve()
diff --git a/rta/certutil_webrequest.py b/rta/certutil_webrequest.py
index 80712857e..014ac0c1f 100644
--- a/rta/certutil_webrequest.py
+++ b/rta/certutil_webrequest.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 MY_DLL = common.get_path("bin", "mydll.dll")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(MY_DLL)
 def main():
 # http server will terminate on main thread exit
diff --git a/rta/child_w3wp.py b/rta/child_w3wp.py
index 8e948fefb..3a14b38df 100644
--- a/rta/child_w3wp.py
+++ b/rta/child_w3wp.py
@@ -31,7 +31,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 w3wp = "C:\\Users\\Public\\w3wp.exe"
 common.copy_file(EXE_FILE, w3wp)
diff --git a/rta/clr_logs_creation.py b/rta/clr_logs_creation.py
index a06288517..a3affe36d 100644
--- a/rta/clr_logs_creation.py
+++ b/rta/clr_logs_creation.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msxsl = "C:\\Users\\Public\\msxsl.exe"
 fake_clr_path = "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs"
diff --git a/rta/cmd_shell_via_word.py b/rta/cmd_shell_via_word.py
index 75a596dcc..daf68634e 100644
--- a/rta/cmd_shell_via_word.py
+++ b/rta/cmd_shell_via_word.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 binary = "winword.exe"
 common.copy_file(EXE_FILE, binary)
diff --git a/rta/cmstp_image_load.py b/rta/cmstp_image_load.py
index 92209a3ca..509a7112e 100644
--- a/rta/cmstp_image_load.py
+++ b/rta/cmstp_image_load.py
@@ -24,7 +24,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cmstp = "C:\\Users\\Public\\cmstp.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/comsvcs_dump.py b/rta/comsvcs_dump.py
index 42c29a04c..2d0ea6f53 100644
--- a/rta/comsvcs_dump.py
+++ b/rta/comsvcs_dump.py
@@ -34,7 +34,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Memory Dump via Comsvcs")
 pid = os.getpid()
diff --git a/rta/crashdump_disabled.py b/rta/crashdump_disabled.py
index 720562152..409d28db0 100644
--- a/rta/crashdump_disabled.py
+++ b/rta/crashdump_disabled.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Temporarily disabling CrashDump...")
diff --git a/rta/credaccess_reg_query_privesc_token_manip.py b/rta/credaccess_reg_query_privesc_token_manip.py
index db8b4ce7d..2764211b7 100644
--- a/rta/credaccess_reg_query_privesc_token_manip.py
+++ b/rta/credaccess_reg_query_privesc_token_manip.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 techniques=["T1134", "T1003"],
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 import ctypes
 from ctypes import byref, windll, wintypes
diff --git a/rta/credaccess_sam_from_vss.py b/rta/credaccess_sam_from_vss.py
index 9697cab4b..e4f277656 100644
--- a/rta/credaccess_sam_from_vss.py
+++ b/rta/credaccess_sam_from_vss.py
@@ -32,7 +32,7 @@ def vss_create():
 results = wmi.ExecMethod_("Create", createparams)
 return results.Properties_[1].value
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 import win32file
 vss_list = get_vss_list()
diff --git a/rta/credential_access_dump_hashes_via_cmd.py b/rta/credential_access_dump_hashes_via_cmd.py
index 307515a5c..47be1e5ac 100644
--- a/rta/credential_access_dump_hashes_via_cmd.py
+++ b/rta/credential_access_dump_hashes_via_cmd.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing defaults commands to dump hashes.")
diff --git a/rta/credential_access_known_utilities.py b/rta/credential_access_known_utilities.py
index abbf8d59b..3b466ffcb 100644
--- a/rta/credential_access_known_utilities.py
+++ b/rta/credential_access_known_utilities.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     binary = "ProcessDump.exe"
     common.copy_file(EXE_FILE, binary)
diff --git a/rta/credential_access_osascript_phishing.py b/rta/credential_access_osascript_phishing.py
index 64e223b5e..a4fac6674 100644
--- a/rta/credential_access_osascript_phishing.py
+++ b/rta/credential_access_osascript_phishing.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/osascript"
diff --git a/rta/credman_discovery.py b/rta/credman_discovery.py
index 50eb18037..e49ba1ea8 100644
--- a/rta/credman_discovery.py
+++ b/rta/credman_discovery.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     appdata = os.getenv("LOCALAPPDATA")
     credmanfile = f"{appdata}\\Microsoft\\Credentials\\a.txt"
diff --git a/rta/cron_tab_file_create.py b/rta/cron_tab_file_create.py
index 4bb81bf38..0c984e927 100644
--- a/rta/cron_tab_file_create.py
+++ b/rta/cron_tab_file_create.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing file creation on /private/var/at/tabs/test.")
diff --git a/rta/cscript_suspicious_args.py b/rta/cscript_suspicious_args.py
index 73f01c368..376d843a2 100644
--- a/rta/cscript_suspicious_args.py
+++ b/rta/cscript_suspicious_args.py
@@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     cscript = "C:\\Users\\Public\\cscript.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/curl_data_exfil.py b/rta/curl_data_exfil.py
index 0e3062f20..6f59d33ad 100644
--- a/rta/curl_data_exfil.py
+++ b/rta/curl_data_exfil.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # create masquerades
diff --git a/rta/curl_payload_download.py b/rta/curl_payload_download.py
index b6c56d2d9..3b75a41b9 100644
--- a/rta/curl_payload_download.py
+++ b/rta/curl_payload_download.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/testfile"
diff --git a/rta/curl_sus_payload.py b/rta/curl_sus_payload.py
index 76616f860..55e93672b 100644
--- a/rta/curl_sus_payload.py
+++ b/rta/curl_sus_payload.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/curl"
diff --git a/rta/darkradiation.py b/rta/darkradiation.py
index 54cda4da7..3cd28ffdf 100644
--- a/rta/darkradiation.py
+++ b/rta/darkradiation.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/xargs"
diff --git a/rta/dcom_lateral_movement_with_mmc.py b/rta/dcom_lateral_movement_with_mmc.py
index cb54ac95d..910659e60 100644
--- a/rta/dcom_lateral_movement_with_mmc.py
+++ b/rta/dcom_lateral_movement_with_mmc.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main(remote_host=None):
     remote_host = remote_host or common.get_ip()
     common.log("DCOM Lateral Movement with MMC")
diff --git a/rta/ddns_lolbas.py b/rta/ddns_lolbas.py
index af9a1cb43..ec37fcaa0 100644
--- a/rta/ddns_lolbas.py
+++ b/rta/ddns_lolbas.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/ddns_unsigned.py b/rta/ddns_unsigned.py
index bff4ad7ab..39cc9e387 100644
--- a/rta/ddns_unsigned.py
+++ b/rta/ddns_unsigned.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     posh = "C:\\Users\\Public\\posh.exe"
     common.copy_file(EXE_FILE, posh)
diff --git a/rta/defensive_evasion_reflective_loading.py b/rta/defensive_evasion_reflective_loading.py
index a907afbe3..f7a28aced 100644
--- a/rta/defensive_evasion_reflective_loading.py
+++ b/rta/defensive_evasion_reflective_loading.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing deletion on /private/tmp/NSCreateObjectFileImageFromMemory-test file.")
diff --git a/rta/defensive_evasion_safari_modification.py b/rta/defensive_evasion_safari_modification.py
index 11af1258b..7ca1530e3 100644
--- a/rta/defensive_evasion_safari_modification.py
+++ b/rta/defensive_evasion_safari_modification.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/defaults"
diff --git a/rta/delete_bootconf.py b/rta/delete_bootconf.py
index 31270f3c4..d4972b420 100644
--- a/rta/delete_bootconf.py
+++ b/rta/delete_bootconf.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Messing with the boot configuration is probably not a great idea so create a backup:
     common.log("Exporting the boot configuration....")
diff --git a/rta/delete_catalogs.py b/rta/delete_catalogs.py
index 24aa819dd..266ceec9f 100644
--- a/rta/delete_catalogs.py
+++ b/rta/delete_catalogs.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     warning = "Deleting the backup catalog may have unexpected consequences. Operational issues are unknown."
     common.log("WARNING: %s" % warning, log_type="!")
diff --git a/rta/delete_quarantine_attrib.py b/rta/delete_quarantine_attrib.py
index 5e352b337..407d40083 100644
--- a/rta/delete_quarantine_attrib.py
+++ b/rta/delete_quarantine_attrib.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # create masquerades
diff --git a/rta/delete_usnjrnl.py b/rta/delete_usnjrnl.py
index 9f08963a1..7506bb695 100644
--- a/rta/delete_usnjrnl.py
+++ b/rta/delete_usnjrnl.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     message = "Deleting the USN journal may have unintended consequences"
     common.log("WARNING: %s" % message, log_type="!")
diff --git a/rta/delete_volume_shadows.py b/rta/delete_volume_shadows.py
index fef2ae862..66d57b32e 100644
--- a/rta/delete_volume_shadows.py
+++ b/rta/delete_volume_shadows.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Deleting volume shadow copies...")
     common.execute(["vssadmin.exe", "delete", "shadows", "/for=c:", "/oldest", "/quiet"])
diff --git a/rta/deprecated/_discovery_builtin_cmd.py b/rta/deprecated/_discovery_builtin_cmd.py
index 86b859d2c..33eef0abb 100644
--- a/rta/deprecated/_discovery_builtin_cmd.py
+++ b/rta/deprecated/_discovery_builtin_cmd.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/bash"
diff --git a/rta/deprecated/_funzip_extract_content.py b/rta/deprecated/_funzip_extract_content.py
index db576ce2c..ebfe8099d 100644
--- a/rta/deprecated/_funzip_extract_content.py
+++ b/rta/deprecated/_funzip_extract_content.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/bash"
diff --git a/rta/deprecated/_linux_discovery_sensitive_files.py b/rta/deprecated/_linux_discovery_sensitive_files.py
index 6fa99840e..60ce89377 100644
--- a/rta/deprecated/_linux_discovery_sensitive_files.py
+++ b/rta/deprecated/_linux_discovery_sensitive_files.py
@@ -14,7 +14,7 @@ from . import RtaMetadata
 metadata = RtaMetadata(uuid="82358d3d-6f04-42d0-a182-db37cf98294e", platforms=["linux"], endpoint=[], siem=[], techniques=[])
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Reading sensitive files", log_type="~")
diff --git a/rta/deprecated/_persistence_code_extension.py b/rta/deprecated/_persistence_code_extension.py
index 53f860775..ca591cd57 100644
--- a/rta/deprecated/_persistence_code_extension.py
+++ b/rta/deprecated/_persistence_code_extension.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/code"
diff --git a/rta/deprecated/_persistence_reopened_app.py b/rta/deprecated/_persistence_reopened_app.py
index 0c146873f..3bbe09893 100644
--- a/rta/deprecated/_persistence_reopened_app.py
+++ b/rta/deprecated/_persistence_reopened_app.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # create masquerades
diff --git a/rta/deprecated/_persistence_terminal_plist_mod.py b/rta/deprecated/_persistence_terminal_plist_mod.py
index 3141d85b2..a5527f336 100644
--- a/rta/deprecated/_persistence_terminal_plist_mod.py
+++ b/rta/deprecated/_persistence_terminal_plist_mod.py
@@ -36,7 +36,7 @@ plist_content = """
 """
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing plutil commands to modify plist file.")
diff --git a/rta/directory_service_plugin_file.py b/rta/directory_service_plugin_file.py
index 5152f13c7..6c7fbff44 100644
--- a/rta/directory_service_plugin_file.py
+++ b/rta/directory_service_plugin_file.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing file modification on test.dsplug to mimic DirectoryService plugin modification")
diff --git a/rta/disable_os_security_updates.py b/rta/disable_os_security_updates.py
index d5f316d01..2932eeba4 100644
--- a/rta/disable_os_security_updates.py
+++ b/rta/disable_os_security_updates.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/defaults"
diff --git a/rta/disable_windows_fw.py b/rta/disable_windows_fw.py
index 35323c3af..15bff40d8 100644
--- a/rta/disable_windows_fw.py
+++ b/rta/disable_windows_fw.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("NetSH Advanced Firewall Configuration", log_type="~")
     netsh = "netsh.exe"
diff --git a/rta/discovery_virtual_machine_grep.py b/rta/discovery_virtual_machine_grep.py
index 86f7cce49..d32936031 100644
--- a/rta/discovery_virtual_machine_grep.py
+++ b/rta/discovery_virtual_machine_grep.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing egrep commands to fingerprint virtual machine.")
diff --git a/rta/dmg_create_in_tmp.py b/rta/dmg_create_in_tmp.py
index 52c0552ac..345818ee0 100644
--- a/rta/dmg_create_in_tmp.py
+++ b/rta/dmg_create_in_tmp.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     tmp_dir = Path("/tmp/TestDMGDir")
diff --git a/rta/dock_plist.py b/rta/dock_plist.py
index 7695da37e..f6a9b9563 100644
--- a/rta/dock_plist.py
+++ b/rta/dock_plist.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing file modification on com.apple.dock.plist to mimic dock plist modification")
diff --git a/rta/double_persist.py b/rta/double_persist.py
index 236898088..65165ee82 100644
--- a/rta/double_persist.py
+++ b/rta/double_persist.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "DoublePersist.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     binary = "DoublePersist.exe"
     common.copy_file(EXE_FILE, binary)
diff --git a/rta/dscl_hidden_account.py b/rta/dscl_hidden_account.py
index 1c06e02be..3ee3fea3a 100644
--- a/rta/dscl_hidden_account.py
+++ b/rta/dscl_hidden_account.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/dscl"
diff --git a/rta/dseditgroup_admin_add.py b/rta/dseditgroup_admin_add.py
index bd8278216..a0e579801 100644
--- a/rta/dseditgroup_admin_add.py
+++ b/rta/dseditgroup_admin_add.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/dseditgroup"
diff --git a/rta/dsenableroot_account.py b/rta/dsenableroot_account.py
index 576142b33..271194686 100644
--- a/rta/dsenableroot_account.py
+++ b/rta/dsenableroot_account.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/dsenableroot"
diff --git a/rta/dylib_injection.py b/rta/dylib_injection.py
index 5b6bab71c..b384f9a58 100644
--- a/rta/dylib_injection.py
+++ b/rta/dylib_injection.py
@@ -30,7 +30,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     if platform.processor() == "arm":
diff --git a/rta/dynwrapx_image_load.py b/rta/dynwrapx_image_load.py
index 17c8aa373..ddde48ff0 100644
--- a/rta/dynwrapx_image_load.py
+++ b/rta/dynwrapx_image_load.py
@@ -29,7 +29,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     cscript = "C:\\Users\\Public\\cscript.exe"
     user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/echo_tmp_file_create.py b/rta/echo_tmp_file_create.py
index b1cf5902e..d6d80ec62 100644
--- a/rta/echo_tmp_file_create.py
+++ b/rta/echo_tmp_file_create.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     file_path = "/tmp/test"
diff --git a/rta/edmond_child_process.py b/rta/edmond_child_process.py
index 0d8eec9ba..fe373c4e5 100644
--- a/rta/edmond_child_process.py
+++ b/rta/edmond_child_process.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/emond"
diff --git a/rta/eggshell_backdoor.py b/rta/eggshell_backdoor.py
index 316713975..9576f85bc 100644
--- a/rta/eggshell_backdoor.py
+++ b/rta/eggshell_backdoor.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/eggshell"
diff --git a/rta/eicar.py b/rta/eicar.py
index 6be6f738b..6e3cd0fda 100644
--- a/rta/eicar.py
+++ b/rta/eicar.py
@@ -15,7 +15,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/bash"
diff --git a/rta/elevated_osascript_execution.py b/rta/elevated_osascript_execution.py
index 2b5933e52..ccc998ef9 100644
--- a/rta/elevated_osascript_execution.py
+++ b/rta/elevated_osascript_execution.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # create masquerades
diff --git a/rta/emond_child_process.py b/rta/emond_child_process.py
index e14a7b246..bfd89efb5 100644
--- a/rta/emond_child_process.py
+++ b/rta/emond_child_process.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # create masquerades
diff --git a/rta/emond_plist.py b/rta/emond_plist.py
index 25c692c02..349bd34b8 100644
--- a/rta/emond_plist.py
+++ b/rta/emond_plist.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing file modification on test.plist to mimic emond file modification")
diff --git a/rta/empire_stager.py b/rta/empire_stager.py
index 81d4ff257..be0743519 100644
--- a/rta/empire_stager.py
+++ b/rta/empire_stager.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/bash"
diff --git a/rta/enum_commands.py b/rta/enum_commands.py
index 31be7d360..809534cc8 100644
--- a/rta/enum_commands.py
+++ b/rta/enum_commands.py
@@ -27,7 +27,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main(args=None):
     slow_commands = ["gpresult.exe /z", "systeminfo.exe"]
diff --git a/rta/enumeration_linpeas.py b/rta/enumeration_linpeas.py
index 059bee14d..684e2e1f5 100644
--- a/rta/enumeration_linpeas.py
+++ b/rta/enumeration_linpeas.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/sed"
diff --git a/rta/env_variable_hijacking.py b/rta/env_variable_hijacking.py
index f2663cc22..f8ae76092 100644
--- a/rta/env_variable_hijacking.py
+++ b/rta/env_variable_hijacking.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/launchctl"
diff --git a/rta/evasion_addinproc_certoc_odbc_gfxdwn.py b/rta/evasion_addinproc_certoc_odbc_gfxdwn.py
index 0432e3fe0..fc885368e 100644
--- a/rta/evasion_addinproc_certoc_odbc_gfxdwn.py
+++ b/rta/evasion_addinproc_certoc_odbc_gfxdwn.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     addinproc = "C:\\Users\\Public\\AddInProcess.exe"
     certoc = "C:\\Users\\Public\\CertOc.exe"
diff --git a/rta/evasion_loadlib_via_callback.py b/rta/evasion_loadlib_via_callback.py
index 381461014..c4be1ac25 100644
--- a/rta/evasion_loadlib_via_callback.py
+++ b/rta/evasion_loadlib_via_callback.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 # source code - https://gist.github.com/joe-desimone/0b2bb00eca4c522ba0bd5541a6f3528b
 BIN = common.get_path("bin", "LoadLib-Callback64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     if Path(BIN).is_file():
diff --git a/rta/evasion_ntdll_from_unusual_path.py b/rta/evasion_ntdll_from_unusual_path.py
index e447052fb..23a7de872 100644
--- a/rta/evasion_ntdll_from_unusual_path.py
+++ b/rta/evasion_ntdll_from_unusual_path.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     import time
     from os import path
diff --git a/rta/evasion_oversized_dll_load.py b/rta/evasion_oversized_dll_load.py
index 1622d8b23..23bfaf7e4 100644
--- a/rta/evasion_oversized_dll_load.py
+++ b/rta/evasion_oversized_dll_load.py
@@ -28,7 +28,7 @@ DLL = common.get_path("bin", "faultrep.dll")
 WER = "c:\\windows\\system32\\werfault.exe"
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     import os
     from os import path
diff --git a/rta/evasion_patch_etw_amsi.py b/rta/evasion_patch_etw_amsi.py
index e7b96959b..3b64b4dc1 100644
--- a/rta/evasion_patch_etw_amsi.py
+++ b/rta/evasion_patch_etw_amsi.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     import ctypes, platform
     from ctypes import windll, wintypes
diff --git a/rta/evasion_unhook_ldrloaddll.py b/rta/evasion_unhook_ldrloaddll.py
index 971059e8d..73e77bfac 100644
--- a/rta/evasion_unhook_ldrloaddll.py
+++ b/rta/evasion_unhook_ldrloaddll.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 # source code -https://gist.github.com/Samirbous/cee44dbd0254c28d4f57709d5c723aee
 BIN = common.get_path("bin", "rta_unhook_ldrload.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     if Path(BIN).is_file():
diff --git a/rta/exec_cmd_adfind.py b/rta/exec_cmd_adfind.py
index 0a0e3e637..edf3a227e 100644
--- a/rta/exec_cmd_adfind.py
+++ b/rta/exec_cmd_adfind.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     adfind = "C:\\Users\\Public\\adfind.exe"
     common.copy_file(EXE_FILE, adfind)
diff --git a/rta/exec_cmd_appcmd_logging.py b/rta/exec_cmd_appcmd_logging.py
index 65bf28334..c130416de 100644
--- a/rta/exec_cmd_appcmd_logging.py
+++ b/rta/exec_cmd_appcmd_logging.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     appcmd = "C:\\Users\\Public\\appcmd.exe"
     common.copy_file(EXE_FILE, appcmd)
diff --git a/rta/exec_cmd_arp.py b/rta/exec_cmd_arp.py
index 0cbee9bd4..9c0cf5001 100644
--- a/rta/exec_cmd_arp.py
+++ b/rta/exec_cmd_arp.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     arp = "C:\\Windows\\System32\\arp.exe"
diff --git a/rta/exec_cmd_aspnet_regiis.py b/rta/exec_cmd_aspnet_regiis.py
index 5e0ce2f3e..e527dd218 100644
--- a/rta/exec_cmd_aspnet_regiis.py
+++ b/rta/exec_cmd_aspnet_regiis.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     aspnet_regiis = "C:\\Users\\Public\\aspnet_regiis.exe"
     common.copy_file(EXE_FILE, aspnet_regiis)
diff --git a/rta/exec_cmd_attrib_hidden.py b/rta/exec_cmd_attrib_hidden.py
index e2294f4f5..56461d09d 100644
--- a/rta/exec_cmd_attrib_hidden.py
+++ b/rta/exec_cmd_attrib_hidden.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     attrib = "C:\\Users\\Public\\attrib.exe"
     common.copy_file(EXE_FILE, attrib)
diff --git a/rta/exec_cmd_auditpol.py b/rta/exec_cmd_auditpol.py
index 29f71425c..c7ec086df 100644
--- a/rta/exec_cmd_auditpol.py
+++ b/rta/exec_cmd_auditpol.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     auditpol = "C:\\Users\\Public\\auditpol.exe"
     common.copy_file(EXE_FILE, auditpol)
diff --git a/rta/exec_cmd_clear_history.py b/rta/exec_cmd_clear_history.py
index 1ab2d5b81..3db358367 100644
--- a/rta/exec_cmd_clear_history.py
+++ b/rta/exec_cmd_clear_history.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_compiled_html.py b/rta/exec_cmd_compiled_html.py
index 192ca5ad7..2964589b4 100644
--- a/rta/exec_cmd_compiled_html.py
+++ b/rta/exec_cmd_compiled_html.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     hh = "C:\\Users\\Public\\hh.exe"
     mshta = "C:\\Windows\\System32\\mshta.exe"
diff --git a/rta/exec_cmd_endpoint_security_masquerading.py b/rta/exec_cmd_endpoint_security_masquerading.py
index 49326746c..586006bf2 100644
--- a/rta/exec_cmd_endpoint_security_masquerading.py
+++ b/rta/exec_cmd_endpoint_security_masquerading.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     esensor = "C:\\Users\\Public\\esensor.exe"
     common.copy_file(EXE_FILE, esensor)
diff --git a/rta/exec_cmd_fltmc_unload.py b/rta/exec_cmd_fltmc_unload.py
index 56069e36e..68bdae44e 100644
--- a/rta/exec_cmd_fltmc_unload.py
+++ b/rta/exec_cmd_fltmc_unload.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     fltmc = "C:\\Users\\Public\\fltmc.exe"
     common.copy_file(EXE_FILE, fltmc)
diff --git a/rta/exec_cmd_fsutil_fsinfo.py b/rta/exec_cmd_fsutil_fsinfo.py
index b7ccd111a..d63934494 100644
--- a/rta/exec_cmd_fsutil_fsinfo.py
+++ b/rta/exec_cmd_fsutil_fsinfo.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     fsutil = "C:\\Windows\\System32\\fsutil.exe"
diff --git a/rta/exec_cmd_hidden_share.py b/rta/exec_cmd_hidden_share.py
index a5a4ae60c..f3ac01b33 100644
--- a/rta/exec_cmd_hidden_share.py
+++ b/rta/exec_cmd_hidden_share.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     xcopy = "C:\\Users\\Public\\xcopy.exe"
     common.copy_file(EXE_FILE, xcopy)
diff --git a/rta/exec_cmd_mklink.py b/rta/exec_cmd_mklink.py
index aa09a77b3..849db50b6 100644
--- a/rta/exec_cmd_mklink.py
+++ b/rta/exec_cmd_mklink.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_mpcmdrun_download.py b/rta/exec_cmd_mpcmdrun_download.py
index 688595156..377278e7d 100644
--- a/rta/exec_cmd_mpcmdrun_download.py
+++ b/rta/exec_cmd_mpcmdrun_download.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     mpcmdrun = "C:\\Users\\Public\\MpCmdRun.exe"
     common.copy_file(EXE_FILE, mpcmdrun)
diff --git a/rta/exec_cmd_msdt.py b/rta/exec_cmd_msdt.py
index 96e92fd3e..c75f68bec 100644
--- a/rta/exec_cmd_msdt.py
+++ b/rta/exec_cmd_msdt.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     msdt = "C:\\Users\\Public\\rta.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cmd_mssql_xp_cmdshell.py b/rta/exec_cmd_mssql_xp_cmdshell.py
index ab503819a..a6fb54414 100644
--- a/rta/exec_cmd_mssql_xp_cmdshell.py
+++ b/rta/exec_cmd_mssql_xp_cmdshell.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     sqlservr = "C:\\Users\\Public\\sqlservr.exe"
     cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/exec_cmd_net_stop.py b/rta/exec_cmd_net_stop.py
index fbf042f4f..a2dd815c7 100644
--- a/rta/exec_cmd_net_stop.py
+++ b/rta/exec_cmd_net_stop.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     net = "C:\\Users\\Public\\net.exe"
     common.copy_file(EXE_FILE, net)
diff --git a/rta/exec_cmd_net_use.py b/rta/exec_cmd_net_use.py
index 410e16218..de5412d08 100644
--- a/rta/exec_cmd_net_use.py
+++ b/rta/exec_cmd_net_use.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     net = "C:\\Users\\Public\\net.exe"
     common.copy_file(EXE_FILE, net)
diff --git a/rta/exec_cmd_netsh_advfirewall_network_discovery.py b/rta/exec_cmd_netsh_advfirewall_network_discovery.py
index 428508a9d..1e9c310ae 100644
--- a/rta/exec_cmd_netsh_advfirewall_network_discovery.py
+++ b/rta/exec_cmd_netsh_advfirewall_network_discovery.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     netsh = "C:\\Users\\Public\\netsh.exe"
     common.copy_file(EXE_FILE, netsh)
diff --git a/rta/exec_cmd_netsh_remotedesktop.py b/rta/exec_cmd_netsh_remotedesktop.py
index 4feed5efd..f71c86884 100644
--- a/rta/exec_cmd_netsh_remotedesktop.py
+++ b/rta/exec_cmd_netsh_remotedesktop.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     netsh = "C:\\Users\\Public\\netsh.exe"
     common.copy_file(EXE_FILE, netsh)
diff --git a/rta/exec_cmd_nltest.py b/rta/exec_cmd_nltest.py
index 60ddf1be3..73b7b679e 100644
--- a/rta/exec_cmd_nltest.py
+++ b/rta/exec_cmd_nltest.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_non_executable_file.py b/rta/exec_cmd_non_executable_file.py
index ce8eecd0b..cc5ea269c 100644
--- a/rta/exec_cmd_non_executable_file.py
+++ b/rta/exec_cmd_non_executable_file.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing bash on unexecutable file.")
diff --git a/rta/exec_cmd_ntdsdit.py b/rta/exec_cmd_ntdsdit.py
index 670d7e8df..989ef6740 100644
--- a/rta/exec_cmd_ntdsdit.py
+++ b/rta/exec_cmd_ntdsdit.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_posh_mailbox.py b/rta/exec_cmd_posh_mailbox.py
index 2e4432f2d..65d96fbbf 100644
--- a/rta/exec_cmd_posh_mailbox.py
+++ b/rta/exec_cmd_posh_mailbox.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_psexesvc.py b/rta/exec_cmd_psexesvc.py
index c04123aed..839047caa 100644
--- a/rta/exec_cmd_psexesvc.py
+++ b/rta/exec_cmd_psexesvc.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 psexesvc = "C:\\Users\\Public\\rta.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cmd_pwd_appcmd.py b/rta/exec_cmd_pwd_appcmd.py
index 8c839baa1..0e5a62874 100644
--- a/rta/exec_cmd_pwd_appcmd.py
+++ b/rta/exec_cmd_pwd_appcmd.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 appcmd = "C:\\Users\\Public\\appcmd.exe"
 common.copy_file(EXE_FILE, appcmd)
diff --git a/rta/exec_cmd_rundll32.py b/rta/exec_cmd_rundll32.py
index cab4f0809..da7734727 100644
--- a/rta/exec_cmd_rundll32.py
+++ b/rta/exec_cmd_rundll32.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 rundll32 = "C:\\Users\\Public\\rundll32.exe"
 cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/exec_cmd_rundll32_davsetcookie.py b/rta/exec_cmd_rundll32_davsetcookie.py
index 2f4e7f777..f0dbe28af 100644
--- a/rta/exec_cmd_rundll32_davsetcookie.py
+++ b/rta/exec_cmd_rundll32_davsetcookie.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 rundll32 = "C:\\Users\\Public\\rundll32.exe"
 common.copy_file(EXE_FILE, rundll32)
diff --git a/rta/exec_cmd_set_casmailbox.py b/rta/exec_cmd_set_casmailbox.py
index 2bb6a021f..21282aa6b 100644
--- a/rta/exec_cmd_set_casmailbox.py
+++ b/rta/exec_cmd_set_casmailbox.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 common.execute([powershell, "/c", "echo", "Set-CASMailbox ActiveSyncAllowedDeviceIDs"], timeout=5, kill=True)
diff --git a/rta/exec_cmd_set_mppreference.py b/rta/exec_cmd_set_mppreference.py
index 365384480..cb74c8dba 100644
--- a/rta/exec_cmd_set_mppreference.py
+++ b/rta/exec_cmd_set_mppreference.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_short_name.py b/rta/exec_cmd_short_name.py
index 4bc9e79d4..2c6fa9c3d 100644
--- a/rta/exec_cmd_short_name.py
+++ b/rta/exec_cmd_short_name.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 rta = "C:\\Users\\Public\\a.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cmd_windows_firewall_disabled.py b/rta/exec_cmd_windows_firewall_disabled.py
index f71f6da1f..5f0f3cbb9 100644
--- a/rta/exec_cmd_windows_firewall_disabled.py
+++ b/rta/exec_cmd_windows_firewall_disabled.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_wmi_cmdexe.py b/rta/exec_cmd_wmi_cmdexe.py
index 55769d179..87edfc170 100644
--- a/rta/exec_cmd_wmi_cmdexe.py
+++ b/rta/exec_cmd_wmi_cmdexe.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 wmiprvse = "C:\\Users\\Public\\wmiprvse.exe"
 cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/exec_cmd_wmi_subscription.py b/rta/exec_cmd_wmi_subscription.py
index 01a737558..70532e72e 100644
--- a/rta/exec_cmd_wmi_subscription.py
+++ b/rta/exec_cmd_wmi_subscription.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 wmic = "C:\\Users\\Public\\wmic.exe"
 common.copy_file(EXE_FILE, wmic)
diff --git a/rta/exec_cmd_wmic_antivirus_enum.py b/rta/exec_cmd_wmic_antivirus_enum.py
index 7a8eda2ed..1ceacc3b2 100644
--- a/rta/exec_cmd_wmic_antivirus_enum.py
+++ b/rta/exec_cmd_wmic_antivirus_enum.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 wmic = "C:\\Windows\\System32\\wbem\\WMIC.exe"
diff --git a/rta/exec_cmd_workfolders.py b/rta/exec_cmd_workfolders.py
index e8f533917..1ac8cd2c0 100644
--- a/rta/exec_cmd_workfolders.py
+++ b/rta/exec_cmd_workfolders.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 workfolders = "C:\\Users\\Public\\WorkFolders.exe"
 control = "C:\\Users\\Public\\control.exe"
diff --git a/rta/exec_cmd_xwizard.py b/rta/exec_cmd_xwizard.py
index c80fd53f8..6a769e432 100644
--- a/rta/exec_cmd_xwizard.py
+++ b/rta/exec_cmd_xwizard.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 xwizard = "C:\\Users\\Public\\xwizard.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_conhost_indirect.py b/rta/exec_conhost_indirect.py
index 22d1cfb70..b2dc7657c 100644
--- a/rta/exec_conhost_indirect.py
+++ b/rta/exec_conhost_indirect.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 conhost = "C:\\Users\\Public\\conhost.exe"
 posh = "C:\\Users\\Public\\posh.exe"
diff --git a/rta/exec_control_panel_cpl.py b/rta/exec_control_panel_cpl.py
index c9bd41364..0b261aaa6 100644
--- a/rta/exec_control_panel_cpl.py
+++ b/rta/exec_control_panel_cpl.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # Execute command
diff --git a/rta/exec_cscript_archive_args.py b/rta/exec_cscript_archive_args.py
index 3c0e65783..fc412d9fc 100644
--- a/rta/exec_cscript_archive_args.py
+++ b/rta/exec_cscript_archive_args.py
@@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cscript = "C:\\Users\\Public\\cscript.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cscript_suspicious_powershell.py b/rta/exec_cscript_suspicious_powershell.py
index 09fff7242..a1225e131 100644
--- a/rta/exec_cscript_suspicious_powershell.py
+++ b/rta/exec_cscript_suspicious_powershell.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cscript = "C:\\Users\\Public\\cscript.exe"
 common.copy_file(EXE_FILE, cscript)
diff --git a/rta/exec_dll_file_compressed.py b/rta/exec_dll_file_compressed.py
index 628a90bf4..56d0fda03 100644
--- a/rta/exec_dll_file_compressed.py
+++ b/rta/exec_dll_file_compressed.py
@@ -19,7 +19,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Users\\Public\\Temp\\7z\\"
 Path(path).mkdir(parents=True, exist_ok=True)
diff --git a/rta/exec_dnguard_program.py b/rta/exec_dnguard_program.py
index 1dde467e4..04f691ee3 100644
--- a/rta/exec_dnguard_program.py
+++ b/rta/exec_dnguard_program.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 posh = "C:\\Users\\Public\\posh.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/exec_echo_named_pipe.py b/rta/exec_echo_named_pipe.py
index 5a67df1bf..80a3a95f8 100644
--- a/rta/exec_echo_named_pipe.py
+++ b/rta/exec_echo_named_pipe.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # Execute command
diff --git a/rta/exec_explorer_trampoline.py b/rta/exec_explorer_trampoline.py
index 1916b3419..2d5c8a1af 100644
--- a/rta/exec_explorer_trampoline.py
+++ b/rta/exec_explorer_trampoline.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 explorer = "C:\\Users\\Public\\explorer.exe"
 common.copy_file(EXE_FILE, explorer)
diff --git a/rta/exec_from_mount.py b/rta/exec_from_mount.py
index a145f9bac..168a95a7f 100644
--- a/rta/exec_from_mount.py
+++ b/rta/exec_from_mount.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/Volumes/bash"
diff --git a/rta/exec_from_python.py b/rta/exec_from_python.py
index 62aef4e42..0c94ec7e4 100644
--- a/rta/exec_from_python.py
+++ b/rta/exec_from_python.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # test_file = "/tmp/test.txt"
diff --git a/rta/exec_from_terminal.py b/rta/exec_from_terminal.py
index e5a5857d5..da185c70e 100644
--- a/rta/exec_from_terminal.py
+++ b/rta/exec_from_terminal.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/terminal"
diff --git a/rta/exec_gfxdownloadwrapper.py b/rta/exec_gfxdownloadwrapper.py
index 7a1b488b1..2f5a8d1bd 100644
--- a/rta/exec_gfxdownloadwrapper.py
+++ b/rta/exec_gfxdownloadwrapper.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 gfx = "C:\\Users\\Public\\GfxDownloadWrapper.exe"
 common.copy_file(EXE_FILE, gfx)
diff --git a/rta/exec_ingress_tool_posh.py b/rta/exec_ingress_tool_posh.py
index b802aae0d..59b786177 100644
--- a/rta/exec_ingress_tool_posh.py
+++ b/rta/exec_ingress_tool_posh.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Users\\Public\\powershell.exe"
 common.copy_file(EXE_FILE, powershell)
diff --git a/rta/exec_java_revshell_linux.py b/rta/exec_java_revshell_linux.py
index 6afc5de9c..e56b8bfb4 100644
--- a/rta/exec_java_revshell_linux.py
+++ b/rta/exec_java_revshell_linux.py
@@ -14,7 +14,7 @@ metadata = RtaMetadata(
 techniques=["T1059", "T1071"],
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Creating a fake Java executable..")
diff --git a/rta/exec_ms_dotnet_clickonce.py b/rta/exec_ms_dotnet_clickonce.py
index 9cd761e0b..db0994975 100644
--- a/rta/exec_ms_dotnet_clickonce.py
+++ b/rta/exec_ms_dotnet_clickonce.py
@@ -29,7 +29,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 rundll32 = "C:\\Users\\Public\\rundll32.exe"
 dfsvc = "C:\\Users\\Public\\dfsvc.exe"
diff --git a/rta/exec_msdt_diagcab.py b/rta/exec_msdt_diagcab.py
index 60ceb1fd8..a2373e32e 100644
--- a/rta/exec_msdt_diagcab.py
+++ b/rta/exec_msdt_diagcab.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 firefox = "C:\\Users\\Public\\firefox.exe"
 msdt = "C:\\Users\\Public\\msdt.exe"
diff --git a/rta/exec_msiexec_dllregisterserver.py b/rta/exec_msiexec_dllregisterserver.py
index 7f84d5b18..7e2b7ca8f 100644
--- a/rta/exec_msiexec_dllregisterserver.py
+++ b/rta/exec_msiexec_dllregisterserver.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msiexec = "C:\\Windows\\System32\\msiexec.exe"
diff --git a/rta/exec_nohup.py b/rta/exec_nohup.py
index 471c31633..a10b90d3e 100644
--- a/rta/exec_nohup.py
+++ b/rta/exec_nohup.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 test_file = "/tmp/test.txt"
diff --git a/rta/exec_persistence_from_iso.py b/rta/exec_persistence_from_iso.py
index 74dea60e4..3871fcb42 100644
--- a/rta/exec_persistence_from_iso.py
+++ b/rta/exec_persistence_from_iso.py
@@ -23,7 +23,7 @@ PROC = 'cmd.exe' # ps script to mount, execute a file and unmount ISO device
 PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 if Path(ISO).is_file() and Path(PS_SCRIPT).is_file():
diff --git a/rta/exec_privhelper_tool.py b/rta/exec_privhelper_tool.py
index 9541ae934..234e7345c 100644
--- a/rta/exec_privhelper_tool.py
+++ b/rta/exec_privhelper_tool.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 tools = Path("/Library/PrivilegedHelperTools")
diff --git a/rta/exec_renamed_msbuild.py b/rta/exec_renamed_msbuild.py
index e8d8c6c86..70d06817c 100644
--- a/rta/exec_renamed_msbuild.py
+++ b/rta/exec_renamed_msbuild.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msbuild = "C:\\Users\\Public\\rta.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_renamed_winword.py b/rta/exec_renamed_winword.py
index 814cfa366..030d53476 100644
--- a/rta/exec_renamed_winword.py
+++ b/rta/exec_renamed_winword.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\rta.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_scripting_persistence_locations.py b/rta/exec_scripting_persistence_locations.py
index e87bae2e5..627a5f381 100644
--- a/rta/exec_scripting_persistence_locations.py
+++ b/rta/exec_scripting_persistence_locations.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_scripting_unusual_extension.py b/rta/exec_scripting_unusual_extension.py
index 6b1750ae5..3f0c43710 100644
--- a/rta/exec_scripting_unusual_extension.py
+++ b/rta/exec_scripting_unusual_extension.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing cscript against .exe")
 common.execute(["cmd.exe", "/c", "cscript.exe", "/e:Vbscript", "cmd.exe"], timeout=5, kill=True)
diff --git a/rta/exec_scripting_via_html_app.py b/rta/exec_scripting_via_html_app.py
index ff8d81026..c2597dae5 100644
--- a/rta/exec_scripting_via_html_app.py
+++ b/rta/exec_scripting_via_html_app.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # Execute Command
 # Had a hard time trying to escape the quotes that would be needed to execute a real command using
diff --git a/rta/exec_sliver_posh.py b/rta/exec_sliver_posh.py
index b8c2ab945..15fec41cf 100644
--- a/rta/exec_sliver_posh.py
+++ b/rta/exec_sliver_posh.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_sqlserver_suspicious_child.py b/rta/exec_sqlserver_suspicious_child.py
index de4ca3487..3d40a0044 100644
--- a/rta/exec_sqlserver_suspicious_child.py
+++ b/rta/exec_sqlserver_suspicious_child.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 sqlserver = "C:\\Users\\Public\\sqlserver.exe"
diff --git a/rta/exec_susp_explorer.py b/rta/exec_susp_explorer.py
index 8821e3830..2f49a2f02 100644
--- a/rta/exec_susp_explorer.py
+++ b/rta/exec_susp_explorer.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 explorer = "C:\\Windows\\explorer.exe"
 common.execute([explorer, "easyminerRTA"], timeout=1, kill=True)
diff --git a/rta/exec_susp_msiexec.py b/rta/exec_susp_msiexec.py
index 8409a78fd..3ce98e2f8 100644
--- a/rta/exec_susp_msiexec.py
+++ b/rta/exec_susp_msiexec.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 msiexec = "C:\\Users\\Public\\msiexec.exe"
diff --git a/rta/exec_susp_parent_child.py b/rta/exec_susp_parent_child.py
index b07f4ce44..811f625e8 100644
--- a/rta/exec_susp_parent_child.py
+++ b/rta/exec_susp_parent_child.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 posh = "C:\\Users\\Public\\posh.exe"
 tiworker = "C:\\Users\\Public\\TiWorker.exe"
diff --git a/rta/exec_svchost_child_schedule.py b/rta/exec_svchost_child_schedule.py
index 3409cf1c4..ef057f06b 100644
--- a/rta/exec_svchost_child_schedule.py
+++ b/rta/exec_svchost_child_schedule.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 svchost = "C:\\Users\\Public\\svchost.exe"
 common.copy_file(EXE_FILE, svchost)
diff --git a/rta/exec_tclsh.py b/rta/exec_tclsh.py
index 381b00ef1..0973f3482 100644
--- a/rta/exec_tclsh.py
+++ b/rta/exec_tclsh.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/tclsh"
diff --git a/rta/exec_unusual_directory.py b/rta/exec_unusual_directory.py
index 56824da35..8ecbb312b 100644
--- a/rta/exec_unusual_directory.py
+++ b/rta/exec_unusual_directory.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 exe_path = "c:\\windows\\system32\\cscript.exe"
 binary = "c:\\Users\\Public\\cscript.exe"
diff --git a/rta/exec_unusual_path_msmpeng.py b/rta/exec_unusual_path_msmpeng.py
index 6bdf1e4ca..efa141a04 100644
--- a/rta/exec_unusual_path_msmpeng.py
+++ b/rta/exec_unusual_path_msmpeng.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msmpeng = "C:\\Users\\Public\\MsMpEng.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_vs_prebuildevent.py b/rta/exec_vs_prebuildevent.py
index 04b951b74..b54a019e1 100644
--- a/rta/exec_vs_prebuildevent.py
+++ b/rta/exec_vs_prebuildevent.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msbuild = "C:\\Users\\Public\\msbuild.exe"
 cmd = "C:\\Users\\Public\\cmd.exe"
diff --git a/rta/exec_vsls_agent.py b/rta/exec_vsls_agent.py
index 79fa3d2af..91800054d 100644
--- a/rta/exec_vsls_agent.py
+++ b/rta/exec_vsls_agent.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 vslsagent = "C:\\Users\\Public\\vsls-agent.exe"
 common.copy_file(EXE_FILE, vslsagent)
diff --git a/rta/exec_winword_susp_parent.py b/rta/exec_winword_susp_parent.py
index 8b8c5aca6..41d4d2a82 100644
--- a/rta/exec_winword_susp_parent.py
+++ b/rta/exec_winword_susp_parent.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 winword = "C:\\Users\\Public\\winword.exe"
diff --git a/rta/execution_iso_dll_rundll32.py b/rta/execution_iso_dll_rundll32.py
index 66db61faa..23049f43a 100644
--- a/rta/execution_iso_dll_rundll32.py
+++ b/rta/execution_iso_dll_rundll32.py
@@ -24,7 +24,7 @@ PROC = 'Invite.lnk' # ps script to mount, execute a file and unmount ISO device
 PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 if Path(ISO).is_file() and Path(PS_SCRIPT).is_file():
diff --git a/rta/execution_iso_dll_sideload.py b/rta/execution_iso_dll_sideload.py
index 1aa167ac1..f60c1875a 100644
--- a/rta/execution_iso_dll_sideload.py
+++ b/rta/execution_iso_dll_sideload.py
@@ -22,7 +22,7 @@ PROC = 'WER_RTA.exe' # ps script to mount, execute a file and unmount ISO device
 PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 if Path(ISO).is_file() and Path(PS_SCRIPT).is_file():
diff --git a/rta/execution_node_child_process.py b/rta/execution_node_child_process.py
index 142aaf2e1..c63afdb2e 100644
--- a/rta/execution_node_child_process.py
+++ b/rta/execution_node_child_process.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/node"
diff --git a/rta/execution_pubprn.py b/rta/execution_pubprn.py
index fc6dbb748..c041391ec 100644
--- a/rta/execution_pubprn.py
+++ b/rta/execution_pubprn.py
@@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cscript = "C:\\Users\\Public\\cscript.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/extexport_sideload.py b/rta/extexport_sideload.py
index 167794278..e75dc77e3 100644
--- a/rta/extexport_sideload.py
+++ b/rta/extexport_sideload.py
@@ -22,7 +22,7 @@ RENAMER = common.get_path("bin", "rcedit-x64.exe")
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 dll = "C:\\Users\\Public\\sqlite3.dll"
 posh = "C:\\Users\\Public\\posh.exe"
diff --git a/rta/file_ads_creation.py b/rta/file_ads_creation.py
index a6e51fb17..54c65ab6b 100644
--- a/rta/file_ads_creation.py
+++ b/rta/file_ads_creation.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 exe = "C:\\Users\\Public\\a.exe"
diff --git a/rta/file_create_dpapi_key.py b/rta/file_create_dpapi_key.py
index e0f6ed9be..96820d337 100644
--- a/rta/file_create_dpapi_key.py
+++ b/rta/file_create_dpapi_key.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 fake_dpapi = "C:\\Users\\Public\\ntds_capi_test.pfx"
diff --git a/rta/file_create_exchange_um.py b/rta/file_create_exchange_um.py
index 92a498449..cb0c9f16a 100644
--- a/rta/file_create_exchange_um.py
+++ b/rta/file_create_exchange_um.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 proc = "C:\\Users\\Public\\UMWorkerProcess.exe"
 path = "C:\\Users\\Public\\Microsoft\\Exchange Server Test\\FrontEnd\\HttpProxy\\owa\\auth\\"
diff --git a/rta/file_create_exec_pdf_reader.py b/rta/file_create_exec_pdf_reader.py
index 178f3e7fa..59773ef1c 100644
--- a/rta/file_create_exec_pdf_reader.py
+++ b/rta/file_create_exec_pdf_reader.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 rdrcef = "C:\\Users\\Public\\rdrcef.exe"
 arp = "C:\\Users\\Public\\arp.exe"
diff --git a/rta/file_create_lsass_dump.py b/rta/file_create_lsass_dump.py
index b086e9f16..a7d893760 100644
--- a/rta/file_create_lsass_dump.py
+++ b/rta/file_create_lsass_dump.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 fake_dmp = "C:\\Users\\Public\\lsass_test.dmp"
diff --git a/rta/file_create_mimilsa_log.py b/rta/file_create_mimilsa_log.py
index 064779e7a..ec6201d66 100644
--- a/rta/file_create_mimilsa_log.py
+++ b/rta/file_create_mimilsa_log.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 lsass = "C:\\Users\\Public\\lsass.exe"
 fake_log = "C:\\Users\\Public\\mimilsa.log"
diff --git a/rta/file_create_ms_addins.py b/rta/file_create_ms_addins.py
index 0870275e1..1d6bdf97e 100644
--- a/rta/file_create_ms_addins.py
+++ b/rta/file_create_ms_addins.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Users\\Public\\\\AppData\\Roaming\\Microsoft\\Word\\Startup"
 Path(path).mkdir(parents=True, exist_ok=True)
diff --git a/rta/file_create_mstsc_startup.py b/rta/file_create_mstsc_startup.py
index bebe6a7b7..f7371f462 100644
--- a/rta/file_create_mstsc_startup.py
+++ b/rta/file_create_mstsc_startup.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 mstsc = "C:\\Users\\Public\\mstsc.exe"
 path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
diff --git a/rta/file_create_outlook_vba.py b/rta/file_create_outlook_vba.py
index 4797cec9b..851ca871b 100644
--- a/rta/file_create_outlook_vba.py
+++ b/rta/file_create_outlook_vba.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Outlook"
 Path(path).mkdir(parents=True, exist_ok=True)
diff --git a/rta/file_create_powershell_profile.py b/rta/file_create_powershell_profile.py
index d82fccd06..670420700 100644
--- a/rta/file_create_powershell_profile.py
+++ b/rta/file_create_powershell_profile.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Users\\Public\\Documents\\WindowsPowerShell"
 Path(path).mkdir(parents=True, exist_ok=True)
diff --git a/rta/file_create_scripting_startup.py b/rta/file_create_scripting_startup.py
index 5f8caa28e..488ce62e9 100644
--- a/rta/file_create_scripting_startup.py
+++ b/rta/file_create_scripting_startup.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
diff --git a/rta/file_create_smss_exec.py b/rta/file_create_smss_exec.py
index b94f5e3f1..ce835d50e 100644
--- a/rta/file_create_smss_exec.py
+++ b/rta/file_create_smss_exec.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 smss = "C:\\Users\\Public\\smss.exe"
 fake_exe = "C:\\Users\\Public\\a.exe"
diff --git a/rta/file_create_task_file.py b/rta/file_create_task_file.py
index 13690103f..19a0f75eb 100644
--- a/rta/file_create_task_file.py
+++ b/rta/file_create_task_file.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Windows\\Tasks\\a.job"
 common.copy_file(EXE_FILE, path)
diff --git a/rta/file_create_vbs_startup.py b/rta/file_create_vbs_startup.py
index d1586236a..ec562dae3 100644
--- a/rta/file_create_vbs_startup.py
+++ b/rta/file_create_vbs_startup.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Users\\Programs\\Startup"
 Path(path).mkdir(parents=True, exist_ok=True)
diff --git a/rta/file_creation_teamviewer.py b/rta/file_creation_teamviewer.py
index 31cd3faf4..90e1bd1aa 100644
--- a/rta/file_creation_teamviewer.py
+++ b/rta/file_creation_teamviewer.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 teamviewer = "C:\\Users\\Public\\teamviewer.exe"
 fake_exe = "C:\\Users\\Public\\a.exe"
diff --git a/rta/file_delete_spool_driver.py b/rta/file_delete_spool_driver.py
index bb942dc36..06f5c6ddf 100644
--- a/rta/file_delete_spool_driver.py
+++ b/rta/file_delete_spool_driver.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 file = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\rta.dll"
 common.copy_file(EXE_FILE, file)
diff --git a/rta/file_delete_vbk.py b/rta/file_delete_vbk.py
index 686a9631c..0c6ecd5c6 100644
--- a/rta/file_delete_vbk.py
+++ b/rta/file_delete_vbk.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 fakebkp = Path("fake.vbk").resolve()
 with open(fakebkp, 'w'):
diff --git a/rta/file_exe_ususual_extension.py b/rta/file_exe_ususual_extension.py
index 20502c336..57562728e 100644
--- a/rta/file_exe_ususual_extension.py
+++ b/rta/file_exe_ususual_extension.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 unusualext = "C:\\Users\\Public\\powershell.exe.pdf"
diff --git a/rta/file_html_smuggling.py b/rta/file_html_smuggling.py
index 739c75059..5b30f824f 100644
--- a/rta/file_html_smuggling.py
+++ b/rta/file_html_smuggling.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 userprofile = os.getenv("USERPROFILE")
 partial = f"{userprofile}\\Downloads\\a.partial"
diff --git a/rta/file_mod_via_chmod.py b/rta/file_mod_via_chmod.py
index 18340f9d5..bce455f75 100644
--- a/rta/file_mod_via_chmod.py
+++ b/rta/file_mod_via_chmod.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing chmod on tmp files.")
diff --git a/rta/file_ms_template_macros.py b/rta/file_ms_template_macros.py
index a92c79720..617c82f76 100644
--- a/rta/file_ms_template_macros.py
+++ b/rta/file_ms_template_macros.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Templates\\"
 Path(path).mkdir(parents=True, exist_ok=True)
diff --git a/rta/file_script_startup_folder.py b/rta/file_script_startup_folder.py
index 1d180bc79..61af030ba 100644
--- a/rta/file_script_startup_folder.py
+++ b/rta/file_script_startup_folder.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 proc = "C:\\Users\\Public\\proc.exe"
 path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\"
diff --git a/rta/file_susp_browser_extension.py b/rta/file_susp_browser_extension.py
index 03aafdb19..8dfe1a462 100644
--- a/rta/file_susp_browser_extension.py
+++ b/rta/file_susp_browser_extension.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 proc = "C:\\Users\\Public\\proc.exe"
 path = "C:\\Users\\Public\\AppData\\Roaming\\Mozilla\\Test\\Profiles\\AdefaultA"
diff --git a/rta/finder_sync_plugin.py b/rta/finder_sync_plugin.py
index f4888adb9..bf314bf5e 100644
--- a/rta/finder_sync_plugin.py
+++ b/rta/finder_sync_plugin.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/pluginkit"
diff --git a/rta/findstr_pw_search.py b/rta/findstr_pw_search.py
index e65d53660..68bba4890 100644
--- a/rta/findstr_pw_search.py
+++ b/rta/findstr_pw_search.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "c:\\rta"
 common.log("Searching for passwords on %s" % path)
diff --git a/rta/firewall_allowlist_modif_unsigned.py b/rta/firewall_allowlist_modif_unsigned.py
index 037eb7985..36928447d 100644
--- a/rta/firewall_allowlist_modif_unsigned.py
+++ b/rta/firewall_allowlist_modif_unsigned.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 posh = "C:\\Users\\Public\\posh.exe"
 common.copy_file(EXE_FILE, posh)
diff --git a/rta/fltmc_unload.py b/rta/fltmc_unload.py
index db51193d8..c7d9ce35c 100644
--- a/rta/fltmc_unload.py
+++ b/rta/fltmc_unload.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # Execute command
diff --git a/rta/git_creds_access.py b/rta/git_creds_access.py
index ec5808078..3777c7751 100644
--- a/rta/git_creds_access.py
+++ b/rta/git_creds_access.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 gitpath = "C:\\Users\\Public\\.config\\git"
diff --git a/rta/globalflags.py b/rta/globalflags.py
index 437257a16..b058d2caa 100644
--- a/rta/globalflags.py
+++ b/rta/globalflags.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Setting up persistence using Globalflags")
 ifeo_subkey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\netstat.exe"
diff --git a/rta/grep_software_discovery.py b/rta/grep_software_discovery.py
index 472261667..fab17c015 100644
--- a/rta/grep_software_discovery.py
+++ b/rta/grep_software_discovery.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/grep"
diff --git a/rta/hidden_file_mount.py b/rta/hidden_file_mount.py
index b6c77acc0..fc979e4ea 100644
--- a/rta/hidden_file_mount.py
+++ b/rta/hidden_file_mount.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 mount_dir = "/tmp/.exploit"
diff --git a/rta/hidden_plist.py b/rta/hidden_plist.py
index 8df4bf8bf..4ef1e481c 100644
--- a/rta/hidden_plist.py
+++ b/rta/hidden_plist.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 plist_path = f"/Library/LaunchAgents/.test.plist"
diff --git a/rta/html_help_file_written_exec.py b/rta/html_help_file_written_exec.py
index 3e14d94af..62929ba6d 100644
--- a/rta/html_help_file_written_exec.py
+++ b/rta/html_help_file_written_exec.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 server, ip, port = common.serve_web()
 url = f"http://{ip}:{port}/bin/renamed_posh.exe"
diff --git a/rta/image_load_dnguard.py b/rta/image_load_dnguard.py
index 19e15a86a..60ebd86cf 100644
--- a/rta/image_load_dnguard.py
+++ b/rta/image_load_dnguard.py
@@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 proc = "C:\\Users\\Public\\proc.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/image_load_msbuild_vaultcli.py b/rta/image_load_msbuild_vaultcli.py
index e81d5633c..6a507f8fa 100644
--- a/rta/image_load_msbuild_vaultcli.py
+++ b/rta/image_load_msbuild_vaultcli.py
@@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msbuild = "C:\\Users\\Public\\msbuild.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/image_load_phantomdll.py b/rta/image_load_phantomdll.py
index 68497d96c..d4dfe5d45 100644
--- a/rta/image_load_phantomdll.py
+++ b/rta/image_load_phantomdll.py
@@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 proc = "C:\\Users\\Public\\proc.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/image_load_rdp_client_dll.py b/rta/image_load_rdp_client_dll.py
index 6a4b8e605..7e6b1c338 100644
--- a/rta/image_load_rdp_client_dll.py
+++ b/rta/image_load_rdp_client_dll.py
@@ -18,7 +18,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 proc = "C:\\Users\\Public\\proc.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/image_load_script_interpreter_wmiutils.py b/rta/image_load_script_interpreter_wmiutils.py
index a5f74d7c5..56f596902 100644
--- a/rta/image_load_script_interpreter_wmiutils.py
+++ b/rta/image_load_script_interpreter_wmiutils.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cscript = "C:\\Users\\Public\\cscript.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/image_load_taskhost.py b/rta/image_load_taskhost.py
index c35fdd3c4..6b25b78e6 100644
--- a/rta/image_load_taskhost.py
+++ b/rta/image_load_taskhost.py
@@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 taskhost1 = "C:\\Users\\Public\\taskhost1.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/image_load_vaultcli.py b/rta/image_load_vaultcli.py
index 4ccf98388..245e3ce5f 100644
--- a/rta/image_load_vaultcli.py
+++ b/rta/image_load_vaultcli.py
@@ -21,7 +21,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/impersonate_trusted_installer.py b/rta/impersonate_trusted_installer.py
index 0d8170647..16986a890 100644
--- a/rta/impersonate_trusted_installer.py
+++ b/rta/impersonate_trusted_installer.py
@@ -48,7 +48,7 @@ def impersonate_trusted_installer():
 print(f'[x] - Failed TrustedInstaller Impersonation')
 pass
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.impersonate_system()
 startsvc_trustedinstaller()
diff --git a/rta/inhibit_system_recovery.py b/rta/inhibit_system_recovery.py
index 4429fbd15..de51588ae 100644
--- a/rta/inhibit_system_recovery.py
+++ b/rta/inhibit_system_recovery.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Deleting volume shadow copies...")
diff --git a/rta/inhibit_system_recovery_and_rename.py b/rta/inhibit_system_recovery_and_rename.py
index 079fe2e47..193abefc8 100644
--- a/rta/inhibit_system_recovery_and_rename.py
+++ b/rta/inhibit_system_recovery_and_rename.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 vssadmin = "C:\\Windows\\System32\\vssadmin.exe"
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/inhibit_system_recovery_cmd.py b/rta/inhibit_system_recovery_cmd.py
index afa0fbfa3..5e8313158 100644
--- a/rta/inhibit_system_recovery_cmd.py
+++ b/rta/inhibit_system_recovery_cmd.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 vssadmin = "C:\\Windows\\System32\\vssadmin.exe"
 cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/inhibit_system_recovery_lolbas_child.py b/rta/inhibit_system_recovery_lolbas_child.py
index db5cd173c..2160fa37a 100644
--- a/rta/inhibit_system_recovery_lolbas_child.py
+++ b/rta/inhibit_system_recovery_lolbas_child.py
@@ -29,7 +29,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 vssadmin = "C:\\Windows\\System32\\vssadmin.exe"
 cscript = "C:\\Users\\Public\\cscript.exe"
diff --git a/rta/inhibit_system_recovery_office.py b/rta/inhibit_system_recovery_office.py
index e46fbe2db..a0dd58e4d 100644
--- a/rta/inhibit_system_recovery_office.py
+++ b/rta/inhibit_system_recovery_office.py
@@ -27,7 +27,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 binary = "winword.exe"
 common.copy_file(EXE_FILE, binary)
diff --git a/rta/inhibit_system_recovery_renamed.py b/rta/inhibit_system_recovery_renamed.py
index 1d1b9aa60..e443c322a 100644
--- a/rta/inhibit_system_recovery_renamed.py
+++ b/rta/inhibit_system_recovery_renamed.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 vssadmin = "C:\\Windows\\System32\\vssadmin.exe"
 ren_vssadmin = "C:\\Users\\Public\\renvssadmin.exe"
diff --git a/rta/installutil_network.py b/rta/installutil_network.py
index ac0c41cdf..725527788 100644
--- a/rta/installutil_network.py
+++ b/rta/installutil_network.py
@@ -36,7 +36,7 @@ metadata = RtaMetadata(
 MY_DOT_NET = common.get_path("bin", "mydotnet.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(MY_DOT_NET)
 def main():
 server, ip, port = common.serve_web()
diff --git a/rta/ip_discovery_unsigned.py b/rta/ip_discovery_unsigned.py
index 5f5047eb0..63bfde793 100644
--- a/rta/ip_discovery_unsigned.py
+++ b/rta/ip_discovery_unsigned.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 posh = "C:\\Users\\Public\\posh.exe"
 common.copy_file(EXE_FILE, posh)
diff --git a/rta/iqy_file_writes.py b/rta/iqy_file_writes.py
index e93b5f2b0..5427443d2 100644
--- a/rta/iqy_file_writes.py
+++ b/rta/iqy_file_writes.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Suspicious File Writes (IQY, PUB)")
 adobe_path = Path("AcroRd32.exe").resolve()
diff --git a/rta/javascript_payload.py b/rta/javascript_payload.py
index 22f38832e..4bba705b2 100644
--- a/rta/javascript_payload.py
+++ b/rta/javascript_payload.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # Setup web server
 common.serve_web()
diff --git a/rta/kcc_kerberos_dump.py b/rta/kcc_kerberos_dump.py
index 835aea334..57e8fde3b 100644
--- a/rta/kcc_kerberos_dump.py
+++ b/rta/kcc_kerberos_dump.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/kcc"
diff --git a/rta/kerberos_netconn_file_creation.py b/rta/kerberos_netconn_file_creation.py
index 01f5bd716..ea14a3335 100644
--- a/rta/kerberos_netconn_file_creation.py
+++ b/rta/kerberos_netconn_file_creation.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/kernel_module_removal_execution.py b/rta/kernel_module_removal_execution.py
index a0076f31d..d96c38bbc 100644
--- a/rta/kernel_module_removal_execution.py
+++ b/rta/kernel_module_removal_execution.py
@@ -27,7 +27,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/rmmod"
diff --git a/rta/kernelext_agent_unload.py b/rta/kernelext_agent_unload.py
index a0f80d027..519096b26 100644
--- a/rta/kernelext_agent_unload.py
+++ b/rta/kernelext_agent_unload.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/kextunload"
diff --git a/rta/kext_load.py b/rta/kext_load.py
index 07dd1f3d9..d49ca9c05 100644
--- a/rta/kext_load.py
+++ b/rta/kext_load.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # create masquerades
diff --git a/rta/keychain_cred_access.py b/rta/keychain_cred_access.py
index eabfde995..978be6c46 100644
--- a/rta/keychain_cred_access.py
+++ b/rta/keychain_cred_access.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bash"
diff --git a/rta/keychain_dump.py b/rta/keychain_dump.py
index 07639b4ab..922f59fc3 100644
--- a/rta/keychain_dump.py
+++ b/rta/keychain_dump.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bash"
diff --git a/rta/keychain_pwd_cmdline.py b/rta/keychain_pwd_cmdline.py
index 70e9457e1..59e33dbc2 100644
--- a/rta/keychain_pwd_cmdline.py
+++ b/rta/keychain_pwd_cmdline.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/security"
diff --git a/rta/lateral_command_psexec.py b/rta/lateral_command_psexec.py
index 3a7e5cb60..4c95fccb4 100755
--- a/rta/lateral_command_psexec.py
+++ b/rta/lateral_command_psexec.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(common.PS_EXEC)
 def main(remote_host=None):
 remote_host = remote_host or common.get_ip()
diff --git a/rta/lateral_commands.py b/rta/lateral_commands.py
index ce81874bd..649d4658c 100644
--- a/rta/lateral_commands.py
+++ b/rta/lateral_commands.py
@@ -31,7 +31,7 @@ metadata = RtaMetadata(
 MY_APP = common.get_path("bin", "myapp.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(MY_APP)
 def main(remote_host=None):
 remote_host = remote_host or common.get_ip()
diff --git a/rta/launchagent_plist.py b/rta/launchagent_plist.py
index 99e3a62c4..8483efb79 100644
--- a/rta/launchagent_plist.py
+++ b/rta/launchagent_plist.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/launchctl"
diff --git a/rta/launchd_load_plist.py b/rta/launchd_load_plist.py
index 268b70be2..294cb195b 100644
--- a/rta/launchd_load_plist.py
+++ b/rta/launchd_load_plist.py
@@ -39,7 +39,7 @@ plist = """
 """
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 plist_name = "com.test.plist"
 daemon_dir = Path("/", "Library", "LaunchDaemons").expanduser()
diff --git a/rta/launchdaemon_persistence.py b/rta/launchdaemon_persistence.py
index fde4f3c53..42dca5963 100644
--- a/rta/launchdaemon_persistence.py
+++ b/rta/launchdaemon_persistence.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/launchctl"
diff --git a/rta/ldapsearch_group_enumeration.py b/rta/ldapsearch_group_enumeration.py
index 7b2da0f89..87d09d2d7 100644
--- a/rta/ldapsearch_group_enumeration.py
+++ b/rta/ldapsearch_group_enumeration.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/ldapsearch"
diff --git a/rta/link_to_tmp.py b/rta/link_to_tmp.py
index eccc4df72..c6a3c208f 100644
--- a/rta/link_to_tmp.py
+++ b/rta/link_to_tmp.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/ln"
diff --git a/rta/linux_compress_sensitive_files.py b/rta/linux_compress_sensitive_files.py
index aa730c39e..99802ebbb 100644
--- a/rta/linux_compress_sensitive_files.py
+++ b/rta/linux_compress_sensitive_files.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Compressing sensitive files")
 files = ["totally-legit.tar", "official-business.zip", "expense-reports.gz"]
diff --git a/rta/login_hook.py b/rta/login_hook.py
index 3a1447533..deee6b744 100644
--- a/rta/login_hook.py
+++ b/rta/login_hook.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/defaults"
diff --git a/rta/login_window_plist.py b/rta/login_window_plist.py
index b92846bb1..5cc8da5d6 100644
--- a/rta/login_window_plist.py
+++ b/rta/login_window_plist.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing deletion on /tmp/com.apple.loginwindow.plist file.")
diff --git a/rta/lua_image_load.py b/rta/lua_image_load.py
index 39dfccfa6..fe36b145e 100644
--- a/rta/lua_image_load.py
+++ b/rta/lua_image_load.py
@@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 posh = "C:\\Users\\Public\\posh.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/mac_office_descendant.py b/rta/mac_office_descendant.py
index 60f411632..2bfa69308 100644
--- a/rta/mac_office_descendant.py
+++ b/rta/mac_office_descendant.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Emulating Microsoft Word running enumeration commands")
 office_path = Path("Microsoft Word").resolve()
diff --git a/rta/macos_installer_curl.py b/rta/macos_installer_curl.py
index 58d75b429..05cd75857 100644
--- a/rta/macos_installer_curl.py
+++ b/rta/macos_installer_curl.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # create masquerades
diff --git a/rta/mimikatz_cmdline.py b/rta/mimikatz_cmdline.py
index a725f9939..e2a17047d 100644
--- a/rta/mimikatz_cmdline.py
+++ b/rta/mimikatz_cmdline.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/mimipenguin_execution.py b/rta/mimipenguin_execution.py
index d96859b90..792b70d4c 100644
--- a/rta/mimipenguin_execution.py
+++ b/rta/mimipenguin_execution.py
@@ -27,7 +27,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/ps"
diff --git a/rta/modification_of_wdigest_security_provider.py b/rta/modification_of_wdigest_security_provider.py
index be66302ef..e8c77739a 100644
--- a/rta/modification_of_wdigest_security_provider.py
+++ b/rta/modification_of_wdigest_security_provider.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest"
 value = "UseLogonCredential"
diff --git a/rta/modify_sublime_app.py b/rta/modify_sublime_app.py
index 332d38811..05463781c 100644
--- a/rta/modify_sublime_app.py
+++ b/rta/modify_sublime_app.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 sublime_dir = Path(f"{Path.home()}/Library/Application Support/Sublime Text 4/")
diff --git a/rta/mount_smbfs.py b/rta/mount_smbfs.py
index 93606713c..a584580c5 100644
--- a/rta/mount_smbfs.py
+++ b/rta/mount_smbfs.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/mount_smbfs"
diff --git a/rta/ms_office_drop_exe.py b/rta/ms_office_drop_exe.py
index 13e4cb1e8..5d98e57a6 100644
--- a/rta/ms_office_drop_exe.py
+++ b/rta/ms_office_drop_exe.py
@@ -28,7 +28,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cmd_path = "c:\\windows\\system32\\cmd.exe"
diff --git a/rta/ms_office_task_creation.py b/rta/ms_office_task_creation.py
index 91863e921..57753c42c 100644
--- a/rta/ms_office_task_creation.py
+++ b/rta/ms_office_task_creation.py
@@ -28,7 +28,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 svchost = "C:\\Users\\Public\\svchost.exe"
diff --git a/rta/msbuild_network.py b/rta/msbuild_network.py
index 8e79375e8..30d123795 100644
--- a/rta/msbuild_network.py
+++ b/rta/msbuild_network.py
@@ -31,7 +31,7 @@ metadata = RtaMetadata(
 MS_BUILD = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe"
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(MS_BUILD)
 def main():
 common.log("MsBuild Beacon")
diff --git a/rta/msbuild_unusual_args.py b/rta/msbuild_unusual_args.py
index 4f277f6f8..177e24809 100644
--- a/rta/msbuild_unusual_args.py
+++ b/rta/msbuild_unusual_args.py
@@ -22,7 +22,7 @@ RENAMER = common.get_path("bin", "rcedit-x64.exe")
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msbuild = "C:\\Users\\Public\\posh.exe"
 rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/msequationeditor_file_written_exec.py b/rta/msequationeditor_file_written_exec.py
index 5e6cc40d5..0ef3f8051 100644
--- a/rta/msequationeditor_file_written_exec.py
+++ b/rta/msequationeditor_file_written_exec.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 server, ip, port = common.serve_web()
 url = f"http://{ip}:{port}/bin/renamed_posh.exe"
diff --git a/rta/msequationeditor_net_conn.py b/rta/msequationeditor_net_conn.py
index 6c70e01e6..9bd9fea82 100644
--- a/rta/msequationeditor_net_conn.py
+++ b/rta/msequationeditor_net_conn.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "regsvr32.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 eqnedt32 = "C:\\Users\\Public\\eqnedt32.exe"
diff --git a/rta/mshta_network.py b/rta/mshta_network.py
index 3f3b4bcd6..b0618d820 100644
--- a/rta/mshta_network.py
+++ b/rta/mshta_network.py
@@ -30,7 +30,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(HTA_FILE)
 def main():
 # http server will terminate on main thread exit
diff --git a/rta/msiexec_http_installer.py b/rta/msiexec_http_installer.py
index 989d6aba4..2e812750b 100644
--- a/rta/msiexec_http_installer.py
+++ b/rta/msiexec_http_installer.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("MsiExec HTTP Download")
 server, ip, port = common.serve_web()
diff --git a/rta/msiexec_remote_msi.py b/rta/msiexec_remote_msi.py
index 732616f46..458cb7fce 100644
--- a/rta/msiexec_remote_msi.py
+++ b/rta/msiexec_remote_msi.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # Execute command
diff --git a/rta/msiexec_remote_msi_install.py b/rta/msiexec_remote_msi_install.py
index fa54d9ea8..a5fa6dd87 100644
--- a/rta/msiexec_remote_msi_install.py
+++ b/rta/msiexec_remote_msi_install.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msiexec = "C:\\Users\\Public\\msiexec.exe"
 common.copy_file(EXE_FILE, msiexec)
diff --git a/rta/msoffice_addins_file.py b/rta/msoffice_addins_file.py
index 30ceb12cc..7ef4695ce 100644
--- a/rta/msoffice_addins_file.py
+++ b/rta/msoffice_addins_file.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Word\\Startup"
 Path(path).mkdir(parents=True, exist_ok=True)
diff --git a/rta/msoffice_dcom_accessvbom.py b/rta/msoffice_dcom_accessvbom.py
index 27d6e23fd..ad3e015ed 100644
--- a/rta/msoffice_dcom_accessvbom.py
+++ b/rta/msoffice_dcom_accessvbom.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 common.copy_file(EXE_FILE, winword)
diff --git a/rta/msoffice_descendant_reg_mod_persistence.py b/rta/msoffice_descendant_reg_mod_persistence.py
index 0fb97782e..5b347ada0 100644
--- a/rta/msoffice_descendant_reg_mod_persistence.py
+++ b/rta/msoffice_descendant_reg_mod_persistence.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 posh = "C:\\Users\\Public\\posh.exe"
diff --git a/rta/msoffice_dll_image_load.py b/rta/msoffice_dll_image_load.py
index 46b04259c..da7d288f9 100644
--- a/rta/msoffice_dll_image_load.py
+++ b/rta/msoffice_dll_image_load.py
@@ -24,7 +24,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/msoffice_file_dll_sideload.py b/rta/msoffice_file_dll_sideload.py
index 80a8f6e4e..af5b27945 100644
--- a/rta/msoffice_file_dll_sideload.py
+++ b/rta/msoffice_file_dll_sideload.py
@@ -31,7 +31,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/msoffice_file_drop_exec_wmi.py b/rta/msoffice_file_drop_exec_wmi.py
index 2684d95be..ce1743bc4 100644
--- a/rta/msoffice_file_drop_exec_wmi.py
+++ b/rta/msoffice_file_drop_exec_wmi.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 server, ip, port = common.serve_web()
 url = f"http://{ip}:{port}/bin/renamed_posh.exe"
diff --git a/rta/msoffice_file_exec_script_interpreter.py b/rta/msoffice_file_exec_script_interpreter.py
index 3354785af..c5bedadad 100644
--- a/rta/msoffice_file_exec_script_interpreter.py
+++ b/rta/msoffice_file_exec_script_interpreter.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 binary = "winword.exe"
 common.copy_file(EXE_FILE, binary)
diff --git a/rta/msoffice_potential_proc_inj.py b/rta/msoffice_potential_proc_inj.py
index 36af034fb..ec1a37907 100644
--- a/rta/msoffice_potential_proc_inj.py
+++ b/rta/msoffice_potential_proc_inj.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/msoffice_reg_mod.py b/rta/msoffice_reg_mod.py
index e51dca639..0aa2b3edc 100644
--- a/rta/msoffice_reg_mod.py
+++ b/rta/msoffice_reg_mod.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 common.copy_file(EXE_FILE, winword)
diff --git a/rta/msoffice_signed_binary_spawn.py b/rta/msoffice_signed_binary_spawn.py
index c03311f46..7bf1ddade 100644
--- a/rta/msoffice_signed_binary_spawn.py
+++ b/rta/msoffice_signed_binary_spawn.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 temposh = "C:\\Users\\Public\\posh.exe"
diff --git a/rta/msoffice_startup_persistence.py b/rta/msoffice_startup_persistence.py
index edd9fff49..62ff4d292 100644
--- a/rta/msoffice_startup_persistence.py
+++ b/rta/msoffice_startup_persistence.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Users\\Public\\posh.exe"
 temp = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\temp_persist.exe"
diff --git a/rta/msoffice_untrusted_exec.py b/rta/msoffice_untrusted_exec.py
index fa9a77656..2c498351b 100644
--- a/rta/msoffice_untrusted_exec.py
+++ b/rta/msoffice_untrusted_exec.py
@@ -29,7 +29,7 @@ EXE_FILE = common.get_path("bin", "regsvr32.exe")
 EXE_FILE2 = common.get_path("bin", "renamed.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 binary = "winword.exe"
 common.copy_file(EXE_FILE2, binary)
diff --git a/rta/msoffice_wmi_imageload.py b/rta/msoffice_wmi_imageload.py
index cc8696b7f..26bfd0a02 100644
--- a/rta/msoffice_wmi_imageload.py
+++ b/rta/msoffice_wmi_imageload.py
@@ -19,7 +19,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 winword = "C:\\Users\\Public\\winword.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/msxsl_image_load.py b/rta/msxsl_image_load.py
index a0fad0c36..9d1e007d4 100644
--- a/rta/msxsl_image_load.py
+++ b/rta/msxsl_image_load.py
@@ -23,7 +23,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 msxsl = "C:\\Users\\Public\\msxsl.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/msxsl_network.py b/rta/msxsl_network.py
index 04f044b63..129d20a35 100644
--- a/rta/msxsl_network.py
+++ b/rta/msxsl_network.py
@@ -26,7 +26,7 @@ XML_FILE = common.get_path("bin", "customers.xml")
 XSL_FILE = common.get_path("bin", "cscript.xsl")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(MS_XSL, XML_FILE, XSL_FILE)
 def main():
 common.log("MsXsl Beacon")
diff --git a/rta/net_user_add.py b/rta/net_user_add.py
index a3f5f89ca..f813740a9 100644
--- a/rta/net_user_add.py
+++ b/rta/net_user_add.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Creating local and domain user accounts using net.exe")
 commands = [
diff --git a/rta/network_connection_desktopimgdownldr.py b/rta/network_connection_desktopimgdownldr.py
index 29074b548..58a5e09ff 100644
--- a/rta/network_connection_desktopimgdownldr.py
+++ b/rta/network_connection_desktopimgdownldr.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 desktopimgdownldr = "C:\\Users\\Public\\desktopimgdownldr.exe"
 common.copy_file(EXE_FILE, desktopimgdownldr)
diff --git a/rta/network_connection_download_powershell.py b/rta/network_connection_download_powershell.py
index 3fa4d47f0..c692318a4 100644
--- a/rta/network_connection_download_powershell.py
+++ b/rta/network_connection_download_powershell.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 fake_exe = "C:\\Users\\Public\\a.exe"
diff --git a/rta/network_connection_download_script_interpreter.py b/rta/network_connection_download_script_interpreter.py
index ae7afbd54..2e2fb9bf5 100644
--- a/rta/network_connection_download_script_interpreter.py
+++ b/rta/network_connection_download_script_interpreter.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 wscript = "C:\\Users\\Public\\wscript.exe"
 fake_exe = "C:\\Users\\Public\\a.exe"
diff --git a/rta/network_connection_external_ip_lookup_non_browser.py b/rta/network_connection_external_ip_lookup_non_browser.py
index 2e2e4545c..ebb907798 100644
--- a/rta/network_connection_external_ip_lookup_non_browser.py
+++ b/rta/network_connection_external_ip_lookup_non_browser.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/network_connection_freesslcert.py b/rta/network_connection_freesslcert.py
index 2579959fe..2e28f4ce3 100644
--- a/rta/network_connection_freesslcert.py
+++ b/rta/network_connection_freesslcert.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/network_connection_iexplore_rundll32.py b/rta/network_connection_iexplore_rundll32.py
index 597478f60..26695b169 100644
--- a/rta/network_connection_iexplore_rundll32.py
+++ b/rta/network_connection_iexplore_rundll32.py
@@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 rundll32 = "C:\\Users\\Public\\rundll32.exe"
 iexplore = "C:\\Users\\Public\\iexplore.exe"
diff --git a/rta/network_connection_kerberos_port.py b/rta/network_connection_kerberos_port.py
index 9eb7867a0..0a60d994c 100644
--- a/rta/network_connection_kerberos_port.py
+++ b/rta/network_connection_kerberos_port.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/network_connection_nslookup.py b/rta/network_connection_nslookup.py
index d4544c93a..86e190365 100644
--- a/rta/network_connection_nslookup.py
+++ b/rta/network_connection_nslookup.py
@@ -15,7 +15,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 nslookup = "C:\\Windows\\System32\\nslookup.exe"
diff --git a/rta/network_connection_process_unusual_args.py b/rta/network_connection_process_unusual_args.py
index e983340a7..1a10e7eb7 100644
--- a/rta/network_connection_process_unusual_args.py
+++ b/rta/network_connection_process_unusual_args.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "regsvr32.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Making connection using fake regsvr32.exe")
diff --git a/rta/network_connection_rdp_tunneling.py b/rta/network_connection_rdp_tunneling.py
index fe6ae5da2..f2dc65a9b 100644
--- a/rta/network_connection_rdp_tunneling.py
+++ b/rta/network_connection_rdp_tunneling.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/network_connection_unusual_rundll32.py b/rta/network_connection_unusual_rundll32.py
index 2d9466c6f..5665298b8 100644
--- a/rta/network_connection_unusual_rundll32.py
+++ b/rta/network_connection_unusual_rundll32.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "regsvr32.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 binary = "rundll32.exe"
 common.copy_file(EXE_FILE, binary)
diff --git a/rta/networksetup_vpn.py b/rta/networksetup_vpn.py
index 9582fe084..b183eb07c 100644
--- a/rta/networksetup_vpn.py
+++ b/rta/networksetup_vpn.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/networksetup"
diff --git a/rta/obfuscated_cmd_commands.py b/rta/obfuscated_cmd_commands.py
index 76881d011..1eb63b827 100644
--- a/rta/obfuscated_cmd_commands.py
+++ b/rta/obfuscated_cmd_commands.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # All encoded versions of the following: `start calc && ping -n 2 127.0.0.1>nul && taskkill /im calc.exe`
 commands = """
diff --git a/rta/obfuscated_powershell.py b/rta/obfuscated_powershell.py
index 3a7df1ffc..c2b558353 100644
--- a/rta/obfuscated_powershell.py
+++ b/rta/obfuscated_powershell.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # All encoded versions of the following:
 # `iex("Write-Host 'This is my test command' -ForegroundColor Green; start c:\windows\system32\calc")`
diff --git a/rta/office_app_execution.py b/rta/office_app_execution.py
index 79a97656b..afabe7be7 100644
--- a/rta/office_app_execution.py
+++ b/rta/office_app_execution.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/Microsoft PowerPoint"
diff --git a/rta/office_application_startup.py b/rta/office_application_startup.py
index 0c8c4c01c..8eaca8621 100644
--- a/rta/office_application_startup.py
+++ b/rta/office_application_startup.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main(dll_location="c:\\windows\\temp\\evil.dll"):
 # Write evil dll to office test path:
 subkey = "Software\\Microsoft\\Office Test\\Special\\Perf"
diff --git a/rta/office_child_process.py b/rta/office_child_process.py
index 03a79cf78..e81e66e72 100644
--- a/rta/office_child_process.py
+++ b/rta/office_child_process.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # create masquerades
diff --git a/rta/openssl_decode_payload.py b/rta/openssl_decode_payload.py
index 6a522427d..7c08c5b9f 100644
--- a/rta/openssl_decode_payload.py
+++ b/rta/openssl_decode_payload.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/openssl"
diff --git a/rta/openssl_file_drop.py b/rta/openssl_file_drop.py
index 9a6a898dd..5a9631653 100644
--- a/rta/openssl_file_drop.py
+++ b/rta/openssl_file_drop.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/testbin"
diff --git a/rta/opera_child_process.py b/rta/opera_child_process.py
index 2b9c654a0..43d7768ce 100644
--- a/rta/opera_child_process.py
+++ b/rta/opera_child_process.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # create masquerades
diff --git a/rta/osascript_hidden_login_item.py b/rta/osascript_hidden_login_item.py
index 70c8088a6..aaad0ecd6 100644
--- a/rta/osascript_hidden_login_item.py
+++ b/rta/osascript_hidden_login_item.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bash"
diff --git a/rta/osascript_net_conn.py b/rta/osascript_net_conn.py
index 7b5cccd43..85277e0ff 100644
--- a/rta/osascript_net_conn.py
+++ b/rta/osascript_net_conn.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/osascript"
diff --git a/rta/osascript_sh_execution.py b/rta/osascript_sh_execution.py
index 3cd6cddc7..661043a14 100644
--- a/rta/osascript_sh_execution.py
+++ b/rta/osascript_sh_execution.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/osascript"
diff --git a/rta/osascript_suspicious_cmdline.py b/rta/osascript_suspicious_cmdline.py
index 8c6945bb6..cfa85ea0d 100644
--- a/rta/osascript_suspicious_cmdline.py
+++ b/rta/osascript_suspicious_cmdline.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/osascript"
diff --git a/rta/outlook_suspicious_child.py b/rta/outlook_suspicious_child.py
index b3170ee3a..719ea6467 100644
--- a/rta/outlook_suspicious_child.py
+++ b/rta/outlook_suspicious_child.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 outlook = "C:\\Users\\Public\\outlook.exe"
 svchost = "C:\\Users\\Public\\svchost.exe"
diff --git a/rta/path_passed_to_system.py b/rta/path_passed_to_system.py
index 5a540e290..b23957773 100644
--- a/rta/path_passed_to_system.py
+++ b/rta/path_passed_to_system.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bash"
diff --git a/rta/payload_decode_bash_cmds.py b/rta/payload_decode_bash_cmds.py
index e810b0049..73ada0793 100644
--- a/rta/payload_decode_bash_cmds.py
+++ b/rta/payload_decode_bash_cmds.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # create masquerades
diff --git a/rta/periodic_task_creation.py b/rta/periodic_task_creation.py
index 1e21b8f72..eae2b4553 100644
--- a/rta/periodic_task_creation.py
+++ b/rta/periodic_task_creation.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing file modification on periodic file test.conf to mimic periodic tasks creation")
diff --git a/rta/persistence_chrome_extension.py b/rta/persistence_chrome_extension.py
index d26088e1c..98da3fc7c 100644
--- a/rta/persistence_chrome_extension.py
+++ b/rta/persistence_chrome_extension.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing chrome commands to load suspicious ext.")
diff --git a/rta/persistence_mail_plist.py b/rta/persistence_mail_plist.py
index c4632c0b8..5a4a83fa1 100644
--- a/rta/persistence_mail_plist.py
+++ b/rta/persistence_mail_plist.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing file modification on SyncedRules.plist file.")
diff --git a/rta/persistence_plist_masquerade.py b/rta/persistence_plist_masquerade.py
index 6ef917de4..4a029a321 100644
--- a/rta/persistence_plist_masquerade.py
+++ b/rta/persistence_plist_masquerade.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bash"
diff --git a/rta/persistence_startup_item.py b/rta/persistence_startup_item.py
index 1c50e2c72..b497a36de 100644
--- a/rta/persistence_startup_item.py
+++ b/rta/persistence_startup_item.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing creation on temp StartupParameters.plist file.")
diff --git a/rta/persistence_startup_unusual_process.py b/rta/persistence_startup_unusual_process.py
index 325ed3e49..0cc1f5b9b 100644
--- a/rta/persistence_startup_unusual_process.py
+++ b/rta/persistence_startup_unusual_process.py
@@ -34,7 +34,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 tempowershell = "C:\\Windows\\notp0sh.exe"
diff --git a/rta/persistent_scripts.py b/rta/persistent_scripts.py
index da2e4a743..6e696c6f4 100644
--- a/rta/persistent_scripts.py
+++ b/rta/persistent_scripts.py
@@ -26,7 +26,7 @@ VBS = common.get_path("bin", "persistent_script.vbs")
 NAME = "rta-vbs-persistence"
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(common.PS_EXEC, VBS)
 def main():
 common.log("Persistent Scripts")
diff --git a/rta/ping_delayed_exec.py b/rta/ping_delayed_exec.py
index 273dd81fa..635873e0e 100644
--- a/rta/ping_delayed_exec.py
+++ b/rta/ping_delayed_exec.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/pkexec_shell.py b/rta/pkexec_shell.py
index de2bde6a7..c50f300d9 100644
--- a/rta/pkexec_shell.py
+++ b/rta/pkexec_shell.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing command to simulate privilege escalation via PKEXEC exploitation")
 # The exploit reproduction is available for commercial usage via MIT License
diff --git a/rta/pkg_install_chmod.py b/rta/pkg_install_chmod.py
index 1bc9870cf..45be4e6b7 100644
--- a/rta/pkg_install_chmod.py
+++ b/rta/pkg_install_chmod.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 dest_file = "/tmp/test.py"
diff --git a/rta/plist_creation.py b/rta/plist_creation.py
index 8d57c16e5..3e7dd59ce 100644
--- a/rta/plist_creation.py
+++ b/rta/plist_creation.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 launch_agents_dir = Path.home() / "Library" / "Launchagents"
 plistbuddy_bin = "/usr/libexec/PlistBuddy"
diff --git a/rta/plistbuddy_file_modification.py b/rta/plistbuddy_file_modification.py
index 1e09e76d6..c03a87dbc 100644
--- a/rta/plistbuddy_file_modification.py
+++ b/rta/plistbuddy_file_modification.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/plistbuddy"
diff --git a/rta/port_monitor.py b/rta/port_monitor.py
index 16bdebbb3..e51147a74 100644
--- a/rta/port_monitor.py
+++ b/rta/port_monitor.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Writing registry key and dummy dll")
diff --git a/rta/powershell_args.py b/rta/powershell_args.py
index b10c86fd2..deadc64ab 100644
--- a/rta/powershell_args.py
+++ b/rta/powershell_args.py
@@ -26,7 +26,7 @@ def encode(command):
 return base64.b64encode(command.encode("utf-16le"))
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("PowerShell Suspicious Commands")
 temp_script = Path("tmp.ps1").resolve()
diff --git a/rta/powershell_base64_gzip.py b/rta/powershell_base64_gzip.py
index 380d4b8d1..b5efea1e2 100644
--- a/rta/powershell_base64_gzip.py
+++ b/rta/powershell_base64_gzip.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("PowerShell with base64/gzip")
diff --git a/rta/powershell_delete_shadow_copy.py b/rta/powershell_delete_shadow_copy.py
index 6142d212c..4d2370273 100644
--- a/rta/powershell_delete_shadow_copy.py
+++ b/rta/powershell_delete_shadow_copy.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/powershell_from_script.py b/rta/powershell_from_script.py
index b5410c938..709a583ba 100644
--- a/rta/powershell_from_script.py
+++ b/rta/powershell_from_script.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 # Write script
 script_file = Path("launchpowershell.vbs").resolve()
diff --git a/rta/powershell_unsigned_defender_exclusion.py b/rta/powershell_unsigned_defender_exclusion.py
index 53ba8527a..22d4dc078 100644
--- a/rta/powershell_unsigned_defender_exclusion.py
+++ b/rta/powershell_unsigned_defender_exclusion.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 posh = "C:\\Users\\Public\\posh.exe"
 common.copy_file(EXE_FILE, posh)
diff --git a/rta/powershell_vault_access.py b/rta/powershell_vault_access.py
index 937992cad..392818241 100644
--- a/rta/powershell_vault_access.py
+++ b/rta/powershell_vault_access.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/privilege_escalation_remote_thread.py b/rta/privilege_escalation_remote_thread.py
index c24592ea0..2753b4505 100644
--- a/rta/privilege_escalation_remote_thread.py
+++ b/rta/privilege_escalation_remote_thread.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 if platform.processor() == "arm":
diff --git a/rta/privilege_escalation_tcc_bypass.py b/rta/privilege_escalation_tcc_bypass.py
index 323dea346..38818d41f 100644
--- a/rta/privilege_escalation_tcc_bypass.py
+++ b/rta/privilege_escalation_tcc_bypass.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Executing deletion on /tmp/TCC.db file.")
diff --git a/rta/process_double_extension.py b/rta/process_double_extension.py
index 6f67aefea..c4acc2cee 100644
--- a/rta/process_double_extension.py
+++ b/rta/process_double_extension.py
@@ -29,7 +29,7 @@ metadata = RtaMetadata(
 MY_APP = common.get_path("bin", "myapp_x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(MY_APP)
 def main():
 anomalies = ["test.txt.exe"]
diff --git a/rta/process_extension_anomalies.py b/rta/process_extension_anomalies.py
index 7864464a7..6bd209f19 100644
--- a/rta/process_extension_anomalies.py
+++ b/rta/process_extension_anomalies.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 MY_APP = common.get_path("bin", "myapp.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(MY_APP)
 def main():
 anomalies = [
diff --git a/rta/process_name_masquerade.py b/rta/process_name_masquerade.py
index f608b491a..9c2ca9bee 100644
--- a/rta/process_name_masquerade.py
+++ b/rta/process_name_masquerade.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 CMD_PATH = "c:\\windows\\system32\\cmd.exe"
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerades = ["svchost.exe", "lsass.exe"]
diff --git a/rta/ransomnote_delete_shadows.py b/rta/ransomnote_delete_shadows.py
index 709eb6368..da75a47f8 100644
--- a/rta/ransomnote_delete_shadows.py
+++ b/rta/ransomnote_delete_shadows.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 vssadmin = "C:\\Windows\\System32\\vssadmin.exe"
 powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/recycle_bin_process.py b/rta/recycle_bin_process.py
index 06f5e3e9e..3097f482d 100644
--- a/rta/recycle_bin_process.py
+++ b/rta/recycle_bin_process.py
@@ -31,7 +31,7 @@ RECYCLE_PATHS = ["C:\\$Recycle.Bin", "C:\\Recycler"]
 TARGET_APP = common.get_path("bin", "myapp.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(TARGET_APP, common.CMD_PATH)
 def main():
 common.log("Execute files from the Recycle Bin")
diff --git a/rta/reg_creation_servicedll.py b/rta/reg_creation_servicedll.py
index d0f0b41e7..f51b6ed9e 100644
--- a/rta/reg_creation_servicedll.py
+++ b/rta/reg_creation_servicedll.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("Temporarily creating a Service DLL reg key...")
diff --git a/rta/reg_mod_amsienable.py b/rta/reg_mod_amsienable.py
index 74a77b3c1..05a21e133 100644
--- a/rta/reg_mod_amsienable.py
+++ b/rta/reg_mod_amsienable.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "Software\\Microsoft\\Windows Script\\Settings"
 value = "AmsiEnable"
diff --git a/rta/reg_mod_appcertdlls.py b/rta/reg_mod_appcertdlls.py
index 9ca7cf12a..758ab5316 100644
--- a/rta/reg_mod_appcertdlls.py
+++ b/rta/reg_mod_appcertdlls.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs"
 value = "RTA"
diff --git a/rta/reg_mod_appinitdlls.py b/rta/reg_mod_appinitdlls.py
index 6a81ddc51..ef8208fc8 100644
--- a/rta/reg_mod_appinitdlls.py
+++ b/rta/reg_mod_appinitdlls.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
 value = "AppInit_Dlls"
diff --git a/rta/reg_mod_autodialdll.py b/rta/reg_mod_autodialdll.py
index 9e8e8b3c2..19d2a8f6b 100644
--- a/rta/reg_mod_autodialdll.py
+++ b/rta/reg_mod_autodialdll.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters"
 value = "AutodialDLL"
diff --git a/rta/reg_mod_base64_executable.py b/rta/reg_mod_base64_executable.py
index 3b3bd2abc..43bcafd15 100644
--- a/rta/reg_mod_base64_executable.py
+++ b/rta/reg_mod_base64_executable.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SOFTWARE\\Policies\\Test"
 value = "Base64"
diff --git a/rta/reg_mod_builtindnsclientenabled.py b/rta/reg_mod_builtindnsclientenabled.py
index ffc3bb434..701769a6e 100644
--- a/rta/reg_mod_builtindnsclientenabled.py
+++ b/rta/reg_mod_builtindnsclientenabled.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SOFTWARE\\Policies\\Microsoft\\Edge"
 value = "BuiltInDnsClientEnabled"
diff --git a/rta/reg_mod_disable_uac.py b/rta/reg_mod_disable_uac.py
index aa2753ea3..5b764d60c 100644
--- a/rta/reg_mod_disable_uac.py
+++ b/rta/reg_mod_disable_uac.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
 value = "EnableLUA"
diff --git a/rta/reg_mod_disableantispyware.py b/rta/reg_mod_disableantispyware.py
index f5461c92d..139bbd785 100644
--- a/rta/reg_mod_disableantispyware.py
+++ b/rta/reg_mod_disableantispyware.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SOFTWARE\\Policies\\Microsoft\\Windows Defender"
 value = "DisableAntiSpyware"
diff --git a/rta/reg_mod_driver_blocklist.py b/rta/reg_mod_driver_blocklist.py
index de04b2223..f48b4ebe9 100644
--- a/rta/reg_mod_driver_blocklist.py
+++ b/rta/reg_mod_driver_blocklist.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SYSTEM\\CurrentControlSet\\Control\\CI\\Config"
 value = "VulnerableDriverBlocklistEnable"
diff --git a/rta/reg_mod_enableat.py b/rta/reg_mod_enableat.py
index 1347a4ae7..da6cfff3c 100644
--- a/rta/reg_mod_enableat.py
+++ b/rta/reg_mod_enableat.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration"
 value = "EnableAt"
diff --git a/rta/reg_mod_enablescriptblocklogging.py b/rta/reg_mod_enablescriptblocklogging.py
index 84e72c6b6..5ec7161db 100644
--- a/rta/reg_mod_enablescriptblocklogging.py
+++ b/rta/reg_mod_enablescriptblocklogging.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging"
     value = "EnableScriptBlockLogging"
diff --git a/rta/reg_mod_ifeo.py b/rta/reg_mod_ifeo.py
index 0c727830a..7c4b6f154 100644
--- a/rta/reg_mod_ifeo.py
+++ b/rta/reg_mod_ifeo.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Temp Registry mod: IFEO")
diff --git a/rta/reg_mod_lsa_ssp.py b/rta/reg_mod_lsa_ssp.py
index 69f683033..ba34c6ab1 100644
--- a/rta/reg_mod_lsa_ssp.py
+++ b/rta/reg_mod_lsa_ssp.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SYSTEM\\ControlSet001\\Control\\Lsa\\Security Packages"
     key2 = "SYSTEM\\ControlSet001\\Control\\Lsa"
diff --git a/rta/reg_mod_netwire.py b/rta/reg_mod_netwire.py
index ba99703b3..9ea64ee6b 100644
--- a/rta/reg_mod_netwire.py
+++ b/rta/reg_mod_netwire.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Temporarily creating a Netwire RAT-like reg key...")
diff --git a/rta/reg_mod_networkprovider.py b/rta/reg_mod_networkprovider.py
index 3ea63f348..be2d0c924 100644
--- a/rta/reg_mod_networkprovider.py
+++ b/rta/reg_mod_networkprovider.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "System\\CurrentControlSet\\Services\\Test\\NetworkProvider"
     value = "ProviderPath"
diff --git a/rta/reg_mod_nullsessionpipes.py b/rta/reg_mod_nullsessionpipes.py
index d49ad47ff..6a39cd31d 100644
--- a/rta/reg_mod_nullsessionpipes.py
+++ b/rta/reg_mod_nullsessionpipes.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Modifying NullSessionPipes reg key...")
diff --git a/rta/reg_mod_plugx.py b/rta/reg_mod_plugx.py
index 4ff4f27f7..20a72fea8 100644
--- a/rta/reg_mod_plugx.py
+++ b/rta/reg_mod_plugx.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Temporarily creating a PlugX-like reg key...")
diff --git a/rta/reg_mod_point_and_print_dll.py b/rta/reg_mod_point_and_print_dll.py
index 3e31630af..214590001 100644
--- a/rta/reg_mod_point_and_print_dll.py
+++ b/rta/reg_mod_point_and_print_dll.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\RTA"
diff --git a/rta/reg_mod_port_forwarding.py b/rta/reg_mod_port_forwarding.py
index 7cfb6efd3..b1fb79d92 100644
--- a/rta/reg_mod_port_forwarding.py
+++ b/rta/reg_mod_port_forwarding.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "System\\CurrentControlSet\\Services\\PortProxy\\v4tov4"
     value = "a"
diff --git a/rta/reg_mod_print_processors.py b/rta/reg_mod_print_processors.py
index b8191f1b0..e8f049bca 100644
--- a/rta/reg_mod_print_processors.py
+++ b/rta/reg_mod_print_processors.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SYSTEM\\ControlSet001\\Control\\Print\\Monitors"
     value = "RTA"
diff --git a/rta/reg_mod_remcos.py b/rta/reg_mod_remcos.py
index 686d0cfde..1469310ab 100644
--- a/rta/reg_mod_remcos.py
+++ b/rta/reg_mod_remcos.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Temporarily creating a Remcos RAT alike reg key...")
diff --git a/rta/reg_mod_run_key_unusual_proc.py b/rta/reg_mod_run_key_unusual_proc.py
index 5ab1736eb..3f4697c50 100644
--- a/rta/reg_mod_run_key_unusual_proc.py
+++ b/rta/reg_mod_run_key_unusual_proc.py
@@ -27,7 +27,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     posh = "C:\\Windows\\posh.exe"
     common.copy_file(EXE_FILE, posh)
diff --git a/rta/reg_mod_shadow_rdp.py b/rta/reg_mod_shadow_rdp.py
index ecbb4baba..b6d678c1e 100644
--- a/rta/reg_mod_shadow_rdp.py
+++ b/rta/reg_mod_shadow_rdp.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Modifying RDP Shadow reg key...")
diff --git a/rta/reg_mod_shim_sb.py b/rta/reg_mod_shim_sb.py
index 1f117f9d6..f3025cf40 100644
--- a/rta/reg_mod_shim_sb.py
+++ b/rta/reg_mod_shim_sb.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom"
     value = "a.sdb"
diff --git a/rta/reg_mod_startup_shell_folder.py b/rta/reg_mod_startup_shell_folder.py
index 8f6b8abe5..0ef202897 100644
--- a/rta/reg_mod_startup_shell_folder.py
+++ b/rta/reg_mod_startup_shell_folder.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
     value = "Common Startup"
diff --git a/rta/reg_mod_suspicious_service.py b/rta/reg_mod_suspicious_service.py
index be4ba9de1..298c88662 100644
--- a/rta/reg_mod_suspicious_service.py
+++ b/rta/reg_mod_suspicious_service.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SYSTEM\\ControlSet001\\Services\\RTA"
     value = "ImagePath"
diff --git a/rta/reg_mod_systemcertificates.py b/rta/reg_mod_systemcertificates.py
index e348fabcd..03ebd4679 100644
--- a/rta/reg_mod_systemcertificates.py
+++ b/rta/reg_mod_systemcertificates.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\Test"
     value = "Blob"
diff --git a/rta/reg_mod_time_provider.py b/rta/reg_mod_time_provider.py
index cfb11c0ea..29fddebdb 100644
--- a/rta/reg_mod_time_provider.py
+++ b/rta/reg_mod_time_provider.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SYSTEM\\ControlSet001\\Services\\W32Time\\TimeProviders"
     value = "Test"
diff --git a/rta/reg_mod_unusual_startup_folder.py b/rta/reg_mod_unusual_startup_folder.py
index 26accbb46..daef9d721 100644
--- a/rta/reg_mod_unusual_startup_folder.py
+++ b/rta/reg_mod_unusual_startup_folder.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Temp Registry mod: Common Startup Folder")
diff --git a/rta/reg_mod_windir.py b/rta/reg_mod_windir.py
index b5cb533a9..c5eceee68 100644
--- a/rta/reg_mod_windir.py
+++ b/rta/reg_mod_windir.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "System\\Environment"
     value = "windir"
diff --git a/rta/reg_run_key_asterisk.py b/rta/reg_run_key_asterisk.py
index 4d3756836..c6a58b924 100644
--- a/rta/reg_run_key_asterisk.py
+++ b/rta/reg_run_key_asterisk.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Writing registry key")
diff --git a/rta/reg_vss_service_disable.py b/rta/reg_vss_service_disable.py
index e87dd3c87..ee3f483c6 100644
--- a/rta/reg_vss_service_disable.py
+++ b/rta/reg_vss_service_disable.py
@@ -31,7 +31,7 @@ metadata = RtaMetadata(
 HIGHENTROPY = common.get_path("bin", "highentropy.txt")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SYSTEM\\CurrentControlSet\\Services\\VSS"
     value = "Start"
diff --git a/rta/registry_hive_export.py b/rta/registry_hive_export.py
index 8c56ca651..dfe074f96 100644
--- a/rta/registry_hive_export.py
+++ b/rta/registry_hive_export.py
@@ -29,7 +29,7 @@ metadata = RtaMetadata(
 REG = "reg.exe"
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     for hive in ["sam", "security", "system"]:
         filename = Path("%s.reg" % hive).resolve()
diff --git a/rta/registry_persistence_create.py b/rta/registry_persistence_create.py
index c22a7fde6..7a545b423 100644
--- a/rta/registry_persistence_create.py
+++ b/rta/registry_persistence_create.py
@@ -38,7 +38,7 @@ def pause():
     time.sleep(0.5)
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(TARGET_APP)
 def main():
     common.log("Suspicious Registry Persistence")
diff --git a/rta/registry_rdp_enable.py b/rta/registry_rdp_enable.py
index ec75a9260..66488ec7a 100644
--- a/rta/registry_rdp_enable.py
+++ b/rta/registry_rdp_enable.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Enabling RDP Through Registry")
diff --git a/rta/regsvr32_scrobj.py b/rta/regsvr32_scrobj.py
index 9c00bdc6a..b9534e439 100644
--- a/rta/regsvr32_scrobj.py
+++ b/rta/regsvr32_scrobj.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     regsvr32 = "C:\\Users\\Public\\regsvr32.exe"
     common.copy_file(EXE_FILE, regsvr32)
diff --git a/rta/regsvr32_unusual_args.py b/rta/regsvr32_unusual_args.py
index 369f55872..c622432c9 100644
--- a/rta/regsvr32_unusual_args.py
+++ b/rta/regsvr32_unusual_args.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     binary = "regsvr32.exe"
     common.copy_file(EXE_FILE, binary)
diff --git a/rta/renamed_autoit.py b/rta/renamed_autoit.py
index 048861cdf..295df368a 100644
--- a/rta/renamed_autoit.py
+++ b/rta/renamed_autoit.py
@@ -19,7 +19,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     autoit = "C:\\Users\\Public\\rta.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/renamed_automaton_interpreter.py b/rta/renamed_automaton_interpreter.py
index 8c2a4b9b9..2549779b0 100644
--- a/rta/renamed_automaton_interpreter.py
+++ b/rta/renamed_automaton_interpreter.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     autohotkey = "C:\\Users\\Public\\notaut0hotkey.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/reverse_shell.py b/rta/reverse_shell.py
index d02502663..6e6e06c61 100644
--- a/rta/reverse_shell.py
+++ b/rta/reverse_shell.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing command to simulate reverse shell execution")
diff --git a/rta/root_cert_install.py b/rta/root_cert_install.py
index 659eb0d0c..02ff6a119 100644
--- a/rta/root_cert_install.py
+++ b/rta/root_cert_install.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/security"
diff --git a/rta/root_crontab_file_modification.py b/rta/root_crontab_file_modification.py
index 39a086b4b..1bae7f7ea 100644
--- a/rta/root_crontab_file_modification.py
+++ b/rta/root_crontab_file_modification.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing deletion on /private/var/at/tabs/root file.")
diff --git a/rta/rubeus_alike_commandline.py b/rta/rubeus_alike_commandline.py
index 375dfba61..77de4b327 100644
--- a/rta/rubeus_alike_commandline.py
+++ b/rta/rubeus_alike_commandline.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/rundll32_inf_callback.py b/rta/rundll32_inf_callback.py
index 1bc608dff..013485d7b 100644
--- a/rta/rundll32_inf_callback.py
+++ b/rta/rundll32_inf_callback.py
@@ -28,7 +28,7 @@ metadata = RtaMetadata(
 INF_FILE = common.get_path("bin", "script_launch.inf")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(INF_FILE)
 def main():
     # http server will terminate on main thread exit
diff --git a/rta/rundll32_javascript_callback.py b/rta/rundll32_javascript_callback.py
index d2bb42aec..7a97a0ed1 100644
--- a/rta/rundll32_javascript_callback.py
+++ b/rta/rundll32_javascript_callback.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("RunDLL32 with Javascript Callback")
     server, ip, port = common.serve_web()
diff --git a/rta/rundll32_unusual_args.py b/rta/rundll32_unusual_args.py
index 86d11f178..e393695a9 100644
--- a/rta/rundll32_unusual_args.py
+++ b/rta/rundll32_unusual_args.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     source_dll = "C:\\Windows\\System32\\IEAdvpack.dll"
     dll = "C:\\Users\\Public\\IEAdvpack.dll"
diff --git a/rta/rundll32_unusual_dll_extension.py b/rta/rundll32_unusual_dll_extension.py
index 14af87ca2..c6ecc30a8 100644
--- a/rta/rundll32_unusual_dll_extension.py
+++ b/rta/rundll32_unusual_dll_extension.py
@@ -26,7 +26,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     rundll32 = "C:\\Users\\Public\\rundll32.exe"
     user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/schtask_escalation.py b/rta/schtask_escalation.py
index 91527f518..69dc9bdd5 100644
--- a/rta/schtask_escalation.py
+++ b/rta/schtask_escalation.py
@@ -33,7 +33,7 @@ def schtasks(*args, **kwargs):
     return common.execute(["schtasks.exe"] + list(args), **kwargs)
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Scheduled Task Privilege Escalation")
diff --git a/rta/schtasks_xml_masqueraded.py b/rta/schtasks_xml_masqueraded.py
index 644daccb7..2d278e2bc 100644
--- a/rta/schtasks_xml_masqueraded.py
+++ b/rta/schtasks_xml_masqueraded.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Execute Command
     common.log("Executing command to simulate the task creation (This will not create a task)")
diff --git a/rta/scp_privacy_bypass.py b/rta/scp_privacy_bypass.py
index ee0b387bd..0d020c7cf 100644
--- a/rta/scp_privacy_bypass.py
+++ b/rta/scp_privacy_bypass.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/scp"
diff --git a/rta/screensaver_child_process.py b/rta/screensaver_child_process.py
index cea3e9c39..a3fbb91e4 100644
--- a/rta/screensaver_child_process.py
+++ b/rta/screensaver_child_process.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/ScreenSaverEngine"
diff --git a/rta/screensaver_plist_mod.py b/rta/screensaver_plist_mod.py
index e382f0480..132df6e5a 100644
--- a/rta/screensaver_plist_mod.py
+++ b/rta/screensaver_plist_mod.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/killall"
diff --git a/rta/scrobj_com_hijack.py b/rta/scrobj_com_hijack.py
index e1cd13a1d..8bf11f9b6 100644
--- a/rta/scrobj_com_hijack.py
+++ b/rta/scrobj_com_hijack.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     key = "SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-0000DEADBEEF}"
     subkey = "InprocServer32"
diff --git a/rta/secure_file_deletion.py b/rta/secure_file_deletion.py
index 0d496dac2..79bd6772b 100644
--- a/rta/secure_file_deletion.py
+++ b/rta/secure_file_deletion.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     temp_path = Path(tempfile.gettempdir()) / os.urandom(16).encode("hex")
     sdelete_path = common.get_path("bin", "sdelete.exe")
diff --git a/rta/security_authtrampoline.py b/rta/security_authtrampoline.py
index 765a65677..7ffb57d67 100644
--- a/rta/security_authtrampoline.py
+++ b/rta/security_authtrampoline.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # create masquerades
diff --git a/rta/sensitive_file_access.py b/rta/sensitive_file_access.py
index b55f34e2e..977d15878 100644
--- a/rta/sensitive_file_access.py
+++ b/rta/sensitive_file_access.py
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
     techniques=["T1555.004", "T1552.001", "T1003.003"],
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
diff --git a/rta/settingcontentms_files.py b/rta/settingcontentms_files.py
index 6321154a2..da6beda8f 100644
--- a/rta/settingcontentms_files.py
+++ b/rta/settingcontentms_files.py
@@ -30,7 +30,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Write to AppData\Local\
     common.execute(["cmd", "/c", "echo", "test", ">", "%APPDATA%\\test.SettingContent-ms"])
diff --git a/rta/sevenzip_encrypted.py b/rta/sevenzip_encrypted.py
index 22df1fdfc..bb96230eb 100644
--- a/rta/sevenzip_encrypted.py
+++ b/rta/sevenzip_encrypted.py
@@ -33,7 +33,7 @@ def create_exfil(path=Path("secret_stuff.txt").resolve()):
     return path
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(SEVENZIP)
 def main(password="s0l33t"):
     # create 7z.exe with not-7zip name, and exfil
diff --git a/rta/shellcode_load_ws2_32_unbacked.py b/rta/shellcode_load_ws2_32_unbacked.py
index 3782982a3..f2132b9a9 100644
--- a/rta/shellcode_load_ws2_32_unbacked.py
+++ b/rta/shellcode_load_ws2_32_unbacked.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Inject shellcode into WerFault.exe to trigger
diff --git a/rta/shellcode_winexec_calc.py b/rta/shellcode_winexec_calc.py
index db1376370..6b8bce868 100644
--- a/rta/shellcode_winexec_calc.py
+++ b/rta/shellcode_winexec_calc.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
     techniques=["T1134", "T1055"],
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
diff --git a/rta/shlayer_payload.py b/rta/shlayer_payload.py
index 909e69a11..a540c870a 100644
--- a/rta/shlayer_payload.py
+++ b/rta/shlayer_payload.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/curl"
diff --git a/rta/shortcut_file_suspicious_process.py b/rta/shortcut_file_suspicious_process.py
index 9915efc16..3856258fa 100644
--- a/rta/shortcut_file_suspicious_process.py
+++ b/rta/shortcut_file_suspicious_process.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Writing dummy shortcut file")
     shortcut_path = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\evil.lnk"
diff --git a/rta/shove_sip_bypass.py b/rta/shove_sip_bypass.py
index 947e6f47b..fa42eb1dd 100644
--- a/rta/shove_sip_bypass.py
+++ b/rta/shove_sip_bypass.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/sh"
diff --git a/rta/signed_proxy_file_written_exec.py b/rta/signed_proxy_file_written_exec.py
index 8bfe0e8b4..afd2d9396 100644
--- a/rta/signed_proxy_file_written_exec.py
+++ b/rta/signed_proxy_file_written_exec.py
@@ -33,7 +33,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     server, ip, port = common.serve_web()
     url = f"http://{ip}:{port}/bin/renamed_posh.exe"
diff --git a/rta/silentprocessexit_lsass.py b/rta/silentprocessexit_lsass.py
index 4e78e438d..8f149c508 100644
--- a/rta/silentprocessexit_lsass.py
+++ b/rta/silentprocessexit_lsass.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Temporarily creating LSA SilentProcessExit reg key...")
diff --git a/rta/sip_provider.py b/rta/sip_provider.py
index 82d9d570b..6d65ce0bc 100644
--- a/rta/sip_provider.py
+++ b/rta/sip_provider.py
@@ -55,7 +55,7 @@ else:
     TARGET_APP = common.get_path("bin", "myapp.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 @common.dependencies(SIGCHECK, TRUST_PROVIDER_DLL, TARGET_APP)
 def main():
     common.log("Registering SIP provider")
diff --git a/rta/smb_connection.py b/rta/smb_connection.py
index b37de0726..4931b04c4 100644
--- a/rta/smb_connection.py
+++ b/rta/smb_connection.py
@@ -27,7 +27,7 @@ metadata = RtaMetadata(
 SMB_PORT = 445
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main(ip=None):
     ip = ip or common.get_ip()
diff --git a/rta/solarmaker_backdoor.py b/rta/solarmaker_backdoor.py
index d6bb86041..4de1427b8 100644
--- a/rta/solarmaker_backdoor.py
+++ b/rta/solarmaker_backdoor.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     reg = "C:\\Windows\\System32\\reg.exe"
diff --git a/rta/spctl_gatekeeper_bypass.py b/rta/spctl_gatekeeper_bypass.py
index 6b2644c46..eba2ac78b 100644
--- a/rta/spctl_gatekeeper_bypass.py
+++ b/rta/spctl_gatekeeper_bypass.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/spctl"
diff --git a/rta/special_chars_zip_file.py b/rta/special_chars_zip_file.py
index c9492fdcc..718de02fa 100644
--- a/rta/special_chars_zip_file.py
+++ b/rta/special_chars_zip_file.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Creating suspicious zip file with special characters to mimic evasion of sanboxed office apps.")
diff --git a/rta/sqlite_db_evasion.py b/rta/sqlite_db_evasion.py
index edbe2db9f..5fb8f12e3 100644
--- a/rta/sqlite_db_evasion.py
+++ b/rta/sqlite_db_evasion.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/sqlite3"
diff --git a/rta/ssh_bruteforce.py b/rta/ssh_bruteforce.py
index d9b23d16f..b5f717196 100644
--- a/rta/ssh_bruteforce.py
+++ b/rta/ssh_bruteforce.py
@@ -21,7 +21,7 @@ def test(masquerade, masquerade2):
     common.execute([masquerade2, "childprocess", masquerade], timeout=0.3, kill=True)
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/sshd-keygen-wrapper"
diff --git a/rta/sticky_keys_write_execute.py b/rta/sticky_keys_write_execute.py
index c775c76e7..af2643c3c 100644
--- a/rta/sticky_keys_write_execute.py
+++ b/rta/sticky_keys_write_execute.py
@@ -34,7 +34,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Prep
     bins = [
diff --git a/rta/sudo_exploit.py b/rta/sudo_exploit.py
index 3dcd7349e..134e5a96c 100644
--- a/rta/sudo_exploit.py
+++ b/rta/sudo_exploit.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log(
         "Executing command to simulate attempted use of a heap-based buffer overflow vulnerability for the "
diff --git a/rta/susp_scheduled_task_creation.py b/rta/susp_scheduled_task_creation.py
index 9f7159b0f..4e1bb16d5 100644
--- a/rta/susp_scheduled_task_creation.py
+++ b/rta/susp_scheduled_task_creation.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     regsvr32 = "C:\\Users\\Public\\regsvr32.exe"
     common.copy_file(EXE_FILE, regsvr32)
diff --git a/rta/susp_script_file_name.py b/rta/susp_script_file_name.py
index 1f3322797..31ef516b5 100644
--- a/rta/susp_script_file_name.py
+++ b/rta/susp_script_file_name.py
@@ -27,7 +27,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     mshta = "C:\\Users\\Public\\mshta.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/suspicious_bits_job_notify.py b/rta/suspicious_bits_job_notify.py
index 878cc589f..43595c69d 100644
--- a/rta/suspicious_bits_job_notify.py
+++ b/rta/suspicious_bits_job_notify.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     svchost = "C:\\Users\\Public\\svchost.exe"
     child = "C:\\Users\\Public\\child.exe"
diff --git a/rta/suspicious_child_acrobat.py b/rta/suspicious_child_acrobat.py
index 092ea967c..16712d38f 100644
--- a/rta/suspicious_child_acrobat.py
+++ b/rta/suspicious_child_acrobat.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     acrobat = "C:\\Users\\Public\\Acrobat.exe"
     arp = "C:\\Windows\\System32\\arp.exe"
diff --git a/rta/suspicious_child_childless_process.py b/rta/suspicious_child_childless_process.py
index 6ddd29237..91186789e 100644
--- a/rta/suspicious_child_childless_process.py
+++ b/rta/suspicious_child_childless_process.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     svchost = "C:\\Users\\Public\\svchost.exe"
     rta = "C:\\Users\\Public\\rta.exe"
diff --git a/rta/suspicious_child_compattelrunner.py b/rta/suspicious_child_compattelrunner.py
index d8b71333b..46905a55a 100644
--- a/rta/suspicious_child_compattelrunner.py
+++ b/rta/suspicious_child_compattelrunner.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     compattelrunner = "C:\\Users\\Public\\compattelrunner.exe"
     child = "C:\\Users\\Public\\child.exe"
diff --git a/rta/suspicious_child_dns.py b/rta/suspicious_child_dns.py
index 952b65138..bc684c327 100644
--- a/rta/suspicious_child_dns.py
+++ b/rta/suspicious_child_dns.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     dns = "C:\\Users\\Public\\dns.exe"
     common.copy_file(EXE_FILE, dns)
diff --git a/rta/suspicious_child_exchange_um.py b/rta/suspicious_child_exchange_um.py
index fa9666ac5..d8cbf2c7f 100644
--- a/rta/suspicious_child_exchange_um.py
+++ b/rta/suspicious_child_exchange_um.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     umservice = "C:\\Users\\Public\\umservice.exe"
     common.copy_file(EXE_FILE, umservice)
diff --git a/rta/suspicious_child_explorer.py b/rta/suspicious_child_explorer.py
index 12c1af6de..73f37bbb1 100644
--- a/rta/suspicious_child_explorer.py
+++ b/rta/suspicious_child_explorer.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     explorer = "C:\\Users\\Public\\explorer.exe"
     common.copy_file(EXE_FILE, explorer)
diff --git a/rta/suspicious_child_services.py b/rta/suspicious_child_services.py
index 7c65c7579..d01404593 100644
--- a/rta/suspicious_child_services.py
+++ b/rta/suspicious_child_services.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     services = "C:\\Users\\Public\\services.exe"
     pwsh = "C:\\Users\\Public\\pwsh.exe"
diff --git a/rta/suspicious_child_solarwinds_businesslayerhost.py b/rta/suspicious_child_solarwinds_businesslayerhost.py
index 2dbfda204..71fabbb8b 100644
--- a/rta/suspicious_child_solarwinds_businesslayerhost.py
+++ b/rta/suspicious_child_solarwinds_businesslayerhost.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): buzz = "C:\\Users\\Public\\SolarWinds.BusinessLayerHost.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/suspicious_child_solarwindsdiagnostics.py b/rta/suspicious_child_solarwindsdiagnostics.py index dc1f0a74a..f0a0d347c 100644 --- a/rta/suspicious_child_solarwindsdiagnostics.py +++ b/rta/suspicious_child_solarwindsdiagnostics.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): solarwindsdiagnostics = "C:\\Users\\Public\\solarwindsdiagnostics.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/suspicious_child_svchost_sch.py b/rta/suspicious_child_svchost_sch.py index dc00f1041..3ca3958a5 100644 --- a/rta/suspicious_child_svchost_sch.py +++ b/rta/suspicious_child_svchost_sch.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): svchost = "C:\\Users\\Public\\svchost.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/suspicious_child_wmiprvse.py b/rta/suspicious_child_wmiprvse.py index 8002b59b1..bf48690eb 100644 --- a/rta/suspicious_child_wmiprvse.py +++ b/rta/suspicious_child_wmiprvse.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): wmiprvse = "C:\\Users\\Public\\wmiprvse.exe" arp = "C:\\Windows\\System32\\arp.exe" 
diff --git a/rta/suspicious_child_zoom.py b/rta/suspicious_child_zoom.py index c3768ef4e..9e8f15d43 100644 --- a/rta/suspicious_child_zoom.py +++ b/rta/suspicious_child_zoom.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): zoom = "C:\\Users\\Public\\zoom.exe" pwsh = "C:\\Users\\Public\\pwsh.exe" diff --git a/rta/suspicious_dll_registration_regsvr32.py b/rta/suspicious_dll_registration_regsvr32.py index 0370a0516..98f986284 100644 --- a/rta/suspicious_dll_registration_regsvr32.py +++ b/rta/suspicious_dll_registration_regsvr32.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Suspicious DLL Registration by Regsvr32") diff --git a/rta/suspicious_lineage_script.py b/rta/suspicious_lineage_script.py index 951b77389..f498fe95d 100644 --- a/rta/suspicious_lineage_script.py +++ b/rta/suspicious_lineage_script.py @@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cscript = "C:\\Users\\Public\\cscript.exe" explorer = "C:\\Users\\Public\\explorer.exe" diff --git a/rta/suspicious_msiexec_child.py b/rta/suspicious_msiexec_child.py index 88ebc5979..c63a13642 100644 --- a/rta/suspicious_msiexec_child.py +++ b/rta/suspicious_msiexec_child.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): msiexec = "C:\\Users\\Public\\msiexec.exe" regsvr32 = "C:\\Users\\Public\\regsvr32.exe" diff --git a/rta/suspicious_office_child.py b/rta/suspicious_office_child.py index 7d3053828..cc0537b07 100644 --- a/rta/suspicious_office_child.py 
+++ b/rta/suspicious_office_child.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "winword.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/suspicious_office_children.py b/rta/suspicious_office_children.py index f3fcb0627..0099d5eac 100644 --- a/rta/suspicious_office_children.py +++ b/rta/suspicious_office_children.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cmd_path = "c:\\windows\\system32\\cmd.exe" diff --git a/rta/suspicious_office_descendant_fp.py b/rta/suspicious_office_descendant_fp.py index 27610a9a8..51ba3b763 100644 --- a/rta/suspicious_office_descendant_fp.py +++ b/rta/suspicious_office_descendant_fp.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("MS Office unusual child process emulation") suspicious_apps = [ diff --git a/rta/suspicious_parent_cmd.py b/rta/suspicious_parent_cmd.py index e67bf7450..7bb16f08d 100644 --- a/rta/suspicious_parent_cmd.py +++ b/rta/suspicious_parent_cmd.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): logonui = "C:\\Users\\Public\\logonui.exe" cmd = "C:\\Windows\\System32\\cmd.exe" diff --git a/rta/suspicious_parent_csc.py b/rta/suspicious_parent_csc.py index d9ce4a253..959cf0495 100644 --- a/rta/suspicious_parent_csc.py +++ b/rta/suspicious_parent_csc.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): wscript = "C:\\Users\\Public\\wscript.exe" csc = "C:\\Users\\Public\\csc.exe" 
diff --git a/rta/suspicious_parent_msbuild_explorer.py b/rta/suspicious_parent_msbuild_explorer.py index cd1216794..8f1cb2e6f 100644 --- a/rta/suspicious_parent_msbuild_explorer.py +++ b/rta/suspicious_parent_msbuild_explorer.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): explorer = "C:\\Users\\Public\\explorer.exe" msbuild = "C:\\Users\\Public\\msbuild.exe" diff --git a/rta/suspicious_parent_msbuild_office.py b/rta/suspicious_parent_msbuild_office.py index 56f0c3587..aa45b68ec 100644 --- a/rta/suspicious_parent_msbuild_office.py +++ b/rta/suspicious_parent_msbuild_office.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): excel = "C:\\Users\\Public\\excel.exe" msbuild = "C:\\Users\\Public\\msbuild.exe" diff --git a/rta/suspicious_parent_msbuild_script.py b/rta/suspicious_parent_msbuild_script.py index 0475f779a..b3016dbb2 100644 --- a/rta/suspicious_parent_msbuild_script.py +++ b/rta/suspicious_parent_msbuild_script.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Users\\Public\\powershell.exe" msbuild = "C:\\Users\\Public\\msbuild.exe" diff --git a/rta/suspicious_parent_sc.py b/rta/suspicious_parent_sc.py index b082c913d..90b141818 100644 --- a/rta/suspicious_parent_sc.py +++ b/rta/suspicious_parent_sc.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" sc = "C:\\Users\\Public\\sc.exe" 
diff --git a/rta/suspicious_parent_smss.py b/rta/suspicious_parent_smss.py index 1246e78c1..1f0691cd7 100644 --- a/rta/suspicious_parent_smss.py +++ b/rta/suspicious_parent_smss.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): smss = "C:\\Users\\Public\\smss.exe" conhost = "C:\\Users\\Public\\conhost.exe" diff --git a/rta/suspicious_powershell_download.py b/rta/suspicious_powershell_download.py index 83141c18e..c45d2ff41 100644 --- a/rta/suspicious_powershell_download.py +++ b/rta/suspicious_powershell_download.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = "http://{}:{}/bad.ps1".format(ip, port) diff --git a/rta/suspicious_wmic_script.py b/rta/suspicious_wmic_script.py index c8c3c6298..df1add08c 100644 --- a/rta/suspicious_wmic_script.py +++ b/rta/suspicious_wmic_script.py @@ -37,7 +37,7 @@ version="1.0"> """ -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing suspicious WMIC script") diff --git a/rta/suspicious_wscript_parent.py b/rta/suspicious_wscript_parent.py index a890fcf59..9b8da04d9 100644 --- a/rta/suspicious_wscript_parent.py +++ b/rta/suspicious_wscript_parent.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): script_data = """ WScript.CreateObject("wscript.shell") diff --git a/rta/system_restore_process.py b/rta/system_restore_process.py index 3580421e1..88ccf3238 100644 --- a/rta/system_restore_process.py +++ b/rta/system_restore_process.py 
@@ -24,7 +24,7 @@ metadata = RtaMetadata( SYSTEM_RESTORE = "c:\\System Volume Information" -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(common.PS_EXEC) def main(): status = common.run_system() diff --git a/rta/systemkey_credential_access.py b/rta/systemkey_credential_access.py index 3e611916f..130f335e1 100644 --- a/rta/systemkey_credential_access.py +++ b/rta/systemkey_credential_access.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/systemsetup_ssh_enable.py b/rta/systemsetup_ssh_enable.py index d973737f2..1b83056c2 100644 --- a/rta/systemsetup_ssh_enable.py +++ b/rta/systemsetup_ssh_enable.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/systemsetup" diff --git a/rta/tar_dylib.py b/rta/tar_dylib.py index afd862d20..3736cdedb 100644 --- a/rta/tar_dylib.py +++ b/rta/tar_dylib.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Execute command" diff --git a/rta/tcc_bypass_mounted_apfs.py b/rta/tcc_bypass_mounted_apfs.py index 3e7104c86..6ecdf1300 100644 --- a/rta/tcc_bypass_mounted_apfs.py +++ b/rta/tcc_bypass_mounted_apfs.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/mount_apfs" diff --git a/rta/tcc_modification.py b/rta/tcc_modification.py index 733d4c316..92d35482f 100644 --- a/rta/tcc_modification.py +++ b/rta/tcc_modification.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/sqlite" 
diff --git a/rta/trust_provider.py b/rta/trust_provider.py index 8e7072d21..4d4d32b30 100644 --- a/rta/trust_provider.py +++ b/rta/trust_provider.py @@ -45,7 +45,7 @@ else: TARGET_APP = common.get_path("bin", "myapp.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(SIGCHECK, TRUST_PROVIDER_DLL, TARGET_APP) def main(): common.log("Trust Provider") diff --git a/rta/uac_cdssync.py b/rta/uac_cdssync.py index 52b6bc60f..f6c038c6c 100644 --- a/rta/uac_cdssync.py +++ b/rta/uac_cdssync.py @@ -26,7 +26,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" taskhostw = "C:\\Users\\Public\\taskhostw.exe" diff --git a/rta/uac_clipup.py b/rta/uac_clipup.py index da2bbabcb..716a063d3 100644 --- a/rta/uac_clipup.py +++ b/rta/uac_clipup.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dllhost = "C:\\Users\\Public\\dllhost.exe" clipup = "C:\\Users\\Public\\clipup.exe" diff --git a/rta/uac_computerdefaults.py b/rta/uac_computerdefaults.py index 0cb837c59..6f6a11c71 100644 --- a/rta/uac_computerdefaults.py +++ b/rta/uac_computerdefaults.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Classes\\ms-settings\\shell\\open\\command" value = "test" diff --git a/rta/uac_dccw.py b/rta/uac_dccw.py index 947318123..a3f956442 100644 --- a/rta/uac_dccw.py +++ b/rta/uac_dccw.py 
@@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dccw = "C:\\Users\\Public\\dccw.exe" dllhost = "C:\\Users\\Public\\dllhost.exe" diff --git a/rta/uac_diskcleanup.py b/rta/uac_diskcleanup.py index f111397c2..4e80a8078 100644 --- a/rta/uac_diskcleanup.py +++ b/rta/uac_diskcleanup.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" common.execute([powershell, "/autoclean", "/d"], timeout=2, kill=True) diff --git a/rta/uac_dism_dll_side_loading.py b/rta/uac_dism_dll_side_loading.py index 6beab774a..41b82d10f 100644 --- a/rta/uac_dism_dll_side_loading.py +++ b/rta/uac_dism_dll_side_loading.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dism = "C:\\Users\\Public\\Dism.exe" dllhost = "C:\\Users\\Public\\dllhost.exe" diff --git a/rta/uac_eventviewer.py b/rta/uac_eventviewer.py index 33e216b87..865cebb06 100644 --- a/rta/uac_eventviewer.py +++ b/rta/uac_eventviewer.py @@ -29,7 +29,7 @@ metadata = RtaMetadata( # %SystemRoot%\system32\mmc.exe "%1" %* -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(target_file=common.get_path("bin", "myapp.exe")): winreg = common.get_winreg() common.log("Bypass UAC with %s" % target_file) diff --git a/rta/uac_eventvwr.py b/rta/uac_eventvwr.py index 6c5bfa9cc..30811d440 100644 --- a/rta/uac_eventvwr.py +++ b/rta/uac_eventvwr.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): eventvwr = "C:\\Users\\Public\\eventvwr.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/uac_fodhelper.py b/rta/uac_fodhelper.py index 86fe0f002..55734e793 100644 --- a/rta/uac_fodhelper.py +++ b/rta/uac_fodhelper.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Classes\\ms-settings\\shell\\open\\command" value = "test" diff --git a/rta/uac_icmluautil.py b/rta/uac_icmluautil.py index 6605c6fc2..fefccdd13 100644 --- a/rta/uac_icmluautil.py +++ b/rta/uac_icmluautil.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dllhost = "C:\\Users\\Public\\dllhost.exe" common.copy_file(EXE_FILE, dllhost) diff --git a/rta/uac_mmc_deserialization.py b/rta/uac_mmc_deserialization.py index afe029bc8..f2cc8f8c5 100644 --- a/rta/uac_mmc_deserialization.py +++ b/rta/uac_mmc_deserialization.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): appdata = os.getenv("LOCALAPPDATA") path = Path(appdata) / "\\Microsoft\\Event Viewer" diff --git a/rta/uac_mmc_hijack.py b/rta/uac_mmc_hijack.py index 7cbff6458..878615ca4 100644 --- a/rta/uac_mmc_hijack.py +++ b/rta/uac_mmc_hijack.py 
@@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): mmc = "C:\\Users\\Public\\mmc.exe" msc = "C:\\Users\\Public\\a.msc" diff --git a/rta/uac_mmc_net_core_profiler.py b/rta/uac_mmc_net_core_profiler.py index 86f572004..d422b884e 100644 --- a/rta/uac_mmc_net_core_profiler.py +++ b/rta/uac_mmc_net_core_profiler.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Environment" value = "COR_PROFILER_PATH" diff --git a/rta/uac_sdclt.py b/rta/uac_sdclt.py index 309be5580..6aa2ed8d5 100644 --- a/rta/uac_sdclt.py +++ b/rta/uac_sdclt.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): sdclt = "C:\\Users\\Public\\sdclt.exe" common.copy_file(EXE_FILE, sdclt) diff --git a/rta/uac_sysprep.py b/rta/uac_sysprep.py index 38e637774..5fd9bbdb1 100644 --- a/rta/uac_sysprep.py +++ b/rta/uac_sysprep.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Bypass UAC with CRYPTBASE.dll") diff --git a/rta/uac_windir_masq.py b/rta/uac_windir_masq.py index 85925a21e..f4cf8e715 100644 --- a/rta/uac_windir_masq.py +++ b/rta/uac_windir_masq.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" common.copy_file(EXE_FILE, proc) diff --git a/rta/uac_windows_activation.py b/rta/uac_windows_activation.py index 2bb11917e..c65076d2c 100644 --- a/rta/uac_windows_activation.py +++ b/rta/uac_windows_activation.py 
@@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Classes\\Launcher.SystemSettings\\shell\\open\\command" value = "test" diff --git a/rta/uac_winfw_mmc.py b/rta/uac_winfw_mmc.py index dc4a90bb7..8e71dcabe 100644 --- a/rta/uac_winfw_mmc.py +++ b/rta/uac_winfw_mmc.py @@ -30,7 +30,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): mmc = "C:\\Users\\Public\\mmc.exe" dllhost = "C:\\Users\\Public\\dllhost.exe" diff --git a/rta/uac_wow64log.py b/rta/uac_wow64log.py index 9fa0ec345..14618f6f2 100644 --- a/rta/uac_wow64log.py +++ b/rta/uac_wow64log.py @@ -24,7 +24,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/uac_wsreset.py b/rta/uac_wsreset.py index 8f8e8d8e0..33324f6ca 100644 --- a/rta/uac_wsreset.py +++ b/rta/uac_wsreset.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software" value = "ms-windows-store" diff --git a/rta/uncommon_persistence.py b/rta/uncommon_persistence.py index 29b0daa5b..a1d3a97d0 100644 --- a/rta/uncommon_persistence.py +++ b/rta/uncommon_persistence.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" value = "Common Startup" 
diff --git a/rta/unshadow_execution.py b/rta/unshadow_execution.py index 3b5c4f89e..c2f6d23af 100644 --- a/rta/unshadow_execution.py +++ b/rta/unshadow_execution.py @@ -27,7 +27,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/unshadow" diff --git a/rta/unsigned_startup_item_netconn.py b/rta/unsigned_startup_item_netconn.py index d180a7039..97463f24a 100644 --- a/rta/unsigned_startup_item_netconn.py +++ b/rta/unsigned_startup_item_netconn.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/unusual_kerberos_client.py b/rta/unusual_kerberos_client.py index a43e2633d..e355c2f83 100644 --- a/rta/unusual_kerberos_client.py +++ b/rta/unusual_kerberos_client.py @@ -27,7 +27,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/unusual_ms_tool_network.py b/rta/unusual_ms_tool_network.py index ceec52563..55428e5c2 100644 --- a/rta/unusual_ms_tool_network.py +++ b/rta/unusual_ms_tool_network.py @@ -65,7 +65,7 @@ def http_from_process(name, ip, port): common.remove_file(path) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() diff --git a/rta/unusual_parent_child.py b/rta/unusual_parent_child.py index 262066f5c..e451fcffe 100644 --- a/rta/unusual_parent_child.py +++ b/rta/unusual_parent_child.py 
@@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Running Windows processes with an unexpected parent of %s" % Path(sys.executable).name) process_names = [ diff --git a/rta/unusual_parent_chrome_extension.py b/rta/unusual_parent_chrome_extension.py index a011dd6ab..d532292aa 100644 --- a/rta/unusual_parent_chrome_extension.py +++ b/rta/unusual_parent_chrome_extension.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" childproc = "C:\\Users\\Public\\childproc.exe" diff --git a/rta/unusual_powershell_engine_image_load.py b/rta/unusual_powershell_engine_image_load.py index b6ac4ac2a..cc5983718 100644 --- a/rta/unusual_powershell_engine_image_load.py +++ b/rta/unusual_powershell_engine_image_load.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" posh = "C:\\Windows\\System32\\posh.exe" diff --git a/rta/unusual_rdp_client.py b/rta/unusual_rdp_client.py index 42db9adc4..1e1b692c9 100644 --- a/rta/unusual_rdp_client.py +++ b/rta/unusual_rdp_client.py @@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" posh = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\posh.exe" diff --git a/rta/unzip_to_tmp.py b/rta/unzip_to_tmp.py index 917b47ddc..ddda2e847 100644 --- a/rta/unzip_to_tmp.py +++ b/rta/unzip_to_tmp.py 
@@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/Users/bash" diff --git a/rta/user_action_script.py b/rta/user_action_script.py index a4b8fab4c..8113d650d 100644 --- a/rta/user_action_script.py +++ b/rta/user_action_script.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/user_dir_escalation.py b/rta/user_dir_escalation.py index fe98895e6..cafcab9cf 100644 --- a/rta/user_dir_escalation.py +++ b/rta/user_dir_escalation.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(common.PS_EXEC) def main(): # make sure path is absolute for psexec diff --git a/rta/user_mode_smb_connection.py b/rta/user_mode_smb_connection.py index 891ed451d..4690aeeff 100644 --- a/rta/user_mode_smb_connection.py +++ b/rta/user_mode_smb_connection.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" posh = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\posh.exe" diff --git a/rta/vaultcmd_commands.py b/rta/vaultcmd_commands.py index 69aad84bb..67cf397eb 100644 --- a/rta/vaultcmd_commands.py +++ b/rta/vaultcmd_commands.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Searching Credential Vaults via VaultCmd") diff --git a/rta/webproxy_modification.py b/rta/webproxy_modification.py index 145b7bf0a..934ee03e7 100644 --- a/rta/webproxy_modification.py +++ b/rta/webproxy_modification.py 
@@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/networksetup" diff --git a/rta/webservice_lolbas.py b/rta/webservice_lolbas.py index 0bbba801e..4974f9fe8 100644 --- a/rta/webservice_lolbas.py +++ b/rta/webservice_lolbas.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/webservice_unsigned.py b/rta/webservice_unsigned.py index d6a025c9e..4389660dd 100644 --- a/rta/webservice_unsigned.py +++ b/rta/webservice_unsigned.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/werfault_masquerading.py b/rta/werfault_masquerading.py index c37f52f24..916dcc947 100644 --- a/rta/werfault_masquerading.py +++ b/rta/werfault_masquerading.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "regsvr32.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): werfault = "C:\\Users\\Public\\werfault.exe" diff --git a/rta/werfault_persistence.py b/rta/werfault_persistence.py index 06f729786..2559d51cf 100644 --- a/rta/werfault_persistence.py +++ b/rta/werfault_persistence.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_APP) def main(): reg_key = "'HKLM:\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\hangs'" diff --git a/rta/wevtutil_log_clear.py b/rta/wevtutil_log_clear.py index 820258ed2..fad12fcc0 100644 --- a/rta/wevtutil_log_clear.py +++ b/rta/wevtutil_log_clear.py 
@@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Clearing Windows Event Logs") common.log("WARNING - About to clear logs from Windows Event Viewer", log_type="!") diff --git a/rta/windefend_svc_stop.py b/rta/windefend_svc_stop.py index 0dafb8ce4..8fe208a79 100644 --- a/rta/windefend_svc_stop.py +++ b/rta/windefend_svc_stop.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" tempshell = "C:\\Users\\Public\\powershell.exe" diff --git a/rta/windows_script_host_file_written_exec.py b/rta/windows_script_host_file_written_exec.py index d3bd19fd8..d6577a66a 100644 --- a/rta/windows_script_host_file_written_exec.py +++ b/rta/windows_script_host_file_written_exec.py @@ -29,7 +29,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = f"http://{ip}:{port}/bin/renamed_posh.exe" diff --git a/rta/winrar_encrypted.py b/rta/winrar_encrypted.py index e36a5a2ad..1736d4261 100644 --- a/rta/winrar_encrypted.py +++ b/rta/winrar_encrypted.py @@ -34,7 +34,7 @@ def create_exfil(path=Path("secret_stuff.txt").resolve()): return path -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_APP, WINRAR) def main(password="s0l33t"): # Copies of the rar.exe for various tests diff --git a/rta/winrar_startup_folder.py b/rta/winrar_startup_folder.py index 774ed1d11..ff5c7fc4c 100644 --- a/rta/winrar_startup_folder.py +++ b/rta/winrar_startup_folder.py 
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 common.log("WinRAR StartUp Folder Persistence")
 win_rar_path = Path("WinRAR.exe").resolve()
diff --git a/rta/wizardupdate_infection.py b/rta/wizardupdate_infection.py
index 5f3476c07..4d7c00a48 100644
--- a/rta/wizardupdate_infection.py
+++ b/rta/wizardupdate_infection.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/curl"
diff --git a/rta/wmi_incoming_logon.py b/rta/wmi_incoming_logon.py
index 5175a8d1c..417b23117 100644
--- a/rta/wmi_incoming_logon.py
+++ b/rta/wmi_incoming_logon.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main(remote_host=None):
 if not remote_host:
 common.log("A remote host is required to detonate this RTA", "!")
diff --git a/rta/wmic_xsl_exec.py b/rta/wmic_xsl_exec.py
index dc1235c80..bbefca2de 100644
--- a/rta/wmic_xsl_exec.py
+++ b/rta/wmic_xsl_exec.py
@@ -22,7 +22,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 wmic = "C:\\Users\\Public\\wmic.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/wuauclt_image_load.py b/rta/wuauclt_image_load.py
index 033421a87..4e83cf6e0 100644
--- a/rta/wuauclt_image_load.py
+++ b/rta/wuauclt_image_load.py
@@ -28,7 +28,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 wuauclt = "C:\\Users\\Public\\wuauclt.exe"
 user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/xcsset_infection.py b/rta/xcsset_infection.py
index eeeeba60a..9adf70e44 100644
--- a/rta/xcsset_infection.py
+++ b/rta/xcsset_infection.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/zip"
