class ShellOPSEC(CommandOPSEC):
    """OPSEC gate for the ``shell`` command.

    Every check here queries Mythic's stored process data for the task's
    callback host through ``MythicResponseRPC(task).search_database`` and, when
    the command should not run, flips the ``opsec_pre_*`` / ``opsec_post_*``
    fields on the task. The checks only see process data that has already been
    collected (the pre-check message tells the operator to run ``list_apps``
    first); they do not enumerate processes themselves.
    """

    # Shown to the operator in the pre-check message to explain how the
    # command would be spawned.
    process_creation = "/bin/bash -c"

    async def _defender_listed(self, task: MythicTask) -> bool:
        """Return True when the host's stored process data contains a
        "Microsoft Defender" entry.

        NOTE(review): assumes ``.response`` is a sized collection of matching
        rows and that ``search_database`` matches on the ``name`` key as
        written — confirm against the RPC implementation.
        """
        matches = await MythicResponseRPC(task).search_database(
            search={"name": "Microsoft Defender", "host": task.callback.host}
        )
        return len(matches.response) > 0

    async def opsec_pre(self, task: MythicTask):
        """Pre-tasking check.

        Blocks with the ``operator`` bypass role when there is no process data
        at all for the host, and blocks (no bypass role set) when Microsoft
        Defender appears in that data. The two conditions cannot both hold for
        one call, since the second query is a subset of the first.
        """
        any_process = await MythicResponseRPC(task).search_database(
            search={"host": task.callback.host}
        )
        if len(any_process.response) == 0:
            task.opsec_pre_blocked = True
            task.opsec_pre_message = (
                f"This spawns {self.process_creation} and there is no process data on the host yet."
                "\nRun \"list_apps\" first to check for dangerous processes"
            )
            task.opsec_pre_bypass_role = "operator"
        if await self._defender_listed(task):
            task.opsec_pre_blocked = True
            task.opsec_pre_message = "Microsoft Defender spotted on the host in running processes. Don't spawn commands this way"

    async def opsec_post(self, task: MythicTask):
        """Post-tasking check: block again if Microsoft Defender is now listed
        in the host's stored process data."""
        if await self._defender_listed(task):
            task.opsec_post_blocked = True
            task.opsec_post_message = "Microsoft Defender spotted on the host in running processes. Really, don't do this"
class ShellCommand(CommandBase):
    """Mythic ``shell`` command definition.

    Only the metadata attributes are visible in this excerpt; the class body
    presumably continues below (tasking / response handlers) — not shown here.
    """

    # Usage string displayed to operators.
    help_cmd = "shell {command}"
    # The description itself carries the single-threaded caveat: a hanging
    # command hangs the whole agent.
    description = """This runs {command} in a terminal by leveraging JXA's Application.doShellScript({command}).
WARNING! THIS IS SINGLE THREADED, IF YOUR COMMAND HANGS, THE AGENT HANGS!"""
    author = "@its_a_feature_"
    # ATT&CK technique mapping reported for this command.
    attackmapping = ["T1059"]
    # Argument-parsing class for this command; presumably defined earlier in
    # the file (not visible in this excerpt).
    argument_class = ShellArguments