cmd/root.go

package cmd

import (
	"fmt"
	"os"
	"rmm-hunter/internal/pkg"
	"rmm-hunter/internal/pkg/hunter"
	"rmm-hunter/internal/tui"
	"rmm-hunter/internal/web"

	scurvy "github.com/Kraken-OffSec/Scurvy"
	"github.com/Kraken-OffSec/Scurvy/core/escalator"
	"github.com/spf13/cobra"
)

var (
	excludeRMMs []string
	outputFile  string
	webUI       bool
	cliUI       bool
)

// rootCmd represents the base command when called without any subcommands
var rootCmd = &cobra.Command{
	Use:   "rmm-hunter",
	Short: "RMM-Hunter - Detect and eliminate Remote Monitoring and Management software",
	Long: `RMM-Hunter is a tool designed to detect and eliminate Remote Monitoring 
and Management (RMM) software on Windows systems. It can hunt for suspicious 
processes, services, binaries, and network connections associated with RMM tools.

Steps:
- Click start
- Type Powershell (see Windows Powershell)
- Right click and select "Run as administrator"
- Navigate to the directory containing rmm-hunter.exe 
	> If you downloaded the executable, it will be in your Downloads folder
		> cd ~\Downloads\
- To start the enumeration process, run the following command:
	> .\rmm-hunter.exe hunt

- To remove detected RMM software, run the following command:
	> CLI - A command line interface with interactive prompts
    	-> .\rmm-hunter.exe eliminate--cli
	> Web - A web interface for browser based elimination (Under Construction)
    	-> .\rmm-hunter.exe eliminate --web
`,
	Version: "1.0.0",
}

// huntCmd represents the hunt command
var huntCmd = &cobra.Command{
	Use:   "hunt",
	Short: "Hunt for RMM software on the system",
	Long: `Hunt mode scans the system for signs of RMM software including:
- Suspicious Processes
- Suspicious Autoruns
- Services
- Binaries and Executables
- Directories
- Processes
- Outbound Network Connections
- Scheduled Tasks
- Registry Entries

	> .\rmm-hunter.exe hunt
`,
	Run: func(cmd *cobra.Command, args []string) {
		fmt.Println("Starting RMM Hunt...")
		runHunt()
	},
}

// eliminateCmd represents the eliminate command
var eliminateCmd = &cobra.Command{
	Use:   "eliminate",
	Short: "Eliminate Sus software based on hunt results",
	Long: `Eliminate mode removes detected RMM Software from the system.
Requires a JSON input file containing hunt results to determine what to remove.
Administrative Privileges are required. The executable will run a UAC prompt asking for escalation permissions to adjust.
	> CLI - A command line interface with interactive prompts
    	-> .\rmm-hunter.exe eliminate --cli
	> Web - A web interface for browser based elimination (Under Construction)
    	-> .\rmm-hunter.exe eliminate --web
`,
	Run: func(cmd *cobra.Command, args []string) {
		if admin, err := scurvy.IsAdmin(); err != nil || !admin {
			escErr := escalator.RequireAdmin()
			if err != nil {
				fmt.Printf("Failed to elevate: %v\n", escErr)
				os.Exit(1)
			}
			fmt.Println("User is not admin, please run as administrator")
			os.Exit(1)
		}
		fmt.Println("Starting Elimination UI...")
		runEliminate()
	},
}

// Execute adds all child commands to the root command and sets flags appropriately.
func Execute() {
	err := rootCmd.Execute()
	if err != nil {
		os.Exit(1)
	}
}

func init() {
	// Add subcommands
	rootCmd.AddCommand(huntCmd)
	rootCmd.AddCommand(eliminateCmd)

	// Global flags
	rootCmd.PersistentFlags().StringSliceVar(&excludeRMMs, "exclude", []string{},
		"Comma-separated list of Sus names to exclude from detection (optional)")

	// Hunt command flags
	huntCmd.Flags().StringSliceVar(&excludeRMMs, "exclude", []string{},
		"Comma-separated list of Sus names to exclude from hunt")
	huntCmd.Flags().StringVarP(&outputFile, "output", "o", "suspicious-hunter.json",
		"Output file to write hunt results (optional) Default: suspicious-hunter.json")

	// Eliminate command flags
	eliminateCmd.Flags().BoolVarP(&webUI, "web", "w", false,
		"Use web UI instead of TUI (optional)")
	eliminateCmd.Flags().BoolVarP(&cliUI, "cli", "c", false,
		"Use CLI UI instead of TUI (optional)")

	// Mark web and cli flags as mutually exclusive
	eliminateCmd.MarkFlagsMutuallyExclusive("web", "cli")

	// Mark one of web or cli as required
	eliminateCmd.MarkFlagsOneRequired("web", "cli")
}

func runHunt() {
	if len(excludeRMMs) > 0 {
		fmt.Printf("Excluding RMMs: %v\n", excludeRMMs)
	}

	hunter.Start(pkg.RunOptions{
		ExcludeRMMs: excludeRMMs,
	})

}

func runEliminate() {
	if webUI {
		fmt.Println("Starting Web UI on http://127.0.0.1:8080 ...")
		web.StartWebServer()
		return
	} else if cliUI {
		// Launch the TUI for elimination flow
		if err := tui.RunEliminateUI(); err != nil {
			fmt.Printf("[-] TUI error: %v\n", err)
			os.Exit(1)
		}
	} else {
		fmt.Println("No UI specified")
		os.Exit(1)
	}
}
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`package cmd`

			`import (`
			`"fmt"`
			`"os"`
			`"rmm-hunter/internal/pkg"`
			`"rmm-hunter/internal/pkg/hunter"`
Implement TUI for managing suspicious artifacts (FilePicker, TypePicker, ListView, and DetailView) 2025-10-10 22:43:47 -04:00			`"rmm-hunter/internal/tui"`
Add web server implementation for RMM-Hunter with API endpoints and WebSocket support 2025-10-12 18:46:59 -04:00			`"rmm-hunter/internal/web"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00
Update `eliminate` connection logic to refine firewall rules and upgrade Scurvy library to latest version 2025-10-11 18:42:58 -04:00			`scurvy "github.com/Kraken-OffSec/Scurvy"`
Upgrade Scurvy library and add forced elevation logic with improved usage examples 2025-10-11 19:23:44 -04:00			`"github.com/Kraken-OffSec/Scurvy/core/escalator"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`"github.com/spf13/cobra"`
			`)`

			`var (`
			`excludeRMMs []string`
			`outputFile string`
Add web and CLI UI options for `eliminate` command with mutual exclusivity and required flag checks 2025-10-10 22:59:46 -04:00			`webUI bool`
			`cliUI bool`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`)`

			`// rootCmd represents the base command when called without any subcommands`
			`var rootCmd = &cobra.Command{`
			`Use: "rmm-hunter",`
			`Short: "RMM-Hunter - Detect and eliminate Remote Monitoring and Management software",`
			Long: `RMM-Hunter is a tool designed to detect and eliminate Remote Monitoring
			`and Management (RMM) software on Windows systems. It can hunt for suspicious`
Upgrade Scurvy library and add forced elevation logic with improved usage examples 2025-10-11 19:23:44 -04:00			`processes, services, binaries, and network connections associated with RMM tools.`

			`Steps:`
			`- Click start`
			`- Type Powershell (see Windows Powershell)`
			`- Right click and select "Run as administrator"`
			`- Navigate to the directory containing rmm-hunter.exe`
			`> If you downloaded the executable, it will be in your Downloads folder`
			`> cd ~\Downloads\`
			`- To start the enumeration process, run the following command:`
			`> .\rmm-hunter.exe hunt`

			`- To remove detected RMM software, run the following command:`
			`> CLI - A command line interface with interactive prompts`
			`-> .\rmm-hunter.exe eliminate--cli`
			`> Web - A web interface for browser based elimination (Under Construction)`
			`-> .\rmm-hunter.exe eliminate --web`
			`,
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`Version: "1.0.0",`
			`}`

			`// huntCmd represents the hunt command`
			`var huntCmd = &cobra.Command{`
			`Use: "hunt",`
			`Short: "Hunt for RMM software on the system",`
			Long: `Hunt mode scans the system for signs of RMM software including:
Add JSON and HTML writers for reporting Hunter findings 2025-10-10 16:06:48 -04:00			`- Suspicious Processes`
			`- Suspicious Autoruns`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`- Services`
Add JSON and HTML writers for reporting Hunter findings 2025-10-10 16:06:48 -04:00			`- Binaries and Executables`
			`- Directories`
			`- Processes`
			`- Outbound Network Connections`
			`- Scheduled Tasks`
Upgrade Scurvy library and add forced elevation logic with improved usage examples 2025-10-11 19:23:44 -04:00			`- Registry Entries`

			`> .\rmm-hunter.exe hunt`
			`,
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`Run: func(cmd *cobra.Command, args []string) {`
			`fmt.Println("Starting RMM Hunt...")`
			`runHunt()`
			`},`
			`}`

			`// eliminateCmd represents the eliminate command`
			`var eliminateCmd = &cobra.Command{`
			`Use: "eliminate",`
			`Short: "Eliminate Sus software based on hunt results",`
Update `eliminate` connection logic to refine firewall rules and upgrade Scurvy library to latest version 2025-10-11 18:42:58 -04:00			Long: `Eliminate mode removes detected RMM Software from the system.
			`Requires a JSON input file containing hunt results to determine what to remove.`
Upgrade Scurvy library and add forced elevation logic with improved usage examples 2025-10-11 19:23:44 -04:00			`Administrative Privileges are required. The executable will run a UAC prompt asking for escalation permissions to adjust.`
			`> CLI - A command line interface with interactive prompts`
			`-> .\rmm-hunter.exe eliminate --cli`
			`> Web - A web interface for browser based elimination (Under Construction)`
Update `eliminate` connection logic to refine firewall rules and upgrade Scurvy library to latest version 2025-10-11 18:42:58 -04:00			`-> .\rmm-hunter.exe eliminate --web`
			`,
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`Run: func(cmd *cobra.Command, args []string) {`
Update `eliminate` connection logic to refine firewall rules and upgrade Scurvy library to latest version 2025-10-11 18:42:58 -04:00			`if admin, err := scurvy.IsAdmin(); err != nil \|\| !admin {`
Upgrade Scurvy library and add forced elevation logic with improved usage examples 2025-10-11 19:23:44 -04:00			`escErr := escalator.RequireAdmin()`
			`if err != nil {`
			`fmt.Printf("Failed to elevate: %v\n", escErr)`
			`os.Exit(1)`
			`}`
Update `eliminate` connection logic to refine firewall rules and upgrade Scurvy library to latest version 2025-10-11 18:42:58 -04:00			`fmt.Println("User is not admin, please run as administrator")`
			`os.Exit(1)`
			`}`
Implement TUI for managing suspicious artifacts (FilePicker, TypePicker, ListView, and DetailView) 2025-10-10 22:43:47 -04:00			`fmt.Println("Starting Elimination UI...")`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`runEliminate()`
			`},`
			`}`

			`// Execute adds all child commands to the root command and sets flags appropriately.`
			`func Execute() {`
			`err := rootCmd.Execute()`
			`if err != nil {`
			`os.Exit(1)`
			`}`
			`}`

			`func init() {`
			`// Add subcommands`
			`rootCmd.AddCommand(huntCmd)`
			`rootCmd.AddCommand(eliminateCmd)`

			`// Global flags`
			`rootCmd.PersistentFlags().StringSliceVar(&excludeRMMs, "exclude", []string{},`
			`"Comma-separated list of Sus names to exclude from detection (optional)")`

			`// Hunt command flags`
			`huntCmd.Flags().StringSliceVar(&excludeRMMs, "exclude", []string{},`
			`"Comma-separated list of Sus names to exclude from hunt")`
			`huntCmd.Flags().StringVarP(&outputFile, "output", "o", "suspicious-hunter.json",`
			`"Output file to write hunt results (optional) Default: suspicious-hunter.json")`

Add web and CLI UI options for `eliminate` command with mutual exclusivity and required flag checks 2025-10-10 22:59:46 -04:00			`// Eliminate command flags`
			`eliminateCmd.Flags().BoolVarP(&webUI, "web", "w", false,`
			`"Use web UI instead of TUI (optional)")`
			`eliminateCmd.Flags().BoolVarP(&cliUI, "cli", "c", false,`
			`"Use CLI UI instead of TUI (optional)")`

			`// Mark web and cli flags as mutually exclusive`
			`eliminateCmd.MarkFlagsMutuallyExclusive("web", "cli")`

			`// Mark one of web or cli as required`
			`eliminateCmd.MarkFlagsOneRequired("web", "cli")`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`

			`func runHunt() {`
			`if len(excludeRMMs) > 0 {`
			`fmt.Printf("Excluding RMMs: %v\n", excludeRMMs)`
			`}`

			`hunter.Start(pkg.RunOptions{`
			`ExcludeRMMs: excludeRMMs,`
			`})`

			`}`

			`func runEliminate() {`
Add web and CLI UI options for `eliminate` command with mutual exclusivity and required flag checks 2025-10-10 22:59:46 -04:00			`if webUI {`
Add web server implementation for RMM-Hunter with API endpoints and WebSocket support 2025-10-12 18:46:59 -04:00			`fmt.Println("Starting Web UI on http://127.0.0.1:8080 ...")`
			`web.StartWebServer()`
Add web and CLI UI options for `eliminate` command with mutual exclusivity and required flag checks 2025-10-10 22:59:46 -04:00			`return`
			`} else if cliUI {`
			`// Launch the TUI for elimination flow`
			`if err := tui.RunEliminateUI(); err != nil {`
			`fmt.Printf("[-] TUI error: %v\n", err)`
			`os.Exit(1)`
			`}`
			`} else {`
			`fmt.Println("No UI specified")`
Implement TUI for managing suspicious artifacts (FilePicker, TypePicker, ListView, and DetailView) 2025-10-10 22:43:47 -04:00			`os.Exit(1)`
			`}`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`