From 8e80b70186a0ff7f82f7cb5f44def962ef7e99dd Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sat, 19 Mar 2022 21:13:03 -0400 Subject: [PATCH 01/10] Create README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..3920b48 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +# AtlasC2 +C# C2 Framework centered around Stage 1 operations From 7122b13807a3c401ee8459b40dde6681118ec959 Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 00:27:10 -0400 Subject: [PATCH 02/10] Update README.md --- README.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/README.md b/README.md index 3920b48..491177e 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,77 @@ # AtlasC2 C# C2 Framework centered around Stage 1 operations + +Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all. + +## Usage +### Starting/Managing Listeners +To start a new listener, use the `StartListener` command. This command takes two params: Listener name and the port to run on +image + +The `Listeners` command lists all listeners, `ViewListener` returns data on the specified listener, and `RemoveListener` can be used to remove a listener from the list + +image + +### Interfacing W/ Implants +Listing connected implants can be done using the `Implants` command + +image + +Connecting to an implant is as simple as `Connect `. See what I did there?...ok I'll see myself out. Just as the `Connect` command is used to select an implant. `ViewImplant` can be used to view more information on the selected implant. The `Disconnect` command will deselect the currently selected implant as shown below. + + +image + +### Executing Tasks +To use a task, a task must first be selected using `SetTask`. Options can be viewed using `TaskOpts` and set using `SetTaskOpt`. Tasks are executing using `SendTask` + +image + +### Viewing Previous Tasks +It's posible to view the output of a previously run task using `TaskOut`. `TasksOut` can be used to view all previously run tasks pertaining to the selected implant. + +image + +### Shell Execution +Atlas allows operators to execute both PowerShell and Cmd commands using the `PSShell` and `CMDShell` tasks respectively. `PSShell` opens a new runspace and executes the command so even if `powershell.exe` is blacklisted, PowerShell commands can still be executed. This method also bypasses Constrained Language Mode. `CMDShell` opens a `cmd.exe` process and passes the command into the process. Executing a PowerShell command was shown above so that won't be shown here as well. Site note about `CMDShell`, many common commands executed including (but not limited to) whoami, ipconfig, pwd, and cd have been implemented into the implants functionality to avoid the need to execute such commands via a `cmd.exe` process. + +image + + +### Loading C# assemblies into memory + +Loading assembies takes a few steps unlike something like CobaltStrike that does everything using `execute-assembly`. First, an operator must use the `ByteConvert` utility (`ByteConvert` must be told whether the file is local or remote) to convert either a locally stored or remote file into a byte array and stores this in the `assemBytes` variable. Once this is done, the `Load` task is used to load the assembly into the implant process. + +image + +### Viewing Loaded Assemblies +To view assemblies loaded into the implant process, operators can use the `AssemQuery` and `AssemMethodQuery` tasks. The former returns all loaded assemblies while the latter returns All public methods pertaining to a loaded assembly + +image +The screenshot confirms that the `TestAssem` assembly was indeed loaded into the implant's process. + +`AssemMethodQuery` can then be used to return information on `TestAssem` an operator can use to return information used to execute public methods + +image + +### Executing Loaded Assemblies +Atlas offers the option to execute an assembly from its entry point or a specified exposed method. `ExecuteAssem` can be used to execute from the entry point. This task takes only the name of the assembly. `ExecuteAssemMethod` allows for the execution of other methods using information fetched from `AssemMethodQuery`. + +image + +For a full list of features, swing by the wiki (add link here) + +## Compilation +Open .sln and build all 3 components in Release mode + +## To-Do +* Encode PowerShell Commands +* Encrypted comms (yikes, ik) +* AppDomain Manipulation - Allow for the creation/removal of AppDomains and allow operator the ability to select which AppDomain to load assemblies into +* Better extensability capabilities +* Implement some sort of profiling system +* Automated Compilation: + * implant + * droppers/loaders/stagers +* Shellcode generation via Donut +* BOFs would be cool From 6ec070ae0700859634d6512b49c3c7ad4ebfe0c1 Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 00:30:44 -0400 Subject: [PATCH 03/10] ayy readme isn't empty now...wait no nvm, it kinda cleaner now --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 491177e..0331d8c 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ Atlas is based around gaining a foothold within an environment and further utili ## Usage ### Starting/Managing Listeners To start a new listener, use the `StartListener` command. This command takes two params: Listener name and the port to run on + image The `Listeners` command lists all listeners, `ViewListener` returns data on the specified listener, and `RemoveListener` can be used to remove a listener from the list From b4f16628f5d9f2e1ef2d1a115b6f147d643b9549 Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 00:33:36 -0400 Subject: [PATCH 04/10] ok code line thingy format fixed. markdown hard --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0331d8c..e59f6fd 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ Loading assembies takes a few steps unlike something like CobaltStrike that does To view assemblies loaded into the implant process, operators can use the `AssemQuery` and `AssemMethodQuery` tasks. The former returns all loaded assemblies while the latter returns All public methods pertaining to a loaded assembly image + The screenshot confirms that the `TestAssem` assembly was indeed loaded into the implant's process. `AssemMethodQuery` can then be used to return information on `TestAssem` an operator can use to return information used to execute public methods From 8a3fde25077e4f1e59bd04643c7247e38d56c26c Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 00:35:41 -0400 Subject: [PATCH 05/10] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index e59f6fd..0c4fdf3 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,8 @@ Atlas offers the option to execute an assembly from its entry point or a specifi For a full list of features, swing by the wiki (add link here) +## Note To Self: u forgot YARA rule. dewit + ## Compilation Open .sln and build all 3 components in Release mode From 1d0ab5acf2dded503daf131f1b3d75283b5de912 Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 00:38:33 -0400 Subject: [PATCH 06/10] disclaimer thingy --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0c4fdf3..478dcc1 100644 --- a/README.md +++ b/README.md @@ -63,8 +63,6 @@ Atlas offers the option to execute an assembly from its entry point or a specifi For a full list of features, swing by the wiki (add link here) -## Note To Self: u forgot YARA rule. dewit - ## Compilation Open .sln and build all 3 components in Release mode @@ -79,3 +77,9 @@ Open .sln and build all 3 components in Release mode * droppers/loaders/stagers * Shellcode generation via Donut * BOFs would be cool + + +### Note To Self: u forgot YARA rule. dewit + +## Disclaimer +Atlas was designed soley for educational/ethical purposes. I do not condone nor am I responsible for actions taken by users of Atlas From 0e2d5afa854695200082e9ce25161fbf0de50afd Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 10:00:01 -0400 Subject: [PATCH 07/10] ya know, would be nice if I can remember everything I want to add at once --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 478dcc1..4215b8f 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,7 @@ For a full list of features, swing by the wiki (add link here) Open .sln and build all 3 components in Release mode ## To-Do +* Authentication * Encode PowerShell Commands * Encrypted comms (yikes, ik) * AppDomain Manipulation - Allow for the creation/removal of AppDomains and allow operator the ability to select which AppDomain to load assemblies into From b0d146d6c53b7de9acaee599c942cdb031f6609a Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 10:18:59 -0400 Subject: [PATCH 08/10] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 4215b8f..1261e37 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,8 @@ Open .sln and build all 3 components in Release mode ## To-Do * Authentication * Encode PowerShell Commands +* Add admin utils: + * `cp` * Encrypted comms (yikes, ik) * AppDomain Manipulation - Allow for the creation/removal of AppDomains and allow operator the ability to select which AppDomain to load assemblies into * Better extensability capabilities From 21a98d56cb8a6d69d9f26b26a5884eec96146abf Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 10:37:05 -0400 Subject: [PATCH 09/10] Update README.md --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 1261e37..249b5f6 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,11 @@ C# C2 Framework centered around Stage 1 operations Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all. ## Usage + +### Starting TeamServer + +After generating an exe of the client, teamserver, and implant, simply execute `Teamserver.exe` to start up the teamserver + ### Starting/Managing Listeners To start a new listener, use the `StartListener` command. This command takes two params: Listener name and the port to run on From feb79a0fca17c2bb4f9bfdae732012c4f0eb84fc Mon Sep 17 00:00:00 2001 From: Grimmie <57014148+Gr1mmie@users.noreply.github.com> Date: Sun, 20 Mar 2022 11:02:32 -0400 Subject: [PATCH 10/10] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 249b5f6..c152fea 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,8 @@ Open .sln and build all 3 components in Release mode * Encode PowerShell Commands * Add admin utils: * `cp` +* Allow for the changing of the sleep timing on implant and implement jitter +* Allow for operator to change port TeamServer starts on via CLI * Encrypted comms (yikes, ik) * AppDomain Manipulation - Allow for the creation/removal of AppDomains and allow operator the ability to select which AppDomain to load assemblies into * Better extensability capabilities