MythicAgents / Apollo

A .NET Framework 4.0 Windows Agent
BSD 3-Clause "New" or "Revised" License

MimikatzWrappers Included in Binary when MIMIKATZ is undefined #13

Closed reznok closed 3 years ago

reznok commented 3 years ago

When building a payload through the mythic payload creator, mimikatz agent source files (specifically MimikatzWrappers.cs) will be included in the generated payload if mimikatz is not selected but pth (and maybe dcsync) is still selected. This is a bit unintuitive and can lead to payloads that will be easily caught by AV if one is not aware of this behavior.

Cause: MimikatzWrappers.cs only checks for the following two build parameters: PTH and DCSYNC. No check is done to see if MIMIKATZ is in the build params.

Fixes:

1. Add an #IF MIMIKATZ block around the entire MimikatzWrappers.cs code. This would be a quick and logical fix, as everything in this file does depend on mimikatz as well.

2. Add support for agent module dependencies. For example, if a user tried to build a payload with pth but no mimikatz, mythic would return an error saying a dependency is missing. This would be a more in-depth change, but this behavior may also be desirable for future agent functions.

I'm happy to PR either (or both!) fixes, but would appreciate the opinion of the maintainer beforehand :)
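As an added example (not code from Apollo or Mythic, and not something either maintainer posted), the two proposed fixes modelled in Python so they can be compared on the same input: a per-file guard table standing in for the `#if` directives (fix 1) and a transitive dependency check of the kind a Mythic builder could run before compiling (fix 2). The command names, the dependency table, the rule that a selected command becomes an upper-case define, and the guard predicates are all assumptions taken from the issue text, not Apollo's actual build logic.

```python
"""Model of the two fixes proposed in the issue.

Added example, not Apollo or Mythic code. Assumptions: a selected command
becomes an upper-case define (pth -> PTH); MimikatzWrappers.cs is guarded
by PTH or DCSYNC today; pth and dcsync depend on mimikatz.
"""
from __future__ import annotations

from typing import Callable, Iterable

# Assumed dependency table: command -> commands that must also be selected.
COMMAND_DEPENDENCIES: dict[str, frozenset[str]] = {
    "pth": frozenset({"mimikatz"}),
    "dcsync": frozenset({"mimikatz"}),
    "mimikatz": frozenset(),
}

# Assumed per-file #if guards, written as predicates over the define set.
# "current" mirrors the guard the issue describes; "fixed" is fix 1.
FILE_GUARDS_CURRENT: dict[str, Callable[[set[str]], bool]] = {
    "MimikatzWrappers.cs": lambda d: "PTH" in d or "DCSYNC" in d,
    "Mimikatz.cs": lambda d: "MIMIKATZ" in d,
}
FILE_GUARDS_FIXED: dict[str, Callable[[set[str]], bool]] = {
    "MimikatzWrappers.cs": lambda d: "MIMIKATZ" in d,
    "Mimikatz.cs": lambda d: "MIMIKATZ" in d,
}


def missing_dependencies(
    selected: Iterable[str],
    deps: dict[str, frozenset[str]] = COMMAND_DEPENDENCIES,
) -> dict[str, set[str]]:
    """Return {command: {unselected deps}} for each selected command whose
    transitive dependencies are not all selected. Empty dict means OK."""
    chosen = set(selected)
    result: dict[str, set[str]] = {}
    for cmd in sorted(chosen):
        needed: set[str] = set()
        stack = list(deps.get(cmd, ()))
        while stack:  # depth-first walk so a -> b -> c also reports c
            dep = stack.pop()
            if dep in needed:
                continue
            needed.add(dep)
            stack.extend(deps.get(dep, ()))
        lacking = needed - chosen
        if lacking:
            result[cmd] = lacking
    return result


def build_defines(selected: Iterable[str]) -> set[str]:
    """Assumed builder behaviour: one upper-case define per selected command."""
    return {cmd.upper() for cmd in selected}


def compiled_files(defines: set[str], guards) -> list[str]:
    """Source files whose #if guard is satisfied by the define set."""
    return sorted(name for name, guard in guards.items() if guard(defines))


def check_build(selected: Iterable[str]) -> str | None:
    """Fix 2: the error the builder would return, or None when deps are met."""
    missing = missing_dependencies(selected)
    if not missing:
        return None
    parts = [f"{c} requires {', '.join(sorted(m))}" for c, m in sorted(missing.items())]
    return "unsatisfied command dependencies: " + "; ".join(parts)


def plan_build(selected: Iterable[str], guards=FILE_GUARDS_CURRENT) -> list[str]:
    """Reject the build on missing deps, else list the files that compile."""
    selected = set(selected)
    error = check_build(selected)
    if error:
        raise ValueError(error)
    return compiled_files(build_defines(selected), guards)


if __name__ == "__main__":
    # pth without mimikatz: today the wrapper file is compiled in anyway ...
    print(compiled_files(build_defines({"pth"}), FILE_GUARDS_CURRENT))
    # ... with fix 1 it is left out ...
    print(compiled_files(build_defines({"pth"}), FILE_GUARDS_FIXED))
    # ... and with fix 2 the build is refused before anything is compiled.
    print(check_build({"pth"}))
```

The two fixes are complementary rather than alternatives: the guard keeps the file out of the binary when the define is absent, while the dependency check stops the operator from shipping a `pth` command that has no working backend at all.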

djhohnstein commented 3 years ago

Due to the way all the wrappers are implemented, I think a documentation update could be in order to let the end user know these commands are "lazily" implemented via Mimikatz. I agree though, there is some confusion as to the dependencies of the command.

In general, module structure needs to be reworked to support dynamic loading, and having these large "manager style" commands is not best practice for Mythic to interface with (e.g. AssemblyManager.cs manages assembly_inject, execute_assembly, etc). In reality, each of these things should be split out into their own discrete files so that when that large migration happens, all those commands are portable to discrete libraries.

The best solution is to rewrite pth and dcsync into their own modules so that they have no dependencies. Those modules should split themselves out from Mimikatz by implementing the same functionality under the hood. DCSYNC should parse out credentials and report them back to Mythic (it currently doesn't), and pth should update the token impersonation tracking within the agent.