cobbr / Covenant

Covenant is a collaborative .NET C2 framework for red teamers.
https://cobbr.io/Covenant.html
GNU General Public License v3.0

[Feature Request] Integration of TikiTorch #87

Open NotoriousRebel opened 4 years ago

NotoriousRebel commented 4 years ago

Feature Request or Bug: Feature Request

Describe the feature request or bug: Creating a task that would allow a launcher to inject into a new process using TikiTorch, given that you know the PID of the target process, would be awesome :)

Expected behavior: The launcher is now running under a different process, such as svchost or explorer.

rasta-mouse commented 4 years ago

AFAIK Covenant can't generate Grunt shellcode (yet?), which is why there are no process injection Tasks at all. Not sure what the timescales for that are, but once that's tackled I'd love to port the functionality over.

EDIT: I should also point out that this is possible to do manually: https://rastamouse.me/2019/08/covenant-donut-tikitorch/

NotoriousRebel commented 4 years ago

@rasta-mouse I read your blog post <3, it's pretty amazing; that's why I created this post. I wonder if it would be possible to automate this with PowerShell once you have the GruntStager.exe, assuming you have Donut and TikiTorch on the system.

rasta-mouse commented 4 years ago

Perhaps, but it wouldn't exactly be elegant. Best just to roadmap the development properly IMO.

NotoriousRebel commented 4 years ago

@cobbr how hard would this be?

cobbr commented 4 years ago

No clue, I'm not super familiar with TikiTorch to be honest. Once we have process injection/migration integrated, I'll definitely take a look!

rasta-mouse commented 4 years ago

@cobbr TikiTorch is just a library of a few process injection / hollowing techniques. There's nothing really special about it - if the correct Windows APIs were in SharpSploit (for example), a Covenant Task could just recreate the same steps as a TikiTorch payload would.