C# C2 Framework centered around Stage 1 operations
Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all. Currently targets only windows environments
Note: Default connection settings on implant are set to connect to localhost on port 8080, this can be changed here
After generating an exe of the client, teamserver, and implant, simply execute Teamserver.exe
to start up the teamserver
To start a new listener, use the StartListener
command. This command takes two params: Listener name and the port to run on
The Listeners
command lists all listeners, ViewListener
returns data on the specified listener, and RemoveListener
can be used to remove a listener from the list
Listing connected implants can be done using the Implants
command
Connecting to an implant is as simple as Connect <ImplantId>
. See what I did there?...ok I'll see myself out. Just as the Connect
command is used to select an implant. ViewImplant
can be used to view more information on the selected implant. The Disconnect
command will deselect the currently selected implant as shown below.
To use a task, a task must first be selected using SetTask
. Options can be viewed using TaskOpts
and set using SetTaskOpt
. Tasks are executing using SendTask
It's posible to view the output of a previously run task using TaskOut
. TasksOut
can be used to view all previously run tasks pertaining to the selected implant.
Atlas allows operators to execute both PowerShell and Cmd commands using the PSShell
and CMDShell
tasks respectively. PSShell
opens a new runspace and executes the command so even if powershell.exe
is blacklisted, PowerShell commands can still be executed. This method also bypasses Constrained Language Mode. CMDShell
opens a cmd.exe
process and passes the command into the process. Executing a PowerShell command was shown above so that won't be shown here as well. Side note about CMDShell
, many common commands executed including (but not limited to) whoami, ipconfig, pwd, and cd have been implemented into the implants functionality to avoid the need to execute such commands via a cmd.exe
process.
Loading assembies takes a few steps unlike something like CobaltStrike that does everything using execute-assembly
. First, an operator must use the ByteConvert
utility (ByteConvert
must be told whether the file is local or remote) to convert either a locally stored or remote file into a byte array and stores this in the assemBytes
variable. Once this is done, the Load
task is used to load the assembly into the implant process.
To view assemblies loaded into the implant process, operators can use the AssemQuery
and AssemMethodQuery
tasks. The former returns all loaded assemblies while the latter returns All public methods pertaining to a loaded assembly
The screenshot confirms that the TestAssem
assembly was indeed loaded into the implant's process.
AssemMethodQuery
can then be used to return information on TestAssem
an operator can use to return information used to execute public methods
Atlas offers the option to execute an assembly from its entry point or a specified exposed method. ExecuteAssem
can be used to execute from the entry point. This task takes only the name of the assembly. ExecuteAssemMethod
allows for the execution of other methods using information fetched from AssemMethodQuery
.
For a full list of features, swing by the wiki
Open .sln and build all 3 components in Release mode, exit console windows and exe's should be generated in \bin\debug of each component. I gotta work on something better for this
- Authentication
- Encode PowerShell Commands
- Add admin utils:
cp
upload
/download
- Keylogger (probs make standalone to load into implant)
- Some barebones persistence commands (idk something like creating a user via ADSI, WMI subscription creation. probs make these standalone assems to load into implant)
- Allow for the changing of the sleep timing on implant and implement jitter
- Allow for operator to change port TeamServer starts on via CLI
- Encrypted comms (yikes, ik)
- AppDomain Manipulation - Allow for the creation/removal of AppDomains and allow operator the ability to select which AppDomain to load assemblies into
- Better extensability capabilities
- Implement some sort of profiling system
- Automated Compilation:
- implant
- droppers/loaders/stagers
- Shellcode generation via Donut
- BOFs would be cool
Atlas was designed soley for educational/ethical purposes. I do not condone nor am I responsible for actions taken by users of Atlas