Skip to content

Gr1mmie/AtlasC2

Repository files navigation

AtlasC2

C# C2 Framework centered around Stage 1 operations

Atlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all. Currently targets only windows environments

Note: Default connection settings on implant are set to connect to localhost on port 8080, this can be changed here

Usage

Starting TeamServer

After generating an exe of the client, teamserver, and implant, simply execute Teamserver.exe to start up the teamserver

Starting/Managing Listeners

To start a new listener, use the StartListener command. This command takes two params: Listener name and the port to run on

image

The Listeners command lists all listeners, ViewListener returns data on the specified listener, and RemoveListener can be used to remove a listener from the list

image

Interfacing W/ Implants

Listing connected implants can be done using the Implants command

image

Connecting to an implant is as simple as Connect <ImplantId>. See what I did there?...ok I'll see myself out. Just as the Connect command is used to select an implant. ViewImplant can be used to view more information on the selected implant. The Disconnect command will deselect the currently selected implant as shown below.

image

Executing Tasks

To use a task, a task must first be selected using SetTask. Options can be viewed using TaskOpts and set using SetTaskOpt. Tasks are executing using SendTask

image

Viewing Previous Tasks

It's posible to view the output of a previously run task using TaskOut. TasksOut can be used to view all previously run tasks pertaining to the selected implant.

image

Shell Execution

Atlas allows operators to execute both PowerShell and Cmd commands using the PSShell and CMDShell tasks respectively. PSShell opens a new runspace and executes the command so even if powershell.exe is blacklisted, PowerShell commands can still be executed. This method also bypasses Constrained Language Mode. CMDShell opens a cmd.exe process and passes the command into the process. Executing a PowerShell command was shown above so that won't be shown here as well. Side note about CMDShell, many common commands executed including (but not limited to) whoami, ipconfig, pwd, and cd have been implemented into the implants functionality to avoid the need to execute such commands via a cmd.exe process.

image

Loading C# assemblies into memory

Loading assembies takes a few steps unlike something like CobaltStrike that does everything using execute-assembly. First, an operator must use the ByteConvert utility (ByteConvert must be told whether the file is local or remote) to convert either a locally stored or remote file into a byte array and stores this in the assemBytes variable. Once this is done, the Load task is used to load the assembly into the implant process.

image

Viewing Loaded Assemblies

To view assemblies loaded into the implant process, operators can use the AssemQuery and AssemMethodQuery tasks. The former returns all loaded assemblies while the latter returns All public methods pertaining to a loaded assembly

image

The screenshot confirms that the TestAssem assembly was indeed loaded into the implant's process.

AssemMethodQuery can then be used to return information on TestAssem an operator can use to return information used to execute public methods

image

Executing Loaded Assemblies

Atlas offers the option to execute an assembly from its entry point or a specified exposed method. ExecuteAssem can be used to execute from the entry point. This task takes only the name of the assembly. ExecuteAssemMethod allows for the execution of other methods using information fetched from AssemMethodQuery.

image

For a full list of features, swing by the wiki

Compilation

Open .sln and build all 3 components in Release mode, exit console windows and exe's should be generated in \bin\debug of each component. I gotta work on something better for this

To-Do

  • Authentication
  • Encode PowerShell Commands
  • Add admin utils:
    • cp
    • upload/download
  • Keylogger (probs make standalone to load into implant)
  • Some barebones persistence commands (idk something like creating a user via ADSI, WMI subscription creation. probs make these standalone assems to load into implant)
  • Allow for the changing of the sleep timing on implant and implement jitter
  • Allow for operator to change port TeamServer starts on via CLI
  • Encrypted comms (yikes, ik)
  • AppDomain Manipulation - Allow for the creation/removal of AppDomains and allow operator the ability to select which AppDomain to load assemblies into
  • Better extensability capabilities
  • Implement some sort of profiling system
  • Automated Compilation:
    • implant
    • droppers/loaders/stagers
  • Shellcode generation via Donut
  • BOFs would be cool

Disclaimer

Atlas was designed soley for educational/ethical purposes. I do not condone nor am I responsible for actions taken by users of Atlas