Atlas is a lightweight Windows Apfell agent written in C#. It was intended to be used as an initial access agent with a focus on stability and flexibility in its configuration. I created the agent in an attempt to learn more about coding in C#, so the code is not optimized or written in the "proper" way. It was a fun project and I hope it may be useful to people for red team assessments and penetration testing.
- 3.5/4.0 .NET compatibility
- Small assembly size: <54Kb
- Dynamic .NET assembly loading and execution
- Loaded assemblies are tracked so they only need to be loaded once
- Upload/Download files
- AMSI bypass when loading assemblies
- Proxy support
- Dynamic agent configuration
- Add/remove C2 servers
- Change sleep time and jitter
- Change user-agent and host header
- Change kill date
- Modify query parameter for GET requests
- Modify Proxy settings
- Intelligent C2 server selection
- Keeps track of failed connections to servers and always chooses server with least failed connections
- Tracking of failed connections is display with configuration data
Then navigate to Manage Operations > Payload Management on the Apfell server, and import the atlas.json file. This registers the payload with the Apfell server as an externally hosted payload.
You can then register the payload with the Apfell server via Create Components > Create Payload on the Apfell server, and stuff the PayloadUUID and other relevant information into Config.cs
Additional Atlas specific configuration options in Config.cs
Param specify the query parameter to use for GET requests
ChunkSize specify the chunking size to use for upload/download and command output
UseDefaultProxy true or false, specify whether to use the system default proxy settings or use below manual settings
ProxyAddress specify proxy server address to use for web requests
ProxyUser specify username to use for authenticating to proxy server
ProxyPassword specify password to use for authenticating to proxy server
Then build the agent on a windows system with visual studio or via Mono on a *nix system.
Once the agent is built, all that's left is to execute.
config dynamically change agent settings during runtime (see below for more detail)
download download files from target system to apfell server
exit exit atlas instance via Environment.Exit
jobkill kill a long running job
jobs list current running jobs
listloaded list assemblies loaded via the loadassembly command
loadassembly load an arbitrary .NET assembly via Assembly.Load and keep track of assembly FullName for later execution
runassembly execute the entrypoint of a .NET assembly loaded via loadassembly command
upload upload a file from the apfell server to the target system
Atlas allows a degree of dynamic configuration of the agent's settings after initial execution. These settings can be changed via the config command. below are the options to this command as there are many.
config base command
options:
info display current agent configuration
domain option to add/remove C2 domain
add add a C2 domain to list of domains
remove remove a C2 domain from list of domains (will not let list be less then one domain)
sleep sleep time between taskings in seconds
jitter variation in sleep time, specify as a percentage
kill_date date for agent to exit itself
host_header host header to use for domain fronting
user_agent user-agent header for web requests
param option for query parameter used in GET requests
proxy option to modify proxy settings
use_default true/false, choose whether to use system default settings or manual settings specified in config
address address of proxy server
username username to authenticate to proxy server
password password to authenticate to proxy server
Examples:
config info
config domain add http://hello.world
config sleep 60
config jitter 20
config kill_date 2020-03-01
config host_header cdn.cloudfront.com
config user_agent Mozilla 5.0 IE blah blah blah
config param order
config proxy use_default false
config proxy address 192.168.1.100
config proxy username harm.j0y
config proxy password Liv3F0rTh3Tw!ts
Since functionality in Atlas is loaded via .NET assemblies, I have provided three support .NET projects that give Atlas basic RAT capability. Your welcome to use whatever fits your needs, but these are a good start.
processlist - This is a basic process listing application based off of @cobbr's code from SharpSploit, it will retrieve current running process's PID, PPID, Arch, Name, and Owner.
run - This is slightly modified code from @_RastaMouse which he was kind enough to share after my struggles with named pipes redirection. This assembly executes shell commands while spoofing parent process ID and blocking non microsoft dlls from the process space. Neat little code and seems useful. (this does not execute via cmd.exe, if you would like to execute commands through there, start the command with cmd.exe /c)
Usage:
run.exe <PPID> <command>
Example:
run.exe 4343 ipconfig /all
Note: PPID is required for command
apcinject - Again, not my code. This is a slightly modified version of process injection using QueueUserAPC with a new process and suspended thread created by @0xthirteen.
Usage:
apcinject.exe <path to target application> <base64 shellcode>
Example:
apcinject.exe C:\Windows\System32\svchost.exe SGFjayB0aGUgUGxhbmV0IQ==
- HTTP Profile
- File Browser Commands (ls & rm)
- Process listing hook
- unloadassembly
This project would not of been possible without the help and support of my coworkers