There has been an interesting project that I've been meaning to take a closer look at for a long time now. Some time ago, @q8fawazo released a nice little example of a stage0 framework called Airstrike. The idea behind a stage0 is effectively a cut-down C2 with minimal functionality and a focus on stealth: it carries out recon of the target and is then used to deliver additional payloads or full-fat C2 frameworks such as Cobalt Strike. There had not been a particular need for me to use something like this on recent engagements, but I had now found myself in numerous situations where additional recon was required in order to tailor payloads and execution methods. Thankfully I had some help from k0z to get the framework where we wanted it, and we set out to modify the nice initial starter that Airstrike provided.
We wanted a low-profile feature set that was flexible enough to deliver additional payloads and carry out stealthy recon, but not overly complex. So we made a little shopping list of desired features:
- Front end capable of sending and receiving information from the agent.
- Process enumeration functionality.
- DLL checker / enumeration functionality.
- Built in shellcode runner.
- BOF/COFF loader (this came as a late addition when we thought, oh yeah, why add a load of extra features when we could just use BOFs).
So with our functionality ideas nailed down, we got to work.
The initial framework provided by Fawaz was a great starting point; however, it used React for the front end, and quite simply I know nothing about React. So I resorted to a more tried and tested approach and used crappy HTML and my own JS to achieve what I needed. I kept the original socket-based Flask backend (for now), as it works well but does have some limitations. I wanted to focus more on agent functionality than on front-end tinkering (for now, again).
The design idea was simple: implement a terminal-based output that captures typed events, forwards them to the backend to action, and returns the output to the terminal, with all of this maintained in a new "command" model in the DB that stores command output and command history. I also did a little rebranding and CSS wrangling, and eventually we ended up with a nice front end capable of sending data to and receiving data from the backend.
The front end also implemented a few QoL features, such as a hide button for killed agents, colour updates based on agent status and, of course, dark mode by default, because dark mode.
The terminal is accessed simply by clicking the agent's row in the table, and up pops a terminal that supports free-text entry for command execution (error handling and case conversion are considered extra flair at this point).
With the front end out of the way we could focus on the good stuff: the agent. The basic agent gave enough functionality to get going; however, it was rewritten to support automatic UUID generation for agent tracking in the front end, custom sleep functions, conversion to spoofed syscalls, better shellcode-running capabilities and a complete overhaul of the means used to enumerate system information. k0z leveraged the PEB for nearly all system and process information gathering.
The communication methods were also adapted to support POST requests, and the agent no longer needs to send all of its information on every request; it can simply check in using the UUID generated by the agent at run time. Additional encryption and encoding methods were also embedded so that the data being sent arrives at the front end securely and lands in the terminal without any formatting nasties.
We won't be sharing the code for the agent at the moment, as we are actively using and developing it. However, hopefully this blog can show that, with a good base provided by Airstrike and a few days of work, we were able to implement a custom and capable stage0.
The real crown jewel, in our opinion, was the COFF loader. I had recently been reading through the Sektor7 advanced course and its COFF loader module. With this as a starting point we were able to iron out some opsec issues within the Mokosh loader and implement support for Beacon functions. This allows Cobalt Strike BOF files to be used with no modification. As with the original COFF loader, Cobalt Strike-specific Beacon functions are not supported, as there is no actual Beacon to interact with. It still allowed great use of the situational awareness BOFs and other enumeration methods, whilst ensuring the agent kept working and remained undetected.
The following is an example of loading the "whoami.o" BOF from the Situational Awareness BOF repo.
The load functionality was also overhauled with a stealthier execution method for loading chosen shellcode files into the agent. By issuing the load command, the shellcode is launched within the agent process; in this case we used Cobalt Strike.
The beacon successfully calls home and we are good to go!
By ensuring our Cobalt Strike deployment is correctly configured, we also remain safe in memory, utilising the sleep mask kit, UDRL and all the usual goodies.
The bonus is that once the Beacon is killed, control returns to the agent and life carries on (assuming you avoided a massive process crash).
So there it is: a little insight into a hectic few days of development work that took us from a barebones initial stage0 to a nice, fairly feature-complete stage0 dropper. We are continuing to work on more evasion features within the agent to make the standalone binary a bit more resistant to the bigger-fish EDRs, but within a sideload or another better delivery mechanism it works well. We may release additional blogs in the future showcasing it going through its testing and development against some of the "top" EDRs.
Thanks to:
Originally published by D-SEC: Stage 0 to Hero