Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BOF Refactor, Windows Service and fixes #78

Closed
wants to merge 56 commits into from
Closed

BOF Refactor, Windows Service and fixes #78

wants to merge 56 commits into from

Conversation

martindube
Copy link

@martindube martindube commented Nov 17, 2024
edited
Loading

Hello maintainers!

Here's a PR with fixes but also features. I'm not used to contribute so feel free to comment. I did my best to make commits in a cherry-pickable format.

Challenge with BOFs

I would like to start by sharing that I have only 1 week of experience with Athena and a few months with Mythic. I could have felt in a rabbit hole.

That being said, using the main branch of Athena and the associated container, no BOF were working. For reasons I do not fully understand, the "parent" task is never marked as completed. In addition, the subtask output is never sent to the parent task either. I don't know if this is a bug in Mythic but I found a "simple" way to fix it: Use completion callbacks. This is the commit refactor d36ac3d137d3c7e6de6c0546f0d7cc3775eb0096.

I read this documentation carefuly and I couldn't find a better way to fix this. In addition, the Mythic.execute approach was getting deprecated so I took time to modernize it.

Summary

Fixes:

  • Fix execute-assembly (missing double quote in a string) and other typos
  • fix(config): Print the right variable when setting config.debug
  • fix(nidhogg): Fix description (It was copied from env)
  • Ignore COFF binaries: .o and .bin
  • fix(inject-assembly): Add completion function. Standardize indent.

Features:

  • Add output type: Windows Service
  • Toggle debug mode and add LogManager.Debug()
  • Refactor BOFs
    • Replace MythicRPC().execute -> MythicRPC*
    • Move functions to bof_utilities
    • Use a new class: CoffCommandBase
    • Standardize the definition of process_response()
    • Use a default completion function

Refactor example

Before:

        resp = await MythicRPC().execute("create_subtask_group", tasks=[
            {"command": "coff", "params": {"coffFile":file_resp.response["agent_file_id"], "functionName":"go","arguments": encoded_args, "timeout":"60"}},
            ], 
            subtask_group_name = "coff", parent_task_id=taskData.Task.ID)

After:

        subtask = await SendMythicRPCTaskCreateSubtask(MythicRPCTaskCreateSubtaskMessage(
            taskData.Task.ID, 
            CommandName="coff",
            SubtaskCallbackFunction="coff_completion_callback",
            Params=json.dumps({
                "coffFile": file_resp.AgentFileId,
                "functionName": "go",
                "arguments": encoded_args,
                "timeout": "60",
            }),
            Token=taskData.Task.TokenID,
        ))

checkymander and others added 30 commits September 6, 2024 15:18
update obfuscation params'
2eff903
update load to get the path when load fails
8369247
fixed load command
1ac3357
update load.py to wait until after compilation to try and load 3rd pa…
b3f210d 
…rty libraries
removed backup csproj for inject-shellcode
6d93d6d
return load.py to old path
85036fb
update copy commands for post build
a5ebb68
update post-build path
670eb28
revert pathing change for public athena
fa1c75b
added IAgentMod interface and a few test interfaces, added zip, zip-d…
be8ff6c 
…l, and zip-inspect commands
;alsdkfj
45be85d
add aegis wrapper, update debug config stuff
35f56f5
Added logic to csproj to support randomizing agent.dll name
dc24961
Updated inject technique to give more control to the spawning of the …
5838ca4 
…process
a
1c6dd05
added new tech
b846ce2
update for new structs
9ee8e4f
fixed missing call
d244032
fixed old htargets
c9b4f7b
add sus
1f1a10a
added debyg
4288b9d
multthread broke me
205c03c
.net 8 bump
d6127b5
Merge branch 'new-features' of https://github.com/MythicAgents/Athena
f809e09 
…into new-features
git blame tr41nwr3ck
e7d577f
updated http-server to print POST requests contents
fadf68a
added POST response to http-server and updated Hypnosis injection tec…
c8d8481 
…hnique to foce synchrony
added ThreadHijack technique
be80566
initial add of python modules
da0ec2e
update plugins, add pymanager, added python plugins
1705905
tr41nwr3ck and others added 10 commits November 18, 2024 13:00
@tr41nwr3ck @martindube
Update execute-assembly.py
72502d2 
fixed spelling
@martindube
feat(agent): Add output type: Windows Service
b000708
@martindube
Fix execute-assembly and other typos
e643cd6
@martindube
fix(config): Now printing the right variable when setting config.debug
3071695
@martindube
feat(ILogger): Toggle debug mode and add LogManager.Debug()
729a661
@martindube
fix(nidhogg): Fix description
617a3a3
@martindube
refactor: Modernize BOFs
97a1a12 
- Replace MythicRPC().execute -> MythicRPC*
- Move functions to bof_utilities
- Use a new class: CoffCommandBase
- Standardize the definition of process_response()
- Use a default completion function
@martindube
Ignore COFF binaries: .o and .bin
7d4f717
@martindube
fix(inject-assembly): Add completion function. Standardize indent.
d80a36b
@martindube
fix(windows-service): Prevent obfuscation of windows service. Not wor…
43a3019 
…king yet with Obfuscar
@martindube
Copy link
Author

Closing. We'll use #79 instead.

@martindube martindube closed this Nov 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@martindube @tr41nwr3ck