GRAT2 : Command And Control (C2) Project For Learning Purpose

GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.0. The main idea came from Georgios Koumettou who initiated the project.

Why we developed GRAT2 ?

We are aware that there are numerous C2 tools out there but, we developed this tool due to curiosity of how C2 and other evasion techniques work. That’s all! πŸ˜‰

Current Features

  • Evasion Techniques:
    • Sandbox (Check whether the machine is in the domain, if not exit).
    • Patch Event Tracing for Windows (ETW) Logging.
    • Patch Antimalware Scan Interface (AMSI).
    • caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).
  • Communication:
    • Encoded HTTP Communication using XOR and base64.
    • Proxy Aware.
  • Modules:
    • uac – Attempt to bypass UAC using silent disk clean-up with Parent PID Spoofing technique.
    • maketoken – Remove the current token and create a new one using the given credentials (Domain or Local).
    • revtoself – Remove the current token.
    • stealtoken – Attempt to steal a token from a running process and impersonate user (Administrator rights is required).
    • rportfwd – Attempt to create a reverse port forward.
    • whoami – Display the current user.
    • hostname – Display the machine hostname.
    • domain – Display the domain FQDN.
    • screenshot – Take a screenshot.
    • download – Download a file.
    • upload – Upload File.
    • cd – Change Directory.
    • run – Execute command via cmd.exe using explorer.exe as Parent PID.
    • caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).
    • sleep – Set new sleep time.
    • exit – Exit.
    • shell – Execute command via cmd.exe.
    • powershell – Execute powershell command using Unmanaged PowerShell.
    • powerscript – Execute powershell scripts using Unmanaged PowerShell.
    • executeassembly – Attempt to execute .NET assemblies in memory.
    • ps – Print the current processes.
    • pwd – Print the current directory.
    • ls – Directory Listing.
    • pid – Print the current Process ID.
  • Process Injection Techniques:
    • dynamic_injectcrt – Attempt to inject a shellcode into a process using Dynamic Invoke.
    • ppid_processhollow – Attempt to inject a shellcode into a process using Process Hollowing and Parent PID Spoofing (explorer.exe) technique.
    • processhollow – Attempt to inject a shellcode into a process using Process Hollowing technique.
    • injectppidapc – Attempt to inject a shellcode into a process using QueueUserAPC and Parent PID Spoofing (explorer.exe) technique.
    • injectapc – Attempt to inject a shellcode into a process using QueueUserAPC technique.
    • injectcrt – Attempt to inject a shellcode into a remote process using Create Remote Thread technique.

Refer to GRAT2_Shellcodes in order to generate position-independent shellcode using Donut.

TO DO

  • HTTPS Communication Channel.
  • Implement SOCKS5.
  • Fix known issues.

Configure Your Profile

  • c2 – Your GRAT2 Server IP Address (Required).
  • sandboxEvasion – If enabled (1), GRAT2 will be executed only on a domain join computer otherwise, GRAT2 will be terminated. If disabled (0), GRAT2 will be executed only on a non domain join computer otherwise, will be terminated (Default: Disabled).
  • patchEtw – If enabled (1), Event Tracing for Windows will be patched (Default: Enabled).
  • patchAmsi – if enabled (1), Antimalware Scan Interface will be patched (Default: Enabled).
  • sleep – Set sleep time (Default: 3 seconds).
  • UserAgent – Set UserAgent (Default: β€œMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko”).
  • initialUrl – Initial GRAT2 HTTP GET request (Default: jquery.js).
  • sendResults – GRAT2 HTTP POST results request (Default: login.aspx). NOTE if you change either initialUrl or sendResults string, you have to update the string under GRAT2_Server/handlers.py on line 42 and 78 respectively.

Usage

  • Open GRAT2 Client (GRAT2_Client.sln) project using Visual Studio, change the solution configuration from Debug to Release and then Build Solution.
  • Start GRAT2 Server:
  • Run GRAT2 Client executable – GRAT2_Client\bin\Release\GRAT2_Client.exe
  • Interact with the agent:

Disclaimer

This project can only be used for authorized testing or educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.

Credit: @TheRealWover, @TheRealWover & @FuzzySec, @_RastaMouse & @xpn and @cobbr_io

R K

Recent Posts

Install Python 3.7 on Ubuntu 18.04: apt and Source Build Methods

Python 3.7Β was a significant release for the language. It introducedΒ data classes, a decorator that automatically…

19 hours ago

Install Odoo 13 on Ubuntu 18.04: Python Venv and Nginx Guide

Odoo is a popular open-source suite of business applications. A single platform covers CRM, e-commerce, accounting,…

19 hours ago

Secure Apache with Let’s Encrypt on Ubuntu 18.04: Free SSL Guide

Let's Encrypt is a free, automated certificate authority run by the Internet Security Research Group…

19 hours ago

Install GCC on Ubuntu 18.04: C and C++ Compiler Setup Guide

GCC (GNU Compiler Collection) is a set of compilers and development libraries for C, C++, Fortran,…

19 hours ago

Install Python 3.8 on Ubuntu 18.04: apt and Source Build Methods

Python is one of the most widely used programming languages in the world. Its clean, readable…

20 hours ago

Install Tomcat 9 on Ubuntu 18.04: Systemd Service Setup Guide

Apache Tomcat is an open-source Java application server that implements the Java Servlet, JavaServer Pages, and…

2 days ago