GRAT2 : Command And Control (C2) Project For Learning Purpose

GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.0. The main idea came from Georgios Koumettou who initiated the project.

Why we developed GRAT2 ?

We are aware that there are numerous C2 tools out there but, we developed this tool due to curiosity of how C2 and other evasion techniques work. That’s all! πŸ˜‰

Current Features

  • Evasion Techniques:
    • Sandbox (Check whether the machine is in the domain, if not exit).
    • Patch Event Tracing for Windows (ETW) Logging.
    • Patch Antimalware Scan Interface (AMSI).
    • caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).
  • Communication:
    • Encoded HTTP Communication using XOR and base64.
    • Proxy Aware.
  • Modules:
    • uac – Attempt to bypass UAC using silent disk clean-up with Parent PID Spoofing technique.
    • maketoken – Remove the current token and create a new one using the given credentials (Domain or Local).
    • revtoself – Remove the current token.
    • stealtoken – Attempt to steal a token from a running process and impersonate user (Administrator rights is required).
    • rportfwd – Attempt to create a reverse port forward.
    • whoami – Display the current user.
    • hostname – Display the machine hostname.
    • domain – Display the domain FQDN.
    • screenshot – Take a screenshot.
    • download – Download a file.
    • upload – Upload File.
    • cd – Change Directory.
    • run – Execute command via cmd.exe using explorer.exe as Parent PID.
    • caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).
    • sleep – Set new sleep time.
    • exit – Exit.
    • shell – Execute command via cmd.exe.
    • powershell – Execute powershell command using Unmanaged PowerShell.
    • powerscript – Execute powershell scripts using Unmanaged PowerShell.
    • executeassembly – Attempt to execute .NET assemblies in memory.
    • ps – Print the current processes.
    • pwd – Print the current directory.
    • ls – Directory Listing.
    • pid – Print the current Process ID.
  • Process Injection Techniques:
    • dynamic_injectcrt – Attempt to inject a shellcode into a process using Dynamic Invoke.
    • ppid_processhollow – Attempt to inject a shellcode into a process using Process Hollowing and Parent PID Spoofing (explorer.exe) technique.
    • processhollow – Attempt to inject a shellcode into a process using Process Hollowing technique.
    • injectppidapc – Attempt to inject a shellcode into a process using QueueUserAPC and Parent PID Spoofing (explorer.exe) technique.
    • injectapc – Attempt to inject a shellcode into a process using QueueUserAPC technique.
    • injectcrt – Attempt to inject a shellcode into a remote process using Create Remote Thread technique.

Refer to GRAT2_Shellcodes in order to generate position-independent shellcode using Donut.

TO DO

  • HTTPS Communication Channel.
  • Implement SOCKS5.
  • Fix known issues.

Configure Your Profile

  • c2 – Your GRAT2 Server IP Address (Required).
  • sandboxEvasion – If enabled (1), GRAT2 will be executed only on a domain join computer otherwise, GRAT2 will be terminated. If disabled (0), GRAT2 will be executed only on a non domain join computer otherwise, will be terminated (Default: Disabled).
  • patchEtw – If enabled (1), Event Tracing for Windows will be patched (Default: Enabled).
  • patchAmsi – if enabled (1), Antimalware Scan Interface will be patched (Default: Enabled).
  • sleep – Set sleep time (Default: 3 seconds).
  • UserAgent – Set UserAgent (Default: β€œMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko”).
  • initialUrl – Initial GRAT2 HTTP GET request (Default: jquery.js).
  • sendResults – GRAT2 HTTP POST results request (Default: login.aspx). NOTE if you change either initialUrl or sendResults string, you have to update the string under GRAT2_Server/handlers.py on line 42 and 78 respectively.

Usage

  • Open GRAT2 Client (GRAT2_Client.sln) project using Visual Studio, change the solution configuration from Debug to Release and then Build Solution.
  • Start GRAT2 Server:
  • Run GRAT2 Client executable – GRAT2_Client\bin\Release\GRAT2_Client.exe
  • Interact with the agent:

Disclaimer

This project can only be used for authorized testing or educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.

Credit: @TheRealWover, @TheRealWover & @FuzzySec, @_RastaMouse & @xpn and @cobbr_io

R K

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

1 day ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

1 day ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

2 days ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

2 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

3 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago