GRAT2 : Command And Control (C2) Project For Learning Purpose

GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.0. The main idea came from Georgios Koumettou who initiated the project.

Why we developed GRAT2 ?

We are aware that there are numerous C2 tools out there but, we developed this tool due to curiosity of how C2 and other evasion techniques work. That’s all! πŸ˜‰

Current Features

  • Evasion Techniques:
    • Sandbox (Check whether the machine is in the domain, if not exit).
    • Patch Event Tracing for Windows (ETW) Logging.
    • Patch Antimalware Scan Interface (AMSI).
    • caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).
  • Communication:
    • Encoded HTTP Communication using XOR and base64.
    • Proxy Aware.
  • Modules:
    • uac – Attempt to bypass UAC using silent disk clean-up with Parent PID Spoofing technique.
    • maketoken – Remove the current token and create a new one using the given credentials (Domain or Local).
    • revtoself – Remove the current token.
    • stealtoken – Attempt to steal a token from a running process and impersonate user (Administrator rights is required).
    • rportfwd – Attempt to create a reverse port forward.
    • whoami – Display the current user.
    • hostname – Display the machine hostname.
    • domain – Display the domain FQDN.
    • screenshot – Take a screenshot.
    • download – Download a file.
    • upload – Upload File.
    • cd – Change Directory.
    • run – Execute command via cmd.exe using explorer.exe as Parent PID.
    • caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).
    • sleep – Set new sleep time.
    • exit – Exit.
    • shell – Execute command via cmd.exe.
    • powershell – Execute powershell command using Unmanaged PowerShell.
    • powerscript – Execute powershell scripts using Unmanaged PowerShell.
    • executeassembly – Attempt to execute .NET assemblies in memory.
    • ps – Print the current processes.
    • pwd – Print the current directory.
    • ls – Directory Listing.
    • pid – Print the current Process ID.
  • Process Injection Techniques:
    • dynamic_injectcrt – Attempt to inject a shellcode into a process using Dynamic Invoke.
    • ppid_processhollow – Attempt to inject a shellcode into a process using Process Hollowing and Parent PID Spoofing (explorer.exe) technique.
    • processhollow – Attempt to inject a shellcode into a process using Process Hollowing technique.
    • injectppidapc – Attempt to inject a shellcode into a process using QueueUserAPC and Parent PID Spoofing (explorer.exe) technique.
    • injectapc – Attempt to inject a shellcode into a process using QueueUserAPC technique.
    • injectcrt – Attempt to inject a shellcode into a remote process using Create Remote Thread technique.

Refer to GRAT2_Shellcodes in order to generate position-independent shellcode using Donut.

TO DO

  • HTTPS Communication Channel.
  • Implement SOCKS5.
  • Fix known issues.

Configure Your Profile

  • c2 – Your GRAT2 Server IP Address (Required).
  • sandboxEvasion – If enabled (1), GRAT2 will be executed only on a domain join computer otherwise, GRAT2 will be terminated. If disabled (0), GRAT2 will be executed only on a non domain join computer otherwise, will be terminated (Default: Disabled).
  • patchEtw – If enabled (1), Event Tracing for Windows will be patched (Default: Enabled).
  • patchAmsi – if enabled (1), Antimalware Scan Interface will be patched (Default: Enabled).
  • sleep – Set sleep time (Default: 3 seconds).
  • UserAgent – Set UserAgent (Default: β€œMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko”).
  • initialUrl – Initial GRAT2 HTTP GET request (Default: jquery.js).
  • sendResults – GRAT2 HTTP POST results request (Default: login.aspx). NOTE if you change either initialUrl or sendResults string, you have to update the string under GRAT2_Server/handlers.py on line 42 and 78 respectively.

Usage

  • Open GRAT2 Client (GRAT2_Client.sln) project using Visual Studio, change the solution configuration from Debug to Release and then Build Solution.
  • Start GRAT2 Server:
  • Run GRAT2 Client executable – GRAT2_Client\bin\Release\GRAT2_Client.exe
  • Interact with the agent:

Disclaimer

This project can only be used for authorized testing or educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.

Credit: @TheRealWover, @TheRealWover & @FuzzySec, @_RastaMouse & @xpn and @cobbr_io

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago