forked from mttaggart/OffensiveNotion
Changelog
pikachu edited this page May 30, 2022 · 1 revision
Changelog for OffensiveNotion

- Build artifacts now contain debug versions for all OS.
- `sysinfo` module acts as a one-stop shop for enumerating the host (early working prototype).
- Execution guardrail checks for hostname, username, and (on Windows only) domain name.
- `config` command can change agent configs on the fly.
- Agent check-ins now have an emoji icon on the page: 💲 for low priv, #️⃣ for high priv.
- Litcrypt string encryption.
- Added macOS agent.
- Added `selfdestruct` command.
- Added `inject self` for shellcode injection. Uses a CreateThread pattern to inject shellcode into the running agent process and execute it as a thread.
- Refactored `main.py`, which is now executed by Docker from the physical host.
- Numerous changes to `main.py`'s logic.
- Refactored container build to be much faster.
- Added `requirements.txt` to repo.
- README and Wiki changes to reflect changed/new capabilities.
Done

- Quickstart
- Install
- Agent interaction
- Commands
- Linux commands
- Windows commands
- YARA Rules
- Python Setup Script for config options
- Dynamic Docker container spin up/tear down for agent generation
- Parse args for Docker build options
- Commands:
  - `shell`
  - `cd`
  - `download`
  - `ps`
  - `pwd`
  - `save`
  - `shutdown`
  - `sleep [#]` to adjust callback
Done

- Jitter interval for callback time
- Commands:
  - `getprivs`
  - `sleep [#][%]` to adjust callback and jitter
  - `portscan`
- Linux `elevate sudo`
- Windows `elevate fodhelper`
- Linux `persist bashrc`
- Linux `persist cron`
- Linux `persist service`
- Windows `inject`
- Windows `persist startup`
- Windows `persist registry`
- Persist:
  - Windows `persist schtasks`
  - (Bonus) `wmic`
  - Windows
Done
- Compiles with Notion icon
- Mirror the notion.ico file 😈 (slightly red tint to logo)
- "Web delivery" via Flask and one-liner for remote download/exec (https://www.offensive-security.com/metasploit-unleashed/web-delivery/)
- Agent checks in by POSTing hostname and username to page title with asterisk if in an admin context (getprivs at checkin)
- Agent can spawn in kiosk mode Notion.so page at startup
For Next Release

- Linux `persist rc.local`
- Linux `inject` (more of a shellcode runner than injection)
- Windows `runas` (SCshell)
- Windows `inject-assembly` (⚠️ large lift ⚠️)
- (Bonus) Windows `persist comhijack`
- (Bonus) Windows `persist xll`