Merge pull request #440 from BishopFox/snitch

Add optional monitoring of implant hashes on Virus Total and IBM X-Force
BishopFox · Jun 24, 2021 · 410f075 · 410f075
2 parents e600f9f + 633a423
commit 410f075
Show file tree

Hide file tree

Showing 102 changed files with 9,415 additions and 1,412 deletions.
diff --git a/client/command/bind-commands.go b/client/command/bind-commands.go
@@ -1726,4 +1726,31 @@ func BindCommands(app *grumble.App, rpc rpcpb.SliverRPCClient) {
 		HelpGroup: consts.SliverHelpGroup,
 	})
 	app.AddCommand(portfwdCmd)
+
+	monitorCmd := &grumble.Command{
+		Name: consts.MonitorStr,
+		Help: "Monitor threat intel platforms for Sliver implants",
+	}
+
+	monitorCmd.AddCommand(&grumble.Command{
+		Name: "start",
+		Help: "Start the monitoring loops",
+		Run: func(ctx *grumble.Context) error {
+			fmt.Println()
+			monitorStartCmd(ctx, rpc)
+			fmt.Println()
+			return nil
+		},
+	})
+	monitorCmd.AddCommand(&grumble.Command{
+		Name: "stop",
+		Help: "Stop the monitoring loops",
+		Run: func(ctx *grumble.Context) error {
+			fmt.Println()
+			monitorStopCmd(ctx, rpc)
+			fmt.Println()
+			return nil
+		},
+	})
+	app.AddCommand(monitorCmd)
 }
diff --git a/client/command/monitor.go b/client/command/monitor.go
@@ -0,0 +1,32 @@
+package command
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/bishopfox/sliver/protobuf/commonpb"
+	"github.com/bishopfox/sliver/protobuf/rpcpb"
+	"github.com/desertbit/grumble"
+)
+
+func monitorStartCmd(ctx *grumble.Context, rpc rpcpb.SliverRPCClient) {
+	resp, err := rpc.MonitorStart(context.Background(), &commonpb.Empty{})
+	if err != nil {
+		fmt.Printf(Warn+"%s", err)
+		return
+	}
+	if resp != nil && resp.Err != "" {
+		fmt.Printf(Warn+"%s", resp.Err)
+		return
+	}
+	fmt.Printf(Info + "Started monitoring threat intel platforms for implants hashes")
+}
+
+func monitorStopCmd(ctx *grumble.Context, rpc rpcpb.SliverRPCClient) {
+	_, err := rpc.MonitorStop(context.Background(), &commonpb.Empty{})
+	if err != nil {
+		fmt.Printf(Warn+"%s", err)
+		return
+	}
+	fmt.Printf(Info + "Stopped monitoring threat intel platforms for implants hashes")
+}
diff --git a/client/command/sessions.go b/client/command/sessions.go
@@ -132,6 +132,7 @@ func printSessions(sessions map[uint32]*clientpb.Session) {
 		strings.Repeat("=", len("Operating System")),
 		strings.Repeat("=", len("Last Check-in")),
 		strings.Repeat("=", len("Health")))
+	// strings.Repeat("=", len("Burned")))
 
 	// Sort the keys because maps have a randomized order
 	var keys []int
@@ -153,8 +154,12 @@ func printSessions(sessions map[uint32]*clientpb.Session) {
 		} else {
 			SessionHealth = bold + green + "[ALIVE]" + normal
 		}
+		burned := ""
+		if session.Burned {
+			burned = "🔥"
+		}
 
-		fmt.Fprintf(table, "%d\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t\n",
+		fmt.Fprintf(table, "%d\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
 			session.ID,
 			session.Name,
 			session.Transport,
@@ -164,6 +169,7 @@ func printSessions(sessions map[uint32]*clientpb.Session) {
 			fmt.Sprintf("%s/%s", session.OS, session.Arch),
 			session.LastCheckin,
 			SessionHealth,
+			burned,
 		)
 	}
 	table.Flush()

diff --git a/client/console/console.go b/client/console/console.go
@@ -131,6 +131,15 @@ func eventLoop(app *grumble.App, rpc rpcpb.SliverRPCClient) {
 			}
 			fmt.Println()
 
+		case consts.WatchtowerEvent:
+			msg := string(event.Data)
+			fmt.Printf(clearln+Warn+bold+"WARNING: %s%s has been burned (seen on %s)\n", normal, event.Session.Name, msg)
+			sessions := cmd.GetSessionsByName(event.Session.Name, rpc)
+			for _, session := range sessions {
+				fmt.Printf(clearln+"\t🔥 Session #%d is affected\n", session.ID)
+			}
+			fmt.Println()
+
 		case consts.JoinedEvent:
 			fmt.Printf(clearln+Info+"%s has joined the game\n\n", event.Client.Operator.Name)
 		case consts.LeftEvent:

diff --git a/client/constants/constants.go b/client/constants/constants.go
@@ -47,6 +47,9 @@ const (
 	// CanaryEvent - A DNS canary was triggered
 	CanaryEvent = "canary"
 
+	// WatchtowerEvent - An implant hash has been identified on a threat intel platform
+	WatchtowerEvent = "watchtower"
+
 	// StartedEvent - Job was started
 	JobStartedEvent = "job-started"
 	// StoppedEvent - Job was stopped
@@ -160,6 +163,7 @@ const (
 	WgConfigStr           = "wg-config"
 	WgSocksStr            = "wg-socks"
 	WgPortFwdStr          = "wg-portfwd"
+	MonitorStr            = "monitor"
 
 	PortfwdStr = "portfwd"
 

diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/Binject/binjection v0.0.0-20200705191933-da1a50d7013d
 	github.com/Binject/debug v0.0.0-20210225042342-c9b8b45728d2
 	github.com/BurntSushi/xgb v0.0.0-20201008132610-5f9e7b3c49cd // indirect
-	github.com/Microsoft/go-winio v0.4.16
+	github.com/Microsoft/go-winio v0.4.16 // indirect
 	github.com/alecthomas/chroma v0.8.1
 	github.com/binject/go-donut v0.0.0-20201215224200-d947cf4d090d
 	github.com/cheggaaa/pb/v3 v3.0.5
@@ -26,14 +26,16 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.2.2
 	github.com/kbinani/screenshot v0.0.0-20191211154542-3a185f1ce18f
 	github.com/lesnuages/go-socks5 v0.0.0-20210409090601-adbe23bd0194
+	github.com/lesnuages/go-winio v0.4.19
+	github.com/lesnuages/snitch v0.6.0
 	github.com/lxn/win v0.0.0-20210218163916-a377121e959e // indirect
 	github.com/mattn/go-sqlite3 v1.14.5
 	github.com/miekg/dns v1.1.35
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.7.0
 	github.com/spf13/cobra v1.1.1
-	github.com/stretchr/testify v1.6.1
+	github.com/stretchr/testify v1.7.0
 	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
 	golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1
 	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57

diff --git a/go.sum b/go.sum
@@ -31,6 +31,8 @@ github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61
 github.com/Netflix/go-expect v0.0.0-20190729225929-0e00d9168667 h1:l2RCK7mjLhjfZRIcCXTVHI34l67IRtKASBjusViLzQ0=
 github.com/Netflix/go-expect v0.0.0-20190729225929-0e00d9168667/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/VirusTotal/vt-go v0.0.0-20210528074736-45bbe34cc8ab h1:96tkQLYmgypA3W42fvC3UX3EoOP3hQZuT7d98lnnwyc=
+github.com/VirusTotal/vt-go v0.0.0-20210528074736-45bbe34cc8ab/go.mod h1:u1+HeRyl/gQs67eDgVEWNE7+x+zCyXhdtNVrRJR5YPE=
 github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM=
 github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
 github.com/akamensky/argparse v1.2.1/go.mod h1:S5kwC7IuDcEr5VeXtGPRVZ5o/FdhcMlQz4IZQuw64xA=
@@ -81,6 +83,8 @@ github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964/go.mod h1:Xd9
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/demisto/goxforce v0.0.0-20160322194047-db8357535b1d h1:hmOGJg3cq5XK2aMs7R4kXXVSHqHMaC5hI5fwkX7V2zE=
+github.com/demisto/goxforce v0.0.0-20160322194047-db8357535b1d/go.mod h1:q72QzdO6OUjwTqnLCFJczIQ7GsBa4ffzkQiQcq6rVTY=
 github.com/desertbit/closer/v3 v3.0.1/go.mod h1:AAC4KRd8DC40nwvV967J/kDFhujMEiuwIKQfN0IDxXw=
 github.com/desertbit/closer/v3 v3.1.2 h1:a6+2DmwIcNygW04XXWYq+Qp2X9uIk9QbZCP9//qEkb0=
 github.com/desertbit/closer/v3 v3.1.2/go.mod h1:AAC4KRd8DC40nwvV967J/kDFhujMEiuwIKQfN0IDxXw=
@@ -283,6 +287,20 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/lesnuages/go-socks5 v0.0.0-20210409090601-adbe23bd0194 h1:k4VboDB9x//V1RZdK+zji9Bk2QQYCeHVn0HpHM03As4=
 github.com/lesnuages/go-socks5 v0.0.0-20210409090601-adbe23bd0194/go.mod h1:0p7Kyo90yOpoiH+cElGtWjhneXBBcaB+kJggBU1snEY=
+github.com/lesnuages/go-winio v0.4.19 h1:lFDu1mnhg5em+8zTHO4ChSD11J56xkyE8m3N8IrVmbA=
+github.com/lesnuages/go-winio v0.4.19/go.mod h1:rm7jf4kBcldxMeljR7c7XY1qVCBc+8z3PtSgkrT9Clk=
+github.com/lesnuages/snitch v0.0.0-20210622140401-a8ca6ff38eee h1:hsW2S5ruvWIW2jsME5BtA08lciltp80fdRCn5Cgny4k=
+github.com/lesnuages/snitch v0.0.0-20210622140401-a8ca6ff38eee/go.mod h1:RfXlAVJYL7gUoZ9VMMon4LqrPiAjC8x62Ntbse4a4s0=
+github.com/lesnuages/snitch v0.2.0 h1:5cEE/jHit74JvNwDOM2LMkc+PjKZGglLf4C61SVt2F8=
+github.com/lesnuages/snitch v0.2.0/go.mod h1:RfXlAVJYL7gUoZ9VMMon4LqrPiAjC8x62Ntbse4a4s0=
+github.com/lesnuages/snitch v0.3.0 h1:mu+mZCRZwHF1RDlr9YP/r11tvSPgLrq7NNvhVslNtkg=
+github.com/lesnuages/snitch v0.3.0/go.mod h1:RfXlAVJYL7gUoZ9VMMon4LqrPiAjC8x62Ntbse4a4s0=
+github.com/lesnuages/snitch v0.4.0 h1:4rhpAe1+XmZKqPvTXus8tcN4ycATfiv1WuIra3d+K+I=
+github.com/lesnuages/snitch v0.4.0/go.mod h1:RfXlAVJYL7gUoZ9VMMon4LqrPiAjC8x62Ntbse4a4s0=
+github.com/lesnuages/snitch v0.5.0 h1:9r4x7dUYn4OrnHy7y0iwB/jdIIWpQy2Mm8txWb59494=
+github.com/lesnuages/snitch v0.5.0/go.mod h1:RfXlAVJYL7gUoZ9VMMon4LqrPiAjC8x62Ntbse4a4s0=
+github.com/lesnuages/snitch v0.6.0 h1:vOao32MdYDHYDcTAq2CKszDh6Dn8Bv1Gmgc8uVh193U=
+github.com/lesnuages/snitch v0.6.0/go.mod h1:RfXlAVJYL7gUoZ9VMMon4LqrPiAjC8x62Ntbse4a4s0=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -399,9 +417,12 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/thedevsaddam/gojsonq/v2 v2.5.2 h1:CoMVaYyKFsVj6TjU6APqAhAvC07hTI6IQen8PHzHYY0=
+github.com/thedevsaddam/gojsonq/v2 v2.5.2/go.mod h1:bv6Xa7kWy82uT0LnXPE2SzGqTj33TAEeR560MdJkiXs=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=