initial Apollo yml #27
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Validation Results (2024-11-28T04:38:23.141Z)
✅ Validation successful
Please ensure your contribution follows the required format.
🔍 View Full Validation Details
Run ID: 12062606645
Workflow: Validate Contributions
| - -Arguments | ||
| - ${args} | ||
| exit: | ||
| description: Task agent to exit. |
There was a problem hiding this comment.
| description: Task agent to exit. | |
| description: Task agent to exit. | |
| parameters: | |
| exit: | |
| type: boolean | |
| description: Exit the agent. |
There was a problem hiding this comment.
in the validation, parameters is a required field so i'd suggest perhaps a boolean here :)
There was a problem hiding this comment.
there's also a problem in my validation workflow i'll look at fixing: (see here, i think it may be a regression from #24)
Status: Downloaded newer image for dreadnode/robopages:latest
docker.io/dreadnode/robopages:latest
[2024-11-28T04:38:22Z ERROR] error while parsing "/workspace/apollo.yml": functions.exit: missing field `parameters` at line 161 column 5logged in eng-323
There was a problem hiding this comment.
fixed the workflow in #28 and tested
| cmdline: | ||
| - get_injection_techniques | ||
| get_privs: | ||
| description: Enable as many privileges as possible for the current access token. |
There was a problem hiding this comment.
same as per above below this description, there's a few others
| description: The process ID to inject into. | ||
| payload: | ||
| type: string | ||
| description: The payload to inject. |
There was a problem hiding this comment.
same as per above below this description :)
| - -EnableBlock | ||
| - ${enable} | ||
|
|
||
| cat: |
There was a problem hiding this comment.
too generic, would be better placed in a shell.yml maybe?
| cmdline: | ||
| - cd | ||
| - -Path | ||
| - ${dir} |
There was a problem hiding this comment.
same as above, might be worth creating a shell.yml with these commands, ideally relying on the platforms conditional like here
| - ${Assembly} | ||
| - -Arguments | ||
| - ${Arguments} | ||
| jobkill: |
There was a problem hiding this comment.
all these blocks seem auto generated ... i'm not sure i understand how these are intended to work tho, most don't seem like commonly available shell commands, but specific commands for apollo, while robopages execute their tools via a standard shell (wether on host, in a container or via ssh somewhere else)
There was a problem hiding this comment.
Maybe we could add a new type of execution adapter that would execute a specific yml by interacting with a custom target process/shell?
If i understand the intention here all these commands are supposed to do Apollo what to do, effectively using an LLM agent as its C2, so it could make sense to have what we have right now:
- Shell execution - default behaviour, executes cmdline as a shell command on the host)
- SSH execution - same as above but executing on a different host
- Docker execution - runs the cmdline inside the specified container image (for tools that are not installed by default on the host and/or to limit what the agent can do)
Plus a new:
- Custom execution adapter - that would cover these cases (another I can think of is msfconsole for instance, or bettercap).
So before we can merge this we have to answer:
1. How would the code sending these commands to Apollo look like?
Especially as part of this namespace https://github.com/dreadnode/robopages-cli/tree/main/src/runtime
2. How can we generalize that?
So that we don't have to implemen dozens of specific interactions with things like Apollo but just one that works for all (as an objective, if we can generalize to both Apollo and msfconsole that'd be great). Maybe an integrated plugin system and/or scripting engine? I'd like to avoid this complexity unless strictly needed, like if we see that we can't generalize the code easily.
3. How do we differentiate with normal robopages cmdlines (that execute via shell)?
How do we define in the YML file that we need this custom adapter rather than a standard shell? Maybe something like:
adapter:
type: stdin # writes the cmdline to the stdin of a target process
target: /path/to/msfconsole # or the apollo_executable?or
adapter:
type: rest # sends the cmdline as a json request to an API
target: https://example.com:8080/v1/api/somethingor
adapter:
type: tcp # sends the cmdline as a tcp buffer to and endpoint
target: tcp-server-ip:1234etc etc
AI-Generated Summary
PR Summary
Overview of Changes
This PR introduces the
apollo.ymlfile, constituting a comprehensive addition to the cybersecurity offensive toolkit, specifically for command and control (C2) operations. Aimed at enhancing SpecterOps training offerings, Apollo is a C#-based Windows agent utilizing the .NET Framework 4.0, designed for integration with the Mythic C2 server. It incorporates a wide array of functionalities ranging from file management, process control, registry manipulation, networking commands, to advanced exploitation techniques such as DLL injection, privilege escalation, and credential theft, among others.Key Modifications
mimikatzcommand execution, DCSync operations, and Pass-the-Hash techniques have been included, targeting credential theft and lateral movement.shinject,inject,assembly_inject) are introduced alongside process control operations (e.g.,kill,steal_token), facilitating deep system access and manipulation.ls,cp,mv,mkdir,rm) are incorporated, essential for file system exploration and data exfiltration.ifconfig,netstat) and system information gathering (whoami,ps), crucial for situational awareness and targeting.Potential Impact
This summary was generated with ❤️ by rigging