Merge branch 'dev'

Ne0nd0g · Apr 17, 2021 · 325cd7e · 325cd7e
2 parents be117de + 19bffe5
commit 325cd7e
Show file tree

Hide file tree

Showing 34 changed files with 1,199 additions and 872 deletions.
diff --git a/cmd/merlinagent/main.go b/cmd/merlinagent/main.go
@@ -112,15 +112,11 @@ func main() {
 		if *verbose {
 			color.Red(errClient.Error())
 		}
+		os.Exit(1)
 	}
 
 	// Start the agent
-	err = a.Run()
-	if err != nil {
-		if *verbose {
-			color.Red(err.Error())
-		}
-	}
+	a.Run()
 }
 
 // usage prints command line options

diff --git a/cmd/merlinagentdll/main.go b/cmd/merlinagentdll/main.go
@@ -79,10 +79,7 @@ func run(URL string) {
 		os.Exit(1)
 	}
 
-	errRun := a.Run()
-	if errRun != nil {
-		os.Exit(1)
-	}
+	a.Run()
 }
 
 // EXPORTED FUNCTIONS

diff --git a/docs/CHANGELOG.MD b/docs/CHANGELOG.MD
@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## 0.11.0 - 2021-04-17
+
+### Added
+
+- Added `nslookup` command to execute a DNS query using native Go
+- Added [go-clr](https://github.com/Ne0nd0g/go-clr) for in process .NET Common Language Runtime (CLR)
+  - `load-assembly` to load a .NET assembly into memory
+  - `invoke-assembly` to execute a previously loaded .NET assembly
+  - `list-assemblies` to list previously loaded .NET assemblies
+- Added `memfd` command to run Linux executables in-memory as an anonymous file
+- Upgraded go-quic package to support Go v1.16
+- Added `SetWaitTime` and `SetMaxRetry` function to agents package to be called from the API package
+
+### Fixed
+
+- Fixed issue when sleep time was increased and all subsequent JWTs were expired by updating sleep time on server first
+
 ## 0.10.0 - 2021-02-13
 
 ### Added

diff --git a/docs/_build/doctrees/agent/javascript.doctree b/docs/_build/doctrees/agent/javascript.doctree
diff --git a/docs/_build/doctrees/environment.pickle b/docs/_build/doctrees/environment.pickle
diff --git a/docs/_build/doctrees/server/menu/agents.doctree b/docs/_build/doctrees/server/menu/agents.doctree
diff --git a/docs/_build/html/_sources/server/menu/agents.rst.txt b/docs/_build/html/_sources/server/menu/agents.rst.txt
@@ -31,13 +31,24 @@ help
                         |                                | RtlCreateUserThread <pid>
       info              | Display all information about  |
                         | the agent                      |
+      invoke-assembly   | Invoke, or execute, a .NET     | <assembly name>, <assembly
+                        | assembly that was previously   | args>
+                        | loaded into the agent's        |
+                        | process                        |
       jobs              | Display all active jobs for    |
                         | the agent                      |
       kill              | Instruct the agent to die or   |
                         | quit                           |
+      load-assembly     | Load a .NET assembly into the  | <assembly path> [<assembly
+                        | agent's process                | name>]
+      list-assemblies   | List the .NET assemblies that  |
+                        | are loaded into the agent's    |
+                        | process                        |
       ls                | List directory contents        | ls /etc OR ls C:\\Users OR ls
                         |                                | C:/Users
       main              | Return to the main menu        |
+      memfd             | Execute Linux file in memory   | <file path> [<arguments>]
+      nslookup          | DNS query on host or ip        | nslookup 8.8.8.8
       pwd               | Display the current working    | pwd
                         | directory                      |
       run               | Execute a program directly,    | run ping -c 3 8.8.8.8
@@ -367,6 +378,40 @@ The ``info`` command is used to get information about a specific agent.
     | Agent Failed Logins       | 0                                             |
     +---------------------------+-----------------------------------------------+
 
+invoke-assembly
+---------------
+
+The ``invoke-assembly`` command will execute a .NET assembly that was previously loaded into the agent with the
+load-assembly_ command. The first argument is the name of the assembly and all the remaining arguments are passed to
+the assembly for execution. Use the list-assemblies_ command return a list of loaded assemblies.
+The execute-assembly_ command is different because it uses injection to run the assembly in a child process.
+This command runs the assembly in the current process without injection.
+
+.. note::
+    Only CLR v4 is currently supported which can be used to execute both v3.5 and v4 .NET assemblies
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» invoke-assembly Rubeus.exe klist
+    [-] Created job GlPHKaRtmg for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [-] Results job GlPHKaRtmg for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [+]
+       ______        _
+      (_____ \      | |
+       _____) )_   _| |__  _____ _   _  ___
+      |  __  /| | | |  _ \| ___ | | | |/___)
+      | |  \ \| |_| | |_) ) ____| |_| |___ |
+      |_|   |_|____/|____/|_____)____/(___/
+
+      v1.5.0
+
+
+    Action: List Kerberos Tickets (Current User)
+
+    [*] Current LUID    : 0x37913
+
 jobs
 ----
 
@@ -393,6 +438,51 @@ The ``kill`` control type instructs the agent to exit or die. There is no respon
     Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» kill
     Merlin» [-]Created job goaRNhTVTT for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
 
+list-assemblies
+---------------
+
+The ``list-assemblies`` command lists .NET assemblies that have been loaded into the agent's process with the load-assembly_ command.
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» list-assemblies
+    [-] Created job NIflRstGrR for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+    [-] Results job NIflRstGrR for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [+] Loaded Assemblies:
+    seatbelt.exe
+    rubeus.exe
+    sharpdpapi.exe
+    sharpup.exe
+    Hagrid
+
+load-assembly
+-------------
+
+The ``load-assembly`` command loads a .NET assembly into the agent's process. Once the assembly is loaded, it can be executed
+multiple times with the invoke-assembly_ command. The .NET assembly is only sent across the wire one time.
+An option third argument can be provided to reference the assembly as any other name when executed with the
+invoke-assembly_ command.
+
+.. note::
+    Only CLR v4 is currently supported which can be used to execute both v3.5 and v4 .NET assemblies
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» load-assembly /root/Rubeus.exe
+    [-] Created job iQOkWgGqkJ for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+    [-] Results job iQOkWgGqkJ for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [+] successfully loaded rubeus.exe into the default AppDomain
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» load-assembly /root/Rubeus.exe Hagrid
+    [-] Created job YrPdQkcuTG for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+    [-] Results job YrPdQkcuTG for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [+] successfully loaded Hagrid into the default AppDomain
+
 ls
 --
 
@@ -442,6 +532,73 @@ The ``ls`` command is used to list a directory's contents using native Go functi
     -rw-rw-rw-      2018-09-15 00:31:34     174     desktop.ini
     drwxrwxrwx      2018-09-15 00:42:33     0       windows nt
 
+main
+----
+
+The ``main`` command is used to leave the Agent menu and return back to the :doc:`main`. It is an alias for the ``back`` command.
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» main
+    Merlin»
+
+memfd
+-----
+
+The ``memfd`` command loads a Linux executable file into memory (RAM) as an anonymous file using the
+`memfd_create <https://man7.org/linux/man-pages/man2/memfd_create.2.html>`__ API call, executes it, and returns the
+results.
+The file is created with an empty string as its name.
+Less the fact that RAM is a file on Linux, the executable is not written to disk.
+View the `Detecting Linux memfd_create() Fileless Malware with Command Line Forensics
+<https://www.sandflysecurity.com/blog/detecting-linux-memfd_create-fileless-malware-with-command-line-forensics/>`__
+for detection guidance.
+
+.. note::
+    This command will not run on Windows agents
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» memfd /tmp/hello.py
+    [-] Created job ZyeWhgfThk for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [-] Results job ZyeWhgfThk for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [+] Hello from a Python script
+
+
+nslookup
+--------
+
+The ``nslookup`` command takes a space separated list of IP addresses or hostnames and performs a DNS query using the
+host's resolver and returns the results.
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» nslookup 8.8.8.8 9.9.9.9 github.com google.com
+    [-] Created job fQilcQFmlk for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [-] Results job fQilcQFmlk for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [+] Query: 8.8.8.8, Result: dns.google.
+    Query: 9.9.9.9, Result: dns9.quad9.net.
+    Query: github.com, Result: 192.30.255.113
+    Query: google.com, Result: 142.250.73.238 2607:f8b0:4004:82a::200e
+
+pwd
+---
+
+The ``pwd`` command uses native Go to get and return the current working directory.
+
+.. code-block:: text
+
+    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» pwd
+    [-]Created job JweUayTyTv for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [-] Results job JweUayTyTv for agent c1090dbc-f2f7-4d90-a241-86e0c0217786
+
+    [+] Current working directory: C:\Users\Joe
+
 quit
 ----
 
@@ -811,28 +968,6 @@ To correctly issue the command either escape the ``\`` or enclose the commands i
 
     Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» shell dir C:\\Windows\\System32
 
-main
-----
-
-The ``main`` command is used to leave the Agent menu and return back to the :doc:`main`. It is an alias for the ``back`` command.
-
-.. code-block:: text
-
-    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» main
-    Merlin»
-
-pwd
----
-
-The ``pwd`` command uses native Go to get and return the current working directory.
-
-.. code-block:: text
-
-    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» pwd
-    [-]Created job JweUayTyTv for agent c1090dbc-f2f7-4d90-a241-86e0c0217786 at 2019-02-27T01:14:17Z
-    Merlin[agent][c1090dbc-f2f7-4d90-a241-86e0c0217786]» [+]Results for job JweUayTyTv at 2019-02-27T01:14:28Z
-    Current working directory: C:\Users\Joe
-
 status
 ------
 

diff --git a/docs/_build/html/searchindex.js b/docs/_build/html/searchindex.js