Apollo v2.3.13 releases: Windows agent written in C#

Apollo

Apollo

Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings. Apollo lacks some evasive tradecraft provided by other commercial and open-source tools, such as more evasive network communications, PE manipulation, AMSI evasion, and otherwise; however, this project (in tandem with Mythic) is designed to introduce several quality of life improvements for an operator.

Notable Features

  • Lateral Movement
  • UAC Bypass
  • Credential Tracking and Manipulation
  • .NET Assembly and PowerShell Script Execution
  • User Exploitation Suite
  • SOCKSv5 Support

Supported C2 Profiles

Currently, only two C2 profiles are available to use when creating a new Apollo agent: HTTP and SMB.

HTTP Profile

The HTTP profile calls back to the Mythic server over the basic, non-dynamic profile. When selecting options to be stamped into Apollo at compile time, all options are respected with the exception of those parameters relating to GET requests.

SMB (Currently Defunct)

The SMB profile only takes a pipe name on the compilation. This pipe name can be randomly generated when creating the agent and can be generated based on a provided regex (e.g.[0-9a-z]{4}\-[0-9a-z]{8}\-[0-9a-z]{8}\-[0-9a-z]{4}). Currently, there’s an open issue with SMB messages, so SMB linking is non-functional.

SOCKSv5 Support

SOCKS support is built-in to the agent and dispatched through the SocksManager file. To start the socks server, issue socks start [port], and to stop it issue socks stop. You can view active SOCKS proxies by clicking on the dropdown of a callback and clicking “Socks Proxies.”

Quality of Life Improvements

File Triage

The ls command reports back a wealth of information and allows operators to easily copy file paths and examine permissions of files, in addition to being able to sort and filter files. Clicking the icon under the ACLs column will show all the permissions of a file. Additionally, this hooks into Mythic’s native file browser.

This shows typical ls output:

Clicking the ACL icon shows permissions:

Interfaces with Mythic’s filebrowser and caches data server-side:

Process Listings

When issuing ps_full, additional details are retrieved such as:

  • Company name of the process executable
  • Description of the process executable
  • The full path of the process
  • Integrity level of the process
  • Desktop session
  • Process command-line arguments

This process listing also interfaces with Mythic’s built-in process browser, which allows you to see process trees more easily.

 

Clicking the informational icon next to the name displays a popup window with more information.

 

Assembly and PowerShell Script Caching

Apollo can cache one or more .NET assemblies as well as one or more PowerShell Scripts with no size limitation on imported files.

Dynamic Injection Techniques

The agent can change what code injection technique is in use by post-exploitation jobs that require injection through a suite of injection commands. Currently, injection techniques that are supported:

  • CreateRemoteThread
  • QueueUserAPC (Early Bird)

 

Token Manipulation Tracking

Apollo attempts to track the current access token in use by the agent through its own whoami command, which will track the impersonated user for local and remote operations.

Apollo

 

Job Tracking

Agent jobs are tracked by job ID, by command, and by the arguments passed to the command so that you know what job correlates to what tasking.

Apollo

 

Artifact Tracking

Commands that manipulate the disk, create new logons, or spawn new processes will document those changes in the Artifact Reporting page as shown below.

Apollo

Changelog v2.3.13

  • Last version that supports Mythic 2.3.13. Future versions target Mythic 3.0+

Install

Copyright (c) 2018, Dwight Hohnstein
All rights reserved.