GRAT2: Command and Control (C2) tool written in python3 and .NET 4.0

GRAT2

GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.0. The main idea came from Georgios Koumettou who initiated the project.

Current Features:

Evasion Techniques:

• Sandbox (Check whether the machine is in the domain, if not exit).
• Patch Event Tracing for Windows (ETW) Logging.
• Patch Antimalware Scan Interface (AMSI).
• caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).

Communication:

• Encoded HTTP Communication using XOR and base64.
• Proxy Aware.

Modules:

• UAC – Attempt to bypass UAC using silent disk clean-up with Parent PID Spoofing technique.
• maketoken – Remove the current token and create a new one using the given credentials (Domain or Local).
• revtoself – Remove the current token.
• stealtoken – Attempt to steal a token from a running process and impersonate user (Administrator rights is required).
• rportfwd – Attempt to create a reverse port forward.
• whoami – Display the current user.
• hostname – Display the machine hostname.
• domain – Display the domain FQDN.
• screenshot – Take a screenshot.
• download – Download a file.
• upload – Upload File.
• cd – Change Directory.
• run – Execute command via cmd.exe using explorer.exe as Parent PID.
• caretrun – Execute command via cmd.exe in a caret format (^i^p^c^o^n^f^i^g) using explorer.exe as Parent PID (Evade some AV/EDRs).
• sleep – Set new sleep time.
• exit – Exit.
• shell – Execute command via cmd.exe.
• powershell – Execute powershell command using Unmanaged PowerShell.
• powerscript – Execute powershell scripts using Unmanaged PowerShell.
• executeassembly – Attempt to execute .NET assemblies in memory.
• ps – Print the current processes.
• pwd – Print the current directory.
• ls – Directory Listing.
• pid – Print the current Process ID.

Process Injection Techniques:

• dynamic_injectcrt – Attempt to inject shellcode into a process using Dynamic Invoke.
• ppid_processhollow – Attempt to inject shellcode into a process using Process Hollowing and Parent PID Spoofing (explorer.exe) technique.
• processhollow – Attempt to inject shellcode into a process using the Process Hollowing technique.
• injectppidapc – Attempt to inject shellcode into a process using QueueUserAPC and Parent PID Spoofing (explorer.exe) technique.
• injectapc – Attempt to inject shellcode into a process using the QueueUserAPC technique.
• injectcrt – Attempt to inject shellcode into a remote process using the Create Remote Thread technique.

Refer to GRAT2_Shellcodes in order to generate position-independent shellcode using Donut.

Install & Use