# Golang Apfell Agent

Find the latest version of Poseidon in the MythicAgents repository here: https://github.com/MythicAgents/poseidon

I owe a huge thanks to @djhohnstein for his help with this project.
Fill out the `profile.go` file with your C2 listener information.

Then navigate to Manage Operations > Payload Management on the Apfell server and import the `poseidon.json` file. This registers the payload with the Apfell server as an externally hosted payload.

You can then register the payload with the C2 server via Create Components > Create Payload on the Apfell server, and put the GUID and other relevant information into `profile.go`.

Then build the agent, either on the target operating system you wish to run the agent on or by cross-compiling with xgo (https://hub.docker.com/r/karalabe/xgo-latest/builds):

```sh
go build -tags=default cmd/agent/main.go
```

or

```sh
go build -tags=restfulpatchthrough cmd/agent/main.go
```

Once the agent is built, all that's left is to execute it.
## Commands

Command | Description
---|---
exit | Stop execution of the agent.
shell | Execute a shell command.
screencapture | Screenshot target desktop.
download | Download a file from the remote system.
upload | Upload a file to the remote system.
inject | Inject a library into a remote process.
shinject | Inject shellcode into a remote process.
ps | List running processes.
sleep | Set time between checkins.
cat | Read contents of file.
cd | Change directory.
ls | List directory contents.
keys | Retrieve keys from kerberos keychain.
triagedirectory | Search target directory for interesting files.
sshauth | Authenticate to a host or a list of hosts using a username+password/key pair.
portscan | Scan a target for open ports.
getprivs | Enable as many privileges as possible for your current access token.
jobs | List currently running and stoppable jobs.
jobkill | Kill a job by the specified GUID.
kill | Kill a process designated by PID.
cp | Copy a file.
mv | Move a file.
rm | Delete a file.
mkdir | Create a directory.
pwd | Print working directory.
drives | List currently mounted drives, their description, and current hard-disk usage.
getuser | List information about the current user.
getenv | Retrieve current environment variables.
setenv | Set an environment variable.
unsetenv | Delete an environment variable.

Command | MacOS | Linux |
---|---|---|
exit | ☑ | ☑ |
shell | ☑ | ☑ |
screencapture | ☑ | ☑ |
download | ☑ | ☑ |
upload | ☑ | ☑ |
libinject | ☑ | |
ps | ☑ | ☑ |
sleep | ☑ | ☑ |
cat | ☑ | ☑ |
cd | ☑ | ☑ |
ls | ☑ | ☑ |
keys | ☑ | |
triagedirectory | ☑ | ☑ |
sshauth | ☑ | ☑ |
portscan | ☑ | ☑ |
getprivs | | |
jobs | ☑ | ☑ |
jobkill | ☑ | ☑ |
kill | ☑ | ☑ |
cp | ☑ | ☑ |
mv | ☑ | ☑ |
rm | ☑ | ☑ |
mkdir | ☑ | ☑ |
pwd | ☑ | ☑ |
drives | ☑ | ☑ |
getuser | ☑ | ☑ |
getenv | ☑ | ☑ |
setenv | ☑ | ☑ |
unsetenv | ☑ | ☑ |

## Killable jobs

Due to the way goroutines work, it's difficult if not impossible to kill them from outside. As a result, only certain long-running tasks are able to receive a "kill" signal. The current list of killable jobs is:

- triagedirectory
- portscan
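As an added illustration of that limitation (example code written here, not Poseidon's own), a small job registry where `Kill` cancels a job's `context` and waits for the goroutine to exit: work that checks its context between steps stops, work that never looks at it keeps running. The `Start`, `Kill` and `job` names and the job IDs are assumptions for the example.

```go
package main
import (
	"context"
	"fmt"
	"time"
)

// job pairs a goroutine's cancel function with a channel closed when it exits.
type job struct {
	cancel context.CancelFunc
	done   chan struct{}
}

// jobs holds running jobs keyed by ID (only the tasking goroutine touches it).
var jobs = map[string]*job{}

// Start runs work in a goroutine. Go cannot kill a goroutine from outside, so
// only work that checks ctx.Done() between steps can actually be stopped.
func Start(id string, work func(ctx context.Context)) {
	ctx, cancel := context.WithCancel(context.Background())
	j := &job{cancel: cancel, done: make(chan struct{})}
	jobs[id] = j
	go func() { defer close(j.done); work(ctx) }()
}

// Kill cancels the job and reports whether it exited within timeout; false for
// an unknown ID or for a goroutine that ignores its ctx.
func Kill(id string, timeout time.Duration) bool {
	j, ok := jobs[id]
	if !ok {
		return false
	}
	j.cancel()
	select {
	case <-j.done:
		return true
	case <-time.After(timeout):
		return false
	}
}

func main() {
	Start("a", func(ctx context.Context) { // cooperative: checks ctx between steps
		for ctx.Err() == nil {
			time.Sleep(time.Millisecond) // one unit of work
		}
	})
	Start("b", func(ctx context.Context) { time.Sleep(200 * time.Millisecond) }) // never looks at ctx
	fmt.Println(Kill("a", 50*time.Millisecond), Kill("b", 50*time.Millisecond)) // true false
}
```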