Merge branch 'master' into fix/extensions

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+* @moloch--
+* @rkervella

.github/workflows/autorelease.yml

@@ -17,7 +17,7 @@ jobs:
     - name: Go 1.18
       uses: actions/setup-go@v2
       with:
-        go-version: '^1.18'
+        go-version: '1.18.5'
 
     - name: OS Packages 
       run: |
@@ -68,7 +68,7 @@ jobs:
     - name: Go 1.18
       uses: actions/setup-go@v2
       with:
-        go-version: '^1.18'
+        go-version: '1.18.5'
 
     - name: Mingw
       run: brew install mingw-w64

.github/workflows/codeql-scanning.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Go 1.18
         uses: actions/setup-go@v2
         with:
-          go-version: "^1.18"
+          go-version: "1.18.5"
 
       - name: Checkout repository
         uses: actions/checkout@v2

.github/workflows/go.yml

@@ -23,7 +23,7 @@ jobs:
     - name: Go 1.18
       uses: actions/setup-go@v2
       with:
-        go-version: '^1.18'
+        go-version: '1.18.5'
 
     - name: OS Packages 
       run: |
@@ -58,7 +58,7 @@ jobs:
     - name: Go 1.18
       uses: actions/setup-go@v2
       with:
-        go-version: '^1.18'
+        go-version: '1.18.5'
 
     - name: Mingw
       run: brew install mingw-w64

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.18.3
+FROM golang:1.18.5
 
 #
 # IMPORTANT: This Dockerfile is used for testing, I do not recommend deploying

client/assets/settings.go

@@ -35,6 +35,7 @@ type ClientSettings struct {
 	BeaconAutoResults bool   `json:"beacon_autoresults"`
 	SmallTermWidth    int    `json:"small_term_width"`
 	AlwaysOverflow    bool   `json:"always_overflow"`
+	VimMode           bool   `json:"vim_mode"`
 }
 
 // LoadSettings - Load the client settings from disk
@@ -59,6 +60,7 @@ func defaultSettings() *ClientSettings {
 		BeaconAutoResults: true,
 		SmallTermWidth:    170,
 		AlwaysOverflow:    false,
+		VimMode:           false,
 	}
 }
 

client/command/alias/install.go

@@ -59,9 +59,9 @@ func installFromDir(aliasLocalPath string, con *console.SliverConsoleClient) {
 		con.PrintErrorf("Error parsing %s: %s", ManifestFileName, err)
 		return
 	}
-	installPath := filepath.Join(assets.GetAliasesDir(), filepath.Base(manifest.Name))
+	installPath := filepath.Join(assets.GetAliasesDir(), filepath.Base(manifest.CommandName))
 	if _, err := os.Stat(installPath); !os.IsNotExist(err) {
-		con.PrintInfof("Alias '%s' already exists", manifest.Name)
+		con.PrintInfof("Alias '%s' already exists", manifest.CommandName)
 		confirm := false
 		prompt := &survey.Confirm{Message: "Overwrite current install?"}
 		survey.AskOne(prompt, &confirm)

client/command/alias/load.go

@@ -179,6 +179,8 @@ func LoadAlias(manifestPath string, con *console.SliverConsoleClient) (*AliasMan
 				f.String("a", "arch", "x84", "Assembly target architecture: x86, x64, x84 (x86+x64)")
 			}
 			f.String("p", "process", "", "Path to process to host the shared object")
+			f.String("A", "process-arguments", "", "arguments to pass to the hosting process")
+			f.Uint("P", "ppid", 0, "parent process ID to use when creating the hosting process (Windows only)")
 			f.Bool("s", "save", false, "Save output to disk")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
@@ -269,7 +271,10 @@ func runAliasCommand(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	} else {
 		extArgs = strings.Join(args, " ")
 	}
+
+	extArgs = strings.TrimSpace(extArgs)
 	entryPoint := aliasManifest.Entrypoint
+	processArgs := strings.Split(ctx.Flags.String("process-arguments"), " ")
 	processName := ctx.Flags.String("process")
 	if processName == "" {
 		processName, err = aliasManifest.getDefaultProcess(goos)
@@ -304,15 +309,17 @@ func runAliasCommand(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		msg := fmt.Sprintf("Executing %s %s ...", ctx.Command.Name, extArgs)
 		con.SpinUntil(msg, ctrl)
 		executeAssemblyResp, err := con.Rpc.ExecuteAssembly(context.Background(), &sliverpb.ExecuteAssemblyReq{
-			Request:   con.ActiveTarget.Request(ctx),
-			IsDLL:     isDLL,
-			Process:   processName,
-			Arguments: extArgs,
-			Assembly:  binData,
-			Arch:      ctx.Flags.String("arch"),
-			Method:    ctx.Flags.String("method"),
-			ClassName: ctx.Flags.String("class"),
-			AppDomain: ctx.Flags.String("app-domain"),
+			Request:     con.ActiveTarget.Request(ctx),
+			IsDLL:       isDLL,
+			Process:     processName,
+			Arguments:   extArgs,
+			Assembly:    binData,
+			Arch:        ctx.Flags.String("arch"),
+			Method:      ctx.Flags.String("method"),
+			ClassName:   ctx.Flags.String("class"),
+			AppDomain:   ctx.Flags.String("app-domain"),
+			ProcessArgs: processArgs,
+			PPid:        uint32(ctx.Flags.Uint("ppid")),
 		})
 		ctrl <- true
 		<-ctrl
@@ -348,6 +355,8 @@ func runAliasCommand(ctx *grumble.Context, con *console.SliverConsoleClient) {
 			ProcessName: processName,
 			EntryPoint:  aliasManifest.Entrypoint,
 			Kill:        true,
+			ProcessArgs: processArgs,
+			PPid:        uint32(ctx.Flags.Uint("ppid")),
 		})
 		ctrl <- true
 		<-ctrl
@@ -384,6 +393,8 @@ func runAliasCommand(ctx *grumble.Context, con *console.SliverConsoleClient) {
 			ProcessName: processName,
 			Kill:        true,
 			IsDLL:       isDLL,
+			ProcessArgs: processArgs,
+			PPid:        uint32(ctx.Flags.Uint("ppid")),
 		})
 		ctrl <- true
 		<-ctrl

client/command/armory/armory.go

@@ -56,7 +56,7 @@ type ArmoryPackage struct {
 	IsAlias bool `json:"-"`
 }
 
-// AmoryBundle - A list of packages
+// ArmoryBundle - A list of packages
 type ArmoryBundle struct {
 	Name     string   `json:"name"`
 	Packages []string `json:"packages"`

client/command/commands.go

@@ -478,7 +478,8 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("k", "key", "", "path to PEM encoded private key file (HTTPS only)")
 			f.Bool("e", "lets-encrypt", false, "attempt to provision a let's encrypt certificate (HTTPS only)")
 			f.StringL("aes-encrypt-key", "", "encrypt stage with AES encryption key")
-			f.StringL("aes-encrypt-iv", "", "encrypt stage with AES encyption iv")
+			f.StringL("aes-encrypt-iv", "", "encrypt stage with AES encryption iv")
+			f.String("C", "compress", "none", "compress the stage before encrypting (zlib, gzip, deflate9, none)")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
@@ -1000,6 +1001,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("O", "stdout", "", "remote path to redirect STDOUT to")
 			f.String("E", "stderr", "", "remote path to redirect STDERR to")
 			f.String("n", "name", "", "name to assign loot (optional)")
+			f.Uint("P", "ppid", 0, "parent process id (optional, Windows only)")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
@@ -1033,6 +1035,8 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.Bool("s", "save", false, "save output to file")
 			f.Bool("X", "loot", false, "save output as loot")
 			f.String("n", "name", "", "name to assign loot (optional)")
+			f.Uint("P", "ppid", 0, "parent process id (optional)")
+			f.String("A", "process-arguments", "", "arguments to pass to the hosting process")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
@@ -1076,10 +1080,13 @@ func BindCommands(con *console.SliverConsoleClient) {
 		Flags: func(f *grumble.Flags) {
 			f.String("e", "entry-point", "", "Entrypoint for the DLL (Windows only)")
 			f.String("p", "process", `c:\windows\system32\notepad.exe`, "Path to process to host the shellcode")
+			f.Bool("w", "unicode", false, "Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)")
 			f.Bool("s", "save", false, "save output to file")
 			f.Bool("X", "loot", false, "save output as loot")
 			f.String("n", "name", "", "name to assign loot (optional)")
 			f.Bool("k", "keep-alive", false, "don't terminate host process once the execution completes")
+			f.Uint("P", "ppid", 0, "parent process id (optional)")
+			f.String("A", "process-arguments", "", "arguments to pass to the hosting process")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
@@ -1108,6 +1115,8 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("n", "name", "", "name to assign loot (optional)")
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 			f.Bool("k", "keep-alive", false, "don't terminate host process once the execution completes")
+			f.Uint("P", "ppid", 0, "parent process id (optional)")
+			f.String("A", "process-arguments", "", "arguments to pass to the hosting process")
 		},
 		Args: func(a *grumble.Args) {
 			a.String("filepath", "path the DLL file")
@@ -1196,6 +1205,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("d", "service-description", "Sliver implant", "description of the service")
 			f.String("p", "profile", "", "profile to use for service binary")
 			f.String("b", "binpath", "c:\\windows\\temp", "directory to which the executable will be uploaded")
+			f.String("c", "custom-exe", "", "custom service executable to use instead of generating a new Sliver")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
@@ -1458,6 +1468,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 
 			f.String("c", "canary", "", "canary domain(s)")
 
+			f.String("N", "name", "", "implant name")
 			f.String("m", "mtls", "", "mtls connection strings")
 			f.String("g", "wg", "", "wg connection strings")
 			f.String("b", "http", "", "http(s) connection strings")
@@ -1520,6 +1531,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 
 			f.String("c", "canary", "", "canary domain(s)")
 
+			f.String("N", "name", "", "implant name")
 			f.String("m", "mtls", "", "mtls connection strings")
 			f.String("g", "wg", "", "wg connection strings")
 			f.String("b", "http", "", "http(s) connection strings")
@@ -1799,6 +1811,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("T", "type", "", "force a specific loot type (file/cred) if looting")
 			f.String("F", "file-type", "", "force a specific file type (binary/text) if looting")
 			f.String("n", "name", "", "name to assign the download if looting")
+			f.Bool("r", "recurse", false, "recursively download all files in a directory")
 		},
 		Args: func(a *grumble.Args) {
 			a.String("remote-path", "path to the file or directory to download")
@@ -2483,7 +2496,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp: help.GetHelpFor([]string{consts.PivotsStr, consts.NamedPipeStr}),
 		Flags: func(f *grumble.Flags) {
 			f.String("b", "bind", "", "name of the named pipe to bind pivot listener")
-
+			f.Bool("a", "allow-all", false, "allow all users to connect")
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		Run: func(ctx *grumble.Context) error {
@@ -3242,7 +3255,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			return nil
 		},
 		Args: func(a *grumble.Args) {
-			a.String("connection-string", "connection string to the Operator Host")
+			a.String("connection-string", "connection string to the Operator Host (e.g. 127.0.0.1:1234)")
 		},
 		Flags: func(f *grumble.Flags) {
 			f.Bool("s", "skip-existing", false, "Do not add existing sessions as Operator Agents")

client/command/exec/execute-assembly.go

@@ -57,19 +57,25 @@ func ExecuteAssemblyCmd(ctx *grumble.Context, con *console.SliverConsoleClient)
 
 	assemblyArgs := ctx.Args.StringList("arguments")
 	process := ctx.Flags.String("process")
+	processArgs := strings.Split(ctx.Flags.String("process-arguments"), " ")
+
+	assemblyArgsStr := strings.Join(assemblyArgs, " ")
+	assemblyArgsStr = strings.TrimSpace(assemblyArgsStr)
 
 	ctrl := make(chan bool)
 	con.SpinUntil("Executing assembly ...", ctrl)
 	execAssembly, err := con.Rpc.ExecuteAssembly(context.Background(), &sliverpb.ExecuteAssemblyReq{
-		Request:   con.ActiveTarget.Request(ctx),
-		IsDLL:     isDLL,
-		Process:   process,
-		Arguments: strings.Join(assemblyArgs, " "),
-		Assembly:  assemblyBytes,
-		Arch:      ctx.Flags.String("arch"),
-		Method:    ctx.Flags.String("method"),
-		ClassName: ctx.Flags.String("class"),
-		AppDomain: ctx.Flags.String("app-domain"),
+		Request:     con.ActiveTarget.Request(ctx),
+		IsDLL:       isDLL,
+		Process:     process,
+		Arguments:   assemblyArgsStr,
+		Assembly:    assemblyBytes,
+		Arch:        ctx.Flags.String("arch"),
+		Method:      ctx.Flags.String("method"),
+		ClassName:   ctx.Flags.String("class"),
+		AppDomain:   ctx.Flags.String("app-domain"),
+		ProcessArgs: processArgs,
+		PPid:        uint32(ctx.Flags.Int("ppid")),
 	})
 	ctrl <- true
 	<-ctrl

client/command/exec/execute.go

@@ -47,6 +47,7 @@ func ExecuteCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	stderr := ctx.Flags.String("stderr")
 	saveLoot := ctx.Flags.Bool("loot")
 	saveOutput := ctx.Flags.Bool("save")
+	ppid := ctx.Flags.Uint("ppid")
 	hostName := getHostname(session, beacon)
 
 	// If the user wants to loot or save the output, we have to capture it regardless of if they specified -o
@@ -61,14 +62,16 @@ func ExecuteCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 
 	ctrl := make(chan bool)
 	con.SpinUntil(fmt.Sprintf("Executing %s %s ...", cmdPath, strings.Join(args, " ")), ctrl)
-	if token {
-		exec, err = con.Rpc.ExecuteToken(context.Background(), &sliverpb.ExecuteTokenReq{
-			Request: con.ActiveTarget.Request(ctx),
-			Path:    cmdPath,
-			Args:    args,
-			Output:  captureOutput,
-			Stderr:  stderr,
-			Stdout:  stdout,
+	if token || ppid != 0 {
+		exec, err = con.Rpc.ExecuteWindows(context.Background(), &sliverpb.ExecuteWindowsReq{
+			Request:  con.ActiveTarget.Request(ctx),
+			Path:     cmdPath,
+			Args:     args,
+			Output:   captureOutput,
+			Stderr:   stderr,
+			Stdout:   stdout,
+			UseToken: token,
+			PPid:     uint32(ppid),
 		})
 	} else {
 		exec, err = con.Rpc.Execute(context.Background(), &sliverpb.ExecuteReq{