cobbr · attl4s · Sep 28, 2020 · Sep 28, 2020 · Sep 28, 2020 · Sep 28, 2020
diff --git a/Covenant/API/Models/Grunt.cs b/Covenant/API/Models/Grunt.cs
@@ -40,7 +40,7 @@ public Grunt()
         /// 'Disconnected', 'Hidden'</param>
         /// <param name="integrity">Possible values include: 'Untrusted',
         /// 'Low', 'Medium', 'High', 'System'</param>
-        public Grunt(string name, string originalServerGuid, int implantTemplateId, bool validateCert, bool useCertPinning, string smbPipeName, int delay, int jitterPercent, int connectAttempts, System.DateTime killDate, DotNetVersion dotNetVersion, RuntimeIdentifier runtimeIdentifier, GruntStatus status, IntegrityLevel integrity, int? id = default(int?), string guid = default(string), IList<string> children = default(IList<string>), ImplantTemplate implantTemplate = default(ImplantTemplate), int? listenerId = default(int?), Listener listener = default(Listener), string note = default(string), string process = default(string), string userDomainName = default(string), string userName = default(string), string ipAddress = default(string), string hostname = default(string), string operatingSystem = default(string), string gruntSharedSecretPassword = default(string), string gruntRSAPublicKey = default(string), string gruntNegotiatedSessionKey = default(string), string gruntChallenge = default(string), System.DateTime? activationTime = default(System.DateTime?), System.DateTime? lastCheckIn = default(System.DateTime?), string powerShellImport = default(string), IList<GruntCommand> gruntCommands = default(IList<GruntCommand>))
+        public Grunt(string name, string originalServerGuid, int implantTemplateId, bool validateCert, bool useCertPinning, string smbPipeName, int delay, int jitterPercent, int connectAttempts, System.DateTime killDate, string guardrails, DotNetVersion dotNetVersion, RuntimeIdentifier runtimeIdentifier, GruntStatus status, IntegrityLevel integrity, int? id = default(int?), string guid = default(string), IList<string> children = default(IList<string>), ImplantTemplate implantTemplate = default(ImplantTemplate), int? listenerId = default(int?), Listener listener = default(Listener), string note = default(string), string process = default(string), string userDomainName = default(string), string userName = default(string), string ipAddress = default(string), string hostname = default(string), string operatingSystem = default(string), string gruntSharedSecretPassword = default(string), string gruntRSAPublicKey = default(string), string gruntNegotiatedSessionKey = default(string), string gruntChallenge = default(string), System.DateTime? activationTime = default(System.DateTime?), System.DateTime? lastCheckIn = default(System.DateTime?), string powerShellImport = default(string), IList<GruntCommand> gruntCommands = default(IList<GruntCommand>))
         {
             Id = id;
             Name = name;
@@ -59,6 +59,7 @@ public Grunt()
             JitterPercent = jitterPercent;
             ConnectAttempts = connectAttempts;
             KillDate = killDate;
+            Guardrails = guardrails;
             DotNetVersion = dotNetVersion;
             RuntimeIdentifier = runtimeIdentifier;
             Status = status;
@@ -170,6 +171,11 @@ public Grunt()
         [JsonProperty(PropertyName = "killDate")]
         public System.DateTime KillDate { get; set; }
 
+        /// <summary>
+        /// </summary>
+        [JsonProperty(PropertyName = "guardrails")]
+        public string Guardrails { get; set; }
+
         /// <summary>
         /// Gets or sets possible values include: 'Net35', 'Net40', 'NetCore31'
         /// </summary>

diff --git a/Covenant/API/Models/Launcher.cs b/Covenant/API/Models/Launcher.cs
@@ -39,7 +39,7 @@ public Launcher()
         /// 'ConsoleApplication', 'WindowsApplication',
         /// 'DynamicallyLinkedLibrary', 'NetModule', 'WindowsRuntimeMetadata',
         /// 'WindowsRuntimeApplication'</param>
-        public Launcher(int? id = default(int?), int? listenerId = default(int?), int? implantTemplateId = default(int?), string name = default(string), string description = default(string), LauncherType? type = default(LauncherType?), DotNetVersion? dotNetVersion = default(DotNetVersion?), RuntimeIdentifier? runtimeIdentifier = default(RuntimeIdentifier?), bool? validateCert = default(bool?), bool? useCertPinning = default(bool?), string smbPipeName = default(string), int? delay = default(int?), int? jitterPercent = default(int?), int? connectAttempts = default(int?), System.DateTime? killDate = default(System.DateTime?), string launcherString = default(string), string stagerCode = default(string), OutputKind? outputKind = default(OutputKind?), bool? compressStager = default(bool?))
+        public Launcher(int? id = default(int?), int? listenerId = default(int?), int? implantTemplateId = default(int?), string name = default(string), string description = default(string), LauncherType? type = default(LauncherType?), DotNetVersion? dotNetVersion = default(DotNetVersion?), RuntimeIdentifier? runtimeIdentifier = default(RuntimeIdentifier?), bool? validateCert = default(bool?), bool? useCertPinning = default(bool?), string smbPipeName = default(string), int? delay = default(int?), int? jitterPercent = default(int?), int? connectAttempts = default(int?), System.DateTime? killDate = default(System.DateTime?), string guardrails = default(string), string launcherString = default(string), string stagerCode = default(string), OutputKind? outputKind = default(OutputKind?), bool? compressStager = default(bool?))
         {
             Id = id;
             ListenerId = listenerId;
@@ -56,6 +56,7 @@ public Launcher()
             JitterPercent = jitterPercent;
             ConnectAttempts = connectAttempts;
             KillDate = killDate;
+            Guardrails = guardrails;
             LauncherString = launcherString;
             StagerCode = stagerCode;
             OutputKind = outputKind;
@@ -154,6 +155,11 @@ public Launcher()
         [JsonProperty(PropertyName = "killDate")]
         public System.DateTime? KillDate { get; set; }
 
+        /// <summary>
+        /// </summary>
+        [JsonProperty(PropertyName = "guardrails")]
+        public string Guardrails { get; set; }
+
         /// <summary>
         /// </summary>
         [JsonProperty(PropertyName = "launcherString")]

diff --git a/Covenant/Components/Launchers/LauncherForm.razor b/Covenant/Components/Launchers/LauncherForm.razor
@@ -129,6 +129,11 @@
             <input id="KillDate" name="KillDate" @bind="Launcher.KillDate" class="form-control">
             <div class="text-danger"><ValidationMessage For="() => Launcher.KillDate" /></div>
         </div>
+        <div class="form-group col-md-3">
+            <label for="Guardrails">Guardrails (envVar1=value1;envVar2=value2)</label>
+            <input id="Guardrails" name="Guardrails" @bind="Launcher.Guardrails" class="form-control">
+            <div class="text-danger"><ValidationMessage For="() => Launcher.Guardrails" /></div>
+        </div>
     </div>
 
     @switch (Launcher.Name)

diff --git a/Covenant/Core/CovenantService.cs b/Covenant/Core/CovenantService.cs
@@ -1623,6 +1623,7 @@ private string GruntTemplateReplace(string CodeTemplate, ImplantTemplate templat
                             .Replace("{{REPLACE_JITTER_PERCENT}}", this.FormatForVerbatimString(grunt.JitterPercent.ToString()))
                             .Replace("{{REPLACE_CONNECT_ATTEMPTS}}", this.FormatForVerbatimString(grunt.ConnectAttempts.ToString()))
                             .Replace("{{REPLACE_KILL_DATE}}", this.FormatForVerbatimString(grunt.KillDate.ToBinary().ToString()))
+                            .Replace("{{REPLACE_GUARDRAILS}}", grunt.Guardrails)
                             .Replace("{{REPLACE_GRUNT_SHARED_SECRET_PASSWORD}}", this.FormatForVerbatimString(grunt.GruntSharedSecretPassword));
                     }
                     else if (template.CommType == CommunicationType.SMB)
@@ -4299,6 +4300,7 @@ public async Task<BinaryLauncher> GenerateBinaryLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4346,6 +4348,7 @@ public async Task<BinaryLauncher> EditBinaryLauncher(BinaryLauncher launcher)
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;
             _context.Launchers.Update(matchingLauncher);
@@ -4389,6 +4392,7 @@ public async Task<ShellCodeLauncher> GenerateShellCodeLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4436,6 +4440,7 @@ public async Task<ShellCodeLauncher> EditShellCodeLauncher(ShellCodeLauncher lau
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;
             _context.Launchers.Update(matchingLauncher);
@@ -4473,6 +4478,7 @@ public async Task<PowerShellLauncher> GeneratePowerShellLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4520,6 +4526,7 @@ public async Task<PowerShellLauncher> EditPowerShellLauncher(PowerShellLauncher
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;
             matchingLauncher.ParameterString = launcher.ParameterString;
@@ -4560,6 +4567,7 @@ public async Task<MSBuildLauncher> GenerateMSBuildLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4607,6 +4615,7 @@ public async Task<MSBuildLauncher> EditMSBuildLauncher(MSBuildLauncher launcher)
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;
             matchingLauncher.DiskCode = launcher.DiskCode;
@@ -4647,6 +4656,7 @@ public async Task<InstallUtilLauncher> GenerateInstallUtilLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4694,6 +4704,7 @@ public async Task<InstallUtilLauncher> EditInstallUtilLauncher(InstallUtilLaunch
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.DiskCode = launcher.DiskCode;
             matchingLauncher.StagerCode = launcher.StagerCode;
@@ -4732,6 +4743,7 @@ public async Task<WmicLauncher> GenerateWmicLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4779,6 +4791,7 @@ public async Task<WmicLauncher> EditWmicLauncher(WmicLauncher launcher)
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.ScriptLanguage = launcher.ScriptLanguage;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;
@@ -4820,6 +4833,7 @@ public async Task<Regsvr32Launcher> GenerateRegsvr32Launcher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4867,6 +4881,7 @@ public async Task<Regsvr32Launcher> EditRegsvr32Launcher(Regsvr32Launcher launch
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.ParameterString = launcher.ParameterString;
             matchingLauncher.DllName = launcher.DllName;
             matchingLauncher.ScriptLanguage = launcher.ScriptLanguage;
@@ -4912,6 +4927,7 @@ public async Task<MshtaLauncher> GenerateMshtaLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -4959,6 +4975,7 @@ public async Task<MshtaLauncher> EditMshtaLauncher(MshtaLauncher launcher)
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.ScriptLanguage = launcher.ScriptLanguage;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;
@@ -5000,6 +5017,7 @@ public async Task<CscriptLauncher> GenerateCscriptLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -5047,6 +5065,7 @@ public async Task<CscriptLauncher> EditCscriptLauncher(CscriptLauncher launcher)
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.ScriptLanguage = launcher.ScriptLanguage;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;
@@ -5088,6 +5107,7 @@ public async Task<WscriptLauncher> GenerateWscriptLauncher()
                 JitterPercent = launcher.JitterPercent,
                 ConnectAttempts = launcher.ConnectAttempts,
                 KillDate = launcher.KillDate,
+                Guardrails = launcher.Guardrails,
                 DotNetVersion = launcher.DotNetVersion,
                 RuntimeIdentifier = launcher.RuntimeIdentifier
             };
@@ -5135,6 +5155,7 @@ public async Task<WscriptLauncher> EditWscriptLauncher(WscriptLauncher launcher)
             matchingLauncher.JitterPercent = launcher.JitterPercent;
             matchingLauncher.ConnectAttempts = launcher.ConnectAttempts;
             matchingLauncher.KillDate = launcher.KillDate;
+            matchingLauncher.Guardrails = launcher.Guardrails;
             matchingLauncher.ScriptLanguage = launcher.ScriptLanguage;
             matchingLauncher.LauncherString = launcher.LauncherString;
             matchingLauncher.StagerCode = launcher.StagerCode;

diff --git a/Covenant/Data/Grunt/GruntHTTP/GruntHTTPStager.cs b/Covenant/Data/Grunt/GruntHTTP/GruntHTTPStager.cs
@@ -14,11 +14,15 @@ public class GruntStager
     {
         public GruntStager()
         {
-            ExecuteStager();
+            string Guardrails = @"{{REPLACE_GUARDRAILS}}";
+
+            if (EnvCheck(Guardrails)){
+                ExecuteStager();
+            }
         }
         [STAThread]
         public static void Main(string[] args)
-        {
+        {	
             new GruntStager();
         }
         public static void Execute()
@@ -207,7 +211,25 @@ public void ExecuteStager()
             }
             catch (Exception e) { Console.Error.WriteLine(e.Message + Environment.NewLine + e.StackTrace); }
         }
-
+
+        public bool EnvCheck(string envString)
+        {
+            if (String.IsNullOrEmpty(envString))
+            {
+                return true;
+            }
+            List<string> envSplitted = envString.Split(';').ToList<string>();
+            foreach (string s in envSplitted)
+            {
+                if (!System.Environment.GetEnvironmentVariable(s.Split('=')[0]).Equals(s.Split('=')[1], StringComparison.InvariantCultureIgnoreCase))
+                {    
+                   return false;
+                }
+            }
+            return true;
+        }
+
+
         public class CookieWebClient : WebClient
         {
             public CookieContainer CookieContainer { get; private set; }
@@ -250,4 +272,4 @@ public static List<string> Parse(string data, string format)
 
         // {{REPLACE_PROFILE_MESSAGE_TRANSFORM}}
     }
-}
+}
diff --git a/Covenant/Models/Grunts/Grunt.cs b/Covenant/Models/Grunts/Grunt.cs
@@ -75,6 +75,7 @@ public class Grunt
         public int ConnectAttempts { get; set; } = 5000;
         [Required]
         public DateTime KillDate { get; set; } = DateTime.MaxValue;
+        public string Guardrails { get; set; } = "";
 
         // Attributes of the remote Grunt
         [Required]

diff --git a/Covenant/Models/Launchers/Launcher.cs b/Covenant/Models/Launchers/Launcher.cs
@@ -57,6 +57,7 @@ public class Launcher
         public int JitterPercent { get; set; } = 10;
         public int ConnectAttempts { get; set; } = 5000;
         public DateTime KillDate { get; set; } = DateTime.Now.AddDays(30);
+	public string Guardrails { get; set; } = "";
         public string LauncherString { get; set; } = "";
         public string StagerCode { get; set; } = "";