
Releases: mttaggart/OffensiveNotion

v1.5.0: "Dragon Well"

07 Apr 02:49

It's been a minute, but we're still around! This release is centered around one big new feature: execute-assembly!

Thanks to Yamakadi's excellent work on CLROxide, adding this feature to ON became entirely feasible, so here we are!


Bear in mind that the assemblies are downloaded from the web (remember the nature of this C2), and that they'll be subject to EDR inspection without proper precautions. But the feature works like a charm!

v1.4.0: "Toledo"

25 Aug 15:32
3261794

Welcome back! In v1.4.0, aka "Toledo", we wanted to add some much-needed features to ON.

ls

At long last, ls is now a native command! You can enumerate directories without needing to resort to the shell.

Cloud Upload

Finally! A way to exfiltrate data from the target. It turns out Notion has no native file upload capability. What the Notion app does in the background is hand the file off to S3, where it will eventually reside. So to get uploads working in OffensiveNotion, we've implemented cloud upload ourselves as two commands, s3upload and azupload, supporting S3 and Azure Blob Storage respectively.

Now, to use these, there's a bit of preparation necessary, and the commands require some sensitive information to be sent to the agent. But we don't store that information in memory after the commands have run. That makes the commands more verbose, but also more OPSEC-safe.

azupload

Usage: azupload storage_account access_key container_name file

To use Azure Storage, you'll need to create an Azure Storage Account with public access enabled, then a container that allows anonymous read. You don't technically have to use anonymous read; it just makes the links in ON easier to follow. If you'd rather maintain tighter access control, the upload will still function.

s3upload

Usage: s3upload aws_access_key_id aws_secret_access_key region bucket_name file

For S3, you'll want to create an IAM user with S3 write permissions for a new bucket. The access key ID and secret access key are sent, along with the region, bucket name, and the file to upload. The file is set with an anonymous read ACL for ease of access, so beware of the URL and who is accessing it!
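One way to keep track of who is fetching those anonymously readable objects is to audit the bucket's S3 server access logs for successful unauthenticated GETs. This is an added example, not code from OffensiveNotion or these release notes; the log lines are constructed in the documented S3 server access log layout (an anonymous requester appears as a bare "-"), and the owner ID, bucket and key names are placeholders.

```python
import re
from typing import Optional

# S3 server access log, first ten fields: bucket owner, bucket, [time], remote IP,
# requester ("-" when the request carried no AWS credentials), request ID,
# operation, key, "request URI" and HTTP status. Trailing fields are ignored here.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log (placeholder owner ID, bucket and object keys).
SAMPLE_LOG = """\
OWNERIDPLACEHOLDER upload-bucket [25/Aug/2022:15:40:01 +0000] 203.0.113.10 - 1A2B3C REST.GET.OBJECT secrets.zip "GET /upload-bucket/secrets.zip HTTP/1.1" 200 - 4096 4096 12 11 "-" "curl/7.84.0" - host1 - ECDHE-RSA-AES128-GCM-SHA256 - upload-bucket.s3.amazonaws.com TLSV1.2
OWNERIDPLACEHOLDER upload-bucket [25/Aug/2022:15:41:07 +0000] 198.51.100.7 - 4D5E6F REST.GET.OBJECT secrets.zip "GET /upload-bucket/secrets.zip HTTP/1.1" 200 - 4096 4096 9 8 "-" "Mozilla/5.0" - host2 - ECDHE-RSA-AES128-GCM-SHA256 - upload-bucket.s3.amazonaws.com TLSV1.2
OWNERIDPLACEHOLDER upload-bucket [25/Aug/2022:15:42:30 +0000] 192.0.2.44 OWNERIDPLACEHOLDER 7G8H9I REST.PUT.OBJECT secrets.zip "PUT /upload-bucket/secrets.zip HTTP/1.1" 200 - - 4096 30 25 "-" "aws-sdk-rust" - host3 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader upload-bucket.s3.amazonaws.com TLSV1.2
OWNERIDPLACEHOLDER upload-bucket [25/Aug/2022:15:43:02 +0000] 203.0.113.10 - J0K1L2 REST.GET.OBJECT notes.txt "GET /upload-bucket/notes.txt HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "curl/7.84.0" - host4 - ECDHE-RSA-AES128-GCM-SHA256 - upload-bucket.s3.amazonaws.com TLSV1.2
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one access log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def anonymous_object_reads(log_text: str) -> list:
    """Return successful object downloads that were made without any AWS credentials."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["operation"] == "REST.GET.OBJECT"
                and rec["requester"] == "-"
                and rec["status"].startswith("2")):
            hits.append(rec)
    return hits

def readers_by_key(hits: list) -> dict:
    """Map each object key to the sorted set of source IPs that read it anonymously."""
    per_key = {}
    for h in hits:
        per_key.setdefault(h["key"], set()).add(h["ip"])
    return {key: sorted(ips) for key, ips in per_key.items()}

if __name__ == "__main__":
    for key, ips in readers_by_key(anonymous_object_reads(SAMPLE_LOG)).items():
        print(f"{key}: anonymous reads from {', '.join(ips)}")
```

Any source IP in the output that is not your own is someone else holding the URL, which is the moment to pull the object or tighten the ACL.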

v1.3.0: "Tamahagane"

17 Jun 18:50

This release contains 2 new features, some improvements, and a bugfix:

New Features

  • getsystem/rev2self: Got an admin session on Windows? Now you can elevate to SYSTEM! This command will grab the SYSTEM token and let you run commands with that level of privilege. rev2self will dump those permissions and revert to the previous user.

Improvements

  • Big thanks to @hitcxy for improved shell encoding in our shell command!

Bugfixes

  • As of 6/17/2022, Notion's API changed how it accepts block updates, so we modified our command-completion routine to match the new API spec.

v1.2.1

26 Apr 13:08
503fc25

This release contains a bugfix for launching the appified Edge/Chrome browsers, and the ability to set that option in the build script.

v1.2.0: "Damascus Steel"

20 Apr 19:13
57ec4b5

With this release, we have focused on some OPSEC considerations and the usability of the agent.

Guardrails

OffensiveNotion now has the ability to define environmental conditions under which to run. Only execute on matching domains, hostnames, or usernames! See the wiki for more details.

Configuration

We have replaced the sleep command with a more comprehensive config command that allows you to modify the running config of an agent. Be aware that there are some ways of modifying the running config that will break the agent. See the wiki for all the config options.

String Encryption

String literals are now encrypted with LitCrypt! This significantly reduces the signature footprint of OffensiveNotion.

This does add an extra step for developing on OffensiveNotion. To work with the source code in VSCode or other editors using Clippy/Rust-Analyzer, make sure to set a value for the environment variable LITCRYPT_ENCRYPT_KEY.

Check-In Emojis

New agents finally have icons on their agent pages!

[Screenshot: user icon]

[Screenshot: root icon]

Acknowledgements

A special thank you to @MEhrn00 for his contribution to the guardrails module, and continued expertise in exploring the Windows API via Rust!

v1.1.0: "Age of Steel"

23 Mar 14:24
6584c61


Less than a month after our initial release, this version adds quite a bit of exciting functionality and improvements!

selfdestruct

With the addition of this command, OffensiveNotion can now clean up after itself and leave fewer artifacts for defenders to detect!

inject self

The Windows agent now has a self-injector option for shellcode injection. This maps the shellcode into the agent's own process and executes it as a thread. This is a good option for inline execution of another C2 agent.

Docker build pipeline improvements

The Docker image is leaner, meaner, and easier to use. The entire build process is run through Docker now, meaning the only commands you'll need are docker build and docker run.

macOS Build!

We've saved the best for last: OffensiveNotion now runs on macOS! The macOS agent has full feature parity with the Linux version, including 2 mechanisms for persistence:

  • launchagent: Creates a LaunchAgent in either the user folder or the root LaunchAgents folder, depending on elevation. And yes, elevate via sudo works!
  • loginitem: Creates a Login Item to start OffensiveNotion when the user logs in.

We've even provided instructions on the wiki for how to build a proper .app package for your engagement!

Thanks as always for supporting OffensiveNotion. We hope you enjoy using this tool as much as we enjoy building it.

v1.0.0: "Iron Age"

27 Feb 19:14

It's Here!

We're pleased to share our first public release of OffensiveNotion. Please consult the Wiki for usage details. You can find the compiled Windows and Linux 64-bit binaries below.

Enjoy!

Please note this is a default build, meaning the built-in config values are meaningless placeholders. To kick this off, run with one of the following options:

  • -d: Debug mode, which will walk you through adding config params.
  • -c: Provide the path to a config JSON file. See below for a sample.
  • -b: Provide a base64-encoded config. You might want to use the sample below as a base.

Example Config

{
    "sleep_interval": 10,
    "jitter_time": 5,
    "parent_page_id": "your_page_id",
    "api_key": "your_api_key",
    "config_file_path": "cfg.json",
    "launch_app": true,
    "log_level": 5
}