Initial commit

.gitignore

@@ -0,0 +1,5 @@
+__pycache__
+*.pyc
+*.swp
+*.db
+*.log

Pipfile

@@ -0,0 +1,26 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+pylint = "*"
+flake8 = "*"
+pytest = "*"
+shiv = "*"
+
+[packages]
+prompt-toolkit = ">=3.0"
+cryptography = "*"
+websockets = "*"
+docopt = "*"
+terminaltables = "*"
+termcolor = "*"
+requests = "*"
+quart = "==0.10.0"
+hypercorn = "==0.9.0"
+defusedxml = "*"
+netifaces = "*"
+aiosqlite = "*"
+pypykatz = "*"
+donut-shellcode = "*"

README.md

@@ -0,0 +1,110 @@
+<p><img src="https://blackbot.io/wp-content/uploads/2020/11/artic_c2_logo_red_v1-e1606038603815.png" width="350px" /></p>
+
+# DESCRIPTION
+
+ARTi-C2 is a modern execution framework built to empower security teams to scale attack scenario execution from single and multi-breach point targets through the Dynamic Language Runtime \(DLR\) with the intent to produce actionable attack intelligence that improves the effectiveness of AV and EDR products.
+
+# PHILOSOPHY
+
+Blackbot Labs believes in creating tools where vendor solutions and open source can be provisioned and managed together by all organizations with the intent to deliver actionable attack intelligence organizations can use to define clear objectives and drive strategic security program initiatives.
+
+### *Commitment*
+
+- **INTEGRITY** 
+We build tools to help security teams evaluate the integrity of EDRs and anti-virus solutions by producing telemetry data in JSON that can integrate into any SIEM for real-time analytics without compromising the integrity of their defenses.
+
+
+- **TRANSPARENCY**
+We work under the umbrella of full transparency during all phases of tool development. From striking up ideas with our community enhancing the capabilities of tools used by red teams all over the world, if Blackbot Labs is brewing up a new tool, you'll know about it.
+
+
+- **AGILITY**
+We enable lean security teams to remain agile and focused on developing a unique trade-craft that's agnostic to certain tools. Whether the focus is to keep tight margins between mean time to detect \(MTTD\) metrics and mean time to respond \(MTTR\) metrics or evaluating security control effectiveness, Blackbot Labs will always build tools to help cut through the noise and eliminate the gray areas of security testing.
+
+
+- **SCALABILITY**
+Scaling security testing capabilities empowers security teams to automate and scale testing efforts from single and multi-target breach points in different regional locations with the intent to produce ingestible telemetry data. If a tool doesn't deliver a scalable solution, we won't release it. 
+
+
+- **FLEXIBILITY**
+Blackbot Labs builds and delivers open source tools with the flexibility and intent for security professionals to improve their trade-craft and scale security testing initiatives.
+
+
+- **RAPID DEPLOYMENT**
+Facilitating rapid deployment models is important to us. We'll do our best to deliver practical deployment frameworks that facilitate advanced security eco-systems and data-driven pipelines without compromise. 
+
+
+
+
+# CAPABILITIES
+
+ARTi-C2 Core features and capabilities are sourced from SILENTTRINITY and Boolang atomic tests are from ATOMIC-RED-TEAM. All other feature enhancements were built to ensure Blackbot operators' operational trade-craft, agility, scalability, and rapid execution is not compromised while delivering scalable atomic testing capabilities from MITRE ATT&CK.
+
+
+| CAPABILITY | DESCRIPTION |
+| ------ | ------ |
+| **Rapid Deployment** | Automate and scale testing efforts from single and multi-target breach points located in different regional environments
+| **Modern Command & Control** | *Implant and Server Comms:* Uses the power of SILENTRINITY's ECDHE Encrypted C2 Communication capabilities to encrypt all C2 traffic. Implant management capabilities allow security teams to use multi-channel communication techniques mapped to MITRE ATT&CK. </br>*Client and Server Comms*: Uses Asyncio and WebSockets are used by a modern CLI powered by prompt-toolkit. Notable featurse include:     - Implant location tagging NGROK integration 
+| **Standard Execution Header** | Automate and scale testing efforts from single and multi-target breach points located in different regional environments
+| **JSON Logging Support** | Streamline, ingest, decode, and analyze evidence with your ELK stack or any Analytics platform ready to parse JSON.
+| **Stageless in Memory Code Execution** | Send a single web request to a callback URL and observe the stager dynamically compile, check-in, evaluate, and execute tasks in the jobs queue. Continuously execute Atomic Red Team tests and measure and improve EDR and anti-virus protection capabilities, 24/7/365.
+| **Modular Payload Development** |     - Boolang using reflective DLL injection to invoke powershell's  run-time environment</br> - Booland using refelctive DLL injection to invoke system calls and CMD
+| **Dynamic Attack Formations** | Dynamically form and execute attack-chains in real-time without the need to recompile or restart ARTi-C2. As of today, ARTiC2 support the dynamicac development of 3 differnt attack functions:</br>    - Attack Chains:</br>- Attack Profiles:</br>- Attack Scenarios:
+| **Modular Payload Delivery** | ARTi-C2 leverages [SILENTRINITY's](https://github.com/byt3bl33d3r/SILENTTRINITY) framework to deliver Red Team Atomic tests "As is" through the following dynamically compiled payload deliver controllers:</br>- unmanaged powershell</br>- stageless powershell
+| ***Operational Management** | Job IDs are included controller execution and evidence collection for seamless correlation. 
+
+</br>
+</br>
+
+
+# MITRE ATT&CK COVERAGE
+
+- Getting Started With ARTi-C2
+- Automated Test Execution with the Execution Frameworks
+- Peruse the Complete list of Atomic Tests (md, csv) and the ATT&CK Matrix
+- Windows Matrix and tests by tactic (md, csv)
+- MacOS Matrix and tests by tactic (md, csv)
+- Linux Matrix and tests by tactic (md, csv)
+- Using ATT&CK Navigator? Check out our coverage layers (All, Windows, MacOS, Linux)
+- Fork and Contribute your own modifications
+- Have questions? Join the community on Slack at https://blackbotlab.slack.com
+- Need a Slack invitation? Grab one at https://slack.blackbot.io/
+
+
+
+## USE CASES 
+- SOCs need to evaluate and improve EDR solutions in minutes
+- Organizations are evaluating different EDR/AV solutions for Windows OS
+- Organizations need to simulate APT group tactics, techniques, and procedures without the need to go 'ALL IN" on research and planning.
+- Organizations need to know if their assets are protected against common attacks from disk and memory
+- Organizations need to execute lightweight test cases mapped to MITRE ATT&CK and prove their assets are protected
+- Organizations need to benchmark critical risk profiles against the ATT&CK framework before releasing systems to Corp IT/production
+- Organizations need to simulate ransomware tactics without introducing risk in order to develop specific detection and prevention capabilities
+- Organizations are required to keep tight margins between mean time to detect \(MTTD\) and mean time to respond \(MTTR\) metrics can demonstrate improvement
+
+
+
+
+## GET STARTED
+
+1. Download the repo
+
+2. Run the installer script
+
+3. Launch ARTi-C2
+
+4. Launch ARTi-C2 CLI
+
+## GET INVOLVED
+Have questions? , Need a Slack invitation? 
+Join the Blackbot Labs Community Today!
+- [https://community.blackbot.io](https://community.blackbot.io)
+
+
+
+### CODE OF CONDUCT
+
+Blackbot Labs operates under the umbrella of full transparency while ensuring end-user privacy remains a top priority. For more details on how we operate with our community, visit our community page.
+
+[https://blackbot.io/community](https://blackbot.io/community)
+

artic2.py

@@ -0,0 +1,6 @@
+#! /usr/bin/env python3
+
+from blackbot.__main__ import run
+
+if __name__ == '__main__':
+    run()

blackbot/__init__.py

@@ -0,0 +1,2 @@
+VERSION = "1.0.0"
+CODENAME = "alpha"

blackbot/__main__.py

@@ -0,0 +1,21 @@
+#! /usr/bin/env python3
+
+"""
+Usage: st [-h] [-v] (client|wss) [<args>...]
+
+options:
+    -h, --help                   Show this help message and exit
+    -v, --version                Show version
+"""
+
+from docopt import docopt
+from blackbot import VERSION
+
+def run():
+    args = docopt(__doc__, version=VERSION, options_first=True)
+    if args['client']:
+        import blackbot.core.client.__main__ as client
+        client.start(docopt(client.__doc__, argv=args["<args>"]))
+    elif args['wss']:
+        import blackbot.core.wss.__main__ as wss
+        wss.start(docopt(wss.__doc__, argv=args["<args>"]))

blackbot/core/automate/attack_chain/atomic_collection_cmd

@@ -0,0 +1,8 @@
+atomic
+use Collection/cmd
+set Atomic T1119-4
+run ADD_SESSION
+set Atomic T1115-1
+run ADD_SESSION
+set Atomic T1119-1
+run ADD_SESSION

blackbot/core/automate/attack_chain/atomic_collection_powershell

@@ -0,0 +1,22 @@
+atomic
+use Collection/powershell
+set Atomic T1123-1
+run ADD_SESSION
+set Atomic T1074.001-1
+run ADD_SESSION
+set Atomic T1056.001-1
+run ADD_SESSION
+set Atomic T1119-3
+run ADD_SESSION
+set Atomic T1074.001-2
+run ADD_SESSION
+set Atomic T1115-2
+run ADD_SESSION
+set Atomic T1119-2
+run ADD_SESSION
+set Atomic T1056.002-1
+run ADD_SESSION
+set Atomic T1114.001-1
+run ADD_SESSION
+set Atomic T1056.004-1
+run ADD_SESSION

blackbot/core/automate/attack_chain/atomic_commandcontrol_cmd

@@ -0,0 +1,14 @@
+atomic
+use CommandControl/cmd
+set Atomic T1105-7
+run ADD_SESSION
+set Atomic T1105-3
+run ADD_SESSION
+set Atomic T1105-5
+run ADD_SESSION
+set Atomic T1105-6
+run ADD_SESSION
+set Atomic T1105-1
+run ADD_SESSION
+set Atomic T1071.001-2
+run ADD_SESSION

blackbot/core/automate/attack_chain/atomic_commandcontrol_powershell

@@ -0,0 +1,30 @@
+atomic
+use CommandControl/powershell
+set Atomic T1095-1
+run ADD_SESSION
+set Atomic T1071.001-1
+run ADD_SESSION
+set Atomic T1219-1
+run ADD_SESSION
+set Atomic T1090.001-1
+run ADD_SESSION
+set Atomic T1071.004-2
+run ADD_SESSION
+set Atomic T1105-2
+run ADD_SESSION
+set Atomic T1105-4
+run ADD_SESSION
+set Atomic T1095-2
+run ADD_SESSION
+set Atomic T1071.004-4
+run ADD_SESSION
+set Atomic T1095-3
+run ADD_SESSION
+set Atomic T1219-3
+run ADD_SESSION
+set Atomic T1071.004-1
+run ADD_SESSION
+set Atomic T1071.004-3
+run ADD_SESSION
+set Atomic T1219-2
+run ADD_SESSION

blackbot/core/automate/attack_chain/atomic_credentialaccess_cmd

@@ -0,0 +1,42 @@
+atomic
+use CredentialAccess/cmd
+set Atomic T1003.001-6
+run ADD_SESSION
+set Atomic T1003.001-2
+run ADD_SESSION
+set Atomic T1110.002-1
+run ADD_SESSION
+set Atomic T1003.001-4
+run ADD_SESSION
+set Atomic T1003.001-7
+run ADD_SESSION
+set Atomic T1003.002-2
+run ADD_SESSION
+set Atomic T1003.002-3
+run ADD_SESSION
+set Atomic T1003.003-3
+run ADD_SESSION
+set Atomic T1003.003-2
+run ADD_SESSION
+set Atomic T1003-2
+run ADD_SESSION
+set Atomic T1110.001-1
+run ADD_SESSION
+set Atomic T1110.003-1
+run ADD_SESSION
+set Atomic T1040-1
+run ADD_SESSION
+set Atomic T1003.004-1
+run ADD_SESSION
+set Atomic T1003.003-1
+run ADD_SESSION
+set Atomic T1003.003-6
+run ADD_SESSION
+set Atomic T1003.003-4
+run ADD_SESSION
+set Atomic T1040-2
+run ADD_SESSION
+set Atomic T1003.002-1
+run ADD_SESSION
+set Atomic T1003.001-1
+run ADD_SESSION

blackbot/core/automate/attack_chain/atomic_credentialaccess_powershell

@@ -0,0 +1,24 @@
+atomic
+use CredentialAccess/powershell
+set Atomic T1003.003-5
+run ADD_SESSION
+set Atomic T1098-2
+run ADD_SESSION
+set Atomic T1056.001-1
+run ADD_SESSION
+set Atomic T1110.003-2
+run ADD_SESSION
+set Atomic T1003-1
+run ADD_SESSION
+set Atomic T1003.002-4
+run ADD_SESSION
+set Atomic T1003-3
+run ADD_SESSION
+set Atomic T1003.001-3
+run ADD_SESSION
+set Atomic T1098-1
+run ADD_SESSION
+set Atomic T1056.002-1
+run ADD_SESSION
+set Atomic T1056.004-1
+run ADD_SESSION