C2 framework that uses Background Intelligent Transfer Service (BITS) as its communication protocol and Direct Syscalls + DInvoke for EDR user-mode hooking evasion.
LOLBITS is a C2 framework that uses Microsoft's Background Intelligent Transfer Service (BITS) to establish the communication channel between the compromised host and the backend. The C2 backend is hidden behind an apparently harmless Flask web application and is only accessible when the HTTP requests received by the app contain a valid authentication header. Since this tool is meant to be used in highly monitored environments, the following features have been implemented in order to avoid EDR and AV detection:
Regarding the architecture, LOLBITS is composed of 3 main elements:
To prevent content inspection by proxies, all relevant content exchanged between the agent and the C2 server is encrypted using RC4 with a randomly generated pre-shared secret key. A high-level diagram of the infrastructure's behaviour is shown in the following image:
To prevent the Blue Team from replaying old requests and discovering the C2 backend infrastructure, each authentication header is randomly generated and is valid for only a single cycle (a cycle consists of a POST request followed by a GET request, in that order). Old authentication headers are ignored and the harmless website is displayed for those requests.
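From the defender's side, the single-use cycle described above is itself a pattern: every token appears exactly once as a POST and once as a GET, and is never reused, whereas ordinary sessions reuse one token across many requests. The following added example (not part of LOLBITS) runs that heuristic over constructed IIS-style log lines; it assumes the authentication header value is logged in a custom field named `auth`, a placeholder since the README does not name the header.

```python
import re
from collections import defaultdict

# Constructed log lines (not real traffic): timestamp, client IP, method, URI,
# and the authentication header value, assumed logged as a custom "auth" field.
# 10.0.0.5 shows three single-use POST->GET cycles; 10.0.0.9 is a normal session.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST /index auth=7f3a9c
2024-01-01T10:00:01 10.0.0.5 GET /index auth=7f3a9c
2024-01-01T10:00:30 10.0.0.5 POST /index auth=b21e44
2024-01-01T10:00:31 10.0.0.5 GET /index auth=b21e44
2024-01-01T10:01:00 10.0.0.5 POST /index auth=e90d17
2024-01-01T10:01:01 10.0.0.5 GET /index auth=e90d17
2024-01-01T10:02:00 10.0.0.9 GET /index auth=sess01
2024-01-01T10:02:05 10.0.0.9 GET /about auth=sess01
2024-01-01T10:02:09 10.0.0.9 POST /login auth=sess01
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) auth=(\S+)$")


def parse(log):
    """Yield (timestamp, client, method, uri, token) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def single_use_cycles(log, min_cycles=3):
    """Return {client: cycle_count} for clients whose every auth token was used
    for exactly one POST followed by one GET and never again, with at least
    min_cycles such tokens. Sessions that reuse a token are not flagged."""
    per_client = defaultdict(lambda: defaultdict(list))
    for _, client, method, _, token in parse(log):
        per_client[client][token].append(method)  # methods in log order
    flagged = {}
    for client, tokens in per_client.items():
        cycles = sum(1 for methods in tokens.values() if methods == ["POST", "GET"])
        # Require that *all* of the client's tokens follow the one-cycle pattern.
        if cycles >= min_cycles and cycles == len(tokens):
            flagged[client] = cycles
    return flagged


if __name__ == "__main__":
    print(single_use_cycles(SAMPLE_LOG))  # {'10.0.0.5': 3}
```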
Some of this tool's features have been implemented either by reusing code from other projects or thanks to the efforts of several cybersecurity researchers. Below I link some of the external work and projects that have been used in one way or another to improve this tool:
The C2 infrastructure requires Windows Server 2016 or above with Python 3.4+ and PowerShell 5.1+. The C# agent has been successfully tested on Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows 7, Windows 8.1 and Windows 10. To compile it you need:

* Visual Studio 2017 or above.
* .NET Framework 4.5 or above.
1.- Clone this repository on your C2 server:

```sh
git clone https://github.com/Kudaes/LOLBITS.git
```

2.- Install Web Server (IIS) through Windows Server Manager. Make sure to install the CGI, ASP.NET and .NET Extensibility roles. Also install the .NET Framework and BITS features for IIS.
3.- Execute the `setup.ps1` script as administrator to deploy the whole infrastructure and set up the C# agent.
4.- Compile the C# agent. The compilation will generate an .exe and an external dependency (Newtonsoft.Json.dll). You can merge them into a single .exe using ILMerge, or just send both files to the compromised host. To avoid DEBUG output, make sure to compile the project as a Windows Application.
5.- (Optional) By default, the `setup.ps1` script will create a new Web Site in your IIS called lawlbits, listening on the default HTTP port (80/TCP). This new Web Site doesn't use HTTP over TLS and, even though the content of the requests sent by the C# agent to the C2 is encrypted using RC4 with a pre-shared, randomly generated secret key, it is recommended to set up HTTPS for the new site. To do that, I recommend using Let's Encrypt on lawlbits, which is one of the easiest ways to set up HTTPS. After that, remember to modify the variable `Url` in Program.cs to use HTTPS instead of HTTP, which is the default behaviour.
To obtain the reverse shell, just type `python lawlbin.py` in a cmd on the C2 server and execute the C# agent on the compromised host.
Since this project was born from the ashes of a previous, failed project, some of the old features have been kept. The old project was a shell where all the available commands were executed using exclusively Living off the Land Binaries. That's where the LOL in LOLBITS comes from, and that's why the following features run using exclusively LOLBINS (this could help to bypass AWS and some AV/EDR filters):
Although these features could be interesting in some environments (hmm, download remote files without using PowerShell? I like it!), I kept them mainly to reuse part of the old code for the C2 console. Below is a list of some other features that I'm sure will be more useful in a classic red team context:
To get usage tips just type in
Any contributions will be greatly appreciated.
1.- Create your feature branch (`git checkout -b feature/AmazingFeature`)
2.- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
3.- Push to the branch (`git push origin feature/AmazingFeature`)
Distributed under the GNU License. See `LICENSE` for more information.