{"id":13840859,"url":"https://github.com/Gr1mmie/AtlasC2","last_synced_at":"2025-07-11T09:33:46.189Z","repository":{"id":37384262,"uuid":"442021530","full_name":"Gr1mmie/AtlasC2","owner":"Gr1mmie","description":"C# C2 Framework centered around Stage 1 operations","archived":false,"fork":false,"pushed_at":"2022-04-04T16:16:15.000Z","size":170,"stargazers_count":203,"open_issues_count":0,"forks_count":41,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-08-05T17:26:01.047Z","etag":null,"topics":["command-and-control","post-exploitation","red-teaming","stage-1"],"latest_commit_sha":null,"homepage":"https://grimmie.net/atlasc2-carrying-the-weight-of-net-assemblies/","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Gr1mmie.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":null,"ko_fi":"grimmie"}},"created_at":"2021-12-27T01:40:52.000Z","updated_at":"2024-07-22T07:50:43.000Z","dependencies_parsed_at":"2022-07-21T00:14:40.423Z","dependency_job_id":null,"html_url":"https://github.com/Gr1mmie/AtlasC2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gr1mmie%2FAtlasC2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gr1mmie%2FAtlasC2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gr1mmie%2FAtlasC2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gr1mmie%2FAtlasC2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Gr1mmie","download_url":"https://codeload.github.com/Gr1mmie/AtlasC2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712779,"owners_count":17512484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-and-control","post-exploitation","red-teaming","stage-1"],"created_at":"2024-08-04T17:00:58.359Z","updated_at":"2024-11-21T10:30:52.622Z","avatar_url":"https://github.com/Gr1mmie.png","language":"C#","funding_links":["https://ko-fi.com/grimmie"],"categories":["C# #"],"sub_categories":[],"readme":"# AtlasC2\nC# C2 Framework centered around Stage 1 operations\n\nAtlas is based around gaining a foothold within an environment and further utilizing it to smuggle in C# (currently strictly C#) weaponry utilizing an HTTP based implant. Isn't exactly very OPSEC safe in it's current state...at all. Currently targets only windows environments\n\nNote: Default connection settings on implant are set to connect to localhost on port 8080, this can be changed [here](https://github.com/Gr1mmie/AtlasC2/blob/master/Implant/Program.cs#L72)  \n\n## Usage\n\n### Starting TeamServer\n\nAfter generating an exe of the client, teamserver, and implant, simply execute `Teamserver.exe` to start up the teamserver\n\n### Starting/Managing Listeners\nTo start a new listener, use the `StartListener` command. This command takes two params: Listener name and the port to run on\n\n\u003cimg width=\"356\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159146033-692c0db2-b7cd-4f10-adff-b8717ae4e990.png\"\u003e\n\nThe `Listeners` command lists all listeners, `ViewListener` returns data on the specified listener, and `RemoveListener` can be used to remove a listener from the list\n\n\u003cimg width=\"345\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159146101-61a73e5d-51f4-411f-bd43-f7121b28ec6e.png\"\u003e\n\n### Interfacing W/ Implants\nListing connected implants can be done using the `Implants` command\n\n\u003cimg width=\"489\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159146433-3c6858f4-226a-4f9c-ae8d-a50105336880.png\"\u003e\n\nConnecting to an implant is as simple as `Connect \u003cImplantId\u003e`. See what I did there?...ok I'll see myself out. Just as the `Connect` command is used to select an implant. `ViewImplant` can be used to view more information on the selected implant. The `Disconnect` command will deselect the currently selected implant as shown below. \n\n\n\u003cimg width=\"487\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159146537-9fa722a9-ac90-42f7-86c1-a7d8502cc876.png\"\u003e\n\n### Executing Tasks\nTo use a task, a task must first be selected using `SetTask`. Options can be viewed using `TaskOpts` and set using `SetTaskOpt`. Tasks are executing using `SendTask`\n\n\u003cimg width=\"489\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159146660-38af02d0-bdb7-4c8e-a1f7-e0b56b27cbcd.png\"\u003e\n\n### Viewing Previous Tasks\nIt's posible to view the output of a previously run task using `TaskOut`. `TasksOut` can be used to view all previously run tasks pertaining to the selected implant.\n\n\u003cimg width=\"332\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159146707-6c9ca507-eb50-413a-a7aa-03bceefe5193.png\"\u003e\n\n### Shell Execution\nAtlas allows operators to execute both PowerShell and Cmd commands using the `PSShell` and `CMDShell` tasks respectively. `PSShell` opens a new runspace and executes the command so even if `powershell.exe` is blacklisted, PowerShell commands can still be executed. This method also bypasses Constrained Language Mode. `CMDShell` opens a `cmd.exe` process and passes the command into the process. Executing a PowerShell command was shown above so that won't be shown here as well. Side note about `CMDShell`, many common commands executed including (but not limited to) whoami, ipconfig, pwd, and cd have been implemented into the implants functionality to avoid the need to execute such commands via a `cmd.exe` process.\n\n\u003cimg width=\"307\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159146916-8db10341-354d-4ab2-8feb-6931d6bc8681.png\"\u003e\n\n\n### Loading C# assemblies into memory\n\nLoading assembies takes a few steps unlike something like CobaltStrike that does everything using `execute-assembly`. First, an operator must use the `ByteConvert` utility (`ByteConvert` must be told whether the file is local or remote) to convert either a locally stored or remote file into a byte array and stores this in the `assemBytes` variable. Once this is done, the `Load` task is used to load the assembly into the implant process.\n\n\u003cimg width=\"580\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159147169-d24bfb6b-893e-430a-bf52-223257311bfc.png\"\u003e\n\n### Viewing Loaded Assemblies\nTo view assemblies loaded into the implant process, operators can use the `AssemQuery` and `AssemMethodQuery` tasks. The former returns all loaded assemblies while the latter returns All public methods pertaining to a loaded assembly\n\n\u003cimg width=\"613\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159147810-7f0454a8-860e-43b1-a74e-4e496a59d4ce.png\"\u003e\n\nThe screenshot confirms that the `TestAssem` assembly was indeed loaded into the implant's process.\n\n`AssemMethodQuery` can then be used to return information on `TestAssem` an operator can use to return information used to execute public methods \n\n\u003cimg width=\"475\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159147821-c5373915-871d-486d-b366-6b96241e1647.png\"\u003e\n\n### Executing Loaded Assemblies\nAtlas offers the option to execute an assembly from its entry point or a specified exposed method. `ExecuteAssem` can be used to execute from the entry point. This task takes only the name of the assembly. `ExecuteAssemMethod` allows for the execution of other methods using information fetched from `AssemMethodQuery`.\n\n\u003cimg width=\"616\" alt=\"image\" src=\"https://user-images.githubusercontent.com/57014148/159148129-0d558363-a4e7-4cfe-a140-acf21c22548f.png\"\u003e\n\nFor a full list of features, swing by the [wiki](https://github.com/Gr1mmie/AtlasC2/wiki)\n\n## Compilation\nOpen .sln and build all 3 components in Release mode, exit console windows and exe's should be generated in \\bin\\debug of each component. I gotta work on something better for this\n\n## To-Do\n* Authentication\n* Encode PowerShell Commands\n* Add admin utils: \n    * `cp` \n    * `upload`/`download`\n* Keylogger (probs make standalone to load into implant)\n* Some barebones persistence commands (idk something like creating a user via ADSI, WMI subscription creation. probs make these standalone assems to load into implant)\n* Allow for the changing of the sleep timing on implant and implement jitter\n* Allow for operator to change port TeamServer starts on via CLI \n* Encrypted comms (yikes, ik)\n* AppDomain Manipulation - Allow for the creation/removal of AppDomains and allow operator the ability to select which AppDomain to load assemblies into\n* Better extensability capabilities\n* Implement some sort of profiling system\n* Automated Compilation:\n    * implant\n    * droppers/loaders/stagers  \n* Shellcode generation via Donut\n* BOFs would be cool \n\n## Disclaimer\nAtlas was designed soley for educational/ethical purposes. I do not condone nor am I responsible for actions taken by users of Atlas\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGr1mmie%2FAtlasC2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FGr1mmie%2FAtlasC2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGr1mmie%2FAtlasC2/lists"}