Version 1.4

Linking Agents

What does it mean to link agents

This refers to the act of connecting two agents together with a peer-to-peer protocol. The details here are agnostic of the actual implementation of the protocol (could be SSH, TCP, Named Pipes, etc), but the goal is to provide a way to give one agent the context it needs to link or establish some peer-to-peer connectivity to a running agent.

This also comes into play when trying to connect to a new executed payload that hasn't gone through the checkin process with Apfell yet to get registered as a Callback.

Getting the Linking information

When creating a command, give a parameter of type Remote Agent Connection. Now, when you type your command without parameters, you'll get a popup like normal. However, for the command parameter with the Remote Agent Connection type, there will be three dropdown menus for you to fill out:

Host:

This field is auto populated based on two properties:

  • The list of all hosts where you have registered callbacks

  • The list of all hosts where Apfell is aware you've moved moved a payload to (see Spawning Agents)

Payload:

Once you've selected a host, the Payload dropdown will populate with the associated payloads that Apfell knows are on that host. These payloads are in two main groups:

  • The payloads that spawned the current callbacks on that host

  • The payloads that were moved over via a command registered with Spawning Agents

This payload simply acts as a template of information so that you can select the final piece

C2 Profile:

When trying to connect to a new agent, you have to specify which specific profile you're wanting to connect to. This is because on any given host and for any given payload, there might be multiple c2 profiles within it (think HTTP, SMB, TCP, etc). This field will auto populate based on the C2 profiles that are in the payload selected in the drop down above it.

You'll only be able to select C2 profiles that are marked as is_p2p for peer-to-peer profiles. This is because it doesn't make any sense to remotely link to an HTTP callback profile for example.

Submitting the task:

Once you've selected all of the above pieces, the task will insert all of that selected profile's specific instantiations as part of the task for the agent to use when connecting. This can include things like specific ports to connect to, specific pipe names to use, or any other information that might be needed to make the connection.

Last updated