Active Callbacks
Last updated
Last updated
The main page to see and interactive with active callbacks can be found from the "Operational Views" -> "Active Callbacks" page from the top navigation bar.
The top table has a list of current callbacks with a bunch of identifying information. All of the table headers can be clicked to sort the information in ascending or descending order.
Callback - The identifying callback number. The Interact
button will bring the bottom section into focus, load the previously issued tasks for that callback, and populate the bottom section with the appropriate information (discussed in the next section).
If the integrity_level
of the callback is <= 2, then the callback button will be blue. Otherwise it'll be red (indicating high integrity). It's up to the agent to report back its own callback level
Host - The hostname for the machine the callback is from
IP - The IP associated with the host
User - The current user context of the callback
PID - The process ID for the callback
Initial Checkin - The time when the callback first checked in. This date is stored in UTC in the database, but converted to the operator's local time zone on the page.
Last Checkin - How long it's been since the last checkin in day:hour:minute:second time\
Description - The current description of the callback. The default value for this is specified by the default tag
section when creating a payload. This can be changed either via the callback's dropdown or after selecting interact
, type set description whatever you want here
.
Filtering - This top bar allows you to filter what information is presented in the callback pane. This is specified by column
:search value
. For example, to only display callbacks from a certain host, use host:spooky
.
The available columns are: id, host, ip, user, domain, os, payload_type, integrity_level
Next to the Interact
button is a dropdown button that provides more accessible information:
Keystrokes - This opens up an additional tab at the bottom for keystrokes related to that callback
Screencaptures - This opens up an additional tab at the bottom for screencaptures related to that callback
Expand Callback - This opens up the callback in a separate window where you can either just view that whole callback full screen, or selectively add other callbacks to view in a split view
Edit Description - This allows you to edit the description of a callback. This will change the side description at the end and also rename the tab at the bottom when somebody clicks interact
. To set this back to the default value, interact with the callback and type set description reset
.
Exit Callback - Sends the exit
command to the callback. Because this can be different for each agent type, Apfell looks up the command that has is_exit
set to True
for the right payload type, and sends that command.
Remove Callback - This removes the callback from the current view and sets it to inactive. This can still be viewed in the All Callbacks
page (covered in a later section). If a callback is removed and checks back in, it'll automatically be brought back into view on this screen. Additionally, from the All Callbacks
page, you can make the callback Active
again which will bring it back into view here.
Processes - This allows you to view a unified process listing from all agents related to this host
, but issue new process listing requests from within this callback's context
Locked - If a callback is locked by a specific user, this will be indicated here (along with a changed user and lock icon instead of a keyboard on the interacting button).
The bottom area is where you'll find the tasks, keylogs, screencaptures, process listings, and comments related to specific callbacks. Clicking the keyboard icon on a callback will open or select the corresponding tab in this area.
The current agent you're interact with is highlighted at the top and bottom. The tasking bar at the very bottom will be auto populated with the user@hostname(pid)
of the callback you're tasking.
When you start typing a command, the possible commands that match what you're typing will be shown above the tasking line. You can use the up and down arrow keys to toggle through these values. Hitting Enter
or tab
will finish the command on the command line.
Submitting a command goes through a few phases that are also color coded to help visually see the state of your task:
Preprocessing - This is when the command is submitted to Apfell, but it's going through some sort of modification before being ready for the agent to pull down the task. This can include things like executing command transforms
, uploading files to the server for them to be pulled down by the agent, or even compiling modules for a load command.
Submitted- The task has finished pre-processing and is ready for the agent to request it.
Processing - The agent has pulled down the task, but has not returned anything.
Processed - The agent has returned at least one response for the task, but hasn't explicitly marked the task as completed
Completed - The agent has reported the task done successfully
Error -The agent reported that there was an error with executing the task.
Once you've submitted tasking, there's a bit of information that'll be automatically displayed.
The user that submitted the task
The task number - You can click on this task number to view just that task and its output in a separate page. This makes it easy to share the output of a task between members of an operation.
Comment - The green plus icon allows you to submit a comment on a task (more on this in the comment section)
The slider toggler - this toggles the activation of browser scripts for that specific instance of a task (see the browser scripts section for more information)
The green save icon - this allows you to save all of the responses for a task as a separate file.
The state of the task
The timestamp corresponds to the last time the state of the task changed
The command and any parameters supplied by the operator
The arrow and command/parameters are clickable to toggle hiding/showing the response. By default, when you click interact
, all of these will be collapsed and when a new response comes in, the corresponding task will expand.
At the end of a task, there's a small button that allows you to automatically copy the issued command to your clipboard so it's easy to copy long tasks.
If there are transforms applied to your command, there will be an extra button called Show transformed params
in the beginning of a task output. Click the button to see what was actually sent to the agent.
As you scroll through your tasks, the current task will be fixed to the top. This is helpful when there's a lot of task output and you don't want to scroll all the way to the top of the task to minimize it.
The very bottom right hand of the screen has a little filter button that you can click to filter out what you see in your callbacks. The filtering only applies as long as you're on that callback page (i.e. it gets reset when you refresh the page), but allows you to filter by:
Operator - user and operator's name (or part of one) to only display tasking from names that contain what you type
Task Numbers - select a lower and upper bound (inclusive on both ends) for the range of tasks you want to see
Command - only show commands of a certain type (like only shell commands, only ls, etc)
You can do as many or as few of these together as you want, and the icon in the bottom right will indicate that some are active