Alan Framework is a post-exploitation framework useful during red-team activities.
If you find my tool useful, please consider sponsoring me.
You can download the binary from: https://github.com/enkomio/AlanFramework/releases/latest
- You can run your preferred tool directly in-memory
- Supported agent types: PowerShell (x86/x64), DLL (x86/x64), Executable (x86/x64), Shellcode (x86/x64)
- Server.exe can be executed in Linux (via dotnet core)
- The network communication is fully encrypted with a session key not recoverable from the agent binary or from a traffic dump
- Communication performed via HTTP/HTTPS
- No external dependencies or libraries need to be installed
- A powerful command shell
- The agent configuration can be updated on the fly (you can change port and protocol too)
- Introduction
- Update agent profile at runtime
- A powerful command-shell and agent migration
- Alan post-exploitation framework v4.0 demo
- Alan 5.0 C2 Framework - All You Can In-Memory Edition
Blog posts
- Alan c2 Framework v5.0 - All you can in-memory edition
- Alan - A post exploitation framework
- Alan post-exploitation framework v4.0 released
For more information on its usage please read the documentation.
- Implemented `run` command
- Implemented `kill` command
- Implemented `exec` command
- Removed `inject` message since it can be achieved with the `run` command in background
- Created stager and PE loader to make the agent stealthier. Each generated agent file has a different hash
- Improved code injection to bypass Dynamic Code Policy Mitigation
- It is now possible to specify the agent file name to create during the wizard
- Fixed error in `upload` and `download` commands
- Fixed error in shell creation. The command shell process token did not have the same agent integrity level
- Removed exported function from DLL agent artifact
- Added current working directory to `info` command
- Extended `shell` command to execute a single command
- Added `inject` command. This command allows the operator to inject code into a remote process
- Added `sleep` command performed in short sleeps of 400 msec each.
- Introduced Jitter concept in `sleep`
- Ported agent to x64 bit (included PE32+ loader)
- Fixed errors in x86 PE loader
- .NET agent runner is now executed in a stealthier way to avoid detection
- It is now possible to specify a custom Web server in the HTTP/S listener response
- Removed command `listeners` since superfluous
- Improved `info` command with more information
- Error messages are more explanatory
- Added information on process token type (elevated or not)
- Added information on process token privileges
- Added information on process token groups
- Renamed agent shell `quit` command to `exit`
- Implemented agent migration via `migrate` command
- Fixed error in retrieving OS version
- Added DLL as agent format in the creation wizard.
- Implemented `ps` command to list the currently running processes
- Implemented `download` command to locally download a file or an entire directory
- Implemented `upload` command to upload files to the compromised host
- Implemented `SuccessRequest` as HTTP server response option to customize the http/s listener response
- Implemented `ErrorRequest` to customize the http/s listener response for bad requests
- Implemented `prepend` and `append` as HTTP server request option to specify in the agent prof
- Implemented agent `detach` command to temporarily exit from a joined agent
- Implemented shell `detach` command to temporarily exit from a command shell
- Implemented `listeners` command to list the available listeners
- Implemented HTTPS listener to communicate with the agent via TLS
- Implemented `get-config` command to download the current agent configuration
- Implemented `update` command to update the agent configuration
- Windows 7 is now supported
- First Release