Payload Execution Guardrails - Environment Variable Checks

[attl4s]

Why

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign (more info).

Additions

This PR adds environment variable checks for the Grunt HTTP Stager before executing any of the stages. The desired environment variables can be specified when creating a new HTTP launcher in the following format:
enVar1=value1;envVar2=value2;envVar3=value3....

Example: USERNAME=ATTL4S;USERDOMAIN=SIMONE;LOGONSERVER=\\DC01

If this form is empty, the Stager will just run without checking anything.

Future Work?

The way we implemented this has an obvious caveat: all the logic is hardcoded in the Stager, so anyone will be able to see who is the actual target. In addition, this implementation doesn't protect in any way the final payload, as anyone could bypass this env check and just jump to the stages and actual code.

• As we are using a Stager, we could leverage one of the stages to perform a server-side check of the variables so their values are not hardcoded in the actual Stager. If this check results in false, the server doesn't continue with further stages.
• For stageless payloads, we could encrypt the payload using those values (the only data harcoded would be the env var names to check)

Cheers!