Command Transforms

What are they?

Command transforms are a way to automatically manipulate a command between what an operator types and what is pulled down by the agent.

Why are they useful?

Consider the following scenarios:

  • You want to evade command-line logging with some obfuscation, but don't want to manually adjust your command each time

  • You want to evade command-line logging by pre-pending or appending information to your command, but don't want to have to type it each time

  • You want to compile code for each command, but want the process integrated into your workflow

This is where command transforms shine.

Where are they?

Command transform code lives in the "Manage Operations" -> "Transform Management" page from the top navigation bar.

Transform Management page

Apfell will automatically take the code from here and parse the type-hints to provide options when editing a command:

Command Transform for shell

There are a few important pieces here to look at:

  • Step - You can have multiple transforms applied to a command, so providing an order in which they need to execute is important

  • Transform - This is a dropdown where you select the actual command to execute. This will pull the list of functions within the CommandTransformOperation class seen on the `Transform Management1 page.

  • Parameter - If the transform takes a parameter, you can pass it in here. For example, the base64EncodeLinuxCommand transform takes a string parameter of which parameter to base64 encode.

  • Active - Each transform can be toggled as active or not active, and only active ones will be applied. This is a global setting that is applied to all operations.

How do you use them?

Once you apply a transform to a command, it is applied globally. From the "Operational Views" -> "Active Callbacks" page on the top navigation bar, click interact with a callback. Normally, next to the Submit button at the bottom of the screen, there is a green gear icon. This indicates that you're good to go, there are no transforms being applied to your command. If you apply a transform to a command, the apfell-jxa shell command for example, then when you type shell , the green gear icon will change to orange. This indicates that something potentially dangerous is about to happen under the hood.

No command transforms being applied
Command transforms will be applied

If you click that orange gear icon, a dialog will pop up to indicate which transforms are being applied. They can individually be toggled on/off for just while you're on that page. You can submit your changes to be applied globally, or you can also toggle the test command which will take your command, have it go through all of the transforms, record the output of each step along the way, and return that back to you (without ever actually tasking the agent). This is helpful to make sure that all of your transforms and their order is working as expected.

Toggle control of command specific transforms temporarily
Example test submission for command transform

Containers

In order to use command transforms, there must be a corresponding payload type container (Containers) that is signaling heartbeats.

When a task is submitted with command transforms, it enters a "pre-processing" phase. In this phase, the task and associated command transform information is sent to the corresponding payload type's docker container for execution of the command transforms. Once the container is done executing the transforms, it sends the updated parameters back to Apfell.

If the original parameters are different from these new ones, then a button like above is displayed to allow the user to view the transformed parameters. Either way, the agent will always pull down the final parameter values.

If there is no associated payload type container, this this process cannot happen. This is fine if there are no command transforms though.