Command transforms are a way to automatically manipulate a command between what an operator types and what is pulled down by the agent.
Consider the following scenarios:
You want to evade command-line logging with some obfuscation, but don't want to manually adjust your command each time
You want to evade command-line logging by pre-pending or appending information to your command, but don't want to have to type it each time
You want to compile code for each command, but want the process integrated into your workflow
This is where command transforms shine.
Command transform code lives in the "Manage Operations" -> "Transform Management" page from the top navigation bar.
Apfell will automatically take the code from here and parse the type-hints to provide options when editing a command:
There are a few important pieces here to look at:
Step - You can have multiple transforms applied to a command, so providing an order in which they need to execute is important
Transform - This is a dropdown where you select the actual command to execute. This will pull the list of functions within the
CommandTransformOperation class seen on the `Transform Management1 page.
Parameter - If the transform takes a parameter, you can pass it in here. For example, the
base64EncodeLinuxCommand transform takes a string parameter of which parameter to base64 encode.
Active - Each transform can be toggled as active or not active, and only active ones will be applied. This is a global setting that is applied to all operations.
Once you apply a transform to a command, it is applied globally. From the "Operational Views" -> "Active Callbacks" page on the top navigation bar, click interact with a callback. Normally, next to the
Submit button at the bottom of the screen, there is a
green gear icon. This indicates that you're good to go, there are no transforms being applied to your command. If you apply a transform to a command, the apfell-jxa
shell command for example, then when you type
shell , the
green gear icon will change to
orange. This indicates that something potentially dangerous is about to happen under the hood.
If you click that
orange gear icon, a dialog will pop up to indicate which transforms are being applied. They can individually be toggled on/off for just while you're on that page. You can submit your changes to be applied globally, or you can also toggle the
test command which will take your command, have it go through all of the transforms, record the output of each step along the way, and return that back to you (without ever actually tasking the agent). This is helpful to make sure that all of your transforms and their order is working as expected.
In order to use command transforms, there must be a corresponding payload type container (Containers) that is signaling heartbeats.
When a task is submitted with command transforms, it enters a "pre-processing" phase. In this phase, the task and associated command transform information is sent to the corresponding payload type's docker container for execution of the command transforms. Once the container is done executing the transforms, it sends the updated parameters back to Apfell.
If the original parameters are different from these new ones, then a button like above is displayed to allow the user to view the transformed parameters. Either way, the agent will always pull down the final parameter values.
If there is no associated payload type container, this this process cannot happen. This is fine if there are no command transforms though.