Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
Integrity field to the agents.Agent and messages.SysInfo structures
info command now shows the agent's integrity level
  2 - Medium, 3 - High, 4 - System
  3 - member of sudo group, 4 - running as root
The Server downloads contain a copy of all compiled agents in the data/bin directory
Merlin documentation and Wiki can be found here
The compressed files have a password of merlin
rm command to remove, or delete, files using native Go functions
runas - Windows command to create a process as another user with their password
ssh - Connect to a remote host over SSH and execute a command (non-interactive)
token - Windows command to interact with Windows Access Tokens
  make - Create a new token with a username and password; Unlisted make_token alias
  privs - List the current or remote process token privileges
  rev2self - Drop any created or stolen access token and revert to original configuration; Unlisted rev2self alias
  steal - Steal a token from another process; Unlisted steal_token alias
  whoami - Enumerate process and thread token username, logon ID, privilege count, token type, impersonation level, and integrity level
Build ID: db3c882747558721bd61bda78185bd52708ed714
note - Add a note to an agent
group - Create groups of agents to interact with
sdelete - Securely delete a file
ps - Get a Windows process list
touch - Timestomp a file
netstat - List network connections
pipes - List Windows named pipes
env - View, add, remove environment variables
uptime - View the host's uptime
queue - Queue up commands for agents or groups, even if they are not known to the server
sessions and interact command from any menu
Build ID: 1aafa40023ba77346537035416a85742178a67fc
main.go to repository root for the Merlin server and removed the cmd directory altogether
Invoke-Merlin.ps1 and merlin.js from codebase completely
Build ID: 7ea5237b6d25a86e9308395666857305f1b42da7
nslookup command to execute a DNS query using native Go
load-assembly to load a .NET assembly into memory
invoke-assembly to execute a previously loaded .NET assembly
list-assemblies to list previously loaded .NET assemblies
memfd command to run Linux executables in-memory as an anonymous file
Build ID: 19bffe562021a44d7d9086b01247e21bfeea2155
windows/x64/go/exec/createProcess extended module with redirected STDOUT/STDERR over anonymous pipes
windows/x64/csharp/misc/SharpGen extended module that leverages SharpGen
execute-assembly, execute-pe, and sharpgen commands to Agent menu
jobs command to view created and sent jobs
clear command to remove any jobs that have not been sent to the agent
agent-windows-debug build target to enable viewing verbose and debug messages
shell command to actually use the operating system's default shell
cmd & shell commands to just use the run command which executes the program directly without a shell
cmd command from the Agents menu
Build ID: be117de982e568bca441e2b57ff4ed5739148f41
Build ID: 803c9861aa8c7f0318971d010d40937f80fa1458
https://127.0.0.1:443/news.php)
http, https, and h2c protocols
Build ID: 506ebc462fa040ff0a1b35004adc0cfdf0c88053