Skip to content

Security: akefallonitis/larac2shell

Security

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you have found a security issue in LaraC2 Shell, please report it privately. Do not open a public issue.

Please include:

  • Affected version / commit SHA
  • Reproduction steps or proof-of-concept
  • Impact assessment (what an attacker could do)
  • Any suggested remediation

You can expect an acknowledgement within 72 hours and a remediation plan (fix, workaround, or coordinated disclosure timeline) within 14 days of initial contact.

Scope

In scope:

  • Authentication bypass or credential mishandling in the shell itself
  • Injection flaws in command construction, B64 encoding, or library upload paths
  • Improper handling of user-supplied data that could compromise the operator
  • Dependency vulnerabilities affecting shell/ runtime behaviour

Out of scope:

  • MDE API behaviour or Microsoft service vulnerabilities — report those to MSRC
  • Misuse of the tool by an authorised operator against their own tenant (this is the tool's intended purpose, per DISCLAIMER.md)
  • Rate-limit evasion, since the framework intentionally respects MDE's documented limits

Supported versions

Only the latest commit on main is supported. This is a single-branch project distributed via git clone; there are no tagged releases at this time.

Credential handling notes

These are not vulnerabilities — they are documented design trade-offs. Operators should review them before choosing an auth method.

  • Internal auth method 1 (Credentials + TOTP) retains the supplied username, password, and TOTP secret in-memory (inside $script:Int_ReauthParams) for the lifetime of the shell process. This is required for silent re-auth when the portal sccauth cookie expires (~1 hr). The values are never written to disk or passed on the command line, but they are resident in the PowerShell runspace. For stronger isolation, prefer method 2 (passkey / Azure Key Vault HSM) or method 7 (client credentials with a config-file secret).
  • Config files containing clientSecret should have their filesystem permissions restricted. The shell does not enforce or check this.
  • PSReadLine history is disabled (HistorySaveStyle = SaveNothing) while the shell is running, so commands typed at the [API ...]> prompt are not persisted to the history file. History from other PowerShell sessions is unaffected.
  • No secrets on CLI: the shell never accepts secrets via command-line arguments. Secrets come from config files or interactive prompts only.

Acknowledgements

Security researchers who report valid issues will be credited in release notes unless they request otherwise.

There aren't any published security advisories