khyberspache
/ AzureInitialAccess.html
Created
September 9, 2022 15:17
Deploy payloads onto Azure VMs :)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <div id="plugin-header" class="profile-heading-container"> | |
| <div class="body"> | |
| <strong class="profile-heading">Initial access on Azure resources</strong> | |
| <p> | |
| Use Operator to get initial access on your Azure deployed resources. This will allow you deploy Pneuma (or PneumaEX for professional license holders) onto | |
| virtual machines running in Resource Groups on Microsoft Azure. | |
| </p> | |
| </div> | |
| </div> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeImages", | |
| "ec2:DescribeInstances", |
khyberspache
/ hush_handle_api_task.js
Created
September 3, 2021 19:12
Example of hush handling an API task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if (task[0] === 'api') { | |
| if (task[2]) { | |
| try { | |
| task[2] = JSON.parse(task[2]); | |
| } catch (e) { | |
| throw new Error("Could not parse module params: "+e.toString()); | |
| } | |
| } | |
| return runModule(task[0], task[1], task[2] || null); | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function run(argv) { | |
| beacon = new Beacon((argv.length > 0) ? (argv[0] || argv) : 'http://localhost:3391', (argv.length > 1) ? argv[1] : 'http'); | |
| while (true) { | |
| try { | |
| let tasks = runModule('c2', beacon.contact, {beacon: beacon}); | |
| beacon.Links = tasks.map(task => executeTask(Object.assign(new Instruction(), task, {Pid: beacon.pid}))); | |
| } catch (e) { | |
| console.log(`Beacon failed. ${e}`) | |
| } | |
| console.log(`Sleeping for ${beacon.Sleep} seconds`); |
khyberspache
/ commands_windows_example.go
Created
September 3, 2021 18:39
Example CallNativeAPI implementation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package commands | |
| import ( | |
| "encoding/json" | |
| "log" | |
| "os" | |
| "syscall" | |
| "unsafe" | |
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| platforms: | |
| windows: | |
| keyword: | |
| command: api.ps |
khyberspache
/ clipboard_module_ideal.yml
Created
September 3, 2021 18:28
Example of what a good Keyword TTP would look like
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| platforms: | |
| darwin: | |
| keyword: | |
| command: collect.captureClipboard |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 2897b095-3356-456f-876c-3103f91352ab | |
| metadata: | |
| version: 1 | |
| authors: | |
| - khyberspache | |
| tags: | |
| - thinktank | |
| name: Capture clipboard using a module | |
| description: | | |
| Installs a user-land clipboard capture binary and collects the clipboard every 30 seconds for 10 minutes. |
khyberspache
/ build.sh
Created
January 19, 2021 15:09
CGO build command for Windows DLL with 64-bit address ASLR and NX compatibility on
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GOOS=windows CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 go build --buildmode=c-shared --ldflags='-s -w -X main.key="MYKEYISBESTKEY" -extldflags "-Wl,--nxcompat -Wl,--dynamicbase -Wl,--high-entropy-va"' -o payloads/pneuma.dll main.go; |
khyberspache
/ main.go
Created
January 19, 2021 15:08
Example main.go for pneuma to compile into a shared library with an exported function on Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //+build cgo | |
| package main | |
| import "C" | |
| import ( | |
| "flag" | |
| "github.com/preludeorg/pneuma/sockets" | |
| "github.com/preludeorg/pneuma/util" | |
| "log" |
NewerOlder