Working from the Immaterium

Alex khyberspache

@khyberspache
khyberspache / AzureInitialAccess.html
Created September 9, 2022 15:17
Deploy payloads onto Azure VMs :)
View AzureInitialAccess.html
<div id="plugin-header" class="profile-heading-container">
<div class="body">
<strong class="profile-heading">Initial access on Azure resources</strong>
<p>
Use Operator to get initial access on your Azure-deployed resources. This will allow you to deploy Pneuma (or PneumaEX for professional license holders) onto
virtual machines running in Resource Groups on Microsoft Azure.
</p>
</div>
</div>
@khyberspache
khyberspache / iam_policy.json
Created October 25, 2021 02:33
Simple Prelude EC2 IAM Policy
View iam_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
@khyberspache
khyberspache / hush_handle_api_task.js
Created September 3, 2021 19:12
Example of hush handling an API task
View hush_handle_api_task.js
if (task[0] === 'api') {
if (task[2]) {
try {
task[2] = JSON.parse(task[2]);
} catch (e) {
throw new Error("Could not parse module params: "+e.toString());
}
}
return runModule(task[0], task[1], task[2] || null);
}
@khyberspache
khyberspache / hush_run.js
Created September 3, 2021 18:54
Hush agent's main event loop
View hush_run.js
function run(argv) {
beacon = new Beacon((argv.length > 0) ? (argv[0] || argv) : 'http://localhost:3391', (argv.length > 1) ? argv[1] : 'http');
while (true) {
try {
let tasks = runModule('c2', beacon.contact, {beacon: beacon});
beacon.Links = tasks.map(task => executeTask(Object.assign(new Instruction(), task, {Pid: beacon.pid})));
} catch (e) {
console.log(`Beacon failed. ${e}`)
}
console.log(`Sleeping for ${beacon.Sleep} seconds`);
@khyberspache
khyberspache / commands_windows_example.go
Created September 3, 2021 18:39
Example CallNativeAPI implementation
View commands_windows_example.go
package commands
import (
"encoding/json"
"log"
"os"
"syscall"
"unsafe"
)
@khyberspache
khyberspache / api_keyword.yml
Created September 3, 2021 18:36
API keyword example
View api_keyword.yml
platforms:
windows:
keyword:
command: api.ps
@khyberspache
khyberspache / clipboard_module_ideal.yml
Created September 3, 2021 18:28
Example of what a good Keyword TTP would look like
View clipboard_module_ideal.yml
platforms:
darwin:
keyword:
command: collect.captureClipboard
@khyberspache
khyberspache / clipboard_module.yml
Last active September 3, 2021 18:35
Example PneumaEX module TTP
View clipboard_module.yml
id: 2897b095-3356-456f-876c-3103f91352ab
metadata:
version: 1
authors:
- khyberspache
tags:
- thinktank
name: Capture clipboard using a module
description: |
Installs a user-land clipboard capture binary and collects the clipboard every 30 seconds for 10 minutes.
@khyberspache
khyberspache / build.sh
Created January 19, 2021 15:09
CGO build command for Windows DLL with 64-bit address ASLR and NX compatibility on
View build.sh
GOOS=windows CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 go build --buildmode=c-shared --ldflags='-s -w -X main.key="MYKEYISBESTKEY" -extldflags "-Wl,--nxcompat -Wl,--dynamicbase -Wl,--high-entropy-va"' -o payloads/pneuma.dll main.go;
@khyberspache
khyberspache / main.go
Created January 19, 2021 15:08
Example main.go for pneuma to compile into a shared library with an exported function on Windows
View main.go
//+build cgo
package main
import "C"
import (
"flag"
"github.com/preludeorg/pneuma/sockets"
"github.com/preludeorg/pneuma/util"
"log"