khyberspache
/ AzureInitialAccess.html
Created
September 9, 2022 15:17
Deploy payloads onto Azure VMs :)
View AzureInitialAccess.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <div id="plugin-header" class="profile-heading-container"> | |
| <div class="body"> | |
| <strong class="profile-heading">Initial access on Azure resources</strong> | |
| <p> | |
| Use Operator to get initial access on your Azure deployed resources. This will allow you deploy Pneuma (or PneumaEX for professional license holders) onto | |
| virtual machines running in Resource Groups on Microsoft Azure. | |
| </p> | |
| </div> | |
| </div> |
View iam_policy.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeImages", | |
| "ec2:DescribeInstances", |
khyberspache
/ hush_handle_api_task.js
Created
September 3, 2021 19:12
Example of hush handling an API task
View hush_handle_api_task.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if (task[0] === 'api') { | |
| if (task[2]) { | |
| try { | |
| task[2] = JSON.parse(task[2]); | |
| } catch (e) { | |
| throw new Error("Could not parse module params: "+e.toString()); | |
| } | |
| } | |
| return runModule(task[0], task[1], task[2] || null); | |
| } |
View hush_run.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function run(argv) { | |
| beacon = new Beacon((argv.length > 0) ? (argv[0] || argv) : 'http://localhost:3391', (argv.length > 1) ? argv[1] : 'http'); | |
| while (true) { | |
| try { | |
| let tasks = runModule('c2', beacon.contact, {beacon: beacon}); | |
| beacon.Links = tasks.map(task => executeTask(Object.assign(new Instruction(), task, {Pid: beacon.pid}))); | |
| } catch (e) { | |
| console.log(`Beacon failed. ${e}`) | |
| } | |
| console.log(`Sleeping for ${beacon.Sleep} seconds`); |
khyberspache
/ commands_windows_example.go
Created
September 3, 2021 18:39
Example CallNativeAPI implementation
View commands_windows_example.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package commands | |
| import ( | |
| "encoding/json" | |
| "log" | |
| "os" | |
| "syscall" | |
| "unsafe" | |
| ) |
View api_keyword.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| platforms: | |
| windows: | |
| keyword: | |
| command: api.ps |
khyberspache
/ clipboard_module_ideal.yml
Created
September 3, 2021 18:28
Example of what a good Keyword TTP would look like
View clipboard_module_ideal.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| platforms: | |
| darwin: | |
| keyword: | |
| command: collect.captureClipboard |
View clipboard_module.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 2897b095-3356-456f-876c-3103f91352ab | |
| metadata: | |
| version: 1 | |
| authors: | |
| - khyberspache | |
| tags: | |
| - thinktank | |
| name: Capture clipboard using a module | |
| description: | | |
| Installs a user-land clipboard capture binary and collects the clipboard every 30 seconds for 10 minutes. |
khyberspache
/ build.sh
Created
January 19, 2021 15:09
CGO build command for Windows DLL with 64-bit address ASLR and NX compatibility on
View build.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GOOS=windows CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 go build --buildmode=c-shared --ldflags='-s -w -X main.key="MYKEYISBESTKEY" -extldflags "-Wl,--nxcompat -Wl,--dynamicbase -Wl,--high-entropy-va"' -o payloads/pneuma.dll main.go; |
khyberspache
/ main.go
Created
January 19, 2021 15:08
Example main.go for pneuma to compile into a shared library with an exported function on Windows
View main.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //+build cgo | |
| package main | |
| import "C" | |
| import ( | |
| "flag" | |
| "github.com/preludeorg/pneuma/sockets" | |
| "github.com/preludeorg/pneuma/util" | |
| "log" |
NewerOlder