Golang Full C2 Solution using XMT
ThunderStorm is made up of multiple components that work together.
Documentation repository is live with new stuff, including:
- The Quickstart Guide!
- Bolt Console Command Line Reference guide.
- Data Identifiers Reference guide.
I smell a storm comming
Cirrus is a ReST cradle for XMT and acts as the primary "teamserver". This can be used to control and task Bolts (implants).
Cirrus will automatically capture Jobs and new Bolts and has a websocket interface that can be used to get quick up-to-date information on what's happening.
ReST documentation is in progress (I swear!)
Sometimes lighting does strike twice
A Bolt is a basic implant that can be used on any client device. Bolts can be built in multiple modes and will initially talk to the C2 with whatever their built-in Profile is.
Bolts can be customized to run as services/daemons or as DLLs.
Fly Forward, Fast
JetStream is a compact, complex Bolt builder engine. JetStream is able to create new Bolts for many different platforms (including Windows DLLs) and can obfuscate, encrypt, sign and pack binaries easily.
Let it Pour
CloudSeed complements JetStream and is able to build Bolts and Flurries in batches. Using JetStream, CloudSeed can build hundreds of instances ready to be deployed.
It's OUR answer to Defense-in-Depth.
Just layer it on
Flurry (old name Launcher) taps into the Guardian function of XMT and can automatically resurrect a killed or crashed Bolt in a dirrent process. These rely on a configured Guardian type and a list of stored filesystem paths (or URLS!) to get a Bolt from.
You gotta find the eye of the Storm to know where the action is
Doppler is a Python frontend CLI that can be used to interact with Cirrus. Doppler supports multiple users at once (it can be ran multiple times) and uses the Cirrus websocket to get real time data on Jobs and Bolts.
The layout of how commands works is similar to the PowerShell Empire format. (Except exiting the shell doesn't kill the server). Doppler will automatically manage filepaths for you (for downloads, uploads, shellcode) and can manage multiple Bolts
Doppler can take command line arguments, environment variables or event a config file!
The layout of the config file with the matching env and arguments is below:
{
"cirrus": "http://localhost:7777", // env:DOPPLER_HOST args:[-a, --api]
"cirrus_password": "<password>", //env:DOPPLER_PW args:[-p, --password]
"default_exec": true, // env:DOPPLER_NO_EMPTY args:[-N, ==no-empty]
"default_asm": "<path_to_asm_file>", // env:DOPPLER_ASM args:[-A, --as,]
"default_dll": "<path_to_dll_file>", // env:DOPPLER_DLL args:[-D, --dll]
"default_pipe": "<migrate_spawn_pipe_name>" // env:DOPPLER_PIPE args:[-P, --pipe]
}
Actual JSON config file:
{
"cirrus": "http://localhost:7777",
"cirrus_password": "<password>",
"default_exec": true,
"default_asm": "<path_to_asm_file>",
"default_dll": "<path_to_dll_file>",
"default_pipe": "<migrate_spawn_pipe_name>"
}
Updated 02/24/23
- Write Cirrus API documentation
- WC2 Setup / Config API
- Interactive way to create Profiles
DISCLAIMER: Please use for legal reasons only. I'm not responsible if you get in trouble for using this improperly or if someone owns your environment and is using ThunderStorm (or a derivative of it).