
Golang C2 Server and Agents using XMT (https://github.com/iDigitalFlame/xmt)

Primary language: Python. Repository license: GNU Affero General Public License v3.0 (AGPL-3.0)

The ThunderStorm Project

License: GPL v3



Golang Full C2 Solution using XMT

ThunderStorm is made up of multiple components that work together.

Documentation repository is live with new stuff, including:

Cirrus

I smell a storm coming

Cirrus is a ReST cradle for XMT and acts as the primary "teamserver". This can be used to control and task Bolts (implants).

Cirrus will automatically capture Jobs and new Bolts and has a websocket interface that can be used to get quick up-to-date information on what's happening.

ReST documentation is in progress (I swear!)

Bolt

Sometimes lightning does strike twice

A Bolt is a basic implant that can be used on any client device. Bolts can be built in multiple modes and will initially talk to the C2 with whatever their built-in Profile is.

Bolts can be customized to run as services/daemons or as DLLs.

JetStream

Fly Forward, Fast

JetStream is a compact, complex Bolt builder engine. JetStream is able to create new Bolts for many different platforms (including Windows DLLs) and can obfuscate, encrypt, sign and pack binaries easily.

CloudSeed

Let it Pour

CloudSeed complements JetStream and is able to build Bolts and Flurries in batches. Using JetStream, CloudSeed can build hundreds of instances ready to be deployed.

It's OUR answer to Defense-in-Depth.

Flurry

Just layer it on

Flurry (formerly Launcher) taps into the Guardian function of XMT and can automatically resurrect a killed or crashed Bolt in a different process. It relies on a configured Guardian type and a list of stored filesystem paths (or URLs!) from which to fetch a Bolt.

Doppler

You gotta find the eye of the Storm to know where the action is

Doppler is a Python frontend CLI that can be used to interact with Cirrus. Doppler supports multiple users at once (it can be run multiple times) and uses the Cirrus websocket to get real-time data on Jobs and Bolts.

The command layout is similar to the PowerShell Empire format (except that exiting the shell doesn't kill the server). Doppler will automatically manage file paths for you (for downloads, uploads, shellcode) and can manage multiple Bolts.

Doppler can take command-line arguments, environment variables or even a config file!

The layout of the config file with the matching env and arguments is below:

{
    "cirrus": "http://localhost:7777", // env:DOPPLER_HOST args:[-a, --api]
    "cirrus_password": "<password>", // env:DOPPLER_PW args:[-p, --password]
    "default_exec": true, // env:DOPPLER_NO_EMPTY args:[-N, --no-empty]
    "default_asm": "<path_to_asm_file>", // env:DOPPLER_ASM args:[-A, --asm]
    "default_dll": "<path_to_dll_file>", // env:DOPPLER_DLL args:[-D, --dll]
    "default_pipe": "<migrate_spawn_pipe_name>" // env:DOPPLER_PIPE args:[-P, --pipe]
}

Actual JSON config file:

{
    "cirrus": "http://localhost:7777",
    "cirrus_password": "<password>",
    "default_exec": true,
    "default_asm": "<path_to_asm_file>",
    "default_dll": "<path_to_dll_file>",
    "default_pipe": "<migrate_spawn_pipe_name>"
}
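The README lists three places a Doppler setting can come from but does not say which wins when they disagree, or what to watch for before the first connection to Cirrus. The following is an added example, not Doppler's own loader: it reconstructs the documented key/env/flag mapping, merges the three sources under an assumed precedence (CLI flag over environment variable over config file over built-in default), and then checks the effective settings for the mistakes that matter operationally (plain HTTP to a non-loopback Cirrus, an empty password, a password-bearing config file readable by other users). The precedence order, the boolean parsing of `DOPPLER_NO_EMPTY`, and the built-in defaults are assumptions for illustration; the flag `--asm` is read from the layout above.

```python
"""Added example (not Doppler's own code): merge Doppler-style settings from a
config file, environment variables and command-line flags, then sanity-check
the result before it is used to reach Cirrus.

Assumptions, not statements about Doppler:
  * precedence is CLI flag > environment variable > config file > built-in default;
  * "default_exec" is a boolean; env values "1", "true", "yes", "on" mean true;
  * DEFAULTS below are illustrative (only the Cirrus URL mirrors the README sample).
"""
import argparse
import json
import stat
from typing import Dict, List, Mapping, Optional, Tuple
from urllib.parse import urlparse

# (config key, env var, CLI flags) as listed in the README layout.
SETTINGS: List[Tuple[str, str, Tuple[str, str]]] = [
    ("cirrus", "DOPPLER_HOST", ("-a", "--api")),
    ("cirrus_password", "DOPPLER_PW", ("-p", "--password")),
    ("default_exec", "DOPPLER_NO_EMPTY", ("-N", "--no-empty")),
    ("default_asm", "DOPPLER_ASM", ("-A", "--asm")),
    ("default_dll", "DOPPLER_DLL", ("-D", "--dll")),
    ("default_pipe", "DOPPLER_PIPE", ("-P", "--pipe")),
]
BOOL_KEYS = {"default_exec"}

DEFAULTS: Dict[str, object] = {  # assumed defaults for the example
    "cirrus": "http://localhost:7777",
    "cirrus_password": "",
    "default_exec": False,
    "default_asm": "",
    "default_dll": "",
    "default_pipe": "",
}


def _build_parser() -> argparse.ArgumentParser:
    """Flags from SETTINGS; default=None so 'not supplied' is distinguishable."""
    parser = argparse.ArgumentParser(prog="doppler-config-example", add_help=False)
    for key, _env, flags in SETTINGS:
        if key in BOOL_KEYS:
            parser.add_argument(*flags, dest=key, action="store_true", default=None)
        else:
            parser.add_argument(*flags, dest=key, default=None)
    return parser


def _to_bool(value: object) -> bool:
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def resolve(argv: List[str], env: Mapping[str, str],
            config_text: Optional[str] = None) -> Dict[str, object]:
    """Merge the three sources; later layers overwrite earlier ones."""
    settings = dict(DEFAULTS)

    # Layer 1: config file. It must be real JSON; the commented layout in the
    # README is documentation, not a loadable file.
    if config_text:
        file_values = json.loads(config_text)
        unknown = set(file_values) - set(DEFAULTS)
        if unknown:
            raise ValueError(f"unknown config keys: {sorted(unknown)}")
        settings.update(file_values)

    # Layer 2: environment variables.
    for key, env_name, _flags in SETTINGS:
        if env_name in env:
            settings[key] = env[env_name]

    # Layer 3: command-line flags, but only the ones actually given.
    for key, value in vars(_build_parser().parse_args(argv)).items():
        if value is not None:
            settings[key] = value

    for key in BOOL_KEYS:
        settings[key] = _to_bool(settings[key])
    return settings


def check(settings: Mapping[str, object], config_mode: Optional[int] = None) -> List[str]:
    """Operator-facing warnings; an empty list means nothing obvious is wrong."""
    warnings: List[str] = []
    url = urlparse(str(settings["cirrus"]))
    loopback = url.hostname in {"localhost", "127.0.0.1", "::1"}
    if url.scheme == "http" and not loopback:
        warnings.append(f"Cirrus URL {settings['cirrus']} is plain HTTP to a remote host: "
                        "the password and all tasking data cross the wire in clear text")
    if url.scheme not in {"http", "https"}:
        warnings.append(f"unsupported Cirrus URL scheme {url.scheme!r}")
    if not settings["cirrus_password"]:
        warnings.append("cirrus_password is empty")
    if config_mode is not None and config_mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append("config file is readable by group/others but holds the Cirrus password")
    return warnings


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment values.
    sample_file = json.dumps({"cirrus": "http://localhost:7777",
                              "cirrus_password": "file-secret", "default_exec": True})
    effective = resolve(["-a", "https://10.10.0.5:7777"], {"DOPPLER_PW": "env-secret"}, sample_file)
    print(effective)
    for warning in check(effective, config_mode=0o644):
        print("WARNING:", warning)
```

Pass the config file's mode bits (`os.stat(path).st_mode`) to `check` when loading from disk; with the sample above, the CLI URL beats the file's loopback URL, the environment password beats the file's, and the only remaining warning is the 0o644 file mode.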

TODOs:

Updated 02/24/23

  • Write Cirrus API documentation
  • WC2 Setup / Config API
  • Interactive way to create Profiles

DISCLAIMER: Please use for legal reasons only. I'm not responsible if you get in trouble for using this improperly or if someone owns your environment and is using ThunderStorm (or a derivative of it).
