Petaq: Purple Team Command & Control Server
PetaQ is a malware which is being developed in .NET Core/Framework to use websockets as Command & Control (C2) channels. It’s designed to provide a Proof of Concept (PoC) websocket malware to the adversary simulation exercises (Red & Purple Team exercises).
I have used Petaq actively in my purple team exercises for my previous and current employers. Don’t consider it as a full replacement of your C2, but would enrich your toolkit, interactive environment or evasive actions. It’s not suitable for any production level use, but can be used for test purposes.
- Petaq Service – The Command & Control Service (.NET Core)
- Petaq Implant – The Malware (.NET Framework)
- Prepare scenarios and send them to implant to run
- TTP support for the scenarios to construct
- WebSocket through HTTP(S) (Implant to C2)
- SMB Named Pipe (Implant to Implant)
- TCP (Implant to Implant)
- UDP (Implant to Implant)
- Execute a process (cmd.exe, powershell.exe or your choice)
- Execute a PowerShell file/script using .NET System Automation
- Execute .NET assemblies from remote (no touching disk)
- Execute .NET source code from remote (no touching disk)
- Execute .NET source code like a .NET C# shell (no touching disk)
- Execute X86/X64 shellcode using QueueUserAPC with Parent PID spoofing
- All executions can also be a thread to avoid Petaq Implant to wait it finishing (e.g. execthread)
Multi-Level Linking Implants to Implants
- Implants can be linked to other implants pretty much like Cobalt Strike. This is supported on TCP, UDP and SMB Named Pipe.
- Up to 8 levels of linking worked well, and quite useful for lateral movement. However, I prefer to use TCP or UDP instead of SMB Named Pipe as its IO is not quite ready for multi-level implant communications.
- WMI W32 Create is preferred/integrated
- In case of variety required; it’s possible to use schtasks, sc, admin$ and powershell can be used through execthread command
Copyright (c) 2020 Fatih Ozavci