Petaq: Purple Team Command & Control Server

by do son ·

PetaQ

PetaQ is a malware which is being developed in .NET Core/Framework to use websockets as Command & Control (C2) channels. It’s designed to provide a Proof of Concept (PoC) websocket malware to the adversary simulation exercises (Red & Purple Team exercises).Petaq

I have used Petaq actively in my purple team exercises for my previous and current employers. Don’t consider it as a full replacement of your C2, but would enrich your toolkit, interactive environment or evasive actions. It’s not suitable for any production level use, but can be used for test purposes.

  • Petaq Service – The Command & Control Service (.NET Core)
  • Petaq Implant – The Malware (.NET Framework)

Features

Scenario Support

  • Prepare scenarios and send them to implant to run
  • TTP support for the scenarios to construct

Communications

  • WebSocket through HTTP(S) (Implant to C2)
  • SMB Named Pipe (Implant to Implant)
  • TCP (Implant to Implant)
  • UDP (Implant to Implant)

File Operations

  • Upload
  • Download

Execution

  • Execute a process (cmd.exe, powershell.exe or your choice)
  • Execute a PowerShell file/script using .NET System Automation
  • Execute .NET assemblies from remote (no touching disk)
  • Execute .NET source code from remote (no touching disk)
  • Execute .NET source code like a .NET C# shell (no touching disk)
  • Execute X86/X64 shellcode using QueueUserAPC with Parent PID spoofing
  • All executions can also be a thread to avoid Petaq Implant to wait it finishing (e.g. execthread)

Multi-Level Linking Implants to Implants

  • Implants can be linked to other implants pretty much like Cobalt Strike. This is supported on TCP, UDP and SMB Named Pipe.
  • Up to 8 levels of linking worked well, and quite useful for lateral movement. However, I prefer to use TCP or UDP instead of SMB Named Pipe as its IO is not quite ready for multi-level implant communications.

Lateral Movement

  • WMI W32 Create is preferred/integrated
  • In case of variety required; it’s possible to use schtasks, sc, admin$ and powershell can be used through execthread command

Install & Use

Copyright (c) 2020 Fatih Ozavci