shad0w: post exploitation framework
shad0w
SHAD0W is a modular C2 framework designed to successfully operate in mature environments.
It will use a range of methods to evade EDR and AV while allowing the operator to continue using tooling tradecraft they are familiar with. It’s powered by Python 3.8 and C, using Donut for payload generation. By using Donut alongside the process injection capabilities of SHAD0W it gives the operator the ability to execute .NET assemblies, EXEs, DLLs, VBS, JS, or XSLs fully inside the memory. Dynamically resolved syscalls are heavily used to avoid userland API hooking, anti-DLL injection to make it harder for EDR to load code into the beacons, and official Microsoft mitigation methods to protect spawn processes.
The main features of the SHAD0W C2 are:
- Built For Docker – It runs fully inside docker allowing cross-platform usage
- Live Proxy & Mirror – The C2 server is able to mirror any website in real-time, relaying all non C2 traffic to that site making it look less subject when viewed in a web browser
- HTTPS C2 Communication – All traffic between beacons and the C2 will be encrypted and transmitted over HTTPS
- Modern CLI – The CLI is built on prompt-toolkit
- JSON Based Protocol – Custom beacons are able to built and used easily with an easy to implement the protocol
- Extremely Modular – Easy to create new modules to interact and task beacons
The main features of SHAD0W beacons are:
- Shellcode, EXE, Powershell & More – Beacons can be generated and used in many different formats
- Process Injection – Allowing you to
migrate,shinject,dllinjectand more - Bypass AV – Payloads are frequently updated to evade common Anti-Virus products
- Highly configurable – Custom jitters, user agents and more
- Proxy Aware – All callbacks will use the current system proxy
- HTTPS C2 Communication – Traffic to and from the C2 is encrypted via HTTPS
Current Modules:
- GhostPack – With the binary compiled nightly via an Azure pipeline. Thanks to @Flangvik
- Unmanaged Powershell – With built-in AMSI bypass
- Ghost In The Logs – Disable ETW & Sysmon, more info can be found here
- Elevate – Built-in PrivEsc exploits
- SharpSocks – Reverse socks proxy over HTTPS
- SharpCollection – A ton of .NET offensive tools, more info can be found here
- Mimikatz – For all your credential theft needs
- Upload & Download – Easy data exfiltration
- StdAPI – Common commands to interact with the file system
Install
$ git clone https://github.com/bats3c/shad0w.git && cd shad0w
$ sudo ./shad0w install
Usage
Copyright (c) 2020 batsec
Source: https://github.com/bats3c/
