Locked shad0w: post exploitation framework

[itsMe]

This is the hidden content, please

• Sign In
• or
• Sign Up

SHAD0W is a modular C2 framework designed to successfully operate in mature environments.

It will use a range of methods to evade EDR and AV while allowing the operator to continue using tooling tradecraft they are familiar with. It’s powered by Python 3.8 and C, using Donut for payload generation. By using Donut alongside the process injection capabilities of SHAD0W it gives the operator the ability to execute .NET assemblies, EXEs, DLLs, VBS, JS, or XSLs fully inside the memory. Dynamically resolved syscalls are heavily used to avoid userland API hooking, anti-DLL injection to make it harder for EDR to load code into the beacons, and official Microsoft mitigation methods to protect spawn processes.

The main features of the SHAD0W C2 are:

    Built For Docker – It runs fully inside docker allowing cross-platform usage
    Live Proxy & Mirror – The C2 server is able to mirror any website in real-time, relaying all non C2 traffic to that site making it look less subject when viewed in a web browser
    HTTPS C2 Communication – All traffic between beacons and the C2 will be encrypted and transmitted over HTTPS
    Modern CLI – The CLI is built on prompt-toolkit
    JSON Based Protocol – Custom beacons are able to built and used easily with an easy to implement the protocol
    Extremely Modular – Easy to create new modules to interact and task beacons

The main features of SHAD0W beacons are:

    Shellcode, EXE, Powershell & More – Beacons can be generated and used in many different formats
    Process Injection – Allowing you to migrate, shinject, dllinject and more
    Bypass AV – Payloads are frequently updated to evade common Anti-Virus products
    Highly configurable – Custom jitters, user agents and more
    Proxy Aware – All callbacks will use the current system proxy
    HTTPS C2 Communication – Traffic to and from the C2 is encrypted via HTTPS

Current Modules:

    GhostPack – With the binary compiled nightly via an Azure pipeline. Thanks to @Flangvik
    Unmanaged Powershell – With built-in AMSI bypass
    Ghost In The Logs – Disable ETW & Sysmon, more info can be found here
    Elevate – Built-in PrivEsc exploits
    SharpSocks – Reverse socks proxy over HTTPS
    SharpCollection – A ton of .NET offensive tools, more info can be found here
    Mimikatz – For all your credential theft needs
    Upload & Download – Easy data exfiltration
    StdAPI – Common commands to interact with the file system

This is the hidden content, please

• Sign In
• or
• Sign Up