The Post Exploitation Module
Last updated
We have taken the approach of decoupling tools from the main beacon for numerous reasons, including our long-term plans for extended logical attacks against XDRs and MDR teams. Read more about our approach in the link below:
We also aim to move the following actions out of the beacon process and into the post-exploitation modules, so that each action can eventually be split into numerous components running on numerous hosts:
We will outline our further plans and development pipeline here in due course.
We have implemented six tools so far, those we believe have the most utility for rapid Red Team domain escalation and bee-lining to target systems, into our first Post Exploitation module. Like the implants, the module is uniquely generated on each deployment via the API, can be given any name, and can be deployed into any folder.
Sharpview
Rubeus
Sharpsniper
Certify
SharpDomainSpray
Sigwhatever
The post-exploitation module is similar to the implants in that it is also generated using an alpha version of the MalwareGAN. It will incorporate much more to come around dynamic evasion, both against single systems from a single host, and in more complex attacks that use multiple deployed modules on separate hosts working in parallel to evade numerous automated and human threat-hunting tools, NDRs, XDRs and MDR teams.
E5 Defender    ✔            in Progress
Sophos EDR     ✔            ✔
CrowdStrike    Untested     Untested
E5 Sentinel    in Progress
ETC            in Progress
ETC            in Progress
To deploy the post-exploitation module, use the deploy module -d PATH_TO_DEPLOY command.
After the module is deployed, you can use the tools inside it with their own commands.
To determine the location set for the module in the agent, use the get module path command.
If you already have a module deployed on the victim's computer, use the set module path -d MODULE_PATH command to tell the agent where to locate the module.