The ThunderStorm Project
Golang Full C2 Solution using XMT
ThunderStorm is made up of multiple components that work together.
Documentation repository is live with new stuff, including:
Cirrus
I smell a storm coming
Cirrus is a ReST cradle for XMT and acts as the primary "teamserver". This can
be used to control and task Bolts (implants).
Cirrus will automatically capture Jobs and new Bolts and has a websocket interface
that can be used to get quick up-to-date information on what's happening.
ReST documentation is in progress (I swear!)
Bolt
Sometimes lightning does strike twice
A Bolt is a basic implant that can be used on any client device. Bolts can be
built in multiple modes and will initially talk to the C2 with whatever their
built-in Profile is.
Bolts can be customized to run as services/daemons or as DLLs.
JetStream
Fly Forward, Fast
JetStream is a compact, complex Bolt builder engine. JetStream is able to create
new Bolts for many different platforms (including Windows DLLs) and can obfuscate,
encrypt, sign and pack binaries easily.
CloudSeed
Let it Pour
CloudSeed complements JetStream and is able to build Bolts and Flurries in batches.
Using JetStream, CloudSeed can build hundreds of instances ready to be deployed.
It's OUR answer to Defense-in-Depth.
Flurry
Just layer it on
Flurry (formerly named Launcher) taps into the Guardian function of XMT and can automatically
resurrect a killed or crashed Bolt in a different process. Flurries rely on a configured Guardian
type and a list of stored filesystem paths (or URLs!) to get a Bolt from.
Doppler
You gotta find the eye of the Storm to know where the action is
Doppler is a Python frontend CLI that can be used to interact with Cirrus. Doppler
supports multiple users at once (it can be run multiple times) and uses the Cirrus
websocket to get real-time data on Jobs and Bolts.
The command layout is similar to the PowerShell Empire format (except that
exiting the shell doesn't kill the server). Doppler will automatically manage
file paths for you (for downloads, uploads, shellcode) and can manage multiple Bolts.
Doppler can take command line arguments, environment variables or even a config file!
The layout of the config file with the matching env and arguments is below:
{
"cirrus": "http://localhost:7777", // env:DOPPLER_HOST args:[-a, --api]
"cirrus_password": "<password>", // env:DOPPLER_PW args:[-p, --password]
"default_exec": true, // env:DOPPLER_NO_EMPTY args:[-N, --no-empty]
"default_asm": "<path_to_asm_file>", // env:DOPPLER_ASM args:[-A, --asm]
"default_dll": "<path_to_dll_file>", // env:DOPPLER_DLL args:[-D, --dll]
"default_pipe": "<migrate_spawn_pipe_name>" // env:DOPPLER_PIPE args:[-P, --pipe]
}
Actual JSON config file:
{
"cirrus": "http://localhost:7777",
"cirrus_password": "<password>",
"default_exec": true,
"default_asm": "<path_to_asm_file>",
"default_dll": "<path_to_dll_file>",
"default_pipe": "<migrate_spawn_pipe_name>"
}
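The README lists three ways to supply each Doppler setting (config file key, environment variable, command line flag) but does not say how they combine. The loader below is an added example, not Doppler's own code, showing one way to merge the three sources with a single precedence rule and to validate the result before it is used. The precedence (command line over environment over config file), the "--asm" spelling of the -A flag, the accepted boolean spellings for DOPPLER_NO_EMPTY, the "false" default for default_exec, and the sample config text are all assumptions made for the example.

```python
import argparse
import json
import os
import sys
from typing import Any, Dict, List, Optional
from urllib.parse import urlparse

# Config key -> (environment variable, argparse destination), taken from the README table.
# Precedence is ASSUMED (the README does not state it): command line > environment > file.
FIELDS = {
    "cirrus":          ("DOPPLER_HOST",     "api"),
    "cirrus_password": ("DOPPLER_PW",       "password"),
    "default_exec":    ("DOPPLER_NO_EMPTY", "no_empty"),
    "default_asm":     ("DOPPLER_ASM",      "asm"),
    "default_dll":     ("DOPPLER_DLL",      "dll"),
    "default_pipe":    ("DOPPLER_PIPE",     "pipe"),
}

# Constructed sample config, mirroring the README's "actual JSON config file" shape.
SAMPLE_CONFIG = json.dumps({
    "cirrus": "http://localhost:7777",
    "cirrus_password": "<password>",
    "default_exec": True,
})


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="doppler", add_help=False)
    p.add_argument("-a", "--api", dest="api")
    p.add_argument("-p", "--password", dest="password")
    # store_true with default=None so "flag not given" differs from "explicitly false".
    p.add_argument("-N", "--no-empty", dest="no_empty", action="store_true", default=None)
    p.add_argument("-A", "--asm", dest="asm")   # "--asm" is assumed; the README entry is truncated
    p.add_argument("-D", "--dll", dest="dll")
    p.add_argument("-P", "--pipe", dest="pipe")
    return p


def parse_env_bool(text: str) -> bool:
    """Accepted spellings for a boolean environment variable (assumed set)."""
    t = text.strip().lower()
    if t in ("1", "true", "yes", "on"):
        return True
    if t in ("0", "false", "no", "off"):
        return False
    raise ValueError(f"not a boolean: {text!r}")


def load_config(file_text: Optional[str], env: Dict[str, str], argv: List[str]) -> Dict[str, Any]:
    """Merge file, environment and argv; return values plus where each one came from."""
    values: Dict[str, Any] = {k: None for k in FIELDS}
    sources = {k: "unset" for k in FIELDS}

    # Lowest precedence: the JSON config file (the uncommented form from the README).
    if file_text:
        data = json.loads(file_text)
        for key in FIELDS:
            if key in data:
                values[key], sources[key] = data[key], "file"

    # Middle: environment variables; default_exec is the only boolean field.
    for key, (var, _) in FIELDS.items():
        if var in env:
            raw = env[var]
            values[key] = parse_env_bool(raw) if key == "default_exec" else raw
            sources[key] = "env"

    # Highest: command line flags; only flags actually given override anything.
    ns = build_parser().parse_args(argv)
    for key, (_, dest) in FIELDS.items():
        v = getattr(ns, dest)
        if v is not None:
            values[key], sources[key] = v, "args"

    # Validate before handing the settings to anything that would use them.
    if not values["cirrus"]:
        raise ValueError("cirrus URL is required (file key, DOPPLER_HOST or -a/--api)")
    u = urlparse(values["cirrus"])
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError(f"cirrus must be an http(s) URL with a host, got {values['cirrus']!r}")
    if values["cirrus_password"] in (None, ""):
        raise ValueError("cirrus_password is required (file key, DOPPLER_PW or -p/--password)")
    if values["default_exec"] is None:
        values["default_exec"] = False  # assumed default when no source sets it

    values["_sources"] = sources
    return values


if __name__ == "__main__":
    # Stand-alone demo: sample file text, the real environment, and real argv.
    cfg = load_config(SAMPLE_CONFIG, dict(os.environ), sys.argv[1:])
    for key in FIELDS:
        shown = "***" if key == "cirrus_password" else cfg[key]
        print(f"{key:16} = {shown!r:40} (from {cfg['_sources'][key]})")
```

Recording the source of each value is the part worth keeping: when a setting resolves to something unexpected, the `_sources` map tells you which of the three inputs won without re-reading all of them. Printing the password as `***` in the demo keeps the merged result safe to paste into a bug report.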
TODOs:
Updated 11/18/22
- Write Cirrus API documentation