{"id":21230374,"url":"https://github.com/idov31/sandman","last_synced_at":"2025-04-04T05:09:06.186Z","repository":{"id":57706738,"uuid":"527181009","full_name":"Idov31/Sandman","owner":"Idov31","description":"Sandman is a NTP based backdoor for red team engagements in hardened networks.","archived":false,"fork":false,"pushed_at":"2024-03-31T17:40:15.000Z","size":272,"stargazers_count":785,"open_issues_count":0,"forks_count":107,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-03-28T04:16:33.554Z","etag":null,"topics":["backdoor","csharp","cybersecurity","infosec","python","red-team","red-team-tools","redteam","windows"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Idov31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-21T11:04:45.000Z","updated_at":"2025-03-24T00:52:24.000Z","dependencies_parsed_at":"2024-03-31T18:32:09.976Z","dependency_job_id":"ae6abc0e-ceab-48e8-99f1-3e7bc8f73a07","html_url":"https://github.com/Idov31/Sandman","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Idov31%2FSandman","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Idov31%2FSandman/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Idov31%2FSandman/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Idov31%2FSandman/manifests","owner_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/owners/Idov31","download_url":"https://codeload.github.com/Idov31/Sandman/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247123107,"owners_count":20887261,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","csharp","cybersecurity","infosec","python","red-team","red-team-tools","redteam","windows"],"created_at":"2024-11-20T23:37:42.403Z","updated_at":"2025-04-04T05:09:06.160Z","avatar_url":"https://github.com/Idov31.png","language":"C#","readme":"# Sandman\n\n![Image](https://img.shields.io/badge/C%23-239120?style=for-the-badge\u0026logo=c-sharp\u0026logoColor=white) ![image](https://img.shields.io/badge/Python-3776AB?style=for-the-badge\u0026logo=python\u0026logoColor=white) ![image](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge\u0026logo=windows\u0026logoColor=white)\n\nSandman is a backdoor that is meant to work on hardened networks during red team engagements.\n\nSandman works as a stager and leverages NTP (a protocol to sync time \u0026 date) to get and run an arbitrary **shellcode** from a pre-defined server.\n\nNTP is a protocol that is overlooked by many defenders, which results in wide network accessibility.\n\n## Usage\n\n![Sandman](images/sandman.png)\n\n### SandmanServer (Usage)\n\nRun on a Windows / *nix machine:\n\n```sh\npython3 sandman_server.py \"Network Adapter\" \"Payload Url\" \"optional: ip to spoof\"\n```\n\n- Network Adapter: The adapter that you want the server to listen on (for example, Ethernet for Windows, eth0 for *nix).\n\n- Payload Url: The URL to your shellcode; it could be your agent (for example, Cobalt Strike or Meterpreter) or another stager.\n\n- IP to Spoof: If you want to spoof a legitimate IP address (for example, time.microsoft.com's IP address).\n\n### SandmanBackdoor (Usage)\n\nTo start, compile the SandmanBackdoor as [mentioned below](#setup). Because it is a single lightweight C# executable, you can execute it via ExecuteAssembly, run it as an NTP provider, or just execute/inject it.\n\n### SandmanBackdoorTimeProvider (Usage)\n\nTo use it, follow these steps:\n\n- Add the following registry value:\n\n```bat\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient\" /v DllName /t REG_SZ /d \"C:\\Path\\To\\TheDll.dll\"\n```\n\n- Restart the w32time service:\n\n```bat\nsc stop w32time\nsc start w32time\n```\n\n**NOTE: Make sure you are compiling with the x64 option and not the Any CPU option!**\n\n## Capabilities\n\n- Getting and executing an arbitrary payload from an attacker-controlled server.\n\n- Can work on hardened networks, since NTP is usually allowed through firewalls.\n\n- Impersonating a legitimate NTP server via IP spoofing.\n\n## Setup\n\n### SandmanServer (Setup)\n\n- Python 3.9\n\n- The requirements are specified in the [requirements](/SandmanServer/requirements.txt) file.\n\n### SandmanBackdoor (Setup)\n\nTo compile the backdoor I used Visual Studio 2022, but as mentioned in the [usage section](#usage) it can be compiled with both VS2022 and CSC.\nYou can compile it either with the USE_SHELLCODE option to use Orca's shellcode, or without USE_SHELLCODE to use WebClient.\n\n### SandmanBackdoorTimeProvider (Setup)\n\nTo compile the backdoor I used Visual Studio 2022. You will also need to install [DllExport](https://github.com/3F/DllExport) (via NuGet or any other way) to compile it.\nYou can compile it either with the USE_SHELLCODE option to use Orca's shellcode, or without USE_SHELLCODE to use WebClient.\n\n## IOCs\n\n- A shellcode is injected into RuntimeBroker.\n\n- Suspicious NTP communication starts with a known magic header.\n\n- YARA rule.\n\n## Contributors\n\n- [Orca](https://github.com/ORCx41/) for the shellcode.\n\n- Special thanks to [Tim McGuffin](https://twitter.com/NotMedic) for the [time provider idea](https://twitter.com/NotMedic/status/1561354598744473601).\n\nThanks to those who already contributed. I'll happily accept contributions: make a pull request and I will review it!\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fidov31%2Fsandman","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fidov31%2Fsandman","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fidov31%2Fsandman/lists"}