JXA Modules

Deploy a script that dynamically resolves various implant modules, and automatically resolve and install an HTTP C2 module. At runtime, tasks are sent to the agent, which resolves any missing modules, installs them, and runs both shell and keyword-based TTPs.

Use JavaScript for Automation (JXA) to create a simple script that can dynamically resolve dependencies at runtime and automatically install any that are missing.

The new agent, Hush, implements three kinds of modules: C2 modules, API modules, and Shell modules. C2 modules allow the agent to dynamically install and swap the current C2 channel. API modules enable TTPs that directly call APIs on macOS. Shell modules enable the agent to run TTPs inside shell environments.

The updated chain includes the ability to capture screenshots, record system audio, discover Dylib hijack opportunities, run a subprocess, run shell commands, ingress various payloads, and install a plist persistence mechanism.
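As an added example (not code from the Prelude chain or the Hush agent), here is the defender's counterpart to the plist persistence step: an audit of per-user LaunchAgent plists for jobs that hand a script to osascript's JavaScript (JXA) interpreter. It assumes the usual ~/Library/LaunchAgents location; the sample plist is constructed for the demo.

```python
import plistlib
from pathlib import Path

# Constructed sample: a LaunchAgent that runs a JXA file at login and keeps it alive.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/osascript</string><string>-l</string>
         <string>JavaScript</string><string>/Users/alice/.cache/agent.js</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

def jxa_indicators(job: dict) -> list:
    """Return the reasons a parsed launchd job looks like JXA-based persistence."""
    args = job.get("ProgramArguments") or []
    if not args and job.get("Program"):
        args = [job["Program"]]
    reasons = []
    if any(str(a).endswith("osascript") for a in args):
        reasons.append("runs osascript")
        if "-l" in args and "JavaScript" in args:
            reasons.append("interpreter language is JavaScript (JXA)")
    if any(str(a).endswith(".js") for a in args):
        reasons.append("argument references a .js file")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive both set")
    return reasons

def scan_plist_bytes(data: bytes) -> dict:
    """Parse one plist and report its label plus any indicators found."""
    job = plistlib.loads(data)
    return {"label": job.get("Label"), "reasons": jxa_indicators(job)}

def scan_launch_agents(home: Path = Path.home()) -> list:
    """Walk the user's LaunchAgents directory (assumed location) and report suspicious jobs."""
    findings = []
    for p in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        try:
            result = scan_plist_bytes(p.read_bytes())
        except Exception as exc:  # malformed plist: report it rather than skip it
            result = {"label": p.name, "reasons": ["unparseable plist: %s" % exc]}
        if result["reasons"]:
            findings.append({"path": str(p), **result})
    return findings

if __name__ == "__main__":
    print(scan_plist_bytes(SAMPLE_PLIST))
    for finding in scan_launch_agents():
        print(finding)
```

A single indicator (a .js argument, say) is weak on its own; the combination of osascript, the JavaScript language flag and RunAtLoad/KeepAlive is what merits a closer look at the referenced script.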

This chain includes the following resources:

TTPs
  • Print working directory using API calls
  • Run a subprocess with NSTask
  • Record room audio using microphone
  • Grab a screenshot via API
  • Discover weak Dylib loads with missing Dylibs
  • Install a Hush current user plist persistence
  • Install a payload request module
  • Install an HTTP C2 module
  • Install and test a shell execution module
Supported platforms
  • darwin
Supported executors
  • keyword
  • sh
  • bash
Payloads
  • pwd.js
  • runTask.js
  • captureAudio.js
  • Get-Screenshot.ps1
  • screenshot.js
  • dylibHijackCheck.js
  • plistPersistCurrentUser.js
  • requestPayload.js
  • http.js
  • sh.js