PROJECTS

$ls -la ./projects

Muad-Dib

C++
Python
HWBP & VEH
ThreadPools

A bare-bones command and control (C2) framework that provides the most minimal functionality needed to load another C2.

Features

Server

  • HTTPS communication
  • Multiple Agent accessibility
  • Persistent access to Agents/Listeners
  • Payload generation w/ mingw
  • Extremely minimal & lightweight

Atreides Agent

  • Remote shellcode injection via threadpools
  • Syscall spoofing via VEH & HWBPs
  • Enumeration of all running processes

Detections

The Atreides agent currently yields 8/73 detections as of 12/05/2024. It evaded most mainstream AV platforms (CrowdStrike, Microsoft, Sophos); the one exception was SentinelOne.

The Atreides agent was also tested against an Elastic EDR environment with Elastic Defender enabled and yielded no alerts. Fair warning: this was tested with a Windows Visual Studio compiled version. I noticed that the agent compiled on Linux with mingw yielded more detections (10/73), so if you would like to compile using Visual Studio, I have provided the solution file.

Additional Notes

  • Although more evasion techniques could be added to the Agent, like *cough cough* API hashing, I believe this should be left to the user and how they would like to personalize the Agent.
  • This is also my first "real" public repository, so if I messed something up, message me at silentk0i@proton.me
  • This project was mainly built for my learning, but I hope others can learn from this repository as well.
  • Also, if you haven't seen Dune, watch that and you'll understand.

Acknowledgements

  • Please please please check out 0xRick's Blog, as a lot of the core design of this C2 stems from his blog on C2s.
  • Thanks to rad9800 for providing an incredibly detailed write-up and code for Tampering Syscalls.
  • Finally, thanks to Uri3n for the write-up on different techniques for threadpool injection. You can find the write-up here and the code here.

License

This code is licensed under the GPL-3.0 license.

TODO

  • Different payload formats
  • Domain-fronting support
  • More execution options (BOF loading, reflective DLL injection)
  • Sleep obfuscation
  • Call stack spoofing

Last updated: 2024-12-05
Stable Release