|
2 | 2 | Loki is a stage-1 command and control (C2) framework written in Node.js, built to script-jack vulnerable Electron apps _[MITRE ATT&CK T1218.015](https://attack.mitre.org/techniques/T1218/015/)_. Developed for red team operations, Loki enables evasion of security software and bypasses application controls by exploiting trusted, signed Electron apps. |
3 | 3 |
|
4 | 4 | Script-jacking hijacks the execution flow of an Electron app by modifying JavaScript files loaded in at runtime with arbitrary Node.js code. This technique can be leveraged to: |
5 | | -- __Backdoor the Electron app__ |
6 | | -- __Hollow out the Electron app__ |
| 5 | +- __Backdoor Electron app__ |
| 6 | +- __Hollow Electron app__ |
7 | 7 | - Chain execution to another process |
8 | 8 |
|
9 | 9 | _While several tools already address leveraging script-jacking to chain execution to another process, Loki is the first to enable backdooring and hollowing of signed Electron apps without invalidating their code signing signature._ |
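Review bot: the two rewritten items at lines 5-6 are bold while the untouched third item at line 7 (`- Chain execution to another process`) is plain, so the list now reads as two emphasized items plus one plain one. If the bold is meant to mark the two capabilities the italic sentence at line 9 singles out as unique to Loki, that is fine but worth saying so; otherwise give all three items the same weight. Separately, dropping "the" turns the items into telegraphic fragments; "Backdoor the Electron app" at old line 5 read more naturally, and "code signing signature" at line 9 would read better as "code signature".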
@@ -72,6 +72,7 @@ _All agent commands are written in native Node.JS and do not require additional |
72 | 72 | | `scan` | Perform TCP network scan across CIDR range with selected ports | |
73 | 73 | | `dns` | DNS lookup. Leverages systems DNS configuration | |
74 | 74 | | `set` | Set the Node load paths for assembly node and scexec nodes | |
| 75 | +| `bof` | Execute a COFF file and return output | |
75 | 76 |
|
76 | 77 | #### `Set` - Loading Nodes from Application Control Exclusion Paths |
77 | 78 | - If there are application control rules preventing library loads for the node files you can use the `set` command to change the load paths for `assembly.node` and `scexec.node`. |
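Review bot: the new `bof` row at line 75 ("Execute a COFF file and return output") lands under the hunk's context sentence stating that all agent commands are written in native Node.JS and do not require additional components, yet executing a COFF file in-process needs a native loader of the kind the `set` row at line 74 refers to (`assembly.node`, `scexec.node`). Either the `bof` description should name the node it depends on, or the `set` section at lines 77-78 should be extended to cover its load path too, so the application-control guidance stays accurate for the new command.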
@@ -186,7 +187,6 @@ bobby$ node obfuscateAgent.js |
186 | 187 | - Click the agent from the dashboard table to open the agent window |
187 | 188 | - Test to ensure Loki works properly |
188 | 189 |
|
189 | | - |
190 | 190 | ## Backdooring Electron Apps and Keeping the real Application Working as Normal |
191 | 191 | The most straightforward way to use Loki is to replace the files in `{ELECTRONAPP}/resources/app/` with the Loki files. This hollows out the app, meaning the app won't function normally -- Loki replaced its functionality. |
192 | 192 |
|
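Review bot: this hunk is whitespace-only (the blank line at old 189 removed), which is fine, but since the heading at line 190 is part of the touched context, its capitalization is inconsistent: "Keeping the real Application Working as Normal" mixes a lowercase "real" into an otherwise Title Case heading; "Keeping the Real Application Working as Normal" would match the rest of the README's headings.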
@@ -282,7 +282,5 @@ I do not recommend compiling the agent and using it for operations. Agent compil |
282 | 282 | - [Pavel Tsakalidis](https://x.com/sadreck) |
283 | 283 | - [BEEMKA - Electron Exploitation Toolkit](https://github.com/ctxis/beemka) |
284 | 284 |
|
285 | | - |
286 | 285 | ## License |
287 | | -This project is licensed under the Business Source License 1.1. Non-commercial use is permitted under the terms of the license. Commercial use requires the author's explicit permission. On April 3, 2030, this license will convert to Apache 2.0. See [LICENSE](./LICENSE) for full details. |
288 | | - |
| 286 | +This project is licensed under the Business Source License 1.1. Non-commercial use is permitted under the terms of the license. Commercial use requires the author's explicit permission. On April 3, 2030, this license will convert to Apache 2.0. See [LICENSE](./LICENSE) for full details. |
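Review bot: the removed paragraph at old 287 and the added one at new 286 are byte-identical, so the hunk only drops the blank lines at old 285 and 288; because old 288 was the final line of the file, confirm the file still ends with a trailing newline after the move, since the rendered diff cannot show that and a missing final newline is a common README lint warning.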