NimPlant v1.4 - Black Hat Edition

NimPlant is back for Black Hat season! This release adds a fully-featured Rust implant besides the "classic" Nim version. The Rust implant is written from scratch and is designed to be more conscious about memory management (e.g. configuration parsing), while supporting all the goodies that the Nim version does¹. The release also adds Docker for all your (cross-)compilation or server hosting needs - without the dependency issues!

New features

• Added fully-featured, Rust-based implant 🦀🎉
• Added Dockerfile to allow easy compilation and server portability without dependency issues
  • Docker image is published to chvancooten/nimplant by CI/CD
  • Added example docker-compose.yml that demonstrates how to use Nginx as reverse proxy

Enhancements

• Replace manual argument parsing with argparse in nimplant.py helper script (939ed19)
• Various enhancements to CI/CD pipeline

Bugfixes

• Improve argument parsing and transmission (close #21)
• Fix bug with server exit logic when nimplants are late (74a581f)
• Fix bug where jitter was set incorrectly (ee98e2d)

Other

• Added strings_test.yar to allow opsec checks on disk and/or in-memory
• Added VS Code devcontainer configuration
• Update dependencies for GUI and Python components

Full Changelog: v1.3...v1.4

¹ Sleep masking not yet supported for the Rust implant.

NimPlant v1.3

New features

• Ekko sleep obfuscation can now be used in non-exe payloads #25
  • Thanks @notb9!

Enhancements

• Improve quoted command parsing, allow non-UTF8 decoding for cat via fallback encodings, fix gzip issue behind AWS lambda, fix niche issue with old SSL support, improve server logging and exception handling #28
  • Thanks @yamakadi!
• Major refactor of the NimPlant server side Python code #29
• Update UI dependencies, refactor UI for latest Mantine major release #31

Bugfixes

• Fix unicode issues in whoami and getHost() function
  • Fixes #23

Other

• Bump dependency versions for the NimPlant server. Dependabot begone 😤

Full Changelog: v1.2...v1.3

NimPlant v1.2

New features

• Add command tab completion to GUI (in addition to arrow keys)

Enhancements

• Add Nimplant info to download gui
  • Closes #12
• Improve error handling for 'cleanup' command
• Tweak small navbar size to avoid wrapping
• Remove winim manifest file

Bugfixes

• Implement workaround for broken copyFile in Nim stdlib
  • Fixes #11
  • Also see upstream: nim-lang/Nim#21504)
• Fix incorrect path normalization with cd command
  • Closes #10

Other

• Bump Python requirement versions

NimPlant v1.1

New features

• Added new screenshot command (Close #7)
• Added GUI modal for shinject command (Close #2)

Enhancements

• The reg command is now able to list all values in a key by specifying the query sub-command with only the path
• Added utility cleanup command to NimPlant.py to easily clean up server data (logs, uploads, downloads, database)
• Tweaked detection rule performance (Close #3)
• Unhid .logs directory

Bugfixes

• Fixed issues with reg command (Close #6)
• Add correct parsing of IP address behind forwarder based on X-Forwarded-For header (Close #5)

Other

• Tweaked GitHub linguist config to ignore auto-generated HTML as part of the codebase

Note: Two new libraries are added to the Nim codebase (pixie and winregistry) to support the new features. Make sure to re-run nimble install -d before compiling v1.1 payloads. The chvancooten/nimbuild docker container has already been updated so continues to work as the preferred compilation method.

NimPlant v1.0: Initial public release

NimPlant v1.0: Initial public release 🥳