Blog

Voodoo Version 1.12 Released

Voodoo Version 1.12 Released
Voodoo S2’s Post Exploitation Platform

We designed Voodoo from the ground up to be a cross-platform post-exploitation toolkit. We knew from the beginning we wanted an agent design that is similar across targets. An agent that didn’t require operators to learn different syntax or nuances based on what OS or architecture the current target was. Thus, the voodoo agent was written with support for all modern OSes in mind. The command syntax is the same across targets and the core versatile is yet simple. The cross-platform design allows for us to quickly port the agent to new architectures and systems.

This is exemplified by our recent work to add support for Apple M1 Silicon chips. With the release of version 1.12 Voodoo can run natively on the MocOs ARM64 architecture, with no need to rely on Apple’s Rosetta implementation to port x64 code over.

However, we acknowledge that having a cross-platform first approach means we haven’t hyper-focused on one OS. Many of our customers who are coming from a Cobalt Strike background have come to expect key Windows-only features. With this update, we hope to address some of those concerns. We’ve spent a heavy portion of this update cycle keying in on ways we can improve the capabilities and stealth of our agent in Windows environments.

Abusing Windows user tokens is a large component of any operation against Windows domains. To assist operators with this we’ve added native commands to Voodoo to allow token impersonation, we’ve also added the ‘runas’ command to execute subcommands as other users. We added more capabilities to our DLL stagers to allow them to be utilized in DLL sideload attacks which allow for stealthier persistence and additional avenues for gaining execution.

We already had the ability to run .NET Assemblies and PowerShell scripts from memory but we added to that hidden command-line options. Now users can pass command line arguments to those in memory modules without them being detected by EDRs that parse process PEB blocks.

Finally, we’ve taken a lot of the feedback from users of our toolkit and improved the UX to provide more information and context to the operators at a glance. The side panel now shows what agents have tasks in the process and if any agents have died without having to navigate to that agents’ tab. This allows operators to have better situational awareness and respond quickly to a changing environment.

Numerous other minor bugs and features are also addressed in this update. As we continue to develop upon Voodoo and add additional capabilities I get more and more excited about where this product is going. We have many additional ideas on the roadmap and we hope to tackle them as quickly as time permits.

Happy hunting,

Waylon