Onyx Raid Documentation
Onyx Raid provides a comprehensive suite of red team tooling, engineered for professionals who require a high level of control, stealth, and operational reliability. Below is the full breakdown of functionality available in the latest version.
It should be noted that, where available, the 'Automatic' setting should be picked unless specific reasons dictate otherwise.
Builder
The builder is what produces the Onyx Raid stub which runs on the target machine. The stub is a reflective injector executable, which has the DLL payload embedded within it in AES-256 encrypted form.
Connection
- IP Address – Here the user should enter the public IP address / domain name of the computer they are running the C2 on.
- Port – This is the networking port on which the C2 should accept connections.
- Whilst currently TCP is the only connection method, plans for an HTTP C2 option are underway - keep an eye out!
Execution
- Automatic Process Selection – Scans the target machine at runtime for a reliable process to inject into, and injects into that process. If disabled, the user may type in the name of the custom process they would like to inject into.
- Execution Delay – Delays the execution of the payload by x seconds, specified by the user. Default is zero. Useful for evading behavioral monitoring tools that trigger on immediate execution.
- Run as Administrator – This tells the payload to request elevation when it runs. If elevation is rejected by the user, it will run with user-mode permissions.
Injection Methods
- Automatic – Automatically starts with the most stealthy method and falls back to more reliable ones if injection fails.
  Order: NoMapViewOfSection → QueueUserAPC → NtCreateThreadEx → CreateRemoteThread
- CreateRemoteThread – ✅ Very Reliable, ❌ Low Stealth. Creates a remote thread in the target process using a well-known Windows API. Heavily hooked and detected by most antivirus and EDR solutions.
- NtCreateThreadEx – ✅ Reliable, ⚠️ Moderate Stealth. A lower-level API than CreateRemoteThread. Less commonly hooked, reducing detection, but still visible to many modern security products.
- QueueUserAPC – ⚠️ Less Reliable, ✅ High Stealth. Injects code by queuing an Asynchronous Procedure Call (APC) to a thread in an alertable state. If successful, this is a highly stealthy method, but it can be unreliable if no suitable threads are found.
- NoMapViewOfSection – ✅ Reliable, ✅ Very High Stealth. Remaps memory in the target process with a copy of the Onyx Raid image using low-level section manipulation. Bypasses many user-mode hooks and traditional AV detection vectors.
Persistence and Stealth
- Delete Injector after Execution – When enabled, this removes the injector once the payload is successfully injected into memory. However, if the injector is deleted, startup persistence is impossible, so startup persistence is disabled while this option is enabled.
- Startup Persistence – When enabled, this prompts the user to select a startup persistence method from the list below. Default and recommended is Automatic.
Persistence Methods
- Automatic – Defaults to Registry Run Key installation for the perfect balance of reliability and stealth.
- Startup Folder Installation – Copies the injector to the user's Startup folder and assigns a stealthy, legitimate-looking name to blend in with system utilities. Ensures automatic execution on login.
- Registry Run Key Installation – Places the injector in a randomly generated subdirectory within %AppData% (Roaming), then adds a persistent Run key in the Windows registry pointing to the obfuscated file. Stealthy and resilient.
- Watchdog Process – Launches a lightweight background process that continuously monitors the status of the payload. If it is terminated or crashes, the watchdog automatically reinjects it, ensuring uninterrupted persistence. Note that this requires startup persistence to be enabled.
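A defender-side triage helper for the two on-disk persistence methods above (example code added here, not part of Onyx Raid or its documentation): it parses constructed `reg query` output for the HKCU Run key, flags values whose executable sits in a single subfolder directly under %AppData% Roaming, and flags raw executables in the Startup folder, where legitimate entries are normally .lnk shortcuts. The registry entries, Startup folder listing, user name "alice" and environment values are constructed assumptions, not data from any real host.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\...\CurrentVersion\Run` output; the entries are made up.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive     REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Discord      REG_SZ           C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe
    SysHelper    REG_SZ           "C:\Users\alice\AppData\Roaming\kq2x9vz\svchelper.exe"
    Updater      REG_EXPAND_SZ    %APPDATA%\f8a1b2c\update.exe
"""
# Constructed Startup folder listing; normal entries there are .lnk shortcuts, not executables.
SAMPLE_STARTUP_FOLDER = ["desktop.ini", "Send to OneNote.lnk", "WindowsUpdateHelper.exe"]
# Assumed environment of the examined host (hypothetical user "alice").
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")

def parse_run_values(text):
    """Return (value name, command line) pairs from `reg query` output."""
    return [(m.group(1), m.group(3).strip())
            for m in map(VALUE_RE.match, text.splitlines()) if m]

def executable_path(command, env=ENV):
    """Expand %VAR% references and extract the executable from a Run command line."""
    expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)
    if expanded.startswith('"'):           # quoted path, possibly followed by arguments
        end = expanded.find('"', 1)
        return expanded[1:end] if end > 0 else expanded[1:]
    return expanded.split()[0]             # unquoted path ends at the first space

def is_roaming_subdir(path, env=ENV):
    """True if the file sits in exactly one folder directly under AppData\\Roaming."""
    roaming = [p.lower() for p in PureWindowsPath(env["APPDATA"]).parts]
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) == len(roaming) + 2 and parts[:len(roaming)] == roaming

def flag_run_keys(text):
    """Run values whose target lives in a single subfolder of Roaming AppData."""
    return [(name, executable_path(cmd)) for name, cmd in parse_run_values(text)
            if is_roaming_subdir(executable_path(cmd))]

def flag_startup_folder(filenames):
    """Raw executables in the Startup folder; legitimate entries are almost always .lnk."""
    return [f for f in filenames if f.lower().endswith((".exe", ".bat", ".cmd", ".vbs", ".scr"))]

if __name__ == "__main__":
    print(flag_run_keys(SAMPLE_REG_OUTPUT))
    print(flag_startup_folder(SAMPLE_STARTUP_FOLDER))
```

Both checks are triage heuristics: many legitimate applications also live under Roaming AppData, so a hit is a lead for the analyst, not a verdict.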
Environment Detection
- Block VM Execution – When enabled, the payload detects whether it is running within a VM, and if so terminates immediately.
- Block Sandbox Execution – When enabled, the payload detects whether it is running within a sandbox, and if so terminates immediately.
- Block Debugger Execution – When enabled, the payload detects whether it has a debugger attached to it, and if so terminates immediately. Unlike the others, this is a recurring check.
- Note that these checks run before the execution delay.
Post Execution Tasks
- Keylogging – This logs keypresses by the user and securely stores them AES-256 encrypted on disk along with their timestamp & active window for later viewing from the C2 panel.
- Clipboard Logging – This logs the contents of the clipboard and securely stores it AES-256 encrypted on disk along with its timestamp & active window for later viewing from the C2 panel. The log updates with every clipboard change.
Executable Customisation
- Custom Icon – This allows the user to select a custom icon for the payload executable.
- Custom Assembly Information – This allows the user to enter custom assembly information for the payload executable.
- UPX Compression – This reduces the size of the payload executable. Enabled by default.
Debugging
- Enable Debugging Console – When enabled, this tells the payload to allocate a console once it has been injected into memory. This console outputs debugging information as Raid runs, in order to see what might be going wrong. This should only ever be used in a testing setting.
C2 Panel
Client
- Client Configuration – This screen can be used to view the following details about the client:
  - Path of the process the payload has been injected into.
  - Path of the injector if it has not been deleted.
  - Enable / Disable - Startup Persistence, Keylogging, Clipboard Logging.
  - View the client version.
  - View the privileges the client has and request elevation through UAC.
- Transfer Manager – This screen can be used to view information about existing and complete file transfers between the server and client, including their status and size.
System
- System Statistics – This screen can be used to view the following details about the remote system:
  - CPU usage %.
  - RAM usage %.
  - Disk usage %.
  - Operating System.
  - CPU Name.
  - Amount of RAM installed.
- Process Manager – This screen can be used to view and interact with the processes running on the remote system. It allows the user to do the following:
  - Kill Process.
  - Dump Process Memory to a .dmp file (this is downloaded to the C2 panel as soon as the dump is complete).
  - View the properties of the process executable.
  - Refresh the list of running processes.
- File Explorer – This screen can be used to view and interact with the filesystem of the remote system. It allows the user to do the following:
  - Navigate through the filesystem in an environment that mimics Windows Explorer.
  - Execute files.
  - View the properties of files.
  - Delete folders & files.
  - Zip folders and files.
  - Download files to the client.
  - Upload files to the C2.
  - Refresh the file list for the current directory.
- Registry Editor – This screen can be used to view and interact with the registry of the remote system. It allows the user to do the following:
  - Navigate through the registry in an environment that mimics Windows regedit.
  - Create and delete registry keys.
  - Create and delete registry values (Strings, Multi String values, Expandable String values, DWORDs, QWORDs, Binary Values).
  - Modify existing values, including their contents and name.
- Command Prompt – This screen can be used to remotely execute shell commands via cmd.exe on the client, and receive responses. It is commonly referred to as a remote shell.
Network
- Active Connections – This screen allows the user to view all of the remote connections on the client. It displays the following:
  - Direction
  - Protocol
  - Local Address
  - Remote Address
  - State
- Download and Execute – This screen allows the user to select a file to download and execute on the client. There are two execution options:
  - Normal Execution
  - Windowless Execution
Recovery
- Keylogger – This screen allows the user to view the keylogs from the client. The user can:
  - Download all logs as a zip file.
  - Get the list of logs by date.
  - Select a log by date and display it on the keylogging screen.
- Remote Desktop – This screen allows the user to remotely control the client's screen. The user can:
  - Enable / Disable Keyboard Input.
  - Enable / Disable Mouse Input.
  - See the framerate of the remote desktop.
  - Start / Stop the remote desktop feature.
Power
- Sleep – This puts the client machine into sleep mode.
- Restart – This restarts the client machine.
- Shutdown – This shuts down the client machine.
Connection
- Restart Connection – This restarts the connection between the client and the C2.
- Uninstall Client – This deletes all disk artifacts left by the client, including the injector, and then makes the client become dormant in memory, where it will stay until the next reboot.