Privilege Escalation & Post-Exploitation


Table of Contents

  • Linux Post Exploitation
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
  • OS X Post Exploitation
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
  • Windows Post Exploitation
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
  • Linux Defense Evasion
  • macOS Defense Evasion
    • Application Whitelisting
    • Endpoint Security Framework
    • Gatekeeper
    • System Integrity Protection
    • XProtect
  • Windows Defense Evasion
    • Anti-Malware Scan Interface
    • Application Whitelisting
    • Windows Defender
    • Microsoft ATA/P
    • Device Guard
  • Linux Specific Technologies
  • macOS Specific Technologies
    • Code Signing
    • Endpoint Security Framework
    • GateKeeper
    • System Integrity Protection
    • Transparency, Consent, and Control
    • XProtect
  • Windows Specific Technologies
    • Alternate Data Streams
    • AppLocker
    • Application Shims
    • ClickOnce
    • Credential Guard
    • Code Signing
    • (Distributed) Component Object Model (COM)
    • Dynamic Link Library
    • Data Protection API (DPAPI)
    • Device Guard
    • Event Tracing for Windows
    • Print & Fax
    • File Extensions
    • LNK Files
    • Windows Logging
    • MS-SQL Server
    • Named Pipes
    • PowerShell
    • PowerShell Desired State
    • Windows Communication Foundation
    • Windows Notification Facility
    • Windows Remote Management
    • Windows Scripting Host

To Do

  • Change AV Avoidance stuff to specific OS
  • Sort AMSI stuff
  • ATA Section - Consolidate

Privilege Escalation


Hardware-based Privilege Escalation

  • Writeups
  • Tools
    • Inception
      • Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
    • PCILeech
      • PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.
    • physmem
      • physmem is a physical memory inspection tool and local privilege escalation targeting macOS up through 10.12.1. It exploits either CVE-2016-1825 or CVE-2016-7617 depending on the deployment target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the same. They were patched in OS X El Capitan 10.11.5 and macOS Sierra 10.12.2, respectively.
    • rowhammer-test
      • Program for testing for the DRAM "rowhammer" problem.
    • Tools for "Another Flip in the Wall"

Post-Exploitation


General Post Exploitation


Post-Exploitation Linux

  • 101
  • Discovery
    • Articles/Blogposts/Writeups
    • Account Discovery
    • Browser Bookmark Discovery
    • File and Directory Discovery
    • Network Service Scanning
    • Network Sniffing
    • Password Policy Discovery
    • Permission Groups Discovery
    • Process Discovery
      • Articles/Blogposts/Writeups
      • Tools
        • pspy
          • pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
    • Remote System Discovery
      • nullinux
        • nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided, nullinux will attempt to connect to the target using an SMB null session. Unlike many of the enumeration tools out there already, nullinux can enumerate multiple targets at once and, when finished, creates a users.txt file of all users found on the host(s). This file is formatted for direct implementation and further exploitation. This program assumes Python 2.7 and the smbclient package are installed on the machine. Run the setup.sh script to check if these packages are installed.
    • Software Discovery
    • System Information Discovery
    • System Network Configuration Discovery
    • System Network Connections Discovery
    • System Owner/User Discovery
  • Execution
  • Persistence
    • Account Manipulation
      • Additional Azure Service Principal Credentials
      • Exchange Email Delegate Permissions
      • Add Office 365 Global Administrator Role
      • SSH Authorized Keys
    • BITS Jobs
    • Boot or Logon Autostart Execution
      • Registry Run Keys / Startup Folder
      • Authentication Package
      • Time Providers
      • Winlogon Helper DLL
      • Security Support Provider
      • Kernel Modules and Extensions
      • Re-opened Applications
      • LSASS Driver
      • Shortcut Modification
      • Port Monitors
      • Plist Modification
    • Boot or Logon Initialization Scripts
      • Logon Script (Windows)
      • Logon Script (Mac)
      • Network Logon Script
      • Rc.common
      • Startup Items
    • Browser Extensions
    • Compromise Client Software Binary
      • Tools
    • Create Account
      • Local Account
      • Domain Account
      • Cloud Account
    • Create or Modify System Process
      • Launch Agent
      • Systemd Service
      • Windows Service
      • Launch Daemon
    • Event Triggered Execution
      • Change Default File Association
      • Screensaver
      • Windows Management Instrumentation Event Subscription
      • .bash_profile and .bashrc
      • Trap
      • LC_LOAD_DYLIB Addition
      • Netsh Helper DLL
      • Accessibility Features
      • AppCert DLLs
      • AppInit DLLs
      • Application Shimming
      • Image File Execution Options Injection
      • PowerShell Profile
      • Emond
      • Component Object Model Hijacking
    • External Remote Services
    • Hijack Execution Flow
      • Services File Permissions Weakness
      • Executable Installer File Permissions Weakness
      • Services Registry Permissions Weakness
      • Path Interception by Unquoted Path
      • Path Interception by PATH Environment Variable
      • Path Interception by Search Order Hijacking
      • DLL Search Order Hijacking
      • DLL Side-Loading
      • LD_PRELOAD
      • Dylib Hijacking
      • COR_PROFILER
    • Implant Container Image
    • Office Application Startup
      • Add-ins
      • Office Template Macros
      • Outlook Forms
      • Outlook Rules
      • Outlook Home Page
      • Office Test
    • Pre-OS Boot
      • System Firmware
      • Component Firmware
      • Bootkit
    • Scheduled Task/Job
      • At (Windows)
      • Scheduled Task
      • At (Linux)
      • Launchd
      • Cron
    • Server Software Component
      • SQL Stored Procedures
      • Transport Agent
      • Web Shell
    • Traffic Signaling
      • Port Knocking
    • Valid Accounts
      • Default Accounts
      • Domain Accounts
      • Local Accounts
      • Cloud Accounts
  • Privilege Escalation
  • Defense Evasion
    • Binary Padding
    • Clear Command History
    • Compile After Delivery
    • Connection Proxy
    • Disabling Security Tools
    • Execution Guardrails
    • Exploitation for Defense Evasion
    • File and Directory Permissions Modification
    • File Deletion
    • Hidden Files and Directories
    • HISTCONTROL
    • Indicator Removal from Tools
    • Indicator Removal on Host
    • Install Root Certificate
    • Masquerading
    • Obfuscated Files or Information
    • Port Knocking
    • Process Injection
    • Redundant Access
    • Rootkit
    • Scripting
    • Space after Filename
    • Timestomp
    • Valid Accounts
    • Web Service
  • Credential Access
    • Bash History
      • Articles/Blogposts
      • Tools
    • Brute Force
      • Articles/Blogposts
      • Tools
    • Credential Dumping
      • Articles/Blogposts
        • Where 2 Worlds Collide: Bringing Mimikatz et al to UNIX - Tim(-Wadha) Brown
          • What this talk is about: Why a domain joined UNIX box matters to Enterprise Admins; How AD based trust relationships on UNIX boxes are abused; How UNIX admins can help mitigate the worst side effects;
        • linikatz
          • This repository contains all of the scripts and source code for "Where 2 Worlds Collide: Bringing Mimikatz et al to UNIX". In addition to the main linikatz.sh script, this also includes auditd policies, John the Ripper rules, Metasploit post-exploitation modules and fuzzers. More will follow in due course.
        • Kerberos Credential Thievery (GNU/Linux) - Ronan Loftus, Arne Zismer
          • Kerberos is an authentication protocol that aims to reduce the amount of sensitive data that needs to be sent across a network with lots of network resources that require authentication. This reduces the risk of having authentication data stolen by an attacker. Network Attached Storage devices, big data processing applications like Hadoop, databases and web servers commonly run on GNU/Linux machines that are integrated in a Kerberos system. Due to the sensitivity of the data these services deal with, their security is of great importance. A lot of research has been done on sniffing and replaying Kerberos credentials from the network. However, little work has been done on stealing credentials from Kerberos clients on GNU/Linux. We therefore investigate the feasibility of extracting and reusing Kerberos credentials from GNU/Linux machines. In this research we show that all the credentials can be extracted, independently of how they are stored on the client. We also show how these credentials can be reused to impersonate the compromised client. In order to improve the security of Kerberos, we also propose mitigations to these attacks.
        • Exfiltrating credentials via PAM backdoors & DNS requests - x-c3ll
      • Tools
        • linikatz
        • mimipenguin
          • A tool to dump the login password of the current Linux user.
        • 3snake
          • Targeting rooted servers, reads memory from sshd and sudo system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd and sudo command that is run. Listens for the proc event using netlink sockets to get candidate processes to trace. When it receives an sshd or sudo process ptrace is attached and traces read and write system calls, extracting strings related to password based authentication.
        • Tickey
          • Tool to extract Kerberos tickets from Linux kernel keys. Paper
        • Impost3r
          • Impost3r is a tool, written in C, that aims to steal many kinds of Linux passwords (including ssh, su and sudo).
    • Credentials from Web Browsers
      • Articles/Blogposts
      • Tools
    • Credentials in Files
      • Articles/Blogposts
      • Tools
        • KeyTabExtract
          • KeyTabExtract is a little utility to help extract valuable information from 502 type .keytab files, which may be used to authenticate Linux boxes to Kerberos. The script will extract information such as the realm, Service Principal, Encryption Type and NTLM Hash.
        • swap_digger
          • swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.
    • Exploitation for Credential Access
      • Articles/Blogposts
      • Tools
    • Input Capture
      • Articles/Blogposts
      • Tools
        • SudoHulk
          • This tool changes the sudo command by hooking the execve syscall using ptrace; tested under bash and zsh.
    • Network Sniffing
      • Articles/Blogposts
      • Tools
    • Private Keys
      • Articles/Blogposts
      • Tools
    • Steal Web Session Cookie
      • Articles/Blogposts
      • Tools
    • Two-Factor Authentication Interception
      • Articles/Blogposts
      • Tools
  • Lateral Movement
  • Collection
    • Audio Capture
    • Automated Collection
    • Clipboard Data
    • Data from Information Repositories
    • Data from Local System
      • Tools
        • swap_digger
          • swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.
    • Data from Network Shared Drive
    • Data from Removable Media
    • Data Staged
    • Input Capture
    • Screen Capture

Post-Exploitation OS X


macOS Technologies


Post-Exploitation Windows


Windows Technologies

C# & .NET Stuff

  • 101
  • Training
  • Discovery
    • Clipboard
      • Clippi-B
        • Steals clipboard data. Written in C#, executable by Cobalt Strike or any other unmanaged CLR loader. You'll need the costura.fody NuGet package to compile. Targets .NET 4.0 or above, but is potentially backwards compatible with 3.5 if you use an older costura.fody NuGet (untested).
    • ActiveDirectory
      • Recon-AD
        • As a proof of concept, we [OutflankNL] developed a C/C++ Active Directory reconnaissance tool based on ADSI and reflective DLLs which can be used within Cobalt Strike. The tool is called “Recon-AD” and at this moment consists of seven Reflective DLLs and a corresponding aggressor script. This tool should help you move away from PowerShell and .NET when enumerating Active Directory and help you stay under the radar of the latest monitoring and defense technologies being applied within modern environments.
      • SharpView
    • Browser
      • SharpChromium
        • SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta.
    • File Discovery/Hunting
      • SharpShares
        • Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
      • SauronEye
        • Search tool to find specific files containing specific words, e.g. files containing passwords.
      • SharpFiles
      • SharpFinder
        • Searches for files matching specific criteria on readable shares within the domain.
    • Network Services
    • Printers
      • SharpPrinter
        • SharpPrinter is a modified, console version of ListNetworks.
    • Screenshots
      • ScreenShooter
        • C# program to take a full size screenshot of the window. Takes in 0 or 1 flag for a filename.
        • Blogpost
    • Services
      • AtYourService
        • C# .NET Assembly and python script for Service Enumeration. Queries all services on a host and filters out services running as LocalSystem, NT Authority\LocalService, and NT Authority\NetworkService
    • Situational Awareness
      • Reconerator
        • This is a custom .NET assembly which will perform a number of situational awareness activities.
      • Scout
        • Scout is a .NET assembly used to perform recon on hosts during a pentest. Specifically, this was created as a way to check a host before laterally moving to it.
      • SitRep
        • SitRep is intended to provide a lightweight, extensible host triage alternative. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to quickly modify existing checks, or add new checks as required.
      • SharpAppLocker
        • C# port of the Get-AppLockerPolicy PS cmdlet
      • Seatbelt
        • Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
      • HastySeries
        • A C# toolset to support offensive operators in triaging, assessing and making intelligent decisions. Provides operators access to toolsets that can be integrated into other projects and workflows throughout a Red Team, Pentest or host investigation. We built this toolset over a period of a few days, hence the tool prefix of "Hasty".
    • User-Hunting
      • SharpSniper
        • Find specific users in active directory via their username and logon IP address
    • Web
      • SharpWitness
        • SharpWitness is my attempt at cobbling together a C# version of EyeWitness by Christopher Truncer. It still barely functions right now, but will hopefully become more useful once I put some dev time into it.
      • SharpFruit
        • A C# penetration testing tool to discover low-hanging web fruit via web requests.
      • SharpShot
        • Capture screenshots from .NET, using either native Windows APIs or .NET methods. Screenshots can be saved to disk using a randomly generated file name, or output to the console in base64 encoded form (does not touch disk).
  • Execution Tactics/Techniques
    • 101
    • Articles/Blogposts/Writeups
    • Talks/Presentations/Videos
      • .NET Manifesto - Win Friends and Influence the Loader - Casey Smith(Derbycon2019)
        • Everything you never wanted to know about .NET manifests and influencing binary loading. A growing number of security tools, both offensive and defensive, rely on the .NET Framework. This talk will focus on a narrow but important aspect. We will cover Application and Machine configuration files, as well as Registration-Free and Side-By-Side Assembly loading. What do all these have in common? Manifests. XML manifests can influence how the Operating System locates and executes binaries. We will explore additional concepts around influencing assembly loads. This talk will provide excellent insight into how these mechanisms work, how they can be subverted, and how they can be instrumented to aid defenders.
      • Staying # & Bringing Covert Injection Tradecraft to .NET - The Wover, Ruben Boonen(BlueHat IL 2020)
        • As .NET has taken over as the preferred platform for development on Windows, many attackers have chosen to take advantage of its features for post-exploitation tradecraft. Legitimate APIs can be leveraged for nearly every imaginable task, managed code can be loaded and executed from memory with extraordinary ease, and scalable monitoring for suspicious usage of .NET APIs is a problem yet to be solved. However, offensive .NET tools are still hindered by a fundamental weakness: the inability to leverage unmanaged code (such as the Win32/NT APIs) safe from observation by EDR. Managed code must eventually invoke unmanaged code in order to interface with the operating system. It is here that the attacker may be caught in the hooks of any system keen on watching for fundamentally malicious behavior. To expose the depth of tradecraft still unexplored in .NET and highlight the fragility of many existing detections, we will detail the tools we have built for evading these hooks. All of our efforts have been integrated into SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. Over the past few months we have added numerous new tools and techniques for loading and executing unmanaged code safely from .NET. Unmanaged APIs may be safely accessed and modules loaded either from memory or from disk in the new DInvoke API, a dynamic replacement for .NET's PInvoke API. It also includes manual mapping, a generic syscall wrapper, a new technique we call Module Overloading, and more. Additionally, we have added a modular process injection API that allows tool developers to build their own injection technique. Simply select an allocation and injection primitive, pass in any options, and execute the result with your preferred payload. This exposes all possible design decisions to the user, and allows for easy adaptation when existing tools fail.
In our talk we will focus on explaining the fundamental tradecraft behind these new developments, the challenges and requirements associated with them, and how they can be adapted to suit your needs. Additionally, we will discuss how SharpSploit can be combined with other open-source projects to be integrated into a red team's tooling. As much as possible, we will also discuss how to counter and detect the techniques that we have developed. Finally, we will explain the community-focused development of these projects and how you too can contribute to advance open-source .NET tradecraft
    • Tools
      • SharpGen
        • SharpGen is a .NET Core console application that utilizes the Roslyn C# compiler to quickly cross-compile .NET Framework console applications or libraries.
      • SharpCompile
        • SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in real time. This is a slicker approach than manually compiling a .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from ad hoc PowerShell execution by instead creating a temporary assembly and executing it using beacon's 'execute-assembly' in seconds.
      • NetLoader
        • Loads any C# binary from filepath or url, patching AMSI and bypassing Windows Defender on runtime
      • AppDomainExample
        • A .NET tool that uses AppDomain's to enable dynamic execution and escape detection.
      • SharpAttack
        • SharpAttack is a console for certain things I use often during security assessments. It leverages .NET and the Windows API to perform its work. It contains commands for domain enumeration, code execution, and other fun things.
      • PowerSharpPack
        • Many useful offensive C# projects wrapped into PowerShell for easy usage.
      • peloader.cs
        • This script loads a base64 encoded x64 PE file (e.g. Mimikatz or a Meterpreter) into memory and reflectively executes it.
      • RunSharp
        • Simple program that allows you to run commands as another user without being prompted for their password. This is useful in cases where you don't always get feedback from a prompt, such as the case with some remote shells.
    • Adversary Simulation
      • PurpleSharp
        • PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
    • Assemblies & AppDomains
    • Binary/Source Obfuscation
    • Cradles/Runners
      • SharpCradle
        • SharpCradle is a tool designed to help penetration testers or red teams download and execute .NET binaries into memory.
      • RunShellcode
        • Simple GUI program when you just want to run some shellcode.
      • CreateThread Example
        • C# code to use CreateThread to run position independent code in the running process. This code is provided AS IS, and will not be supported.
      • CSharp SetThreadContext
        • C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
    • MSBuild-related
    • MS-SQL-related
      • Attacking SQL Server CLR Assemblies - Scott Sutherland
        • During this webinar we’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments.
    • Process Injection/Shellcode Execution
    • PS in C#
      • Articles/Blogposts/Writeups
      • Tools
        • NoPowerShell
          • NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main.
        • p0wnedShell
          • PowerShell Runspace Post Exploitation Toolkit
        • p0wnedLoader
        • Smallp0wnedShell
          • Small modification version of PowerShell Runspace Post Exploitation Toolkit (p0wnedShell)
        • CScriptShell
        • Stracciatella
          • OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, CLM and Script Block Logging disabled at startup
    • Reflection
    • Resource Embedding
      • Single-File Executables - https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0#single-file-executables
      • Assembly Linking - https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0#assembly-linking
      • Embedding .NET assemblies inside .NET assemblies - https://denhamcoder.net/2018/08/25/embedding-net-assemblies-inside-net-assemblies/
      • Fody
        • The Home repository is the starting point for people to learn about Fody, the project.
      • Fody Engine
        • Extensible tool for weaving .NET assemblies. Manipulating the IL of an assembly as part of a build requires a significant amount of plumbing code. This plumbing code involves knowledge of both the MSBuild and Visual Studio APIs. Fody attempts to eliminate that plumbing code through an extensible add-in model.
      • Costura
        • Embed references as resources
    • Serialization
      • Gadget2Jscript
        • GadgetToJScript - RastaMouse(2020)
        • GadgetToJScript - 3gstudent
        • GadgetToJScript
          • A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS based scripts. The gadget being used triggers a call to Assembly.Load when deserialized via jscript/vbscript; this means it can be used in the same way to trigger in-memory load of your own shellcode loader at runtime. Lastly, the tool was created mainly for automating WSH script weaponization for RT engagements (LT, Persistence, Initial Compromise); the shellcode loader which was used for the PoC is removed and replaced by an example assembly implemented in the "TestAssemblyLoader.cs" class for PoC purposes.
        • GadgetToJScript, Covenant, Donut - 3xpl01tc0d3r
      • Tools
    • Windows Services
    • WinAPI Access
    • Payloads
      • SharPyShell
        • Tiny and obfuscated ASP.NET webshell for C# web applications.
      • TCPRelayInjecter2
        • Tool for injecting a "TCP Relay" managed assembly into an unmanaged process
      • Salsa Tools
        • Salsa Tools is a collection of three different tools that, combined, allow you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for its execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written in C#. Salsa Tools was publicly released by Luis Vacas during his talk “Inmersión en la explotación tiene rima”, which took place at h-c0n on 9 February 2019.
      • CasperStager
        • PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
  • Privilege Escalation
    • SharpExchangePriv
      • A C# implementation of PrivExchange by @_dirkjan. Kudos to @g0ldenGunSec, as I relied on his code.
    • SharpUp
      • SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponization functions have yet been implemented.
    • Watson
      • Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
    • Net-GPPPassword
      • .NET/C# implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
  • Collection
    • Sharp-Profit
      • "Sharp-Profit is a C# version of my Profit script. This version can be utilized with Cobalt Strike's execute-assembly function."
    • Browser
      • FirePwd.Net
        • FirePwd.Net is an open source tool written in C# to decrypt Mozilla stored passwords.
      • SharpWeb
        • SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.
    • File-Hunting
      • SharpSearch
        • Search files for extensions as well as text within.
    • Monitoring
      • WireTap
        • .NET 4.0 Project to interact with video, audio and keyboard hardware.
      • SharpLogger
        • Keylogger written in C#
  • Privilege Escalation
    • Active Directory
      • Grouper2
        • Find vulnerabilities in AD Group Policy
    • Registry
      • Reg1c1de: Windows Registry Privesc Scanner
        • Reg1c1de is a tool that scans specified registry hives and reports on any keys where the user has write permissions. In addition, if any registry values are found that contain file paths with certain file extensions and they are writeable, these will be reported as well.
      • Blogpost
    • Services
      • SneakyService
        • A simple C# Windows service implementation that can be used to demonstrate privilege escalation from misconfigured Windows services.
  • Persistence
    • Scheduled Tasks
    • General
      • SharpStay
        • .NET project for installing Persistence
      • SharpHide
        • Technique Whitepaper
        • Just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.
    • Golden Tickets
      • GoldenTicket
        • This .NET assembly is specifically designed for creating Golden Tickets. It has been built with a custom version of SharpSploit and an old 2.0 alpha (x64) version of Powerkatz.
    • Registry-related
      • Reg_Built
        • C# Userland Registry RunKey persistence
    • Scheduled Tasks
    • Services
      • Unstoppable Service
        • A pattern for a self-installing Windows service in C# with the unstoppable attributes.
  • Credential Attacks
    • Process Memory
      • Dumping Process Memory with Custom C# Code - 3xplo1tcod3r
      • SharpDump
        • SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
      • ATPMiniDump
        • Dumping LSASS memory with MiniDumpWriteDump on PssCaptureSnapShot to evade WinDefender ATP credential-theft.
      • SafetyKatz
        • SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
      • KittyLitter
        • This project was made for an upcoming event. It is comprised of two components, KittyLitter.exe and KittyScooper.exe. This will bind across TCP, SMB, and MailSlot channels to communicate credential material to lowest privilege attackers.
    • Clipboard
      • SharpClipboard
      • SharpClipHistory
        • SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
    • Credentials on Disk/Stored in files
      • SharpCloud
        • SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
    • DPAPI
      • SharpDPAPI
        • SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
    • Fake UI Prompt
      • Tools
        • SharpLocker
          • SharpLocker helps get current user credentials by popping a fake Windows lock screen; all output is sent to the console, which works perfectly for Cobalt Strike. It is written in C# to allow for direct execution via memory injection using techniques such as execute-assembly found in Cobalt Strike or others; this method prevents the executable from ever touching disk. It is NOT intended to be compiled and run locally on a device.
    • Kerberos
      • Rubeus
        • Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization; without their prior work this project would not exist.
        • A Study on .NET Framework for Red Team - Part I - https://www.slideshare.net/aj0612/a-study-on-net-framework-for-red-team-part-i
    • LLMNR/NBNS Spoofing
      • InveighZero
        • Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool
    • Multi-Tools
      • SafetyKatz
        • SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
    • Password Spray
      • SharpSpray
        • SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP; it is compatible with Cobalt Strike.
    • Proxy
      • FreshCookies
        • C# .NET 3.5 tool that keeps proxy auth cookies fresh by maintaining a hidden IE process that navigates to your hosted auto-refresh page. Uses WMI event listeners to monitor for InstanceDeletionEvents of the Internet Explorer process, and starts a hidden IE process via COM object if no other IE processes are running.
    • Password Spraying
      • SharpDomainSpray
        • SharpDomainSpray is a very simple password spraying tool written in .NET. It takes a password then finds users in the domain and attempts to authenticate to the domain with that given password.
    • RDP
      • RdpThief
        • RdpThief by itself is a standalone DLL that, when injected into the mstsc.exe process, will perform API hooking, extract the clear-text credentials and save them to a file.
        • Blogpost
      • SharpRDPCheck
        • Used to check for valid Remote Desktop Protocol accounts (supports plaintext passwords and NTLM hashes).
    • Vault Credentials
      • SharpEdge
        • C# implementation of Get-VaultCredential. Get-VaultCredential enumerates and displays all credentials stored in the Windows vault. Web credentials, specifically, are displayed in cleartext. This script was inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt
    • ActiveDirectory-related
      • ADFSpoof
        • A Python tool to forge AD FS security tokens. Meant to be used with ADFSDump.
      • ADFSDump
        • ADFSDump is a tool that will read information from Active Directory and from the AD FS Configuration Database that is needed to generate forged security tokens. This information can then be fed into ADFSpoof to generate those tokens. Meant to be used with ADFSpoof.
      • SharpAdidnsdump
        • C# implementation of Active Directory Integrated DNS dumping (authenticated user)
      • SprayAD
        • This tool can help Red and Blue teams audit Active Directory user accounts for weak, well-known or easily guessable passwords, and can help Blue teams assess whether these events are properly logged and acted upon. When this tool is executed, it generates event ID 4771 (Kerberos pre-authentication failed) instead of 4625 (logon failure). This event is not audited by default on domain controllers, and therefore this tool might help evade detection while password spraying.
  • Lateral Movement
    • Multiple
    • .NET Remoting
    • DCOM
    • MSSQL
    • RDP
      • Articles/Blogposts/Writeups
      • Tools
        • SharpDoor
          • SharpDoor is an alternative to RDPWrap written in C# that allows multiple RDP (Remote Desktop) sessions by patching the termsrv.dll file. For opsec considerations: SharpDoor still uses cmd.exe to run sc services in order to impersonate TrustedInstaller; in the future cmd.exe usage will be avoided. Currently only Windows 10 is supported.
        • SharpRDP
          • Blogpost
          • Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
    • Registry
      • SCShell
        • Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
    • SMB
      • CSExec
        • This is an example of how to implement psexec (from the SysInternals Suite) functionality, but in open source C#. This does not implement all of the psexec functionality, but it does implement the equivalent functionality to running: psexec -s \\target-host cmd.exe
      • SharpInvoke-SMBExec
        • A native C# conversion of Kevin Robertson's Invoke-SMBExec PowerShell script.
    • WinRM
    • WMI
      • SharpWMI
        • SharpWMI is a C# implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.
      • SharpInvoke-WMIExec
        • A native C# conversion of Kevin Robertson's Invoke-SMBExec PowerShell script.
  • Evasion
    • Articles/Blogposts/Writeups
    • Talks/Presentations/Videos
    • Tools
      • tvasion
        • Antivirus evasion based on file signature change via AES encryption, with PowerShell and C# AV evasion templates that support executable and PowerShell payloads with Windows executable, PowerShell or batch output. Developed with PowerShell on Linux for Windows targets :)
      • AVIator
        • Antivirus evasion project
      • PEunion
        • PEunion bundles multiple executables (or any other file type) into a single file. Each file can be configured individually to be compressed, encrypted, etc. In addition, a URL can be provided for a download to be executed. The resulting binary is compiled from dynamically generated C# code. No resources are exposed that can be harvested using tools like Resource Hacker. PEunion does not use managed resources either. Files are stored in byte[] code definitions, and when encryption and compression are applied, files become as obscure as they can get.
      • Self-Morphing C# Binary
        • C# binary that mutates its own code, encrypts and obfuscates itself on runtime
      • Inception-Framework
        • Inception provides In-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
      • SharpLoadImage
        • Hides a .NET assembly inside PNG images
      • BlockETW
        • .Net Assembly to block ETW telemetry in current process
      • SharpPack
        • Blogpost
        • SharpPack is a toolkit for insider threat assessments that lets you defeat application whitelisting to execute arbitrary DotNet and PowerShell tools.
  • Script Repos/Good Stuff
    • GhostPack
    • SharpSploit
      • SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
    • Sharp-Suite
      • FuzzySecurity: 'My musings with C#'
    • OffensiveCSharp-matterpreter
      • This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".
    • bytecode-api
      • C# library with common classes, extensions and additional features in addition to the .NET Framework. BytecodeApi implements lots of extensions and classes for general purpose use. In addition, specific classes implement more complex logic for both general app development as well as for WPF apps. In particular, boilerplate code that is known to be part of any Core DLL in a C# project is likely to already be here. In fact, I use this library in many of my own projects. For this reason, each class and method has been reviewed numerous times. BytecodeApi is highly consistent, particularly in terms of structure, naming conventions, patterns, etc. The entire code style resembles the patterns used in the .NET Framework itself. You will find it intuitive to understand.
    • OutlookToolbox
      • OutlookToolbox is a C# DLL that uses COM to do stuff with Outlook. Also included is a Cobalt Strike aggressor script that uses Outlooktoolbox.dll to give it a graphical and control interface.
      • Blogpost
    • OffensiveDLR
      • Toolbox containing research notes & PoC code for weaponizing .NET's DLR
    • RedTeamCSharpScripts - Mr-Un1k0d3r
    • CSharpScripts - Arno0x
    • Named Pipes
      • This is a proof of concept / pattern concept for creating a client/server communication model with named pipes in C#. In this example, a client passes a message to the server over a named pipe which is then executed as a command on the server. The standard out and standard error are redirected back to the client over the named pipe and printed to the terminal screen.
  • Utilities
    • Compression
      • MiddleOut
        • This tool was created to compress files through the command line and will work with Cobalt Strike's execute-assembly.
    • Files
      • FileWriter
        • .NET project for writing files to local or remote hosts
      • LockLess
        • LockLess is a C# tool that allows for the enumeration of open file handles and the copying of locked files.
    • Scheduled Tasks

Powershell Things


Pivoting & Tunneling

  • Pivoting
    • Articles/Writeups
    • Tools
      • Socat
        • socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
        • Examples of use
        • Socat Cheatsheet
      • XFLTReaT
        • XFLTReaT tunnelling framework
      • Discovery
        • nextnet
          • nextnet is a pivot point discovery tool written in Go.
      • DNS
      • HTTP/HTTPS
        • SharpSocks
          • Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
        • Chisel
          • Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
        • SharpChisel
          • C# Wrapper of Chisel from https://github.com/jpillora/chisel
        • Crowbar
          • Crowbar is an EXPERIMENTAL tool that allows you to establish a secure circuit with your existing encrypting TCP endpoints (an OpenVPN setup, an SSH server for forwarding...) when your network connection is limited by a Web proxy that only allows basic port 80 HTTP connectivity. Crowbar will tunnel TCP connections over an HTTP session using only GET and POST requests. This is in contrast to most tunneling systems that reuse the CONNECT verb. It also provides basic authentication to make sure nobody who stumbles upon the server steals your proxy to order drugs from Silkroad.
        • A Black Path Toward The Sun(ABPTTS)
          • ABPTTS uses a Python client script and a web application server page/package[1] to tunnel TCP traffic over an HTTP/HTTPS connection to a web application server. In other words, anywhere that one could deploy a web shell, one should now be able to establish a full TCP tunnel. This permits making RDP, interactive SSH, Meterpreter, and other connections through the web application server.
        • pivotnacci
          • Pivot into the internal network by deploying HTTP agents. Pivotnacci allows you to create a socks server which communicates with HTTP agents
        • graftcp
          • graftcp can redirect the TCP connection made by the given program [application, script, shell, etc.] to SOCKS5 or HTTP proxy.
        • Tunna
          • Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.
      • HTTP2
        • gTunnel
          • A TCP tunneling suite built with golang and gRPC. gTunnel can manage multiple forward and reverse tunnels that are all carried over a single TCP/HTTP2 connection. I wanted to learn a new language, so I picked go and gRPC. Client executables have been tested on windows and linux.
      • ICMP
        • Hans - IP over ICMP
          • Source
          • Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you could call it a ping tunnel. This can be useful when you find yourself in the situation that your Internet access is firewalled, but pings are allowed.
        • icmptx
          • ICMPTX is a program that allows a user with root privileges to create a virtual network link between two computers, encapsulating data inside of ICMP packets.
      • PowerShell
      • RDP
        • Socks Over RDP / Socks Over Citrix
          • This tool adds the capability of a SOCKS proxy to Terminal Services (or Remote Desktop Services) and Citrix (XenApp/XenDesktop). It uses Dynamic Virtual Channel that enables us to communicate over an open RDP/Citrix connection without the need to open a new socket, connection or a port on a firewall.
        • Socks Over RDP - Balazs Bucsay(2020)
      • SMB
        • Piper
          • Creates a local or remote port forwarding through named pipes.
        • flatpipes
          • A TCP proxy over named pipes. Originally created for maintaining a meterpreter session over 445 for less network alarms.
        • Invoke-PipeShell
          • This script demonstrates a remote command shell running over an SMB Named Pipe. The shell is interactive PowerShell or single PowerShell commands
        • Invoke-Piper
          • Forward local or remote tcp ports through SMB pipes.
      • SSH
        • SSHDog
          • SSHDog is your go-anywhere lightweight SSH server. Written in Go, it aims to be a portable SSH server that you can drop on a system and use for remote access without any additional configuration.
        • MeterSSH
          • MeterSSH is a way to take shellcode, inject it into memory, then tunnel whatever port you want over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned by the shellcode (meterpreter in this case) over SSH back to the attacker's machine. Connecting with meterpreter's listener to localhost then communicates through the SSH proxy to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.
        • powermole
          • This program will let you perform port forwarding, redirect internet traffic, and transfer files to, and issue commands on, a host without making a direct connection (i.e. via one or more intermediate hosts), which would undoubtedly compromise your privacy. This solution can only work when you or your peers own one or more hosts, as this program communicates with SSH servers. This program can be viewed as a versatile wrapper around SSH with the ProxyJump directive enabled. Powermole automatically creates an ssh/scp configuration file to enable key-based authentication with the intermediate hosts.
      • SOCKS/TCP/UDP
        • RFC1928: SOCKS Protocol Version 5
        • SOCKS: A protocol for TCP proxy across firewalls
        • shootback
          • shootback is a reverse TCP tunnel that lets you access a target behind NAT or a firewall
        • ssf - Secure Socket Funneling
          • Network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer. SSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.
        • PowerCat
          • A PowerShell TCP/IP swiss army knife that works with Netcat & Ncat
        • Udp2raw-tunnel
          • A tunnel which tunnels UDP via FakeTCP/UDP/ICMP traffic by using raw sockets, helping you bypass UDP firewalls (or unstable UDP environments). It is encrypted, anti-replay and multiplexed. It also acts as a connection stabilizer.
        • reGeorg
          • The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
        • redsocks – transparent TCP-to-proxy redirector
          • This tool allows you to redirect any TCP connection to SOCKS or HTTPS proxy using your firewall, so redirection may be system-wide or network-wide.
        • ligolo
          • Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection in complete safety (TLS certificate with elliptic curve). It is comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster.
        • proxychains-windows
          • Windows and Cygwin port of proxychains, based on MinHook and DLL Injection
        • rpivot
          • This tool is Python 2.6-2.7 compatible and has no dependencies beyond the standard library. It has a client-server architecture. Just run the client on the machine you want to tunnel the traffic through. The server should be started on the pentester's machine and listen for incoming connections from the client.
      • WMI
      • VNC
        • Invoke-Vnc
          • Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
        • jsmpeg-vnc
          • A low latency, high framerate screen sharing server for Windows and client for browsers

Avoiding/Bypassing AV(Anti-Virus)/UAC/Whitelisting/Sandboxes/Logging/etc - General Evasion Tactics & Techniques


Payloads & Shells

  • 101
  • Payloads
  • Handling Shells
    • Alveare
      • Multi-client, multi-threaded reverse shell handler written in Node.js. Alveare (hive in Italian) lets you listen for incoming reverse connections, list them, and handle and bind the sockets. It's an easy-to-use tool, useful for handling reverse shells and remote processes.
  • Tools to help generate payloads
    • How to use msfvenom
    • msfpc
      • A quick way to generate various "basic" Meterpreter payloads via msfvenom (part of the Metasploit framework).
    • Unicorn
      • Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
    • MorphAES
      • MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.
    • SharpShooter
      • SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.
    • gscript
      • Gscript is a framework for building multi-tenant executors for several implants in a stager. The engine works by embedding runtime logic (powered by the V8 JavaScript Virtual Machine) for each persistence technique. This logic gets run at deploy time on the victim machine, in parallel for every implant contained within the stager. The Gscript engine leverages the multi-platform support of Golang to produce final stage-one binaries for Windows, Mac, and Linux.
  • Techniques
    • Crypters
    • Keying
      • Articles
      • Talks/Presentations/Videos
        • Context-Keyed Payload Encoding: Fighting The Next Generation of IDS - Dimitris Glynos(AthCon2010)
          • Slides
          • Paper
          • Exploit payload encoding allows hiding malicious payloads from modern Intrusion Detection Systems (IDS). Although metamorphic and polymorphic encoding allow such payloads to be hidden from signature-based and anomaly-based IDS, these techniques fall short when the payload is being examined by IDS that can trace the execution of malicious code. Context-keyed encoding is a technique that allows the attacker to encrypt the malicious payload in such a way that it can only be executed in an environment (context) with specific characteristics. By selecting an environment characteristic that will not be present during the IDS trace (but will be present on the target host), the attacker may evade detection by advanced IDS. This paper focuses on the current research in context-keyed payload encoding and proposes a novel encoder that surpasses many of the limitations found in its predecessors.
        • Advanced Payload Strategies: “What is new, what works and what is hoax?”
          • This talk focuses on the shellcode perspective and its evolution. From the simplest {shell}code to the polymorphism used to bypass filters and I{D|P}S (which has lots of new ideas, like application-specific decoders, decoders based on architecture instructions, and many others), passing through syscall proxying and injection, this talk will explain how these techniques work and how effective they are against new evolving technologies like network code emulation, with live demonstrations. It has been a long time since the first paper on shellcoding was released. Most modern texts just try to explain the assembly structure, and many new ideas have just been released as code, never detailed or explained. The talk will try to fix this gap, also showing some new ideas and considering different architectures.
        • Genetic Malware: Designing Payloads for Specific Targets - Travis Morrow, Josh Pitts(2016)
        • Protect Your Payloads: Modern Keying Techniques - Leo Loobeek(DerbyCon2018)
          • Our payloads are at risk! Incident responders, threat hunters, and automated software solutions are eager to pick apart your new custom dropper and send you back to square one. One answer to this problem is encrypting your payload with key derivation functions ("keying") which leverages a variety of local and remote resources to build the decryption key. Throughout this talk I will present modern keying techniques and demo some tools to help along the way. I will start with showing how easy it is to discover attacker infrastructure or techniques in the payloads we commonly use every day. I will then quickly review how keying helps and the considerations when generating keyed payloads. Throughout the presentation many practical examples of keying techniques will be provided which can be used for typical pentests or full red team operations. Finally I will introduce KeyServer, a new piece to add to your red team infrastructure which handles advanced HTTP and DNS keying. Using unprotected payloads during ops should be a thing of the past. Let’s regain control of our malicious code and make it harder on defenders! This talk is based on the original research of environmental keying by Josh Pitts and Travis Morrow.
      • Papers
        • Environmental Key Generation towards Clueless Agents - J. Riordan and B. Schneier(1998)
          • In this paper, we introduce a collection of cryptographic key constructions built from environmental data that are resistant to adversarial analysis and deceit. We expound upon their properties and discuss some possible applications; the primary envisioned use of these constructions is in the creation of mobile agents whose analysis does not reveal their exact purpose.
        • Strong Cryptography Armoured Computer Viruses Forbidding Code Analysis: the bradley virus - Eric Filiol(2004)
          • Imagining what the nature of future viral attacks might look like is the key to successfully protecting against them. This paper discusses how cryptography and key management techniques may definitively checkmate antiviral analysis and mechanisms. We present a generic virus, denoted bradley which protects its code with a very secure, ultra-fast symmetric encryption. Since the main drawback of using encryption in that case lies on the existence of the secret key or information about it within the viral code, we show how to bypass this limitation by using suitable key management techniques. Finally, we show that the complexity of the bradley code analysis is at least as high as that of the cryptanalysis of its underlying encryption algorithm.
        • Foundations and applications for secure triggers - Ariel Futoransky, Emiliano Kargieman, Carlos Sarraute, Ariel Waissbein(2006)
          • Imagine there is certain content we want to maintain private until some particular event occurs, when we want to have it automatically disclosed. Suppose, furthermore, that we want this done in a (possibly) malicious host. Say the confidential content is a piece of code belonging to a computer program that should remain ciphered and then “be triggered” (i.e., deciphered and executed) when the underlying system satisfies a preselected condition, which must remain secret after code inspection. In this work we present different solutions for problems of this sort, using different “declassification” criteria, based on a primitive we call secure triggers. We establish the notion of secure triggers in the universally composable security framework of Canetti [2001] and introduce several examples. Our examples demonstrate that a new sort of obfuscation is possible. Finally, we motivate its use with applications in realistic scenarios.
        • Context-keyed Payload Encoding: Preventing Payload Disclosure via Context - druid@caughq.org(2008)
        • Malicious cryptography... reloaded - Eric Filiol, Frédéric Raynal(CanSecWest2008)
        • Context-keyed Payload Encoding: Fighting the Next Generation of IDS - Dimitrios A. Glynos(2010)
        • Impeding Automated Malware Analysis with Environment-sensitive Malware - Chengyu Song, Paul Royal, Wenke Lee(2012)
          • To solve the scalability problem introduced by the exponential growth of malware, numerous automated malware analysis techniques have been developed. Unfortunately, all of these approaches make previously unaddressed assumptions that manifest as weaknesses to the tenability of the automated malware analysis process. To highlight this concern, we developed two obfuscation techniques that make the successful execution of a malware sample dependent on the unique properties of the original host it infects. To reinforce the potential for malware authors to leverage this type of analysis resistance, we discuss the Flashback botnet’s use of a similar technique to prevent the automated analysis of its samples.
        • Sleeping Your Way out of the Sandbox - Hassan Mourad(2015)
          • In recent years, the security landscape has witnessed the rise of a new breed of malware, Advanced Persistent Threat, or APT for short. With all traditional security solutions failing to address this new threat, a demand was created for new solutions that are capable of addressing the advanced capabilities of APT. One of the offered solutions was file-based sandboxes, a solution that dynamically analyzes files and judges their threat levels based on their behavior in an emulated/virtual environment. But security is a cat and mouse game, and malware authors are always trying to detect/bypass such measures. Some of the common techniques used by malware for sandbox evasion will be discussed in this paper. This paper will also analyze how to turn some countermeasures used by sandboxes against it. Finally, it will introduce some new ideas for sandbox evasion along with recommendations to address them.
        • Hot Knives Through Butter: Evading File-based Sandboxes - Abhishek Singh, Zheng Bu(2014)
      • Tools
        • Metasploit
        • EBOWLA
          • Framework for Making Environmental Keyed Payloads
        • keyring
          • KeyRing was written to make key derivation functions (keying) more approachable and easier to quickly develop during pentesting and red team operations. Keying is the idea of encrypting your original payload with local and remote resources, so it will only decrypt on the target system or under other situations.
        • satellite
        • GoGreen
          • This project was created to bring environmental (and HTTP) keying to scripting languages. As it is commonplace to use PowerShell/JScript/VBScript as an initial vector of code execution, as a result of phishing or lateral movement, I see value in these techniques for these languages.
        • Spotter
          • Spotter is a tool to wrap payloads in environmentally-keyed, AES256-encrypted launchers. These keyed launchers provide a way to ensure your payload is running on its intended target, as well as provide a level of protection for the launcher itself.
    • Polyglot
  • (Ex)/(S)ample Payloads and supporting tools written in various languages
    • C & C++
    • C#
      • EasyNet
        • Packs/unpacks arbitrary data using a simple Data -> Gzip -> AES -> Base64 algorithm. Generates a random AES-256 key and IV and provides them to the user. Can be used to pack or unpack arbitrary data. Provided both as a program and a library.
      • Inception Framework
        • Inception provides In-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
    • Go
      • Go-deliver
        • Go-deliver is a payload delivery tool coded in Go. This is the first version and other features will be added in the future.
      • Hershell
        • Simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provides a certificate public key fingerprint pinning feature, preventing traffic interception.
        • [EN] Golang for pentests : Hershell
    • HTA
      • genHTA
        • Generates anti-sandbox analysis HTA files without payloads
      • morpHTA
        • Morphing Cobalt Strike's evil.HTA
      • Demiguise
        • The aim of this project is to generate .html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. This is an evasion technique to get round content / file-type inspection implemented by some security-appliances. This tool is not designed to create awesome HTA content. There are many other tools/techniques that can help you with that. What it might help you with is getting your HTA into an environment in the first place, and (if you use environmental keying) to avoid it being sandboxed.
    • LNK Files
    • MSI Binaries
    • .NET
    • Powershell
      • Powershell Download Cradles - Matthew Green
      • Invoke-PSImage
        • Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web (when the -Web flag is passed). The least significant 4 bits of 2 color values in each pixel are used to hold the payload. Image quality will suffer as a result, but it still looks decent. The image is saved as a PNG, and can be losslessly compressed without affecting the ability to execute the payload, as the data is stored in the colors themselves. It can accept most image types as input, but output will always be a PNG because it needs to be lossless. Each pixel of the image is used to hold one byte of script, so you will need an image with at least as many pixels as bytes in your script. This is fairly easy: for example, Invoke-Mimikatz fits into a 1920x1200 image.
      • Reverse Encrypted (AES 256-bit) Shell over TCP - using PowerShell SecureString.
      • PowerDNS
        • PowerDNS is a simple proof of concept to demonstrate the execution of a PowerShell script using DNS only. PowerDNS works by splitting the PowerShell script into chunks and serving it to the user via DNS TXT records.
    • Python
      • Pupy
        • Pupy is a remote administration tool with an embedded Python interpreter, allowing its modules to load Python packages from memory and transparently access remote Python objects. The payload is a reflective DLL and leaves no trace on disk.
      • Winpayloads
        • Undetectable Windows payload generation with extras, running on Python 2.7.
      • Cloak
        • Cloak generates a python payload via msfvenom and then intelligently injects it into the python script you specify.
    • SCT Files
      • SCT-obfuscator
        • SCT payload obfuscator. Renames variables and changes hardcoded char values to random ones.
    • VBA
      • VBad
        • VBad is a fully customizable VBA obfuscation tool combined with an MS Office document generator. It aims to help Red and Blue teams with attack or defense.

Linux Code Injection

  • 101
  • Articles/Blogposts/Writeups
  • Talks & Presentations
  • Tools
    • Jugaad - Thread Injection Kit
      • Jugaad is an attempt to create a CreateRemoteThread() equivalent for *nix platforms. The current version supports only the Linux operating system. For details on the methodology behind Jugaad and how it works under the hood, see the detailed paper at http://null.co.in/section/projects.
    • linux-injector
      • Utility for injecting executable code into a running process on x86/x64 Linux. It uses ptrace() to attach to a process, then mmap()s memory regions for the injected code, a new stack, and space for trampoline shellcode. Finally, the trampoline in the target process is used to create a new thread and execute the chosen shellcode, so the main thread is allowed to continue. This project borrows from a number of other projects and research; see the References section of its README.
    • linux-inject
      • Tool for injecting a shared object into a Linux process
    • injectso64
      • This is the x86-64 rewrite of Shaun Clowes' i386/SPARC injectso which he presented at Blackhat Europe 2001.

macOS Code Injection

  • 101
  • General Information
  • Articles/Blogposts/Writeups
  • Techniques

Windows Code Injection Techniques