I wrote this to try to bring some reality to people trying to break into cyber. People will disagree with some (all) of it but hopefully somebody benefits from what I saw when I worked as a pentester.
Quick post on keeping admin level persistence without dropping EXEs to disk.
I just published Home Grown Red Team: Bypassing Applocker, UAC and Getting Administrative Persistence
Custom UACME binary > Lateral Movement with CrackMapExec and SharpWMI > Session Pass to Covenant > DCsync
I just published Home Grown Red Team: From Workstation To Domain Controller With Havoc C2 and Microsoft EDR
Using @D1rkMtr's ExecRemoteAssembly you can bypass UAC on Windows 11 using DLL hijacking without alerting Defender for Endpoint. Upload ERA to the target, host your bypass and execute from your C2. Pretty cool!
Part 2 of malware for dummies like me. Scripting out obfuscation of an implant.
I just published Home Grown Red Team: Let’s Make Some Malware In C: Part 2
With this season of Hell's Kitchen being over, I thought I would do a follow up to my post based on some of the feedback I got. I won't do another one. Next Level Chef starts this week.
Here's a short write-up on using PS credentials for scheduled task privilege escalation.
Home-Grown Red Team: Local Admin Phishing For Privilege and Persistence
A few people have reached out asking about how you can host encrypted shellcode files for staging. Here ya go.
I just published Home Grown Red Team: Hosting Encrypted Stager Shellcode
Using this compile command "x86_64-w64-mingw32-g++ -shared -o proc.dll template.cpp -lcomctl32 -Wl,--subsystem,windows -fpermissive -Wno-narrowing" I added -O2 and went from 4 to 2 detections on . Simple tip for AV evasion.
Don't you hate it when a cool new tool drops and it's written in C? If only I could convert it to shellcode with Donut and use a C# runner to run it with inline-execute assembly! Would be cool to pull the raw shellcode from a URL too...
Anybody ever phished a local admin with $credential = Get-Credential and passed it to a scheduled task for privilege escalation before? I can't tell if this is dumb or not.
Here is a short bash script to install all dependencies needed for GOAD on a brand new Ubuntu install. It will automatically start the GOAD provisioning process after the dependencies are installed.
Took the plunge and got the long-term access to @MalDevAcademy. I have learned a lot. I even created a new tool for automating staged implants. I'm not releasing it as the code will get burned immediately. Great course! Highly recommended.
After some testing I was able to fully compromise my home lab with Microsoft Defender for Endpoint on a rooted Samsung Tab S6 running Nethunter. I ran the team server in the cloud to compile Havoc shellcode; Nethunter was able to handle the rest.
A raw msf shellcode file got flagged by Defender so I added AES encryption to the payload file located on the Shared folder and got a meterpreter shell back. DFE doesn't seem to care either.
C2s on C2s on C2s. Havoc payload > PowerShell lateral movement > Session pass to Covenant > DCSync krbtgt for domain persistence. Microsoft Defender for Endpoint? Takin' a snooze
Quick tutorial on adding icons to your Linux compiled malware. Mainly published so I don't forget how to do it.
I just published Home Grown Red Team: Adding Icons To Windows Based Executables Compiled In Linux
Made a tool based on my staged shellcode from SMB blog post. Automates the process of creating standalone AES encrypted shellcode files and a dropper to pull it over SMB.
With some feedback from infosec Twitter I used this command for compiling "x86_64-w64-mingw32-g++ -o inj3c.exe template.cpp -fpermissive -Wno-narrowing -O2" and got 1/26 on . I added all the optimization options -O2 -O3 -Os and reached 0/26. Pretty cool!
All Harriet modules have been updated to get past Defender. Perfect for CTFs or lab evasion. Compile on Kali or upgrade your Mingw version past 11. Enjoy!
One instance of my loader wasn't caught by ESET Endpoint but was caught by Defender. I forgot I had an instance of VirtualAllocEx in the loader. I made a pointer and now it's not detected by either. Just a simple example of AV blindspots. Paid isn't ALWAYS better.
Here is a repo that I'm adding to all the time. Some helpful scripts and code snippets that I use on a regular basis. Just added a token duplicator in C#.
OMG girlfriend. I wake up this morning and put on my black hoodie ready to hack EvilCorp and overnight they have sigged my C# stager AGAIN. First they detect my base64 encoded strings, now they have found out about Curl. No way Microsoft knows about Thread.Sleep(10000000) right??
As we all celebrate the resurrection of the C# stager that once called Process.Start(rundll32.exe,DllMain) without obfuscation and executed a dll from a plaintext URL, and now is the same code but base64'd, let's also remember that last year ESET allowed its sister written in C.
I'm learning a lot tonight. Apparently Defender has to be configured to catch userland WinAPIs and RWX memory allocations and it's not an EDR's job to block process injection on initial access vectors. Why have I been using syscalls when I can just VirtualAlloc my way to DA?
Part III of the shitty C# stager. It has once again risen from the bowels of Defender. 1337 tip, switch out WebClient for Curl. Keep it under your hat!
If you're following the saga of the shitty C# stager that called Process.Start("rundll32.exe,Go") in plaintext, you now know that Microsoft flagged it. They are very smart, but apparently they haven't heard of base64. The stager lives on!
Well, it happened. After I published my medium article about LNK files, Microsoft has flagged the shittiest stager in infosec. Time of death on a C# binary that can call Process.Start(rundll32.exe,DllMain) without obfuscation and get past DFE - 10/7/2023 approx 8:30 am
Happy Holidays! Harriet got a little facelift today. All modules have been updated for evasion. Tested against Windows 11. Self-signed certs and an embedded Windows icon! More changes to come.
Simple change to my dropper and it gets through. Probably the most utilized user-land style dropper. VirtualAlloc > RtlCopyMemory > VirtualProtect > CreateThread > WaitForSingleObject
Since some EDRs be sippin on Hater-Aid I'm switching to self signed certs instead of cert cloning with SigThief in my tools (invalid cert alerts). Too bad because SigThief was so easy to implement.
SigThief seems to be enough to get past downloading unsigned DLLs against Avast free edition. In this screenshot proc.dll wasn't signed while procnul.dll was. This also seems to be the case with EXEs.
Smartscreen seems to be getting better at finding malware. I brought my implant's entropy down by a few points and I'm able to get it through. The fix was really stupid tho. Who knew iostream.h was so bulky?
Infosec Twitter beefs are hilarious.
"We'll see if you say that to my face at B-Sides Toledo!"
"Whatever asshole, only skids go to that con. Come see me at Blackhat Pittsburgh and some real shit will go down!"
"My company won't pay for that"
"That's what I thought, turd."
Look who's back. Got some real malware dev tips for you. If your shitty C# stager was sigged, declare your variables in a different order in your source code. Try again Defender For Endpoint (trial edition).
This morning I've been trying some of my other loader projects with the updated MingW on Kali instead of my outdated version on Linux Mint. Some got through, others didn't (outdated and signatured). Time to resurrect some Harriet modules, particularly process injection!
@EricaZelic @MalDevAcademy lifetime pass is cheaper and offers almost everything on the syllabus. Even regular Defender catches most CreateRemoteThread process injection at this point.
At 3k followers I will stop all infosec tweets and this will transition into a Hell's Kitchen fan account. Who is going to fuck up the risotto this week? Stay tuned.
I love the @RedTeamTactics account so much. They're always tweeting like the lonely innkeeper who can't get a date to the town Christmas festival in a Hallmark movie.