Jump to content
YOUR-AD-HERE
HOSTING
TOOLS
SERVICE

Search the Community

Showing results for tags 'payload'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Staff Control
    • Staff Announcements
  • General doubts | News
    • General doubts
    • News
  • Hacking | Remote Administration | Bugs & Exploits
    • Hacking
    • Remote Administration
    • Bugs & Exploits
  • Programming | Web | SEO | Prefabricated applications
    • General Programming
    • Web Programming
    • Prefabricated Applications
    • SEO
  • Pentesting Zone
    • Pentesting Accounts
    • Reverse Engineering
  • Security & Anonymity
    • Security
    • Wireless Security
    • Web Security
    • Anonymity
  • Operating Systems | Hardware | Programs
    • Operating systems
    • Hardware
    • PC programs
    • iOS
    • Android
  • Graphic Design
    • Graphic Design
  • vBCms Comments
  • live stream tv
    • live stream tv
  • Marketplace
    • Sell
    • Services
    • Request
  • Pentesting Premium
    • Pentesting Accounts
  • Modders Section
    • Source Codes
    • Manuals | Videos
    • Tools
    • Others
  • PRIV8-Section
    • Exploits
    • Accounts|Dumps
    • Crypter|Binder|Bots
    • Tutorials|Videos
    • Cracked Tools
    • Make Money
    • More Tools
    • Databeses
    • Ebooks
  • Pentesting Zone PRIV8
    • Pentesting Accounts
    • Reverse Engineering
    • Cracker Preview Area
  • Carding Zone PRIV8
    • Carding
    • Phishing
    • Defacing
    • Doxing
    • Special User Premium Preview Area
  • Recycle Bin
    • Recycle
  • Null3D's Nulled Group

Product Groups

  • PRIV8
  • Advertising
  • Access Basic
  • Seller
  • Services

Categories

  • Files
  • Online Book
  • Services

Categories

  • Hacking

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


About Me

  1. ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, utilizing a technique to flush an EDR’s hook out the system DLLs running in the process’s memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. Changelog v5.1 Bug Fixes Fixed issue with the --outpath and the sha256 [hide][Hidden Content]]
  2. CrossC2 framework is a security framework for enterprises and Red Team personnel supports CobaltStrike’s penetration testing of other platforms (Linux / MacOS / …), supports custom modules, and includes some commonly used penetration modules. Feature For a faster way, see cna introduction GO Linux & MacOS supports no file landing, load and execute from memory dynamic library or executable file GO Flexibly customize the data return type of the execution file, portscan, screenshot, keystrokes, credentials and other user-defined development to achieve more convenient implementation GO Custom communication protocol GO Android & iPhone support GO Restricted description: CobaltStrike: currently only supports the last version of cs 3.14(bug fixes). Linux: For particularly old systems, you can choose the “Linux-GLIBC” option in cna (around 2010) MacOS: Latest systems only support 64-bit programs iOS: sandbox, restricted cmd Embedded: only *nix ⍻ : Loader is still in progress [hide][Hidden Content]]
  3. Invoke-PSObfuscation v1.0.0 - obfuscating the individual components of a PowerShell payload Traditional obfuscation techniques tend to add layers to encapsulate standing code, such as base64 or compression. These payloads do continue to have a varied degree of success, but they have become trivial to extract the intended payload and some launchers get detected often, which essentially introduces chokepoints. The approach this tool introduces is a methodology where you can target and obfuscate the individual components of a script with randomized variations while achieving the same intended logic, without encapsulating the entire payload within a single layer. Due to the complexity of the obfuscation logic, the resulting payloads will be very difficult to signature and will slip past heuristic engines that are not programmed to emulate the inherited logic. While this script can obfuscate most payloads successfully on its own, this project will also serve as a standing framework that I will use to produce future functions that will utilize this framework to provide dedicated obfuscated payloads, such as one that only produces reverse shells. Dedicated Payloads As part of my ongoing work with PowerShell obfuscation, I am building out scripts that produce dedicated payloads that utilize this framework. These have helped to save me time and hope you find them useful as well. You can find them within their own folders at the root of this repository. Get-ReverseShell Get-DownloadCradle Get-Shellcode v1.0.0 This project has been live for a while, but publishing a release for some versioning history. [hide][Hidden Content]]
  4. Details: no crt functions imported syscall unhooking using KnownDllUnhook api hashing using Rotr32 hashing algo payload encryption using rc4 - payload is saved in .rsrc process injection - targetting 'SettingSyncHost.exe' ppid spoofing & blockdlls policy using NtCreateUserProcess stealthy remote process injection - chunking using debugging & NtQueueApcThread for payload execution [hide][Hidden Content]]
  5. Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze utilizes multiple techniques to not only remove Userland EDR hooks but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls. Creating A Suspended Process When a process is created, Ntdll.dll is the first DLL that is loaded. This happens before any EDR DLLs are loaded. This means that there is a bit of a delay before an EDR can be loaded and start hooking and modifying the assembly of system DLLs. In looking at Windows syscalls in Ntdll.dll, we can see that nothing is hooked yet. If we create a process in a suspended state (one that is frozen in time), we can see that no other DLLs are loaded, except for Ntdll.dll. You can also see that no EDR DLLs are loaded, meaning that the syscalls located in Ntdll.dll are unmodified. [hide][Hidden Content]]
  6. Purpose toxssin is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an https server that works as an interpreter for the traffic generated by the malicious JavaScript payload that powers this tool (toxin.js). This project started as (and still is) a research-based creative endeavor to explore the exploitability depth that an XSS vulnerability may introduce by using vanilla JavaScript, trusted certificates and cheap tricks. Disclaimer: The project is quite fresh and has not been widely tested. [hide][Hidden Content]]
  7. ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, utilizing a technique to flush an EDR’s hook out the system DLLs running in the process’s memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hooked-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid being detected an any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions. ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialisation vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DLLMain being there. During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things: Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist) ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option. Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen this file name will map to the associated attributes for that file name, ensuring that the right values are assigned. Changelog v4.1 New Features Added -outpath to put the final Payload/Loader in a specific path once it’s compiled Bug Fixes Fixed bug with the binary loaders that caused an occasional crash Fixed duplicate import when -console is called with other options Fixed issue with msiexec loader’s with Jscript file extensions Fixed typos in README [hide][Hidden Content]]
  8. ScareCrow ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, utilizing a technique to flush an EDR’s hook out the system DLLs running in the process’s memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hooked-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid being detected an any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions. ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialisation vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DLLMain being there. During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things: Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist) ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option. Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen this file name will map to the associated attributes for that file name, ensuring that the right values are assigned. Changelog v4.0 New Features Introduced AMSI bypass mechanisms to prevent AMSI events from being generated. Added a -noamsi command option to not patch AMSI. Added graphic icons to all binary loaders that match the binary. Added Garble for compiling all loaders. Added a -sha256 command to list the sha256 hash of the loaders. Removed all IoC’s for certain well-known Anti-Malware products. Rewrote the shellcode and decrypt function into a library rather than a function in the main file. Updated binary loader method of allocating and executing shellcode. Updated system DLL method from base64 to byte array. Removed _CGO_Dummy_Export From all DLL-based loaders. Removed CGO for compiling binary loaders. Bug Fixes Fixed bug with certain attributes not properly showing for binary loaders. Fixed code bug with HTA files with WScript, Control, and MSIexec loaders. Fixed Index error for WScript loaders. Added error messaging for when -O is not defined with WScript and Excel loaders. Fixed issue with the -unmodified command line breaking. Updated help menu & README. [hide][Hidden Content]]
  9. Agartha { LFI | RCE | Auth | SQLi | Http-Js } Agartha is a penetration testing tool that creates dynamic payload lists and user access matrix to reveal injection flaws and authentication/authorization issues. There are many different attack payloads that exist, but Agartha creates run-time, systematic, and vendor-neutral payloads with many different possibilities and bypassing methods. It also draws attention to user session and URL relationships, which makes it easy to find user access violations. And additionally, it converts Http requests to JavaScript to help dig up XSS issues. In summary: Payload Generator: It creates payloads/wordlists for different attacks. Directory Traversal/Local File Inclusion: It creates file dictionary lists with various encoding and escaping characters. Remote Code Execution: It creates command dictionary lists for both Unix and Windows environments with different combinations. SQL Injection: It creates Batched Queries, Boolean-Based, Union-Based and Time-Based SQLi wordlist for various databases to help find vulnerable spots. Authorization Matrix: It creates an access role matrix based on user sessions and URL lists to determine authorization/authentication-related access violation issues. And Http Request to JavaScript Converter: It converts Http requests to JavaScript code to be useful for further XSS exploitation and more. [hide][Hidden Content]]
  10. CAPE is a malware sandbox. It was derived from Cuckoo with the goal of adding automated malware unpacking and config extraction - hence its name is an acronym: 'Config And Payload Extraction'. Automated unpacking allows classification based on Yara signatures to complement network (Suricata) and behavior (API) signatures. [hide][Hidden Content]]
  11. What is DNSStager? DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. DNSStager will create a malicious DNS server that handles DNS requests to your domain and return your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding the payload using different algorithms. It can generate a custom agent written in C or GoLang that will resolve a sequence of domains, retrieve the payload, decode it and finally inject it into the memory based on any technique you want. You can edit the code of the DNSStager agent as you wish, and build it using your own custom execution techniques. The main goal of using DNSStager is to help red teamers/pentesters to deliver their payloads in the stealthy channel using DNS. DNSStager key features: DNSStager has some key features such as: Hide and Resolve your payload in IPV6 records. Hide and Resolve your payload in TXT records. XOR encoder to encode your payload. Base64 encoder to encode your payload (only for TXT records). Pure agent wrote in C with the ability to customise it. Pure agent wrote in GoLang with the ability to customise it. The ability to use sleep between each DNS request. AND MUCH MORE TO COME! Changelog v1.0 New features added such as: The ability to generate DNSStager DLL agents. C agent with enhanced OPSEC and performance. Print the total number of DNS requests. Fixed the following issues: Dynamic shellcode size allocation instead of hardcoded value. Remove unused variables inside the agent C code. Also, general code enhancements were made. [hide][Hidden Content]]
  12. Description ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. [hide][Hidden Content]]
  13. EXOCET – AV-evading, undetectable, payload delivery tool EXOCET is superior to Metasploit’s “Evasive Payloads” modules as EXOCET uses AES-256 in GCM Mode (Galois/Counter Mode). Metasploit’s Evasion Payloads uses an easy to detect RC4 encryption. While RC4 can decrypt faster, AES-256 is much more difficult to ascertain the intent of the malware. [hide][Hidden Content]]
  14. CrossC2 framework – Generator CobaltStrike’s cross-platform beacon CrossC2 framework is a security framework for enterprises and Red Team personnel supports CobaltStrike’s penetration testing of other platforms (Linux / MacOS / …), supports custom modules, and includes some commonly used penetration modules. Feature For a faster way, see cna introduction GO Linux & MacOS supports no file landing, load and execute from memory dynamic library or executable file GO Flexibly customize the data return type of the execution file, portscan, screenshot, keystrokes, credentials and other user-defined development to achieve more convenient implementation GO Custom communication protocol GO Android & iPhone support GO Restricted description: CobaltStrike: currently only supports the last version of cs 3.14(bug fixes). Linux: For particularly old systems, you can choose the “Linux-GLIBC” option in cna (around 2010) MacOS: Latest systems only support 64-bit programs iOS: sandbox, restricted cmd Embedded: only *nix ⍻ : Loader is still in progress Changelog v3.0 fix File download speed increased New MacOS & Linux support dynamic library beacon. LD_PRELOAD=./libbeacon.so java Dynamic library beacon supports entering the background to run.(export CC_BG=1) export CC_BG=1 && LD_PRELOAD=./libbeacon.so java [hide][Hidden Content]]
  15. Mystikal Mystikal is a macOS payload generator integrated with Mythic. Mystikal leverages Mythic scripting to log in and creates the necessary payload for the selected initial access method. Mystikal creates an Apfell or Leviathan payload depending on the chosen initial access method. A common payload used for initial access is the installer package. These packages are eXtensible ARchiver (XAR) archives that conform to a specific folder structure and have a .pkg file extension. The easy comparison to Windows would be Windows installers which typically have the .msi file extension. As with Windows installers, installer packages execution typically results in an install wizard presented to the end-user for installation. For offensive use, typical installer package execution relies upon preinstall and postinstall scripts, which are simple bash scripts that execute during the installation process. An alternative method depends upon the abuse of JavaScript within distribution Extensible Markup Language (XML) files using InstallerJS. Apple’s InstallerJS is an Application Programming Interface (API) leveraged in distribution XML files to perform installation checks. Within the InstallerJS API is the system.run tag, which can execute system commands. The Silver Sparrow malware recently used this method. By abusing the distribution XML file, attackers can perform the same tasks typically within preinstall / postinstall scripts. The benefit of this method is that it makes it slightly harder to see what actions the installer package is performing. Additionally, due to the invocation time of the distribution XML file, the installer package does not need to finish the installation process for execution to occur. Changelog v2.2.13 Merge pull request #107 from its-a-feature/2.2-updates added in a few more pages for the new ui, updated mythic-cli to include… [hide][Hidden Content]]
  16. PageTableInjection Code Injection, Inject malicious payload via pagetables pml4. Introduction This is just a proof-of-concept of the page table injection technique to inject malicious code into the arbitrary user processes. On Windows(and some modern OSes), every process has a its PML4 a.k.a Directory Table Base. Thus the process A cannot access process B without APIs. but how about if we can inject arbitrary PML4 entry? of course, the PML4 entry will point to the corresponding physical address of entries, PDP, PD, and PT as exactly the same as the backing process. In order to inject malicious PML4 entry to the target process, we need to have an actual resident page (physical memory) that backing the malicious PML4 entry. Thus literally the resident page must be a resident, otherwise, the system will crash or would become unstable, because, during the MMU translating to the physical address, there is nothing that MMU expects, as well as there is nothing the windows memory manager has nothing expects. Let’s look at the both backing process and target process buffers. In this case, the buffers are: Backing Process VA: 0x1A45F810000 Deployment Process Injected VA: 0x6EA45F810000 Before step to the next, some of you may think that the 2nd address(0x6EA45F810000) looks weird like usually, we allocated buffer via malloc or VirtualAlloc, the virtual address should look like 0x17C7CAC0000 0x23BE9D80000 0x19FE76F0000 or some sort of these. it’s because the malicious PML4 entry is not involved to the memory manager of windows, and is not managed as well. of course every virtual address on Windows 64-bit process could possibly have any value within a range of user memory range. So if we look into both addresses… [hide][Hidden Content]]
  17. What is DNSStager? DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. DNSStager will create a malicious DNS server that handles DNS requests to your domain and return your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding the payload using different algorithms. It can generate a custom agent written in C or GoLang that will resolve a sequence of domains, retrieve the payload, decode it and finally inject it into the memory based on any technique you want. You can edit the code of the DNSStager agent as you wish, and build it using your own custom execution techniques. The main goal of using DNSStager is to help red teamers/pentesters to deliver their payloads in the stealthy channel using DNS. How does it work? Based on your DNS resolution option, DNSStager will split your payload into chunks and save each chunk of the payload as a response for a subdomain. For example, if you choose IPV6 as your option to retrieve the payload, the DNS response will be something like: cloud-srv-1.test.mydnsserver.live. 300 IN AAAA 5648:31d2:6548:8b52:6048:8b52:1848:8b52 Where 5648:31d2:6548:8b52:6048:8b52:1848:8b52 is a part of your payload? So, the agent will resolve some domains to retrieve the payload and then decode it and finally inject it into memory. Currently, DNSStager only supports two records, AAAA and TXT. You can encode your payload using XOR for the AAAA record and by default, it will be encoded as base64 if you choose TXT record. DNSStager key features: DNSStager has some key features such as: Hide and Resolve your payload in IPV6 records. Hide and Resolve your payload in TXT records. XOR encoder to encode your payload. Base64 encoder to encode your payload (only for TXT records). Pure agent wrote in C with the ability to customise it. Pure agent wrote in GoLang with the ability to customise it. The ability to use sleep between each DNS request. AND MUCH MORE TO COME! [hide][Hidden Content]]
  18. Mystikal is a macOS payload generator integrated with Mythic. Mystikal leverages Mythic scripting to log in and creates the necessary payload for the selected initial access method. Mystikal creates an Apfell or Leviathan payload depending on the chosen initial access method. A common payload used for initial access is the installer package. These packages are eXtensible ARchiver (XAR) archives that conform to a specific folder structure and have a .pkg file extension. The easy comparison to Windows would be Windows installers which typically have the .msi file extension. As with Windows installers, installer packages execution typically results in an install wizard presented to the end-user for installation. For offensive use, typical installer package execution relies upon preinstall and postinstall scripts, which are simple bash scripts that execute during the installation process. An alternative method depends upon the abuse of JavaScript within distribution Extensible Markup Language (XML) files using InstallerJS. Apple’s InstallerJS is an Application Programming Interface (API) leveraged in distribution XML files to perform installation checks. Within the InstallerJS API is the system.run tag, which can execute system commands. The Silver Sparrow malware recently used this method. By abusing the distribution XML file, attackers can perform the same tasks typically within preinstall / postinstall scripts. The benefit of this method is that it makes it slightly harder to see what actions the installer package is performing. Additionally, due to the invocation time of the distribution XML file, the installer package does not need to finish the installation process for execution to occur. [hide][Hidden Content]]
  19. HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Features Support for most common executable formats like elf, macho, pe. Support for most common architectures like x64, x86, aarch64, armle, mipsle, mipsbe. Ability to modify shellcode by changing pre-defined offsets. Basic functions There are all HatVenom basic functions that can be used to generate a payload, covert data, or inject shellcode. ip_bytes(ip) – Converts IP address to bytes allowed by the shellcode. port_bytes(port) – Converts numeric port to bytes allowed by the shellcode. string_bytes(string) – Converts a string to bytes allowed by the shellcode. generate(file_format, arch, shellcode, offsets={}) – Generates payload for specified target and with specified shellcode. generate_to(file_format, arch, shellcode, offsets={}, filename=’a.out’) – Generates payload for specified target and with specified shellcode and saves it to the specified file. [hide][Hidden Content]]
  20. ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, utilizing a technique to flush an EDR’s hook out the system DLLs running in the process’s memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hooked-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid being detected an any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions. ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialisation vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DLLMain being there. During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things: Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist) ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option. Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen this file name will map to the associated attributes for that file name, ensuring that the right values are assigned. Changelog v2.0 New Features Introduced ETW bypass mechanisms to prevent ETW events from being generated. Introduced unhooked process Injection techniques to unhook an EDR from the injected process. Added a flag to allow a custom set of JSON for Attribute Spoofing. Add a new list of DLLs for the WScript loader option. Added anti-attribution controls in binary mode. Bug Fixes Fixed some command line bugs. Updated help menu & README. [hide][Hidden Content]]
  21. MeterPwrShell Automated Tool That Generate A Powershell Oneliner That Can Create Meterpreter Shell On Metasploit,Bypass AMSI,Bypass Firewall,Bypass UAC,And Bypass Any AVs. This tool is powered by Metasploit-Framework and amsi.fail Notes NEVER UPLOAD THE PAYLOAD THAT GENERATED BY THIS PROGRAM TO ANY ONLINE SCANNER NEVER USE THIS PROGRAM FOR MALICIOUS PURPOSE SPREADING THE PAYLOAD THAT GENERATED BY THIS PROGRAM IS NOT COOL ANY DAMAGE GENERATED BY THIS PROGRAM IS NOT MY (As the program maker) RESPONSIBILTY!!! If you have some feature recommendation,post that on Issue If you have some issue with the program,try redownloading it again (trust me),cause sometimes i edit the release and fix it without telling 😂 If you want to know how tf my payload bypass any AVs,you can check on this and this Dont even try to fork this repository,you'll dont get the releases! Features (v1.5.1) Bypass UAC Automatic Migrate (using PrependMigrate) Built-in GetSYSTEM (if u use the Bypass UAC option) Disable All Firewall Profile (if u use the Bypass UAC option) Fully Bypass Windows Defender Real-time Protection (if you choose shortened payload or using Bypass UAC or both) Disable Windows Defender Security Features (if u use the Bypass UAC option) Fully unkillable payload Bypasses AMSI Successfully (if you choose shortened payload) Short One-Liner (if you choose shortened payload) Bypass Firewall (If you pick an unstaged payload) Great CLI A Lot More (Try it by yourself) [hide][Hidden Content]]
  22. ScareCrow ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, utilizing a technique to flush an EDR’s hook out the system DLLs running in the process’s memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hooked-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid being detected an any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions. ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialisation vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DLLMain being there. During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things: Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist) ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option. Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen this file name will map to the associated attributes for that file name, ensuring that the right values are assigned. Changelog v1.5 Bug fixes Fixed error with delivery commands ‘htaandbits` that prevented the one-line command from displaying. Added in additional controls to allow certain types of loaders to be used with certain delivery commands (to prevent incompatibilities) Updated help menu & README to indicate which delivery commands work well with what loaders [hide][Hidden Content]]
  23. CrossC2 framework – Generator CobaltStrike’s cross-platform beacon CrossC2 framework is a security framework for enterprises and Red Team personnel supports CobaltStrike’s penetration testing of other platforms (Linux / MacOS / …), supports custom modules, and includes some commonly used penetration modules. Only for internal use by enterprises and organizations, this framework has a certain degree of instability. Non-professionals are not allowed to use it. Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities. Feature For a faster way, see cna introduction GO Linux & MacOS supports no file landing, load and execute from memory dynamic library or executable file GO Flexibly customize the data return type of the execution file, portscan, screenshot, keystrokes, credentials and other user-defined development to achieve more convenient implementation GO Custom communication protocol GO Android & iPhone support GO Restricted description: CobaltStrike: currently only supports the last version of cs 3.14(bug fixes). Linux: For particularly old systems, you can choose the “Linux-GLIBC” option in cna (around 2010) MacOS: Latest systems only support 64-bit programs iOS: sandbox, restricted cmd Embedded: only *nix ⍻ : Loader is still in progress Changelog v2.1 New Supports running scripts from memory (bash/python/perl/ruby/php/..) [hide][Hidden Content]]
  24. Features Inject multiple payloads into all parameters Inject single payloads into all parameters Saves responses into output folder Displays Status Code & Response Length Can grep for patterns in the response Really fast Easy to setup [hide][Hidden Content]]
  25. Description A security framework for enterprises and Red Team personnel, supports CobaltStrike's penetration testing of other platforms (Linux / MacOS / ...), supports custom modules, and includes some commonly used penetration modules. ChangeLog release v2.0 : -fix Fix the problem of path errors caused by backslashes when uploading files in the file management office -fix Long-term testing in various scenarios in the real environment, fixing some hidden problems, and now more stable +support Support for lower kernel version systems +support Environment variables are automatically set at startup +support Delete sensitive env records at startup +support The background service process can be linked to the init process at startup +support Increase session spawn function +support Increase the function of session setting environment variables +support Increase the privilege escalation function of session getsystem +support Increase session analysis function to handle multiple merge tasks +support Increase Mac & Linux lateral movement function [hide][Hidden Content]]
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.