Step 1) Start an AMSI ETW trace from an elevated command prompt
logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets
Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-mem assembly loads
Step 3) Stop the AMSI trace
| #include <string.h> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| #include "beacon.h" | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD); | |
| DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD); |
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
| package main | |
| /* | |
| Example Go program with multiple .NET Binaries embedded | |
| This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with: | |
| $ go get -u github.com/gobuffalo/packr/packr | |
| Place all your EXEs are in a "binaries" folder |
| #! /usr/bin/env python3 | |
| # | |
| # Requires Python 3.7+ & aiohttp (speedups recommended) | |
| # pip3 install aiohttp[speedups] | |
| # | |
| import sys | |
| import asyncio | |
| import aiohttp |
| #include "ntos.h" | |
| #define GLCKIO_DEVICE_TYPE (DWORD)0x8010 //same as WinIO/MsIo and all clones based on this bugfest code | |
| #define GLCKIO_REGISTER_FUNCID (DWORD)0x818 | |
| #define GLCKIO_READMSR (DWORD)0x816 | |
| #define IOCTL_GKCKIO_REGISTER \ | |
| CTL_CODE(GLCKIO_DEVICE_TYPE, GLCKIO_REGISTER_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) |
| <# | |
| ImageFileExecutionOptions v1.0 | |
| License: GPLv3 | |
| Author: @netbiosX | |
| #> | |
| # Image File Execution Options Injection Persistence Technique | |
| # https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/ | |
| function Persist-Debugger |
| # ################################################################################ | |
| # IMPORTANT NOTE | |
| # The most recent version of this POC rule can now be found in the main repository | |
| # https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml | |
| # ################################################################################ | |
| # _____ __ __ ___ __ | |
| # / ___/__ ___/ / / |/ /__ ___/ /__ | |
| # / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
| # \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_ | |
| # / __(_)__ ___ _ ___ _ / _ \__ __/ /__ |
| [DllImport("shell32.dll", SetLastError = true)] | |
| static extern IntPtr CommandLineToArgvW([MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs); | |
| public static string[] CommandLineToArgs(string commandLine) | |
| { | |
| int argc; | |
| var argv = CommandLineToArgvW(commandLine, out argc); | |
| if (argv == IntPtr.Zero) | |
| throw new System.ComponentModel.Win32Exception(); | |
| try |
| 1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases | |
| 2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a | |
| 3. use @pljoel katz.cs cs file and uncomment the building lines available on Delivery.Program.Main() & comment Exec() line of code. | |
| 4. Build it to generate file.b64, copy its content and replace Package.file string available on payload.txt file. | |
| 6. Make sure payloadPath var is properly set on "TestAssemblyLoader.cs" | |
