| https://raw.githubusercontent.com/FortyNorthSecurity/C2concealer/3630a87e56a1e36ea0d907903fc9b7460419e71f/C2concealer/components/postex.py | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/Payload_Type/apollo/agent_code/Apollo/CommandModules/SpawnTo.cs | |
| https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/documentation-payload/apollo/commands/spawnto_x64.md | |
| https://raw.githubusercontent.com/TheRipperJhon/CAPE/2bc977577a8fcc81a46046fe5bf9248ed3ac0c28/modules/processing/parsers/malwareconfig/CobaltStrike.py | |
| https://raw.githubusercontent.com/Tylous/SourcePoint/7bebe641d9c0d2dbc41c27ef621333f257cbd3e6/Struct/Struct.go | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/92958fc2c9511d738bc1cd2dd44405c650991014/documentation-payload/apollo/opsec.md | |
| https://raw.githubusercontent.com/nsquar3/malware_analysis/e7f3070f4 |
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
People
 :bowtie: |
😄 :smile: |
😆 :laughing: |
|---|---|---|
😊 :blush: |
😃 :smiley: |
:relaxed: |
😏 :smirk: |
😍 :heart_eyes: |
😘 :kissing_heart: |
😚 :kissing_closed_eyes: |
😳 :flushed: |
😌 :relieved: |
😆 :satisfied: |
😁 :grin: |
😉 :wink: |
😜 :stuck_out_tongue_winking_eye: |
😝 :stuck_out_tongue_closed_eyes: |
😀 :grinning: |
😗 :kissing: |
😙 :kissing_smiling_eyes: |
😛 :stuck_out_tongue: |
