byt3bl33d3r

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
3. Host test.dll on a remote SMB or HTTP(S) server

byt3bl33d3r

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

byt3bl33d3r

{
        # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(proxy_upstream) {
        # Enable access logging to STDOUT
        log
        
        # This is our list of naughty client User Agents that we don't want accessing our C2

byt3bl33d3r

#! /usr/bin/env python3

# 
# Requires Python 3.7+ & aiohttp (speedups recommended)
# pip3 install aiohttp[speedups]
#

import sys
import asyncio
import aiohttp

byt3bl33d3r

Links describing the leaked EQ Group tools for Windows

Repositories and ports

• Lost in Translation - A repository of the leaked tools

• MS17-010 - Port of some of the exploits to Windows 10

Installation and usage guides

byt3bl33d3r

import pathlib
from playwright.sync_api import Playwright, sync_playwright


def run(playwright: Playwright) -> None:
    browser = playwright.chromium.launch(headless=False)
    context = browser.new_context()
    page = context.new_page()
    page.goto("https://www.archives.gov/research/jfk/release-2025")
    page.get_by_label("Show 102550100200All entries").select_option("All")

byt3bl33d3r

#[

    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: BSD 3-Clause

    AES256-CTR Encryption/Decryption
]#

import nimcrypto
import nimcrypto/sysrand

byt3bl33d3r

/*

Requires reference to System.Web.Extensions

*/

using System;
using System.Collections.Concurrent;
using System.Web.Script.Serialization;
using System.Text;

byt3bl33d3r

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

byt3bl33d3r

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from secrets import token_bytes


class DiffieHellman:
    def __init__(self):