Skip to content

Instantly share code, notes, and snippets.

@infosecn1nja
Last active January 7, 2024 21:51
Show Gist options
  • Save infosecn1nja/04ab2d8ea15f98880bbf7b70168fa3dd to your computer and use it in GitHub Desktop.
Save infosecn1nja/04ab2d8ea15f98880bbf7b70168fa3dd to your computer and use it in GitHub Desktop.
APT Group/Red Team Weaponization Phase
APT Group/Red Team Weaponization Phase
=======================================
C2 tools :
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit
Weaponize tools :
- Invoke-Obfuscation
- demiguise
- Veil-evasion
- Invoke-DOSfuscation
- morphHTA
- Unicorn
- Ruler
Execute kill chain :
ruler -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
zip -> CHM -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
zip -> LNK -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
zip -> mshta -> masquerading -> certutil -> powershell -> installutil -> persistence schtask/reg run keys/logon scripts/wmi
zip -> mshta -> cmstp -> sct -> powershell -> persistence schtask/reg run keys/logon scripts/wmi
pdf auto open -> settingcontent-ms -> mshta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
mshta -> certutil -> cmstp -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
mshta -> certutil -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft word macro -> powershell -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft word macro -> mshta -> powershell -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft word macro -> regsvr32/pubprn.vbs -> powershell -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft word CVE-2017-8570 -> sct -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft word CVE-2017-0199 -> hta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft word DDE -> powershell -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft excel IQY -> DDE -> certutil -> regasm
Microsoft word OLE -> settingcontent-ms -> mshta load hta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
Microsoft word OLE -> mshta load hta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment