Amine shelld0n

## muti-stage-1.md

      
              1 file
            
          
              8 forks
            
          
              0 comments
            
          
              13 stars
            
          
                mgeeky
                / muti-stage-1.md
            
            
              Last active
              May 21, 2023 00:24
            
              
                Multi-Stage Malicious Document creation process (ala APT)
              
          
    Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.
The resulted document will be:

using OLE event autorun method
removing it's pretext shapes
Obtaining commands to be executed from document's Author property and passing them to StdIn of Powershell.exe process
Leveraging certutil technique to receive Base64 encoded malicious HTA document
Having Base64 encoded Powershell command in that Author property


## WMIPersistence.vbs
'
' SYNOPSIS:
' 	WMI Persistence method as originally presented by SEADADDY malware
'		(https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' 	and further documented by Matt Graeber.
'
' 	The scheduled command will be launched after roughly 3 minutes since system
' 	gets up. Also, even if the command shall spawn a window - it will not be visible,
' 	since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'

## msfvenom-reverse-tcp-WaitForSingleObject.md

      
              1 file
            
          
              25 forks
            
          
              12 comments
            
          
              52 stars
            
          
                mgeeky
                / msfvenom-reverse-tcp-WaitForSingleObject.md
            
            
              Last active
              November 14, 2023 19:45
            
              
                (OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.
              
          
    Looking for WaitForSingleObject call within modern msfvenom generated payload.


Abstract
This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.
Contents:
	'
	' SYNOPSIS:
	' WMI Persistence method as originally presented by SEADADDY malware
	' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
	' and further documented by Matt Graeber.
	'
	' The scheduled command will be launched after roughly 3 minutes since system
	' gets up. Also, even if the command shall spawn a window - it will not be visible,
	' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
	'