Login
LOLSpoof is a an interactive shell program that automatically spoof the command line arguments of the spawned process. Just call your incriminate-looking command line LOLBin (e.g. powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA....) and LOLSpoof will ensure that the process creation telemetry appears legitimate and clear.
Process command line is a very monitored telemetry, being thoroughly inspected by AV/EDRs, SOC analysts or threat hunters.
FreshRSS lolbin.exe " " * sizeof(real arguments)
Although this simple technique helps to bypass command line detection, it may introduce other suspicious telemetry: 1. Creation of suspended process 2. The new process has trailing spaces (but it's really easy to make it a repeated character or even random data instead) 3. Write to the spawned process with WriteProcessMemory
Built with Nim 1.6.12 (compiling with Nim 2.X yields errors!)
nimble install winim
Programs that clear or change the previous printed console messages (such as timeout.exe 10) breaks the program. when such commands are employed, you'll need to restart the console. Don't know how to fix that, open to suggestions.
The full explanation what is HTML Smuggling may be found here.
The primary objective of HTML smuggling is to bypass network security controls, such as firewalls and intrusion detection systems, by disguising malicious payloads within seemingly harmless HTML and JavaScript code. By exploiting the dynamic nature of web applications, attackers can deliver malicious content to a user's browser without triggering security alerts or being detected by traditional security mechanisms. Thanks to this technique, the download of a malicious file is not displayed in any way in modern IDS solutions.
The main goal of HTMLSmuggler tool is creating an independent javascript library with embedded malicious user-defined payload. This library may be integrated into your phishing sites/email html attachments/etc. to bypass IDS and IPS system and deliver embedded payload to the target user system. An example of created javascript library may be found here.
Install yarn package manager.
Install dependencies:
yarnRead help message.
yarn build -hModify (or use my) javascript-obfuscator options in obfuscator.js, my preset is nice, but very slow.
Compile your javascript payload:
yarn build -p /path/to/payload -n file.exe -t "application/octet-stream" -cGet your payload from dist/payload.esm.js or dist/payload.umd.js. After that, it may be inserted into your page and called with download() function.
payload.esm.jsis used inimport { download } from 'payload.esm';imports (ECMAScript standart).
payload.umd.jsis used in html script SRC andrequire('payload.umd');imports (CommonJS, AMD and pure html).
A full example may be found here.
Import created script to html file (or insert it inline):
<head>
<script src="payload.umd.js"></script>
</head>Call download() function from body:
<body>
<button onclick="download()">Some phishy button</button>
</body>Happy phishing :)
A full example may be found here.
Import created script to vue file:
<script>
import { download } from './payload.esm';
</script>Call download() function:
<template>
<button @click="download()">Some phishy button</button>
</template>Happy phishing :)
Q: I have an error RangeError: Maximum call stack size exceeded, how to solve it?
A: This issue described here. To fix it, try to disable splitStrings in obfuscator.js or make smaller payload (it's recommended to use up to 2Β MB payloads because of this issue).
Q: Why does my payload build so long?
A: The bigger payload you use, the longer it takes to create a JS file. To decrease time of build, try to disable splitStrings in obfuscator.js. Below is a table with estimated build times using default obfuscator.js.
| Payload size | Build time |
|---|---|
| 525 KB | 53 s |
| 1.25 MB | 8Β m |
| 3.59 MB | 25Β m |
