
Fileless Persistence

DangerStyle

CD disk
Banned
Registered
20.02.2024
Messages
10
Reactions
-1
Please note that this user is banned
Hi guys,

I am currently working on fileless malware that persists in the Windows registry.

I use mshta to execute a hidden PowerShell command at reboot.

I managed to bypass some AVs like Windows Defender or ESET Security, even with injection of shellcode, etc.

Now I have one problem: McAfee blocks every executed mshta command.

What can I use for fileless persistence and in my UAC bypass exploit to run a PowerShell command without any PowerShell windows popping up?

Thank you for your help!
 
PowerShell is always a red flag for every AV; try using C++ or C#. I recommend C++.
 
Why not use UAC bypasses for persistence?

Take fodhelper.exe, for example: you can write a simple stager using PowerShell (without mshta) and make it start when the user logs in, so when the user logs in, fodhelper.exe is executed and executes your PowerShell script.

Resources:
https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692
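Added defensive check for the mechanism described in the post above (example code, not from the thread or any of its posters): fodhelper.exe auto-elevates and resolves its ms-settings handler from a user-writable HKCU key, so that key should not exist on a clean machine, and a logon stager needs an autostart entry. The function names are my own; only stock PowerShell 5+ and read access to the registry are assumed.

```powershell
# Detection of the fodhelper.exe handler hijack plus LOLBin-based Run entries.
# Added example; function names are hypothetical, not from any tool.

function Test-FodhelperHijack {
    # fodhelper.exe reads the ms-settings protocol handler from HKCU, so a
    # user-created key here indicates tampering (MITRE ATT&CK T1548.002).
    $key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Key             = $key
        Command         = $props.'(default)'
        # The DelegateExecute value must be present for the hijack to work,
        # so its presence is the strongest indicator.
        DelegateExecute = ($null -ne $props.PSObject.Properties['DelegateExecute'])
    }
}

function Get-SuspiciousRunEntries {
    # Logon autostart values that launch a script host or interpreter match the
    # mshta / PowerShell stager pattern discussed in this thread.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $pattern = '(?i)\b(mshta|powershell|pwsh|wscript|cscript|rundll32)\b'
    foreach ($rk in $runKeys) {
        if (-not (Test-Path $rk)) { continue }
        $item = Get-Item -Path $rk
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match $pattern) {
                [pscustomobject]@{ Key = $rk; Name = $name; Command = $value }
            }
        }
    }
}

$hijack = Test-FodhelperHijack
if ($hijack) {
    Write-Warning "ms-settings handler present in HKCU: $($hijack.Command)"
    # Remediation after triage: Remove-Item -Path $hijack.Key -Recurse
}
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it in the context of the user account being investigated, since the hijack key lives under that user's HKCU hive rather than in HKLM.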
 
download from server and execute
I don't agree with you; it's better to embed the executable into the stub, because it will most likely trigger AV if you try to do an HTTP request to pull data, especially if the URL or IP is not clean or is blacklisted.
 
Have you also tried moving mshta.exe from its default location, c:\Windows\SysWOW64\mshta.exe, in case the detections are just using the path + filename to catch you? Try moving or copying mshta.exe to another location, rename it to something else, and see if you still get detected.
 

