
Undetected ClickFix delivery method


Status
Closed for further replies.

tainted_l0ve
Rank: RAID array
User
Registered: 27.11.2022
Posts: 73
Reactions: 24
Escrow deals: 4
Price: 500
Contacts: DM first
Hi,

By now you're all probably familiar with ClickFix (Win+R) payload delivery method.

You also might have noticed that all regular delivery commands (powershell, cmd, curl, mshta, etc.) are now immediately detected by Windows Defender & co.

I am selling a new method I found for delivery, using a command that is fully undetected.

What you will get:
1. new command (Windows native) + correct usage format <== this is the part which victims will use Ctrl + V in "Run" dialog
2. the method, source and tools to create the container archive <== this is downloaded and unpacked by the command

This method allows you to pack either direct .exe payload, or signed .exe with DLL (for DLL Sideload, which is what I personally use and recommend you do too).

Output is 1 file, ready to be hosted on your server and awaiting deployment.

Benefits:
  • full stealth, no suspicious processes invoked, no UAC, etc
  • no MotW
  • on delivery, payload is executed automatically
  • on delivery, command is automatically deleted from user "Run" history
  • (optional) this method allows you to achieve start-up persistence independently (evade behavioral analysis)
  • (optional) custom decoy steps can be added (auto-open URL or PDF file for user on payload execution, etc)

What this is NOT:
- this does not encrypt your payload. Crypting is on your side. This only ensures delivery and execution in 1 command.

Base price (no modifications): $500
If you want mods: let's discuss.

If interested, please DM me first. I will share Tox only through DM (I do not have Telegram).

Will only sell to 2 buyers. Guarantee welcome.
 
v1.1 update:
* Added ability to run any Powershell command - this way you can run powershell commands like you used to before, completely stealthy with 0 detections. Useful if you want to bypass AV with no payload dropped to disk. Added tool and step-by-step instructions on how to build the new payload container.
* Added ability to run custom .vbs - if you prefer classic VB script delivery method, this is also possible. Also runs silently.

Base price has been increased to $1000.

Please note that although I have done my best to include instructions with the source code and document the build steps, the base price does not include custom code or extensive support. Base package comes AS IS - the method works, but comes with no modifications or me teaching how to code. If you want the code configured and tested 100% for your use case, contact me to discuss your needs.
 
Good news everyone. I am opening up sales to a couple more people because I found 2 new download-to-execution one-liners, one 0/1day and another rare one, updated to be fully undetected and ready to help you bypass Clickfix/Win+R detections.

v1.2 update:
  • 0/1day one-liner using Windows signed binary. Never before used in the wild (!!!). Tested and working on Windows 10 and 11 (including Enterprise editions). Functionality is that it downloads any .exe from a remote host via TCP and automatically runs it without any restrictions (full MotW bypass). Fully working on User level.
  • Added and updated another rare lolbin that has been adapted as a one-liner for ClickFix.

If you want all 3 methods, the entire package price is $3500. Individually the 0/1day is $2000, and accordingly for the rest of them. Please note that I reserve the right to increase price at any time.

Previous customers can get the new methods at a difference from what they paid initially.

If interested, DM me for Tox contact.
 
Demo (video)


Also letting you know that this is not only a Win + R method. These methods can be used for payload delivery on BadUSB (RubberDucky, Malduino, etc.); I have a special script for such scenarios. Also, for red-team pentesters who need lolbins that download and bypass restrictions and EDR monitors -- this is also for you.


FAQ:

Q: How are your ClickFix (Win+R) methods unique from other methods?

A: All my methods bypass Win + R and allow payload delivery, but the area/range of how this is done varies slightly:

Method 1 - works on Win 7, 8, 10, 11 (all editions, including Windows Server). Allows you to deliver .exe, .exe with .dll, pure Powershell or VBS script (as you wish). This method works virtually everywhere (98% of cases). The 2% of fringe cases can occur when delivering on heavily locked-down corporate systems where admins have set restrictive AppLocker policies (this would mean blocking certain system functionality; it's pretty rare to go this extreme, but yes, sometimes it can happen).

Also another unique thing about this method is that you have the option of having "natural" persistence, done through a system executable. This is useful if your payload is for example a RAT and you want to avoid behavioral detections (those who ever wrote RATs know that having the same executable start and automatically create keys in [Microsoft\Windows\CurrentVersion\Run] is a big red flag for AVs). With my option, you get persistence that is separate from your payload, reducing detection risk.

Method 2 - works on Win 10, 11 (all end user editions, including LTSC and Enterprise, but no Server). This one is a 0day and will bypass even AppLocker restrictions and EDRs which monitor for executable or foreign downloads. The functionality is that it downloads any file and executes it without MotW (SmartScreen) restrictions. This method is the "nuclear option" for even those 2% cases. I've increased price on this one and I'm selling it on a very limited basis.

Method 3 - works on Win 8.1, 10, 11 (all end user editions and Server). This one is an older method which I have updated to bypass current detections and I offer as a variation if you do mass traffic and want to have an alternative to the above methods (and also not to "burn" them). This one can also "revive" older methods that had detections (for example, .hta delivery can be possible with it again).


Q: How long will this crypt last?

A: This is not a crypt. I do not crypt your file, you need to do that somewhere else. This only helps you deliver a payload (and if using Method 1, can help with achieving persistence).

Contact me for final price and if you have any questions.
 
v1.3 update:

  • Added MacOS (tested on Sequoia) and Linux (Debian, Fedora) Clickfix methods
  • Added visual decoy tweaks for methods 1 & 3 so that you can have comments and padding which look 100% legit, like this:

(screenshot: FupLmhB.png)

In the final package you're getting 3 unique and undetected Clickfix (Win + R) commands for Windows, all accessible from user-level accounts, and 2 methods for MacOS and Linux.

Those who buy the full package also get a custom Javascript obfuscator, to ensure that your Clickfix delivery methods remain hidden and undetected from HTML detections (yes, those happen too ;)

So... whatchu waiting, whatchu waiting fooooor. Hit me up.
 
so high price
Each package purchase will sponsor the purchase of Range Rovers for children in Uganda! Please think of the children 😁

But seriously... High compared to what? You get unique, undetected, powerful methods for payload delivery that you will not find anywhere else.

If the price was low and accessible to everyone, they would no longer be unique and just as soon would be signatured and detected.

So, that's quite fine as it is.

Moreover, I could lower the price and just give you the one liner with no instructions or support and say "go figure it out yourself". But I don't do that. I give full documentation, based on real-world usage trial and error and testing on actual targets.

I am constantly researching new lolbins or improving existing ones, finding ways how to tweak them, to make them stealthier or how to obfuscate them, or combine them in powerful new ways. All of this is added onto each new version of the package.

For example, I have just finished research and testing on how to make Method 2 also fit for delivering FUD Office Macros (.docm or .xslm). In fact, because this lolbin is so rare, these macros will live longer than most. Zero PowerShell used. This macro generator is now included for free to anyone who buys the package. You basically get a free dropper thrown in for Office files. And this is just one of the many applications of my methods. It's not just Clickfix.

Those who value their time and want proven techniques on real targets will see the value in what I have to offer.

And if not, that's ok too :) There are probably cheaper options out there (which will probably soon be raped by AVs and EDRs all over). I am not competing with them. I am doing my own thang.

And speaking of which, here's a video of using Method 2 as a macro dropper (video):

I used zero obfuscation for this one. Just to show that it's really unique and not been used anywhere else.
 
Pleasant person, keeps his agreements, is online often, I plan to test the crypt. Positive impression, knows what he is doing👍
 
Recommend a crypt for your method.
 