Execution
Execution: Command and Scripting Interpreter: Windows Command Shell
1. Crafting the Malicious Document
First, you need to create a macro-enabled document (e.g., a Word document with a .docm extension) that contains a macro. This macro will execute when the victim enables macros in their Office application.
2. Embedding the Macro
Within the document, embed a macro that executes when the document is opened. The macro will use the cmd
command to invoke a PowerShell script. Below is an example of a VBA (Visual Basic for Applications) macro that could be used:
This macro does the following:
Uses
WScript.Shell
to run a command in the Windows Command Shell (cmd
).The
cmd
command runs a PowerShell script that:Downloads a secondary payload (
payload.ps1
) from a remote server (https://staging.server/payload.ps1
) usingInvoke-WebRequest
.Executes the downloaded script in a hidden window.
3. PowerShell Script (payload.ps1)
The downloaded PowerShell script (payload.ps1
) is responsible for downloading and installing the secondary payload, disabling Windows Defender, and modifying execution policies. An example of the content of payload.ps1
is shown below:
4. Changing the Staging Server's IP Address
To evade IP-based blacklists, you should frequently change the staging server's IP address. This can be achieved by using a dynamic DNS service or rotating through a list of IP addresses. The staging server hosts both the initial PowerShell script (payload.ps1
) and the secondary payload (secondary_payload.exe
).
Execution: User Execution: Malicious File
1. Crafting the Malicious File
First, you need to create an executable that performs the malicious actions. This executable will be disguised as a PDF document and placed inside a zip file.
Creating the Executable
Use a programming language like C or C++ to create an executable that installs a backdoor. You will also use techniques such as UPX packing and encrypted strings to avoid detection.
Example C code snippet:
Packing the Executable with UPX
Use UPX (Ultimate Packer for eXecutables) to pack the executable, making it more challenging for antivirus software to detect.
2. Creating the Disguised File
Rename the packed executable to make it appear as a PDF document, such as Important_Update.pdf.exe
. Ensure the file extension remains .exe
but use an icon that resembles a PDF document.
3. Compressing the File
Compress the disguised executable into a zip file named Important_Update.zip
.
4. Distribution
Distribute the Important_Update.zip
file through phishing emails or other social engineering techniques, encouraging the victim to download and open the file.
5. Execution and Backdoor Installation
When the victim downloads and extracts the zip file, they see a file named Important_Update.pdf.exe
. Upon executing this file, it runs the packed executable which installs the backdoor.
Execution: Command and Scripting Interpreter: PowerShell
1. Crafting the Initial PowerShell Script
The initial PowerShell script will be obfuscated using base64 encoding and various aliases to make it harder for endpoint security tools to detect.
Example PowerShell Script (Obfuscated)
This PowerShell script does the following:
Defines the URL for the advanced backdoor and the output path.
Downloads the backdoor and executes it using
Invoke-WebRequest
andStart-Process
.Encodes the script in base64 and uses aliases to obfuscate the final command.
2. Running the Obfuscated PowerShell Command
Executing the Command from Command-Line
3. Advanced Backdoor
The advanced backdoor executable should be capable of performing various malicious activities such as keylogging, screen capturing, and downloading additional payloads.
Example Functionalities of the Advanced Backdoor
Keylogging:
Screen Capturing:
Downloading Additional Payloads:
Execution: Native API
1. Understanding the Windows Native API
The Windows Native API provides functions to interact with the operating system, such as creating processes, reading, and writing memory. These functions can be used to perform malicious activities while appearing legitimate to the operating system and security software.
2. Writing a C/C++ Program to Use Native API
Example Program
Create a C/C++ program that uses the CreateProcess
, ReadProcessMemory
, and WriteProcessMemory
functions to launch malicious processes and manipulate system memory.
Example C code:
3. Compiling the Program
Compile the C/C++ program using a compiler like Visual Studio or GCC for Windows (MinGW).
4. Running the Malicious Program
Execute the compiled program from the command-line to perform the malicious activities.
5. Using Native API for Data Exfiltration and Backdoor Establishment
Example for Data Exfiltration
To maintain real-time data exfiltration, an attacker might continuously read sensitive data from a process memory and send it to a remote server.
Additional Code Snippet for Data Exfiltration:
Establishing a Backdoor
To establish a backdoor, the attacker could inject code that establishes a connection to a command and control server, awaiting further instructions.
Additional Code Snippet for Backdoor:
Execution: Scheduled Task/Job: Scheduled Task
1. Creating the Scheduled Task
First, you need to create a PowerShell script that will download and execute additional payloads.
Example PowerShell Script
Create a script named update_payload.ps1
:
2. Creating the Scheduled Task Using schtasks
Use the schtasks
command to create a scheduled task that runs the PowerShell script at regular intervals.
Explanation of parameters:
/tn "UpdateCheck"
: Specifies the name of the task./tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\update_payload.ps1"
: Specifies the action to run the PowerShell script./sc daily
: Schedules the task to run daily./st 00:00
: Specifies the start time of the task./f
: Forces the creation of the task, replacing any existing task with the same name.
3. Hiding the Scheduled Task
To hide the task and avoid detection, modify the registry to delete the Security Descriptor (SD) value associated with the task. This makes the task invisible in the Task Scheduler GUI and command-line tools.
Deleting the Security Descriptor (SD) Value
Use the reg
command to delete the SD
value:
Replace {TASK-GUID}
with the actual GUID of the task, which can be found by inspecting the registry keys under:
Execution: Command and Scripting Interpreter: Visual Basic
1. Crafting the Malicious VBScript
First, write a VBScript that downloads and executes additional payloads. The script should be obfuscated and named to resemble a legitimate administrative task.
Example VBScript (Obfuscated)
Save the following script as maintenance.vbs
:
In this example:
The
Base64Decode
function decodes base64-encoded strings.The
encodedCommand
variable holds a base64-encoded PowerShell command that downloads and executes a payload.The script decodes the command and runs it using PowerShell.
2. Obfuscating the Script
Obfuscate the VBScript by encoding the PowerShell command and renaming functions and variables to generic names.
Encoding the PowerShell Command
Encode the PowerShell command using base64. Here is an example PowerShell command to download and execute a payload:
Encode this command to base64:
Use the resulting base64 string in the VBScript.
3. Embedding the Script in Routine Tasks
Rename the script to resemble a routine maintenance task and embed it in scheduled tasks or other automation frameworks used by the IT department.
Example of Scheduling the VBScript
Use schtasks
to schedule the script to run at regular intervals:
Explanation of parameters:
/tn "RoutineMaintenance"
: Names the task to resemble a routine maintenance task./tr "cscript.exe C:\path\to\maintenance.vbs"
: Specifies the action to run the VBScript usingcscript.exe
./sc daily
: Schedules the task to run daily./st 02:00
: Specifies the start time of the task./f
: Forces the creation of the task, replacing any existing task with the same name.
Execution: Windows Management Instrumentation
1. Download and Execute the Initial Payload using WMI
Use WMI to run a PowerShell command that downloads and executes the secondary payload.
Example PowerShell Command
Create a PowerShell command that downloads and runs a secondary payload:
Encode this PowerShell command in Base64 to use with WMI:
2. Execute the Encoded PowerShell Command using WMI
Use the wmic
command to run the encoded PowerShell command via WMI.
Replace <encodedCommand>
with the actual Base64 encoded string generated in the previous step.
3. Ensuring Persistence using WMI
Use WMI to schedule tasks that ensure the malware runs every time the system boots.
Create a WMI Event Subscription for Persistence
WMI event subscriptions can be used to trigger actions based on system events, such as system startup.
4. Example Script for Secondary Payload
Create the PowerShell script (maintenance.ps1
) that the event consumer will execute. This script can perform various malicious activities such as keylogging, taking screenshots, and stealing files.
Example PowerShell Script
Execution: User Execution: Malicious Link
1. Setting Up the Malicious Website
First, you need to set up a web server that hosts the malicious payload and serves the phishing page.
Example Web Server Setup
Install a Web Server (e.g., Apache or Nginx):
Create the Malicious Payload:
Create a malicious executable and name it
document.pdf.exe
. Ensure it has an icon that resembles a PDF file.Create the Phishing Page:
Create an HTML file that looks like a legitimate login page or news site. Add obfuscated JavaScript to trigger the download.
Save this file as
index.html
in the web server’s root directory.Enable SSL:
Use Let's Encrypt to secure the website with SSL.
Follow the prompts to complete the SSL setup.
2. Crafting the Phishing Email
Craft a phishing email that includes the malicious link and sends it to the targeted staff members.
Example Phishing Email
3. Sending the Phishing Email
Use a command-line email client like sendmail
or mail
to send the phishing email to the targeted staff members.
Example Using mail
Command
First, install the mail
command if it's not already installed:
Then, send the phishing email:
Execution: Exploitation for Client Execution
1. Identifying the Vulnerability
The first step is identifying a specific vulnerability within the software installed on the client's system. Common targets include buffer overflow or memory corruption vulnerabilities. Tools like Nmap, Nessus, or OpenVAS can help identify these vulnerabilities.
2. Crafting the Exploit
Once a vulnerability is identified, the next step is to craft an exploit. For buffer overflow or memory corruption vulnerabilities, this often involves creating a payload that will overflow the buffer and overwrite the return address to point to the shellcode.
Example: Using Metasploit Framework to generate a payload.
This command generates a Windows executable payload that opens a reverse TCP connection to your IP and port.
3. Delivering the Exploit
Deliver the payload to the target system. This can be done via social engineering, phishing, or leveraging a vulnerable service to upload the payload.
Example: Using a simple HTTP server to deliver the payload.
On the target machine, the user is tricked into downloading and executing the payload:
4. Exploiting the Vulnerability and Executing the Payload
If the target system is configured to run the downloaded payload automatically (e.g., through a social engineering tactic), the payload will execute and establish a reverse connection.
5. Establishing a Backdoor
The payload executed in the previous step will attempt to connect back to the attacker's machine, providing a Meterpreter session or similar shell.
Example: Using Metasploit to handle the reverse connection.
Once the reverse connection is established, you can run arbitrary commands on the compromised system.
6. Creating a Persistent Backdoor
To maintain access, you can use the Meterpreter session to set up a persistent backdoor.
Example: Using Meterpreter to create a persistent backdoor.
This command sets up persistence, where -U
starts the backdoor at user login, -i 5
is the interval in seconds between connection attempts, -p
is the port, and -r
is the attacker's IP address.
7. Executing Arbitrary Commands
Now, with the backdoor in place, you can execute any command on the compromised system remotely.
Example: Running a command on the target system.
Execution: System Services: Service Execution
1. Create the Malicious Payload
First, you need to create a malicious payload. For this example, we will use Metasploit to generate a payload that connects back to a command and control (C2) server.
This command generates an executable payload that establishes a reverse TCP connection to your specified IP and port.
2. Transfer the Payload to the Target System
Next, you need to transfer the payload to the target system. This can be done using various methods such as using a simple HTTP server or exploiting a vulnerability to upload the file.
Example: Using Python's HTTP server to serve the payload.
On the target machine, download the payload using curl
or powershell
.
or
3. Create a New Service
Now, create a new Windows service that will execute the malicious payload. Use the sc
command to create the service. The service is named and described to resemble legitimate services to avoid detection.
4. Configure the Service
Ensure the service is configured to run automatically at startup, and with SYSTEM privileges for maximum access.
5. Start the Service
Start the newly created service to execute the malicious payload.
6. Verify the Service
Ensure the service is running correctly and verify it by checking its status.
7. Connect Back to the C2 Server
Once the service is started, it will execute the payload, which in this case is a Meterpreter shell that connects back to the attacker's C2 server.
Last updated