Droppers

ClickOnce:

release non-malicious, then once installed release malicious updates

HTA:

can include jscript, vbscript etc

LogoGitHub - tyranid/DotNetToJScript: A tool to create a JScript file which loads a .NET v2 assembly from memory.GitHub

use that to compile c# code to jscript, vbscript, vba (very old though so will get caught)

Instead use:

LogoGitHub - med0x2e/GadgetToJScript: A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.GitHub

or

LogoGitHub - rasta-mouse/GadgetToJScript: A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.GitHub

VBA/ Macro 4.0:

LogoGitHub - TheWover/donut: Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parametersGitHub
use to generate shellcode from .NET assembly files

hover over A1 and edit the selection box (top left) and enter Auto_Open to auto run

LogoGitHub - RedSiege/EXCELntDonut: Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.GitHub

sanbox checks:

  • check the width/hieght of the window

  • is mouse present

  • can host play sound

add guardrails to target specific users / domains / ip ranges to potentailly bypass sandboxing envs

PreviousMeterpreterNextCobaltStrike

Last updated