
MSec Operations
@MSecOps • 1,656 subscribers
Videos

Tools such as those from Impacket are usually flagged for lateral movement because of the pre-built service executable that is dropped on the remote system. However, some vendors also flag Impacket based on its behaviour. With RustPack, you can easily create service executables that won't be detected by signatures or behaviour-based detection. 😎 In this demo video, an unsigned service executable is generated. It will only fire the payload on a system with the hostname 'Win11': environmental keying prevents the payload from showing up in a sandbox or cloud analysis. To avoid Impacket detection, we drop and execute the binary via the recently released Titanis protocol library from TrustedSec. The result is an Adaptix C2 connection in the SYSTEM context. 🫡 #Pentest #RedTeam #Malware #OST
MSec Operations • 70,578 views • 7 months ago

How do you create your payloads in 2025? At MSec Operations we prefer to use DLL sideloading for EDR evasion. This technique allows our malicious code to run within a signed, legitimate executable. Combining it with other useful techniques provides stable execution to fly under the radar. 🛸 The following video demonstrates the use of #RustPack to create such a payload in just a few seconds. The command-line usage shows that our input payload is a simple, unmodified Apollo C2 executable. We want to clone all the exported functions from the original Windows wininet.dll to create our own library with the same name. In this case, the execution of the payload is delayed by ~5 seconds, not by using the Win32 sleep function but by performing random calculations. ⏲️ Hardware breakpoints are used to bypass the Antimalware Scan Interface (AMSI). Without an AMSI bypass, Apollo would be flagged as a C# assembly when loaded. 🎓 Our payload will only fire on a domain-joined system, which basically prevents it from running in e.g. sandbox environments. 🤠 Last but not least, in this example the encrypted payload itself is stored in a separate file on the target system, not even in the same folder as our malicious DLL. Anyone analysing just the DLL will never be able to find out what the payload is. Automatic sample submissions for cloud analysis usually only upload the executable or DLL, so emulators won't see the real payload either. 🤠 Tired of creating such payloads yourself? With #RustPack it's really easy, and payloads always look completely different, even if the same payload is packed twice, to avoid signature-based detection. Contact us via info[at] for more information! 👍
MSec Operations • 26,003 views • 1 year ago

Creating COM hijacking payloads has never been easier than with RustPack! With COM Hijacking, you can persist on a target system by 'living' in trusted user processes, such as the Chrome browser. You only need to bring one DLL. When the user opens Chrome, for example, a C2 connection is established. 🔥 Achieving stable payload execution without crashing or freezing the target system requires an understanding of what is relevant. Additionally, lots of processes may attempt to load the hijacked CLSID; you don't want to receive 43 beacons per day from the same system. Limiting execution to a defined process is important here! 🎓 What about combining that payload with environmental keying, anti-emulation, anti-sandboxing, as well as AMSI and ETW bypasses? Doing all this yourself will take time. With RustPack, however, you can create such a payload in a few seconds, and it's stable! The video demonstrates how to create a payload DLL to execute Adaptix C2 shellcode in the Chrome browser. 🛸
MSec Operations • 16,004 views • 11 months ago

In one of our previous videos we demonstrated how to generate sideloading binaries by cloning the exports of an existing DLL and forwarding them. However, using Microsoft DLLs and Microsoft-signed binaries is not the best OPSEC, as it's easy for EDR vendors to create a detection rule for e.g. "version.dll" being loaded from a non-System32 directory. 🧐 We therefore recommend using third-party signed executables that attempt to load their own DLL. This is much harder to track/map on the endpoint. If you know which functions are imported from your signed binary (see its import table), you can also generate a sideloading DLL for persistence or initial access use cases. Bring your own third-party signed binary and voilà, you're trusted! In this example, we sideload into java.exe, which is signed by Oracle. It attempts to load several DLLs, including jli.dll as shown in the video. #RustPack can easily create such DLLs with custom export functions; anti-debugging features, sandbox evasion, signature evasion and anti-emulation can be easily added. 🔥🔥 Userland hooks are bypassed by the default options, and you can enable custom AMSI/ETW bypasses for the process on top. If you want to use it for persistence, you can of course still clone the original DLL exports as we did in the previous video and forward them accordingly. 👍 Interested in buying RustPack? Contact us at info[at] ! #RedTeam #Pentest #OST #Maldev #Malware #Havoc
MSec Operations • 10,686 views • 1 year ago