Loading video...
Video Failed to Load
Creating COM hijacking payloads has never been easier than with RustPack! With COM Hijacking, you can persist on a target system by 'living' in trusted user processes, such as the Chrome browser. You only need to bring one DLL. When the user opens Chrome, for example, a C2 connection... show more
16,004 views • 11 months ago •via X (Twitter)
0 Comments
No comments available
Comments from the original post will appear here
![How do you create your payloads in 2025? At MSec Operations we prefer to use DLL sideloading for EDR evasion. This technique allows our malicious code to run within a signed, legitimate executable. Combining this technique with other useful techniques will provide stable execution to fly under the radar. 🛸 The following video demonstrates the use of #RustPack to create such a payload in just a few seconds. The command line usage shows that our input payload is a simple unmodified Apollo C2 executable. We want to clone all the exported functions from the original Windows wininet.dll to create our own library with the same name. The execution of the payload will be delayed by ~5 seconds in this case, without using the Win32 sleep function, but by performing random calculations. ⏲️ Hardware breakpoints are used to bypass the Antimalware Scan Interface (AMSI). Without an AMSI bypass, Apollo would be flagged as a C# assembly when loaded. 🎓 Our payload will only fire on a domain joined system, this basically prevents it from running in e.g. sandbox environments. 🤠 Last but not least, in this example, the encrypted payload itself is stored in a separate file on the target system and not even in the same folder as our malicious DLL. Anyone analysing just the DLL will never be able to find out what the payload is. Automatic sample submissions for cloud analysis usually only upload the executable or DLL, emulators won't see the real payload either. 🤠 Tired of creating such payloads yourself? With #RustPack it's really easy, and payloads always look completely different, even if the same payload is packed twice to avoid signature-based detection Contact us via info[at] for more information! 👍](https://image.24vids.com/tw-1881421688572952651/ext_tw_video_thumb/1881420234654953473/pu/img/J3hM_loRV7uoHe3r.jpg)
![In one of our previous videos we demonstrated how to generate sideloading binaries by cloning the exports of an existing DLL to forward them - . However, using Microsoft DLLs and Microsoft-signed binaries is not the best OPsec, as it's easy for EDR vendors to create a detection rule for e.g. "version.dll" being loaded from a non-System32 directory. 🧐 We therefore recommend using third party signed executables that attempt to load their own DLL. This is much harder to track/map on the endpoint. If you know which functions are imported from your signed binary (see import table), you can also generate a sideloading DLL for persistence or initial access use cases. Bring your own third-party signed binary and voila - you're trusted! In this example, we sideload into java.exe, which is signed by Oracle. It attempts to load several DLLs - including jli.dll as shown in the video. #RustPack can easily create such DLLs with custom export functions - anti-debugging features, sandbox evasion, signature evasion and anti-emulation can be easily added. 🔥🔥 Userland hooks are bypassed by default options and you can enable custom AMSI/ETW bypasses for the process on top. If you want to use it for persistence, you can of course still clone the original DLL exports as we did in the previous video and forward them accordingly. 👍 Interested in buying RustPack? Contact us at info[at] ! #RedTeam #Pentest #OST #Maldev #Malware #Havoc](https://image.24vids.com/tw-1901306053851074805/ext_tw_video_thumb/1901302192675364864/pu/img/WNhK9e0HPtuIWPz_.jpg)
