Prelude chain browser
GhostLoader
Creates a staging directory and ingresses a C# script. Copies a binary from system32 to the staging directory and compiles the ingressed script. Stages an executable configuration file and launches the copied binary to indirectly load and run the assembly.
2021-07-06
Professional
This is a professional attack chain. A professional subscription automatically gives you access to this chain + 50 more, with direct integration inside of Operator.
Authors:
khyberspache, casey smith, w0rk3r
TTPs
Compile CSharp code on target
Stage a CSharp script in a temporary directory
Create a staging directory
Copy file with Esentutl
Stage executable configuration file
Launch executable with custom config
Tags
wizard spider, kaseya vsa attack
Tactics
Defense-evasion
Command-and-control
Collection
Execution
User-Set Custom Variables
payload.uri: ca4de6cd226540141c3495e713149bb4d6390f16/wrapper.cs