operator
ChainsTTPsBlogLogin
menu
Prelude chain browser

GhostLoader

Creating a staging directory and ingress a C# script. Copy a binary from system32 to the staging directory and compile the ingressed script. Stage an executable configuration file and launch the copied binary to indirectly load and run the assembly.

2021-07-06

/static/assets/windows-logo.svg
Professional
This is a professional attack chain. A professional subscription automatically gives you access to this chain + 50 more, with direct integration inside of Operator.info
Authors:khyberspache, casey smith, w0rk3r

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Compile CSharp code on target
Stage a CSharp script in a temporary directory
Create a staging directory
Copy file with Esentutl
Stage executable configuration file
Launch executable with custom config

Tags

wizard spider, kaseya vsa attack

Tactics

User-Set Custom Variables

  • payload.uri: ca4de6cd226540141c3495e713149bb4d6390f16/wrapper.cs
About PreludePrelude hardens an organization's defenses by continuously “asking” it questions through the form of safe cyberattacks. These attacks respond immediately to the latest vulnerabilities and cyber events, turning complex technical descriptions into deployable “questions”.Our mission is to increase the reach, frequency and usage of advanced security for all organizations.
twitterFollow @preludeorg on Twitter for new chains and more.
discordJoin the Prelude Discord to discuss chains and more.
githubKeep up to date with code changes and community activity on Github
operator
preludesecurity.comCareersTactics & TechniquesAttack themes
Privacy Policysupport@preludesecurity.com© 2023 Prelude Research, Inc.All rights reserved. Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.