Desktops are quickly accessible via a remote desktop session, so sometimes it makes sense to stage files on a user’s
desktop prior to exfiltrating them. While there are better locations (like the recycling bin/trash or A/V exempted
folders), the ease of accessibility sometimes takes priority over subtlety.
Many EDR tools inject custom DLLs into Windows processes to "hook" system calls for
analysis. One method an attacker can use to bypass those hooks is through remapping the .text section of the in-memory
ntdll.dll module with the on-disk .text section. This essentially removes all of the EDR's hooks by replacing them with
the correct versions of the original system call stubs. This approach is fairly common in C++, so this version uses P/Invoke
to load the unmanaged code for unhooking. Thanks to @makosec and @spotheplant for excellent resources (see attached
metadata for references).
Import a registry key to the HKLM to support prelude DLL execution abilities. Export the target Registry key and save
it to the specified .REG file within an alternate data stream.
Use the built-in .NET compiler to compile a CSharp payload on the target system. This is useful to avoid writing
binary payloads directly to a target system (which can often be signatured or otherwise impossible to achieve).
Clean up all the encrypted and decrypted files containing the suffixes ".encrypted-operator" and ".decrypted-operator".
It can easily be modified to target all files, specific extensions, and so on, to delete files off a disk.
Create a fake email that contains a link to an Excel document containing a malicious macro. If the user opens the macro, it will download a Pneuma payload (on Windows) and open a modal explaining they have accidentally installed malware.
Create a root persistence user account "prelude" via the Heap-Based Buffer Overflow in Sudo (Baron Samedit) identified
in CVE-2021-3156. Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow,
which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash
character. This appends a line to /etc/passwd so you can later `su prelude` using the generated password.
Download a custom DLL that can be attached to netsh as a helper that will call a value stored in the registry
whenever netsh is run. The DLL will make a system() call for whatever value is stored in the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Prelude\Operator
key with the name `bin_path` (so bin_path with a string `C:\\Windows\\System32\\cmd.exe` for example). The DLL itself
uses the SysWhispers project to create a custom wrapper to NtCreateThreadEx to bypass API hooks by EDR products. Persistence
triggers any time netsh is run.
Stage a CSharp script in a local temporary file either via a built-in script or a specified URI. The provided example
will spawn a command prompt process.
Ingress a vulnerable version of Windows Defender Antimalware Service Executable (4.5.218.0) that can side-load
a properly formatted Dynamic-link Library (DLL) that exports the function ServiceCrtMain.
Spawn a beacon using the Heap-Based Buffer Overflow in Sudo (Baron Samedit) identified in CVE-2021-3156. Sudo before 1.9.5p2
contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root
via "sudoedit -s" and a command-line argument ending with a single backslash character.
Exploit the PrintNightmare vulnerability using a custom driver DLL containing a CreateProcess call that launches a Pneuma
DLL as NT AUTHORITY\SYSTEM via rundll32.exe.
Present the user with an infinitely looping prompt that forces the user to select Report a problem. If the user does this,
a Pneuma agent is downloaded on their system. The correct way to avoid this is by reaching out to IT or manually killing
the prompt process.
Display an alert to the user explaining that they have fallen victim to a credential access technique and their plaintext
credentials have been collected.
Ingress a payload that overwrites (or clones) a target payload and replaces it with a redirect to launch a script of some
kind. This script allows you to spawn new agents (or display alerts) by tricking users into double-clicking on files they
assumed were the original file.
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This downloads a SharpHound
payload to disk and runs it locally.