
CobaltStrike BOF: Collection of beacon BOF


itsMe



1 ) DCOM Lateral Movement
A quick PoC that uses DCOM (ShellWindows) via beacon object files for lateral movement. You can either specify credentials or use the current user. To use the current user, just leave the domain, username, and password empty. A short article about using COM objects in C can be found here.

2 ) WMI Lateral Movement – Win32_Process Create
Similar concepts to the previous one, but an interesting learning experience. Code adopted from CIA Vault 8. This method uses the class Win32_Process.

3 ) WMI Lateral Movement – Event Subscription
This one uses WMI events for lateral movement. Most of the heavy lifting was done by wumb0in

4 ) On-demand C2
This is an implementation of an on-demand C2 using dotnet BOF. The beacon will enter a sleep state until an email with a given word (in subject or body) is provided. This way your beacon will call home ONLY when you want it to call home. When the beacon calls home, it will call home with whatever sleep time is configured in the malleable profile. When you are done, you can run the BOF again, and the beacon will sleep until you send another email. As an extra, the email with the given word will be deleted before the user gets notified about it.
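For defenders, items 2 and 3 leave telemetry on the target host that can be triaged with a few lines of code. The following is an added example, not part of the original post or of the BOF collection: it assumes Sysmon-style records (event ID 1 for process creation, 19/20/21 for WMI filter, consumer and binding registration) already parsed into dictionaries, and all sample events and host names are constructed.

```python
import ntpath
from collections import defaultdict

# Constructed sample records, shaped loosely like parsed Sysmon events.
# Field names follow Sysmon (EventID, Image, ParentImage); values are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 19, "Computer": "WS02", "Name": "ExampleFilter"},
    {"EventID": 20, "Computer": "WS02", "Name": "ExampleConsumer"},
    {"EventID": 21, "Computer": "WS02", "Consumer": "ExampleConsumer",
     "Filter": "ExampleFilter"},
    {"EventID": 20, "Computer": "WS03", "Name": "LoneConsumer"},
]

# Sysmon event IDs for the three parts of a WMI event subscription.
WMI_SUBSCRIPTION_IDS = {19: "filter", 20: "consumer", 21: "binding"}

def wmi_spawned_processes(events):
    """Process-creation events (ID 1) whose parent is the WMI provider host,
    which is what a Win32_Process Create call looks like on the target."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent == "wmiprvse.exe":
            hits.append((ev["Computer"], ev["Image"]))
    return hits

def wmi_subscription_state(events):
    """Map each computer to the subscription parts registered on it."""
    seen = defaultdict(set)
    for ev in events:
        part = WMI_SUBSCRIPTION_IDS.get(ev.get("EventID"))
        if part:
            seen[ev["Computer"]].add(part)
    return dict(seen)

def complete_subscriptions(events):
    """Computers where a filter, a consumer and their binding were all seen."""
    state = wmi_subscription_state(events)
    return sorted(c for c, parts in state.items() if len(parts) == 3)

if __name__ == "__main__":
    for computer, image in wmi_spawned_processes(SAMPLE_EVENTS):
        print(f"[process via WMI] {computer}: {image}")
    for computer in complete_subscriptions(SAMPLE_EVENTS):
        print(f"[WMI event subscription] {computer}")
```

Legitimate management software also spawns processes from WmiPrvSE.exe and registers subscriptions, so these hits are triage leads to correlate with remote logons, not verdicts.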
