Forked from infosecn1nja/gist:04ab2d8ea15f98880bbf7b70168fa3dd
Created
June 25, 2021 09:20
-
-
Save fnsank/72b9bbb4964d04dd5dbb4cb3737ebaed to your computer and use it in GitHub Desktop.
APT Group/Red Team Weaponization Phase
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| APT Group/Red Team Weaponization Phase | |
| ======================================= | |
| C2 tools : | |
| - Cobalt Strike | |
| - Empire | |
| - PoshC2 | |
| - PupyRAT | |
| - Metasploit | |
| Weaponize tools : | |
| - Invoke-Obfuscation | |
| - demiguise | |
| - Veil-evasion | |
| - Invoke-DOSfuscation | |
| - morphHTA | |
| - Unicorn | |
| - Ruler | |
| Execute kill chain : | |
| ruler -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| zip -> CHM -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| zip -> LNK -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| zip -> mshta -> masquerading -> certutil -> powershell -> installutil -> persistence schtask/reg run keys/logon scripts/wmi | |
| zip -> mshta -> cmstp -> sct -> powershell -> persistence schtask/reg run keys/logon scripts/wmi | |
| pdf auto open -> settingcontent-ms -> mshta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| mshta -> certutil -> cmstp -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| mshta -> certutil -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft word macro -> powershell -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft word macro -> mshta -> powershell -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft word macro -> regsvr32/pubprn.vbs -> powershell -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft word CVE-2017-8570 -> sct -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft word CVE-2017-0199 -> hta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft word DDE -> powershell -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft excel IQY -> DDE -> certutil -> regasm | |
| Microsoft word OLE -> settingcontent-ms -> mshta load hta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi | |
| Microsoft word OLE -> mshta load hta -> powershell/pubprn.vbs/regsvr32/msiexec/rundll32 drop dll/drop exe/installutil/msbuild -> persistence schtask/reg run keys/logon scripts/wmi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment