Ninja
Payload is not executed?
Hello,
After running the payloads I get no beacon back. I do get that the malicious link was reached and a new request happened for HTA payload but that is it.
Hi @trickster0, check if the AV is blocking the execution.
Hello Ahmed, thanks for all the hard work you have done here.
I have the exact same problem as trickster0. I cannot get an agent/beacon or anything to show up in list after running all payloads. The only payload that does anything is the HTA, and that just says: [+] New Agent Request HTA PAYLOAD. But there is nothing in List.
I also have turned off all AV/Real time Defender when testing.
Is the problem due to changes with Microsoft Security updates earlier this year? https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
I kindly thank you.
Hi Dubo.
I tested the HTA payload with Defender turned off and it ran without issues. Can you provide me details about the system you're testing HTA on, like OS type and OS version?
Hi Ahmed,
Thanks but I am still having the same problem as trickster0 mentioned above.
When I run any of the PowerShell payloads (with Defender off), nothing happens. The ports and IPs and my lab setup are correct and I have used several other C2s in my research.
So, with the PowerShell payloads I get only:
(Ninja : main)
And with the mshtas, I get:
(Ninja : main) [+] New Agent Request HTA PAYLOAD (IP-ADDRESS)
But no connection. Then, I try 'list', but get no beacon/agents:
(Ninja : main) list
ID Status ExternalIP InternalIP OS Arch ComputerName Username PID
(Ninja : main)
I have tried all of the above with and without the default ssl cert.
Thank you again for looking into this.
Best wishes.
Windows 10 VM and Windows 10 machine.