Closed: trickster0 closed 2 years ago
Hi @trickster0, check if the AV is blocking the execution.
Hello Ahmed, thanks for all the hard work you have done here.
I have the exact same problem as trickster0. I cannot get an agent/beacon or anything to show up in list after running all payloads. The only payload that does anything is the HTA, and that just says: [+] New Agent Request HTA PAYLOAD. But there is nothing in List.
I also have turned off all AV/Real time Defender when testing.
Is the problem due to changes with Microsoft Security updates earlier this year? https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
I kindly thank you.
Hi Dubo.
I tested the HTA payload with Defender turned off and it ran without issues. Can you provide me details about the system you're testing HTA on, like OS type and OS version?
Hi Ahmed,
Thanks but I am still having the same problem as trickster0 mentioned above.
When I run any of the PowerShell payloads (with Defender off), nothing happens. The ports and IPs and my lab setup are correct and I have used several other C2s in my research.
So, with the PowerShell payloads I get only:
(Ninja : main)
And with the mshtas, I get:
(Ninja : main) [+] New Agent Request HTA PAYLOAD (IP-ADDRESS)
But no connection. Then, I try 'list', but get no beacon/agents:
(Ninja : main) list
ID Status ExternalIP InternalIP OS Arch ComputerName Username PID
(Ninja : main)
I have tried all of the above with and without the default ssl cert.
Thank you again for looking into this.
Best wishes.
Windows 10 VM and Windows 10 machine.
Hello,
After running the payloads I get no beacon back. I do get that the malicious link was reached and a new request happened for HTA payload but that is it.