cobbr / Covenant

Covenant is a collaborative .NET C2 framework for red teamers.
https://cobbr.io/Covenant.html
GNU General Public License v3.0

[Bug] Compiled GruntStager code results in a 404 Error: Not Found #141

Closed chr0n1k closed 4 years ago

chr0n1k commented 4 years ago

Bug

Description: Compiling GruntStager code for binary after making some edits to the code to be able to bypass Windows Defender detection returns a 404 error from the server: The remote server returned an error: (404) Not Found.


Change made to code: Modified this line: string MessageFormat = @"{{""GUID"":""{0}"",""Type"":{1},""Meta"":""{2}"",""IV"":""{3}"",""EncryptedMessage"":""{4}"",""HMAC"":""{5}""}}"; with a base64 string.

Expected behavior: A connection to the C2 server.

Covenant Server Information:

Target Information (System that implant is running on):

cobbr commented 4 years ago

What code did you edit? And what Stage does the Grunt make it to before the error? (i.e. Stage0, Stage1, Stage2, etc.)

chr0n1k commented 4 years ago

Modified this line 54: string MessageFormat = @"{{""GUID"":""{0}"",""Type"":{1},""Meta"":""{2}"",""IV"":""{3}"",""EncryptedMessage"":""{4}"",""HMAC"":""{5}""}}"; with a base64 string like this: byte[] MessageFormatByte = Convert.FromBase64String(@"QCJ7eyIiR1VJRCIiOiIiezB9IiIsIiJUeXBlIiI6ezF9LCIiTWV0YSIiOiIiezJ9IiIsIiJJViIiOiIiezN9IiIsIiJFbmNyeXB0ZWRNZXNzYWdlIiI6IiJ7NH0iIiwiIkhNQUMiIjoiIns1fSIifX0iOw=="); string MessageFormat = Encoding.UTF8.GetString(MessageFormatByte, 0, MessageFormatByte.Length);

I believe this is happening before Stage0 because there is nothing that comes up on the server.

chr0n1k commented 4 years ago

I also changed words like "Grunt", "Stager", "Execute" and "Covenant" to other variables.

py7hagoras commented 4 years ago

@chr0n1k Your Base64 encoded representation of MessageFormat is not correct.

chr0n1k commented 4 years ago

@py7hagoras thanks for spotting that. I edited the code to look as below but still get the 404 Error: Not Found:

byte[] MessageFormatByte = Convert.FromBase64String(@"e3siIkdVSUQiIjoiInswfSIiLCIiVHlwZSIiOnsxfSwiIk1ldGEiIjoiInsyfSIiLCIiSVYiIjoiInszfSIiLCIiRW5jcnlwdGVkTWVzc2FnZSIiOiIiezR9IiIsIiJITUFDIiI6IiJ7NX0iIn19");

Where could I be going wrong?

py7hagoras commented 4 years ago

I wrote an article about it here; it should be the same as the one there. Though I doubt it still gets past Defender.

chr0n1k commented 4 years ago

@py7hagoras I was following your blog actually to test it out.

Unfortunately AMSI does pick it up now even if you change the MessageFormat.

chr0n1k commented 4 years ago

@py7hagoras I found the error in my base64 conversion. Tested the exe and got a connection back to the server. Of course this was all done with defender off.

cobbr commented 4 years ago

Thanks for helping to figure this out @py7hagoras and @chr0n1k

py7hagoras commented 4 years ago

> @py7hagoras I found the error in my base64 conversion. Tested the exe and got a connection back to the server. Of course this was all done with defender off.

What I do sometimes is modify the stager and executor codes, convert to shellcode with donut and use one of Odzhan's injection techniques to bypass both AVs and EDRs.
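From the defender's side, the MessageFormat string quoted in this thread is the one stable artifact: every Grunt check-in is a JSON object with exactly the keys GUID, Type, Meta, IV, EncryptedMessage and HMAC, with Type as the only unquoted (numeric) field. The Python below is an added example, not code from Covenant or from anyone in this thread; it classifies captured HTTP request bodies against that shape and reports why a body does not match. It assumes that IV, EncryptedMessage and HMAC carry base64 text (consistent with the encrypted-envelope field names) and uses constructed sample bodies rather than real traffic.

```python
import base64
import binascii
import json

# Key set taken verbatim from the MessageFormat string quoted in the issue.
GRUNT_MESSAGE_KEYS = {"GUID", "Type", "Meta", "IV", "EncryptedMessage", "HMAC"}
# Assumption: these three fields carry base64-encoded binary (IV, ciphertext, MAC).
BASE64_FIELDS = ("IV", "EncryptedMessage", "HMAC")


def _is_base64(value):
    """True if value is a non-empty, strictly valid base64 string."""
    if not isinstance(value, str) or not value:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify_body(body):
    """Return the list of reasons a request body does NOT match the Grunt
    message shape. An empty list means the body has exactly that structure."""
    try:
        msg = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return ["not JSON"]
    if not isinstance(msg, dict):
        return ["JSON top level is not an object"]

    reasons = []
    keys = set(msg)
    missing = GRUNT_MESSAGE_KEYS - keys
    extra = keys - GRUNT_MESSAGE_KEYS
    if missing:
        reasons.append("missing keys: " + ", ".join(sorted(missing)))
    if extra:
        reasons.append("unexpected keys: " + ", ".join(sorted(extra)))
    if not isinstance(msg.get("GUID"), str):
        reasons.append("GUID is not a string")
    # Type is the one unquoted placeholder in the format, so it must be a JSON number.
    type_value = msg.get("Type")
    if isinstance(type_value, bool) or not isinstance(type_value, int):
        reasons.append("Type is not an integer")
    if not isinstance(msg.get("Meta"), str):
        reasons.append("Meta is not a string")
    for field in BASE64_FIELDS:
        if not _is_base64(msg.get(field)):
            reasons.append(field + " is not valid base64")
    return reasons


def looks_like_grunt_message(body):
    """Convenience predicate for filtering a capture."""
    return not classify_body(body)


def scan_bodies(bodies):
    """Return the indices of bodies that match, for triage in a larger capture."""
    return [i for i, body in enumerate(bodies) if looks_like_grunt_message(body)]


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample bodies (not real traffic). Index 0 follows the quoted
# format exactly; the rest are near misses and ordinary web traffic.
SAMPLE_BODIES = [
    json.dumps({"GUID": "constructed-guid-0001", "Type": 0, "Meta": "",
                "IV": _b64(b"\x00" * 16), "EncryptedMessage": _b64(b"constructed"),
                "HMAC": _b64(b"\x01" * 32)}),
    json.dumps({"GUID": "constructed-guid-0002", "Type": 0, "Meta": "",
                "IV": "not-base64!", "EncryptedMessage": _b64(b"x"),
                "HMAC": _b64(b"\x01" * 32)}),
    json.dumps({"user": "alice", "password": "constructed"}),
    "<html><body>not json at all</body></html>",
]


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        reasons = classify_body(body)
        print(i, "MATCH" if not reasons else "no match: " + "; ".join(reasons))
```

Run over a capture of request bodies, `scan_bodies` narrows review to the handful of requests that have the exact envelope structure; `classify_body` explains each rejection, which is useful when tuning the rule against legitimate JSON APIs that happen to share a key or two.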