mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0
485 stars 79 forks

Can't find Powershell one-liner Payload #23

Closed omkarbhat1995 closed 3 years ago

omkarbhat1995 commented 3 years ago

In the Red Team Setup part, we need to "Generate an encoded PowerShell oneliner payload" but I didn't see any instructions about how to generate this payload nor any information about what that is supposed to do. Can someone help me generate this payload? apt29

jcwilliamsATmitre commented 3 years ago

hey @omkarbhat1995!

This section is an extension of https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan/Day%202#red-team-systems, where you need to generate a PowerShell payload that calls back to whatever C2 framework you choose to use. We used PoshC2, where a stager is automatically generated when you start the C2 server (https://poshc2.readthedocs.io/en/latest/install_and_setup/config-and-starting.html#c2-server) but you can replace this value with any one-liner payload that you want to work into the emulation scripts.
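
The "encoded" part of that step refers to the base64 form that `powershell.exe -EncodedCommand` accepts, which is base64 over the UTF-16LE bytes of the script, not UTF-8. The following is an added example, not code from the attack-arsenal repository or from PoshC2, that wraps an arbitrary script in such a one-liner and decodes one back (the decode direction is what a defender does when an encoded command shows up in process-creation telemetry). The `STAGER_SCRIPT` string is a constructed placeholder; in the emulation you would substitute the stager text your C2 framework emitted, which this example does not include.

```python
import base64
import shlex

# Constructed placeholder standing in for the C2 stager text; it is not a PoshC2 stager.
STAGER_SCRIPT = "Write-Output 'constructed placeholder stager'"

# Argument spellings PowerShell accepts for -EncodedCommand (any unambiguous prefix works).
ENCODED_COMMAND_FLAGS = {"-encodedcommand", "-enc", "-ec", "-e"}


def encode_powershell_oneliner(script: str, hidden: bool = True) -> str:
    """Return a powershell.exe command line that runs `script` via -EncodedCommand.

    -EncodedCommand expects base64 of the script encoded as UTF-16LE; using UTF-8
    here is the classic mistake and yields a one-liner that silently does nothing.
    """
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    flags = ["-NoProfile", "-NonInteractive", "-ExecutionPolicy", "Bypass"]
    if hidden:
        flags += ["-WindowStyle", "Hidden"]
    return " ".join(["powershell.exe", *flags, "-EncodedCommand", encoded])


def decode_encoded_command(cmdline: str) -> str:
    """Recover the plaintext script from a command line that uses -EncodedCommand.

    Raises ValueError when no encoded-command argument is present, so callers can
    tell "not encoded" apart from "encoded with an empty script".
    """
    parts = shlex.split(cmdline)
    for i, part in enumerate(parts):
        if part.lower() in ENCODED_COMMAND_FLAGS and i + 1 < len(parts):
            return base64.b64decode(parts[i + 1]).decode("utf-16-le")
    raise ValueError("no -EncodedCommand argument found")


if __name__ == "__main__":
    oneliner = encode_powershell_oneliner(STAGER_SCRIPT)
    print(oneliner)
    # Round-trip check: what the target will actually execute.
    print(decode_encoded_command(oneliner))
```

Paste the returned string wherever the emulation scripts expect the one-liner; keep the round-trip decode as a sanity check, since a one-liner that fails to decode as UTF-16LE produces no error on the target, only silence.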

omkarbhat1995 commented 3 years ago

Also, in the case of the DLL file, in the next section, where do I get that file? Is it one of the files that PoshC2 generates? If so, how do I select the correct DLL file?

jcwilliamsATmitre commented 3 years ago

Correct! Similar to the PS payload, you can use any DLL that calls back to your C2 framework. We used the PoshC2 Sharp_v4_x64.dll file.
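
The file name in that answer encodes the two properties that matter when picking among the DLLs a framework emits: `x64` (bitness must match the process that will load it) and `Sharp` (a C# assembly, so it must carry a CLR header). The following is an added example, not code from attack-arsenal or PoshC2, that reads those two properties straight from the PE headers so you can confirm a candidate DLL before wiring it into the emulation. The `build_header_only_pe` fixture constructs a header-only image for demonstration; it is not a loadable DLL and the directory values it writes are arbitrary placeholders.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def inspect_pe(data: bytes) -> dict:
    """Return machine, optional-header bitness and whether a CLR header is present."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, _optsz, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        dir_off, bits = opt + 112, 64
    elif magic == PE32_MAGIC:
        dir_off, bits = opt + 96, 32
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # NumberOfRvaAndSizes sits immediately before the data directory array.
    (n_dirs,) = struct.unpack_from("<I", data, dir_off - 4)
    clr_rva = clr_size = 0
    if n_dirs > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dir_off + 8 * CLR_DIRECTORY_INDEX)
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "bits": bits,
        "managed": clr_rva != 0 and clr_size != 0,
    }


def is_x64_managed_dll(data: bytes) -> bool:
    """The combination the Sharp_v4_x64.dll name promises: 64-bit and a .NET assembly."""
    info = inspect_pe(data)
    return info["machine"] == "x64" and info["bits"] == 64 and info["managed"]


def build_header_only_pe(machine: int, magic: int, managed: bool) -> bytes:
    """Constructed header-only PE image for the demonstration; not a loadable DLL."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224  # 16 data directories
    # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dirs_off = 112 if magic == PE32PLUS_MAGIC else 96
    struct.pack_into("<I", opt, dirs_off - 4, 16)  # NumberOfRvaAndSizes
    if managed:
        # Placeholder RVA/size for the CLR header; only non-zero-ness matters here.
        struct.pack_into("<II", opt, dirs_off + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            print(inspect_pe(fh.read()))
    else:
        print(inspect_pe(build_header_only_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, True)))
```

Run it against the DLL your framework produced before dropping the name into the emulation scripts; a 32-bit or native DLL where a 64-bit managed one is expected fails at load time on the target with no useful message back at the C2.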