Other File Types

- ClickOnce Files

Using .NET languages like C# offers ease of writing and obfuscation, along with flexibility for evading detection. Leveraging the .NET framework allows easy transition to unmanaged PowerShell. However, triggering SmartScreen, requiring user interaction for execution, and reliance on Internet Explorer or Edge for payload delivery pose limitations.

C# (or the .NET language of your choice) can be easily obfuscated and used to either load shellcode or run unmanaged PowerShell: https://github.com/Mr-Un1k0d3r/ClickOnceGenerator

- IQY Files

IQY file-based attacks offer simplicity in development and obfuscation, with flexibility for evasion and bypassing SmartScreen. However, they face challenges such as heightened detection efforts, reliance on user interaction, and Excel disabling them on most systems.

IQY File + Embedded DLL POC: https://gist.github.com/Mr-Un1k0d3r/4ed3e3e0416fbbd1fd015119359eb961

IQY File Remote Payload POC: https://gist.github.com/Mr-Un1k0d3r/abdcf16ebcef5842c7f79ee6686271e7

=cmd|' /c more /E +12 %userprofile%\Downloads\poc.iqy > %temp%\poc.hex && certutil -decodehex %temp%\poc.hex%temp%\poc.dll && C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %temp%\poc.dll'!'A1'
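From the defender's side, the shape of that line is what a mail gateway or endpoint triage script keys on: a legitimate IQY is a short text file whose first line is `WEB` and whose third line is an HTTPS URL, whereas the abuse case replaces the URL with a DDE-style `=server|'...'!cell` formula. The following scanner is an added example written for this page, not code from the original or from the linked gists; the sample IQY contents and the LOLBin keyword list are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample IQY bodies (not taken from the page): a plain web query
# and one carrying a DDE-style formula instead of a URL.
BENIGN_IQY = "WEB\n1\nhttps://example.invalid/report.csv\n\nSelection=EntirePage\nFormatting=None\n"
SUSPICIOUS_IQY = "WEB\n1\n=cmd|' /c echo poc'!'A1'\n"

# "=<server>|" at the start of a line is the DDE launch shape; the server name
# is whatever Excel would be asked to start.
DDE_PATTERN = re.compile(r"^\s*=\s*([A-Za-z0-9_.]+)\s*\|", re.MULTILINE)
# Assumed watch-list of binaries commonly chained from IQY/DDE (illustrative only).
LOLBIN_TOKENS = ("cmd", "powershell", "certutil", "regasm", "mshta", "rundll32", "regsvr32")


def analyze_iqy(text: str) -> Dict[str, object]:
    """Inspect IQY text and return the query URL, findings and a verdict.

    Verdicts: 'block' when a DDE formula is present, 'review' when the URL line
    is not an https URL or a LOLBin name appears anywhere, otherwise 'allow'.
    """
    lines = text.splitlines()
    findings: List[str] = []

    if not lines or lines[0].strip().upper() != "WEB":
        findings.append("missing WEB header")

    # Line 3 of a web query file is the URL Excel will fetch.
    url_line = lines[2].strip() if len(lines) > 2 else ""

    dde_servers = [m.group(1).lower() for m in DDE_PATTERN.finditer(text)]
    for server in dde_servers:
        findings.append(f"DDE-style formula launching '{server}'")

    lowered = text.lower()
    for token in LOLBIN_TOKENS:
        if re.search(rf"\b{re.escape(token)}\b", lowered):
            findings.append(f"LOLBin token '{token}' present")

    if not url_line.lower().startswith("https://") and not dde_servers:
        findings.append(f"query line is not an https URL: {url_line!r}")

    if dde_servers:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"

    return {"url": url_line, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        print(label, analyze_iqy(body))
```

The LOLBin check is deliberately a second, weaker signal: an IQY whose URL points at an internal host named `certutil` would land in `review`, not `block`, so an analyst rather than the gateway makes the call.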

- LNK Files

LNK files provide ease of generation and execute arbitrary commands while evading SmartScreen. However, they are easily analyzable and may seem suspicious due to the need for accompanying ZIP files. Integration with MSI installers can enhance their deployment.

- CHM Files

CHM files offer simplicity in creation through HTML and scripting, with the advantage of bypassing SmartScreen and relative obscurity. However, they are easily analyzed, may raise suspicion among users, and have limited functionality. Additionally, local compilation using hhc.exe is necessary.

- EXE Files

EXE files offer extensive obfuscation capabilities and flexibility for evasion by chaining techniques. They enable direct use of Windows APIs for unhooking with minimal code. However, SmartScreen triggers and potential policy restrictions may hinder execution.

To evade rapid detection by antivirus software, modify generated EXE files before use. Invest time in learning assembly and Windows internals to obfuscate code effectively. Additionally, zip the EXE; if the target uses a non-default archive utility, SmartScreen won't trigger, because such utilities do not propagate the Mark of the Web to the extracted file.
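The Mark of the Web that SmartScreen depends on is an NTFS alternate data stream named `Zone.Identifier` holding a small `[ZoneTransfer]` INI section; an archive utility that does not write it onto extracted files is exactly why the trick above works. The following triage helper is an added example for this page, not the page's own code: it parses that stream, reads it from a file when running on Windows (the `path:Zone.Identifier` open syntax is a Windows-only assumption; elsewhere it reports the stream as absent), and flags risky file types that arrive without it. The sample stream body and the risky-extension list are constructed for the example.

```python
import os
from typing import Dict, Optional

# Constructed sample of a Zone.Identifier stream body in the INI layout Windows
# uses; the URLs are placeholders, not values from the page.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/tool.zip\r\n"
)

# URLZONE values as used in ZoneId; 3 (Internet) is what triggers SmartScreen.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Assumed set of extensions worth checking (mirrors the file types on this page).
RISKY_EXTENSIONS = {".exe", ".dll", ".msi", ".lnk", ".chm", ".iqy", ".application"}


def parse_zone_identifier(body: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict."""
    result: Dict[str, str] = {}
    section = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def zone_id(meta: Dict[str, str]) -> Optional[int]:
    """Return ZoneId as an int, or None when missing or malformed."""
    try:
        return int(meta.get("ZoneId", ""))
    except ValueError:
        return None


def read_motw(path: str) -> Optional[Dict[str, str]]:
    """Read <path>:Zone.Identifier on Windows; None when absent or unsupported."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def triage(path: str, meta: Optional[Dict[str, str]]) -> str:
    """Classify a file by extension and the parsed Zone.Identifier metadata (or None)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in RISKY_EXTENSIONS:
        return "not in scope"
    if meta is None:
        return "no MOTW: review origin (archive tool may have dropped Zone.Identifier)"
    zid = zone_id(meta)
    if zid in (3, 4):
        return f"MOTW present (zone {zid}: {ZONE_NAMES[zid]}); SmartScreen applies"
    if zid is None:
        return "MOTW malformed: review"
    return f"MOTW zone {zid} ({ZONE_NAMES.get(zid, 'unknown')}): trusted zone, review origin"


if __name__ == "__main__":
    import sys
    for candidate in sys.argv[1:]:
        print(candidate, "->", triage(candidate, read_motw(candidate)))
```

Run it against the contents of a freshly extracted download folder: files that should carry zone 3 but come back as `no MOTW` are the ones SmartScreen will never see, which is the gap this section describes from the other side.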
