From 8ea4ca58451c740296630e3c394f70e38cb955af Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Mon, 30 Aug 2021 20:11:59 +0200 Subject: [PATCH] Added ElusiveMice --- .gitmodules | 3 +++ red-teaming/ElusiveMice | 1 + red-teaming/README.md | 1 + red-teaming/cobalt-arsenal | 2 +- 4 files changed, 6 insertions(+), 1 deletion(-) create mode 160000 red-teaming/ElusiveMice diff --git a/.gitmodules b/.gitmodules index ef9cc06..dc02849 100644 --- a/.gitmodules +++ b/.gitmodules @@ -55,3 +55,6 @@ [submodule "red-teaming/RedWarden"] path = red-teaming/RedWarden url = https://github.com/mgeeky/RedWarden +[submodule "red-teaming/ElusiveMice"] + path = red-teaming/ElusiveMice + url = https://github.com/mgeeky/ElusiveMice diff --git a/red-teaming/ElusiveMice b/red-teaming/ElusiveMice new file mode 160000 index 0000000..bfa8889 --- /dev/null +++ b/red-teaming/ElusiveMice @@ -0,0 +1 @@ +Subproject commit bfa8889dfb830a59dfa8d1852404f0697e403d29 diff --git a/red-teaming/README.md b/red-teaming/README.md index 216ed52..fecc8ec 100755 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -113,6 +113,7 @@ amsiInitFailed - **`Download-Cradles-Oneliners.md`** - Various Powershell Download Cradles purposed as one-liners ([gist](https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38)) +- **`ElusiveMice`** - Cobalt Strike's User-Defined Reflective Loader with AV/EDRs evasion in mind. Utilizes AMSI, ETW and WLDP (Windows Lockdown Policy) memory patches that thwart some optics monitored by EDRs. - **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`. diff --git a/red-teaming/cobalt-arsenal b/red-teaming/cobalt-arsenal index 6989ca2..2a6f5ee 160000 --- a/red-teaming/cobalt-arsenal +++ b/red-teaming/cobalt-arsenal @@ -1 +1 @@ -Subproject commit 6989ca299040554508be22da70a2159f11226f38 +Subproject commit 2a6f5ee44ecce877224853d531eaf5f7642b2675