Jump to content
Sign in to follow this  

Customized PSExec via Reflective DLL

Recommended Posts

Customized PSExec via Reflective DLL


Hey all,

I’m back in the pocket after doing the deep dive into hack the box. I really enjoyed the bulk of the challenges and learned some new great tricks and techniques. One box I highly recommend is Reel. It’s a great challenge with domain privilege escalation techniques that you might see in a pentest. Anyways, after reaching Guru status I decided to take a step back for a while, it’s a part-time job working all the newly released boxes.

Before I went dark I was testing Cobalt Strike’s built-in PSExec module against various Endpoint Protection Platform (EPP) products and was getting flagged. It was pretty clear that the EPPs weren’t detecting the binary but was instead flagging via heuristic analysis. It might have been the randomized filename of the binary, the timing, writing to the $ADMIN share, or some sort of combination. I wrote some skeleton code that can be further customized to help bypass heuristic analysis. The current flow of the reflective DLL and Aggressor script can be seen below.




You can find the code at https://github.com/ThunderGunExpress/Reflective_PSExec




The code and script is pretty crude and has the following limitations at the moment:

  • Use an IP address as the target, not a hostname
  • If running against a remote target ensure the session is in a medium integrity context
  • If running against a local target ensure the session is a high integrity context


Sursa: https://ijustwannared.team/2018/07/13/customized-psexec-via-reflective-dll/

  • Upvote 2

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this