• Stars
    star
    500
  • Rank 88,178 (Top 2 %)
  • Language
    Python
  • Created over 7 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

morphHTA - Morphing Cobalt Strike's evil.HTA

Disclaimer

As usual, this code and tool should not be used for malicious purposes.

Written by Vincent Yiu of MDSec Consulting's ActiveBreach team. Modification of code is allowed with credits to author.

Explorer and SWBemLocator COM Moniker research is by @enigma0x3

morphHTA

Usage:

usage: morph-hta.py [-h] [--in <input_file>] [--out <output_file>]
                    [--maxstrlen <default: 1000>] [--maxvarlen <default: 40>]
                    [--maxnumsplit <default: 10>]

optional arguments:
  -h, --help            show this help message and exit
  --in <input_file>     File to input Cobalt Strike PowerShell HTA
  --out <output_file>   File to output the morphed HTA to
  --maxstrlen <default: 1000>
                        Max length of randomly generated strings
  --maxvarlen <default: 40>
                        Max length of randomly generated variable names
  --maxnumsplit <default: 10>
                        Max number of times values should be split in chr
                        obfuscation

Examples:

/morphHTA# python morph-hta.py
๏ปฟโ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—      โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘      โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ•šโ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘
โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ• โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘
โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘      โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
โ•šโ•โ•     โ•šโ•โ• โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•     โ•šโ•โ•  โ•šโ•โ•      โ•šโ•โ•  โ•šโ•โ•   โ•šโ•โ•   โ•šโ•โ•  โ•šโ•โ•

Morphing Evil.HTA from Cobalt Strike
Author: Vincent Yiu (@vysec, @vysecurity)


[*] morphHTA initiated
[+] Writing payload to morph.hta
[+] Payload written

Max variable name length and randomly generated string length reduced to reduce overall size of HTA output:

/morphHTA# python morph-hta.py --maxstrlen 4 --maxvarlen 4

Max split in chr() obfuscation, this reduces the number of additions we do to reduce length:

/morphHTA# python morph-hta.py --maxnumsplit 4

Change input file and output files:

/morphHTA# python morph-hta.py --in advert.hta --out advert-morph.hta

Video how to

https://www.youtube.com/watch?v=X4S2aQ4o_jA

VirusTotal Example

I suggest not uploading to VT:

Example of Obfuscated HTA content

More Repositories

1

RedTips

Red Team Tips as posted by @vysecurity on Twitter
1,015
star
2

LinkedInt

LinkedIn Recon Tool
Python
941
star
3

DomLink

A tool to link a domain with registered organisation names and emails, to other domains.
Python
781
star
4

DomainFrontingLists

A list of Domain Frontable Domains by CDN
532
star
5

ANGRYPUPPY

Bloodhound Attack Path Automation in CobaltStrike
PowerShell
307
star
6

IPFuscator

IPFuscator - A tool to automatically generate alternative IP representations
Python
238
star
7

Aggressor-VYSEC

PowerShell
195
star
8

CVE-2017-8759

CVE-2017-8759 - A vulnerability in the SOAP WDSL parser.
174
star
9

ps1-toolkit

Obfuscated Penetration Testing PowerShell scripts
PowerShell
123
star
10

genHTA

Generates anti-sandbox analysis HTA files without payloads
Python
114
star
11

CVE-2018-4878

Aggressor Script to launch IE driveby for CVE-2018-4878
88
star
12

checkO365

checkO365 is a tool to check if a target domain is using O365
Python
84
star
13

CobaltSplunk

Splunk Dashboard for CobaltStrike logs
Python
83
star
14

ATT-CK_Analysis

Repository for my ATT&CK analysis research.
Python
70
star
15

FSharp-Shellcode

F# Implementation to spawn shellcode
F#
45
star
16

Invoke-ProcessScan

Gives context to a system. Uses EQGRP shadow broker leaked list to give some descriptions to processes.
PowerShell
42
star
17

AzureAppC2

A script that can be deployed to Azure App for C2 / Proxy / Redirector
Python
27
star
18

basicAuth

Basic Auth Phish page
PHP
25
star
19

ShellcodeConversion

A collection of shell code conversion scripts that I have written over time for repetitive tasks
Python
18
star
20

RDPInception

A script to attack users who are RDPing into a machine and recurse this attack. For security testers and attack simulations.
Batchfile
18
star
21

Office365TenantsList

Office365 Tenants List
16
star
22

WindfarmDynamite-CNA

CobaltStrike Aggressor Script to utilise FuzzySec's Windows Notification Framework Research to Spawn a Shell under Explorer.exe
15
star
23

EmpireAMSI

PowerShell
13
star
24

DoH-Servers

DNS over HTTPS Servers
12
star
25

BadIP

Bad Security Vendor IPs
Shell
10
star
26

wepwnise

A generator to weaponize Macro payloads that can evade EMET and utilises native VB migration.
Python
9
star
27

PWNDB

Parse PWNDB
Python
8
star
28

autovpn

Easily connect to a VPN in a country of your choice
Go
7
star
29

CloudServiceLists

Tenants list for each cloud service.
6
star
30

CVE-2020-0796

CVE-2020-0796 - Working PoC - 20200313
6
star
31

vysecurity

6
star
32

PacketParser

A cap/pcap packet parser to make life easier when performing stealth/passive reconnaissance.
Python
5
star
33

SCTPersistence

Create COM Objects backed by Scripts, not DLLs
JavaScript
5
star
34

nuclei-templates-notags

5
star
35

CVE-2021-40444

3
star
36

DriverVulnCheck

Takes Bruteratel `drivers` output and checks it against loldrivers.io
Python
3
star
37

Linkedin_Connect_NEWUI

A Python Script that controls Selenium to automate the process of connecting on LinkedIn
Python
2
star
38

malleable-profiles

2
star
39

IIS_exploit

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Python
2
star
40

test-conf

1
star
41

Archive

Archive
1
star
42

vysecurity.github.io

HTML
1
star
43

DomainFrontingProxies

A list of Domain Fronting Proxies that are known to permit or break Domain Fronting
1
star
44

HOLYWATER

1
star
45

nextjs-blog-theme

1
star