Author: r00t-3xp10it
Version release: v1.0.17.7
Codename: shinigami (God of death)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam, developed 2020
Framework Description
This tool uses msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh | docm | docx | deb | xml | ps1 | bat | exe | elf | pdf | macho | etc ), then injects the generated shellcode into a template (example: python), "the template then executes the shellcode in RAM", and uses compilers like GCC (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file.
It also starts a multi-handler to receive the remote connection (shell or meterpreter). The Venom toolkit will keep old shellcode builds (which are now detected by AV solutions) as a library of the techniques used, but since version v1.0.16 it incorporates a new sub-menu category named Amsi Evasion Payloads
to deal with Windows Defender detection (or other anti-virus detection).
Update Description
Since the release of venom v1.0.17, some amsi evasion agents have started to get flagged by anti-virus solutions. This update (v1.0.17.7) addresses the detection of agents in the amsi evasion category, repairs small bugs in the source code
and implements five new post-exploitation modules ready to be used in our reverse TCP shell prompt (remotely).
Version v1.0.17.7 Amsi Evasion Changelog
Category | Agent nº | Target OS | Update Description |
---|---|---|---|
Amsi Evasion | 2 | Windows systems (8|8.1|10) | OpenSSL reverse TCP shell (Amsi Detection Bypass) |
Amsi Evasion | 3 | Windows systems (vista|7|8|8.1|10) | PSrevStr obfuscation added (Amsi Detection Bypass) |
Amsi Evasion | 5 | Windows systems (vista|7|8|8.1|10) | CarbonCopy Pdf Trojan Binary File Signing (Amsi Bypass) |
Amsi Evasion | 6 | Multi-Platforms (Linux|Mac|Windows) | Emojify obfuscation added (Amsi Detection Bypass) |
Amsi Evasion | 7 | Windows systems (8|8.1|10) | OpenSSL FileLess reverse TCP shell (Amsi Bypass) |
Remark: Don't scan samples on 'VirusTotal' or similar websites, because that shortens the payload's lifetime (it gets flagged by amsi detection).
Amsi Evasion Netflix (Agent nº7) Dropper/Client execution diagram (FileLess)
Venom users need to edit the 'venom\settings' file and set 'OBFUSCATION=ON' to use this hta dropper. This dropper can execute
(user's choice) in a hidden terminal or present a social-engineering MsgBox pretending to be a Netflix (or any other application) installer.
Amsi Evasion (Agent nº 5) updated to sign the binary (dropper.exe) file with CarbonCopy (by @paranoidninja)
Venom users need to edit the 'venom\settings' file and set 'OBFUSCATION=ON' to use this amsi bypass technique.
Auxiliarys / Post-Exploitation Modules
FileName | Description | Target OS | Usage |
---|---|---|---|
webserver | cmdlet to read/browse/download files from compromised target machine (*) | Windows | Manual |
GetBrowsers | Standalone Powershell Script to Leak Installed Browsers Information. | Windows | Manual |
CompDefault | UAC bypass module OR execute one command with high privileges (Admin) | Windows | Manual |
CredsPhish | Standalone PS script that prompts the current user for a valid credential. | Windows | Manual |
Sherlock | PowerShell script to find missing software patches for local privilege escalation | Windows | Manual |
Persistence Handlers | Persistence handler scripts to store reverse tcp shells settings/Dependencies (**) | Windows | Auto |
null | CmdLine & Scripts for reverse TCP shell addicts cheat sheet (venom Wiki Pages) | Windows | WiKi Pages |
(*) The Venom v1.0.17.7 release auto-uploads the 'webserver' to the attacker's apache2 webroot.
(**) Venom Persistence Handlers are only available in 'Amsi Evasion' category builds.
Screenshot of @webserver and Sherlock working together under venom v1.0.17.7 reverse TCP shell prompt (remote)
Screenshot of @webserver and Sherlock searching for missing KB security patches
Screenshot of @webserver capturing keystrokes (-Keylogger parameter) under venom v1.0.17.7 reverse tcp shell prompt (remote)
Improvements / Bug-fixes
Improvements / Issues | Description | Credits |
---|---|---|
venom CLI terminal displays updated | venom CLI interface outputs updated (bg colors) | @r00t-3xp10it |
Client HTA taskbar/application icon | Added taskbar/application icon to Netflix.hta dropper | @r00t-3xp10it |
Amsi Evasion Agent nº7 (FileLess) | replaced WinHttpRequest with Msxml2.XMLHTTP | @r00t-3xp10it |
@webserver Auto-Upload | Amsi Evasion modules auto-uploads webserver to apache2 webroot | @r00t-3xp10it |
Persistence Handlers | replaced xterm with gnome-terminal in persistence handlers | @youhacker55 |
gnome-terminal implementation | replaced xterm with gnome-terminal in Amsi Evasion | @youhacker55 |
Install venom v1.0.17.7 shinigami (Christmas Gift)
git clone https://github.com/r00t-3xp10it/venom.git
Set execution permissions
cd venom
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;
Install all dependencies
cd aux && sudo ./setup.sh
Run main tool
sudo ./venom.sh
🥇 Credits & Special Thanks
Credits | Description |
---|---|
Emojify (@chris-rands) | Obfuscate your python script as emoji icons ( Obfuscation ) |
CarbonCopy (@paranoidninja) | Sign an executable for AV evasion ( Obfuscation / Binary Signing ) |
Sherlock (@rasta-mouse) | PowerShell script to find missing software patches for local privilege escalation vulnerabilities. |
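The credits above describe Emojify as obfuscating a Python script into emoji icons. From the defender's side, that style of obfuscation leaves a recognisable footprint in the source text: an unusually high share of emoji (Unicode "Symbol, other") characters, combined with exec()/eval() of a value built at runtime rather than a literal. The following scanner is an added example, not code from the venom project or from Emojify; the two sample scripts are constructed here for illustration, the ratio threshold is an assumed tuning value, and the obfuscated sample only imitates the general shape of emoji-mapped code (it is scanned, never executed).

```python
import ast
import unicodedata

# Constructed sample inputs (assumed, not taken from venom or Emojify).
# A plain script: no emoji, no dynamic exec.
NORMAL_SCRIPT = '''
import sys

def main():
    print("hello", sys.argv)

main()
'''

# A script in the style of emoji-based obfuscation: the real code is kept as
# a string of emoji, mapped back to characters and handed to exec() at runtime.
# The blob decodes to print('x'); the scanner parses it and never runs it.
OBFUSCATED_SCRIPT = '''
table = {"🔥": "p", "✨": "r", "🎉": "i", "🍕": "n", "🚀": "t",
         "🌈": "(", "🎯": "'", "🦄": "x", "🐍": ")"}
blob = "🔥✨🎉🍕🚀🌈🎯🦄🎯🐍"
exec("".join(table[c] for c in blob))
'''


def emoji_ratio(source: str) -> float:
    """Fraction of non-whitespace characters in Unicode category 'So'
    (Symbol, other), the category most emoji pictographs belong to."""
    visible = [ch for ch in source if not ch.isspace()]
    if not visible:
        return 0.0
    symbols = sum(1 for ch in visible if unicodedata.category(ch) == "So")
    return symbols / len(visible)


def has_dynamic_exec(source: str) -> bool:
    """True if the script calls exec()/eval() on something other than a
    string literal, i.e. on code that is assembled while the script runs."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Not valid Python: this heuristic cannot judge it, so report nothing
        # here and let a separate check handle unparseable files.
        return False
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")
                and node.args
                and not isinstance(node.args[0], ast.Constant)):
            return True
    return False


def assess(source: str, ratio_threshold: float = 0.05) -> dict:
    """Combine both signals. A file is flagged only when it is emoji-heavy
    AND executes runtime-built code; either signal alone is recorded as a
    reason but is not enough on its own (emoji in a print() is not obfuscation).
    The 0.05 threshold is an assumed tuning value, not a measured one."""
    ratio = emoji_ratio(source)
    dynamic = has_dynamic_exec(source)
    reasons = []
    if ratio >= ratio_threshold:
        reasons.append(f"symbol/emoji ratio {ratio:.2f} >= {ratio_threshold}")
    if dynamic:
        reasons.append("exec()/eval() of a non-literal argument")
    return {
        "emoji_ratio": ratio,
        "dynamic_exec": dynamic,
        "suspicious": ratio >= ratio_threshold and dynamic,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, src in (("normal", NORMAL_SCRIPT), ("obfuscated", OBFUSCATED_SCRIPT)):
        verdict = assess(src)
        print(f"{name}: suspicious={verdict['suspicious']} reasons={verdict['reasons']}")
```

Requiring both signals keeps the false-positive rate down on ordinary scripts that merely print emoji; in practice you would run assess() over files landing in download or temp directories and feed the reasons into an alert rather than blocking on the heuristic alone.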