What's the best RAT? (AsyncRAT, Remcos, ...)

Vecna9
Middle Weight
Deposit: $0
Hi there!

I'd like to get back into RATs but it's been a while since I've been into this thing.

What do you recommend as a RAT? (AsyncRAT, Remcos, private RATs)

Do you have any good techniques for making money with RATs?
 
If we are talking about public and at the same time good RATs, there is probably nothing better than Remcos for cheap. Don't waste your time with free malware; it's often unfinished and unstable.
 
Vecna9 said:
Hi there!

I'd like to get back into RATs but it's been a while since I've been into this thing.

What do you recommend as a RAT? (AsyncRAT, Remcos, private RATs)

Do you have any good techniques for making money with RATs?

I recommend private RATs + HVNC if you want to make real money from RATs, but AsyncRAT is still good; Quasar RAT is good as well.
 
Wiz said:
Hello and welcome.
This question has become very popular nowadays simply because there are tons of tools available. However, I want to emphasize that all tools are merely bridges to achieving a successful operation. Remember, there is no greatest tool, but rather the greatest minds behind their utilization.

I agree with you, as most of the RATs do the same thing with some functionality.
But it's still important to choose a quality RAT.
 
Tragedy said:
If we are talking about public and at the same time good RATs, there is probably nothing better than Remcos for cheap. Don't waste your time with free malware; it's often unfinished and unstable.

Thanks, I'll check it out. Do you have a site or Telegram to buy it?
 
Vecna9 said:
Volcan
Do you recommend a private RAT?
I'll look at HVNC later, because it's only for Macs.

I don't recommend a specific RAT, but I see AsyncRAT is very good, especially if you update it as I did on my side. Also, HVNC is not for Macs; it's hidden VNC, I mean it works for Windows and also Linux.
 
Why spend money on something that will create a bunch of RWX memory in your process, is hard to crypt and is written by who knows who?

Stick to a well-known C2 framework like Cobalt, Havoc, Sliver, Brute Ratel, Merlin. Learn to operate it and find a good packer/shellcode loader.

Save money for other purposes; most of them can be found cracked over the internet/forums and others are open source (Havoc, Sliver, Merlin).

For HVNC there are many other options where you can load them with execute-assembly, or if they are a BOF from Cobalt Strike, for example. If not, you can add exclusions and drop another RAT for HVNC purposes. HVNCs are very noisy, they send hundreds of HTTP GET/POST requests, so watch out.

It is difficult to work on encryption with these basic and unsafe tools; the best and technically more professional method is to generate shellcode and from there execute and load it into memory. You can spawn a new process, inject into others, work with DLLs... The sky is the limit.

Try to look at the tools I have mentioned, all of them, and figure out the standard C2 framework tools. Have a look at what a reflective shellcode loader is and how to operate it; start with the basics, there are videos and info everywhere.

Good luck, and I recommend you learn a little bit of code. At least understand the principles.
 
домкрат said:
Why spend money on something that will create a bunch of RWX memory in your process, is hard to crypt and is written by who knows who?

You're probably misunderstanding this thread; command and control frameworks are not RATs, they have a completely different usage (especially HVNCs).

Normally RATs are programmed in C#, which uses the CLR; it is totally fine to have RWX memory maps, since it has a JIT engine and JIT engines use RWX a lot.

From my perspective, it is a lot better to use software designed for what you're looking for instead of software with a lot of abstractions.

OBS: A lot of other C2s are very unstable with CLR loading and executing (especially Cobalt Strike); they wait for the result of the command and make the beacon unstable after some time because they wait for output but there is no output.

домкрат said:
For HVNC there are many other options where you can load them with execute-assembly, or if they are a BOF from Cobalt Strike, for example. If not, you can add exclusions and drop another RAT for HVNC purposes. HVNCs are very noisy, they send hundreds of HTTP GET/POST requests, so watch out.

This is very relative; for example, Quasar RAT does not use HTTP(S) to send screen buffers, it uses TCP.

домкрат said:
It is difficult to work on encryption with these basic and unsafe tools

Again, relative; C# binaries (without dependencies) are very easy to crypt (crypters are useless nowadays anyway).

OBS: Public-source command and control frameworks have a lot of known TTPs (meaning they will be easy to detect); one example is sleep obfuscation from Havoc.

Stop spraying misinformation to users :p
 
s0nus said:
You're probably misunderstanding this thread; command and control frameworks are not RATs, they have a completely different usage (especially HVNCs).

Normally RATs are programmed in C#, which uses the CLR; it is totally fine to have RWX memory maps, since it has a JIT engine and JIT engines use RWX a lot.

From my perspective, it is a lot better to use software designed for what you're looking for instead of software with a lot of abstractions.

OBS: A lot of other C2s are very unstable with CLR loading and executing (especially Cobalt Strike); they wait for the result of the command and make the beacon unstable after some time because they wait for output but there is no output.

Honestly I didn't see any good recommendation :p I will try one on your good word. I stick to what works well for me, so I can just recommend this toolset; from my point of view, you just need a little code knowledge to develop your own stealer + HVNC functions apart from your initial access.

You are right, it is good to save time and stick to fully operative tools, but at the end you need a crypter/packer, so you can save this money and invest it here, which is the really important deal: getting initial access.

s0nus said:
This is very relative; for example, Quasar RAT does not use HTTP(S) to send screen buffers, it uses TCP.

I prefer to blend the traffic but oh well...

s0nus said:
Again, relative; C# binaries (without dependencies) are very easy to crypt (crypters are useless nowadays anyway).

OBS: Public-source command and control frameworks have a lot of known TTPs (meaning they will be easy to detect); one example is sleep obfuscation from Havoc.

Stop spraying misinformation to users :p

You are right about that; actually these frameworks have a lot of them, but with a little bit of care and love they are easy to modify.

Peace and love brother, just explaining to the fella where to save money and gain knowledge! I would accept a good suggestion from you.
 
домкрат said:
Honestly I didn't see any good recommendation :p I will try one on your good word. I stick to what works well for me, so I can just recommend this toolset; from my point of view, you just need a little code knowledge to develop your own stealer + HVNC functions apart from your initial access.

Depending on the operation, zero-stage command and control frameworks could be used before dropping the HVNC or RAT, making less noise and preserving the access.

Creating your own stealer or HVNC is great too, but it takes a lot of time and effort, and it doesn't look like the people in this thread want to.

домкрат said:
You are right, it is good to save time and stick to fully operative tools, but at the end you need a crypter/packer, so you can save this money and invest it here, which is the really important deal: getting initial access.

This depends on the tool, to be honest; for example, Lumma stealer (or Lumma C2) could be run without crypters/packers, since they designed their code in a way that it is FUD.

Crypters and packers are pretty much useless (at least from my point of view), since the original binary being run in memory could be easily detected because of malware behavior.

домкрат said:
I prefer to blend the traffic but oh well...

Me too, but thinking about it more, TCP is a lot more reliable and fast compared to sending a lot of HTTP(S) requests (a RAT using WebSocket would be great :0).

домкрат said:
You are right about that; actually these frameworks have a lot of them, but with a little bit of care and love they are easy to modify.

It would be a lot better to use something already "FUD" that doesn't have detections (like a private stub or something like that) from RATs/HVNCs, like Brute Ratel.
 
s0nus said:
Depending on the operation, zero-stage command and control frameworks could be used before dropping the HVNC or RAT, making less noise and preserving the access.

Creating your own stealer or HVNC is great too, but it takes a lot of time and effort, and it doesn't look like the people in this thread want to.

Absolutely yes; for me I have not encountered any problem getting persistence and upgrading to an elevated session, but at the beginning I was getting caught with the UAC bypasses :p

You can use code from other projects, but yes, it is very time consuming.

s0nus said:
This depends on the tool, to be honest; for example, Lumma stealer (or Lumma C2) could be run without crypters/packers, since they designed their code in a way that it is FUD.

Crypters and packers are pretty much useless (at least from my point of view), since the original binary being run in memory could be easily detected because of malware behavior.

I didn't know that; have you tested it on ESET or Avira? I assume it is on WD?

Sorry for my bad explanation, I wanted to say reflective shellcode loader; you can play with your OG binary too: SGN, MAC addresses...

s0nus said:
Me too, but thinking about it more, TCP is a lot more reliable and fast compared to sending a lot of HTTP(S) requests (a RAT using WebSocket would be great :0).

Never tested the behavioral detection of a TCP connection under a spawned new process or injection into another. I don't know how it would look at runtime.

s0nus said:
It would be a lot better to use something already "FUD" that doesn't have detections (like a private stub or something like that) from RATs/HVNCs, like Brute Ratel.

Well, if it exists and it's cheap, it's good, you save a lot of time for sure, but... how much time do you have to keep paying for that? Would it be FUD with low prices and lots of people spamming it without prior knowledge?

Wanted to test the latest Brute Ratel but it seems that not many people have access to it; looks great btw.
 