
HiddenDesktop – HVNC For Cobalt Strike





Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience. This Cobalt Strike BOF implementation was created as an alternative to TinyNuke/forks that are written in C++.

There are four components of Hidden Desktop:

  1. BOF initializer: Small program responsible for injecting the HVNC code into the Beacon process.

  2. HVNC shellcode: PIC implementation of TinyNuke HVNC.

  3. Server and operator UI: Server that listens for connections from the HVNC shellcode and a UI that allows the operator to interact with the remote desktop. Currently only supports Windows.

  4. Application launcher BOFs: Set of Beacon Object Files that execute applications in the new desktop.

Usage

Download the latest release or compile it yourself using make. Start the HVNC server on a Windows machine accessible from the teamserver. You can then execute the client with:

HiddenDesktop <server> <port>

You should see a new blank window on the server machine. The BOF does not execute any applications by default. You can use the application launcher BOFs to execute common programs on the new desktop:

hd-launch-edge
hd-launch-explorer
hd-launch-run
hd-launch-cmd
hd-launch-chrome

You can also launch programs through File Explorer using the mouse and keyboard. Other applications can be executed using the following command:

hd-launch <command> [args]

Demo

Hidden.Desktop.mp4

Implementation Details

  1. The Aggressor script generates random pipe and desktop names. These are passed to the BOF initializer as arguments. The desktop name is stored in CS preferences at execution and is used by the application launcher BOFs. HVNC traffic is forwarded back to the team server using rportfwd. Status updates are sent back to Beacon through a named pipe.
  2. The BOF initializer starts by resolving the required modules and functions. Arguments from the Aggressor script are resolved. A pointer to a structure containing the arguments and function addresses is passed to the InputHandler function in the HVNC shellcode. It uses BeaconInjectProcess to execute the shellcode, meaning the behavior can be customized in a Malleable C2 profile or with process injection BOFs. You could modify Hidden Desktop to target remote processes, but this is not currently supported. The injection is done so the BOF can exit and the HVNC shellcode can continue running.
  3. InputHandler creates a new named pipe for Beacon to connect to. Once a connection has been established, the specified desktop is opened (OpenDesktopA) or created (CreateDesktopA). A new socket is established through a reverse port forward (rportfwd) to the HVNC server. The input handler creates a new thread for the DesktopHandler function described below. This thread will receive mouse and keyboard input from the HVNC server and forward it to the desktop.
  4. DesktopHandler establishes an additional socket connection to the HVNC server through the reverse port forward. This thread will monitor windows for changes and forward them to the HVNC server.
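
From the defender's side, the randomly named desktop described above is an observable artifact: interactive programs end up bound to a WinSta0 desktop that is not one of the built-in ones. The following is an added example, not code from the HiddenDesktop project; the record schema (pid, image, desktop), the image names mapped to the launcher commands, the allowlist entry and the sample inventory are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Built-in desktops of the interactive window station WinSta0.
STANDARD_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}
# Assumed image names for programs the launcher commands on this page start.
LAUNCHER_IMAGES = {"explorer.exe", "msedge.exe", "chrome.exe", "cmd.exe"}

def split_desktop(value):
    """Split 'WinSta0\\Name' into (station, desktop), lower-cased."""
    station, _, desktop = (value or "").rpartition("\\")
    return (station or "winsta0").lower(), desktop.lower()

def find_extra_desktops(records, allowlist=()):
    """Group processes by non-standard WinSta0 desktop and rate each group."""
    allowed = STANDARD_DESKTOPS | {name.lower() for name in allowlist}
    groups = defaultdict(list)
    for rec in records:
        station, desktop = split_desktop(rec.get("desktop"))
        # Service window stations and records without a desktop are out of scope.
        if station != "winsta0" or not desktop or desktop in allowed:
            continue
        groups[desktop].append(rec)
    findings = []
    for desktop, recs in sorted(groups.items()):
        images = sorted({r["image"].lower() for r in recs})
        interactive = any(i in LAUNCHER_IMAGES for i in images)
        findings.append({
            "desktop": desktop,
            "pids": sorted(r["pid"] for r in recs),
            "images": images,
            # A shell or browser on an unknown desktop is the stronger signal.
            "severity": "high" if interactive else "review",
        })
    return findings

# Constructed sample inventory (not real telemetry).
SAMPLE = [
    {"pid": 4120, "image": "explorer.exe", "desktop": "WinSta0\\Default"},
    {"pid": 812, "image": "winlogon.exe", "desktop": "WinSta0\\Winlogon"},
    {"pid": 2300, "image": "svchost.exe", "desktop": "Service-0x0-3e7$\\Default"},
    {"pid": 5120, "image": "kiosk.exe", "desktop": "WinSta0\\VendorKiosk"},
    {"pid": 7004, "image": "explorer.exe", "desktop": "WinSta0\\kqzvhtwp"},
    {"pid": 7110, "image": "chrome.exe", "desktop": "WinSta0\\kqzvhtwp"},
    {"pid": 9001, "image": "agent.exe", "desktop": None},
]

if __name__ == "__main__":
    for finding in find_extra_desktops(SAMPLE, allowlist=["VendorKiosk"]):
        print(finding)
```

Legitimate software also creates additional desktops, so the allowlist should be built from a baseline of the environment before findings are treated as alerts.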

Compatibility

The HiddenDesktop BOF was tested using instance.profile on the following Windows versions/architectures:

  • Windows Server 2022 x64
  • Windows Server 2016 x64
  • Windows Server 2012 R2 x64
  • Windows Server 2008 x86
  • Windows 7 SP1 x64

Known Issues

  • The start menu is not functional.

Credit


