Hidden Desktop (sometimes called HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience. This Cobalt Strike BOF implementation was created as an alternative to TinyNuke and its forks, which are written in C++.
There are four components of Hidden Desktop:
- BOF initializer: Small program responsible for injecting the HVNC code into the Beacon process.
- HVNC shellcode: PIC implementation of TinyNuke HVNC.
- Server and operator UI: Server that listens for connections from the HVNC shellcode and a UI that allows the operator to interact with the remote desktop. Currently only supports Windows.
- Application launcher BOFs: Set of Beacon Object Files that execute applications in the new desktop.
Utilization
Download the latest release or compile it yourself using make. Start the HVNC server on a Windows machine that is reachable from the team server. You can then execute the client with:
HiddenDesktop <server> <port>
You should see a new blank window on the server machine. The BOF does not execute any applications by default. You can use the application launcher BOFs to execute common programs on the new desktop:
hd-launch-edge
hd-launch-explorer
hd-launch-run
hd-launch-cmd
hd-launch-chrome
You can also launch programs through File Explorer using the mouse and keyboard. Other applications can be executed using the following command:
hd-launch <command> [args]
Demo
Hidden.Desktop.mp4
Implementation Particulars
- The Aggressor script generates random pipe and desktop names. These are passed to the BOF initializer as arguments. The desktop name is stored in CS preferences at execution time and is used by the application launcher BOFs. HVNC traffic is forwarded back to the team server using rportfwd. Status updates are sent back to Beacon through a named pipe.
- The BOF initializer starts by resolving the required modules and functions. Arguments from the Aggressor script are parsed. A pointer to a structure containing the arguments and function addresses is passed to the InputHandler function in the HVNC shellcode. The initializer uses BeaconInjectProcess to execute the shellcode, so the BOF can exit while the HVNC shellcode continues running; it also means the injection behavior can be customized in a Malleable C2 profile or with process injection BOFs. You could modify Hidden Desktop to target remote processes, but this is not currently supported.
- InputHandler creates a new named pipe for Beacon to connect to. Once a connection has been established, the specified desktop is opened (OpenDesktopA) or created (CreateDesktopA). A new socket is established through a reverse port forward (rportfwd) to the HVNC server. The input handler then creates a new thread for the DesktopHandler function described below. The input handler thread receives mouse and keyboard input from the HVNC server and forwards it to the desktop.
- DesktopHandler establishes an additional socket connection to the HVNC server through the reverse port forward. This thread monitors windows for changes and forwards them to the HVNC server.
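The implementation notes above make the defender-side artifact clear: the shellcode calls CreateDesktopA with a random name inside the Beacon process's window station, and the launcher BOFs place processes on that desktop. The following PowerShell is an added hunting example, not code from the HiddenDesktop project. It enumerates the desktops of the caller's window station, flags any name Windows did not create itself, and lists the processes that own windows on each flagged desktop. The namespace HvncHunt, the function names and the list of expected desktop names (Default, Winlogon, Disconnect, Screen-saver) are this example's own assumptions; it must run in the same interactive session as the suspected Beacon because EnumDesktops only sees the calling process's window station.

```powershell
# Added hunting example; not part of the HiddenDesktop project.
# Assumption: run interactively in the same session as the suspected Beacon, since
# EnumDesktops only sees the calling process's window station (normally WinSta0).

Add-Type -Namespace HvncHunt -Name Native -MemberDefinition @'
public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetProcessWindowStation();

[DllImport("user32.dll", SetLastError = true)]
public static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);

[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess);

[DllImport("user32.dll", SetLastError = true)]
public static extern bool EnumDesktopWindows(IntPtr hDesktop, EnumWindowsProc lpfn, IntPtr lParam);

[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);

[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseDesktop(IntPtr hDesktop);
'@

# Desktops Windows creates on its own in the interactive window station (assumed baseline).
$KnownDesktops = @('Default', 'Winlogon', 'Disconnect', 'Screen-saver')

function Get-DesktopNames {
    $names = [System.Collections.Generic.List[string]]::new()
    # The callback runs synchronously inside EnumDesktops; the closure captures $names.
    $cb = [HvncHunt.Native+EnumDesktopProc]({
        param([string]$Name, [IntPtr]$Param)
        $names.Add($Name)
        return $true            # keep enumerating
    }.GetNewClosure())
    $winsta = [HvncHunt.Native]::GetProcessWindowStation()
    if (-not [HvncHunt.Native]::EnumDesktops($winsta, $cb, [IntPtr]::Zero)) {
        throw "EnumDesktops failed with Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $names
}

function Get-DesktopWindowOwners {
    param([Parameter(Mandatory)][string]$DesktopName)
    $DESKTOP_READOBJECTS = 0x0001
    $DESKTOP_ENUMERATE   = 0x0040
    $hDesk = [HvncHunt.Native]::OpenDesktop($DesktopName, 0, $false, ($DESKTOP_READOBJECTS -bor $DESKTOP_ENUMERATE))
    if ($hDesk -eq [IntPtr]::Zero) {
        Write-Warning "OpenDesktop('$DesktopName') failed with Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        return
    }
    $owners = [System.Collections.Generic.HashSet[uint32]]::new()
    try {
        # Collect the PID behind every top-level window on this desktop.
        $cb = [HvncHunt.Native+EnumWindowsProc]({
            param([IntPtr]$HWnd, [IntPtr]$Param)
            $owner = [uint32]0
            [void][HvncHunt.Native]::GetWindowThreadProcessId($HWnd, [ref]$owner)
            [void]$owners.Add($owner)
            return $true
        }.GetNewClosure())
        [void][HvncHunt.Native]::EnumDesktopWindows($hDesk, $cb, [IntPtr]::Zero)
    } finally {
        [void][HvncHunt.Native]::CloseDesktop($hDesk)
    }
    foreach ($id in $owners) {
        $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '<exited>' }
        [pscustomobject]@{ Desktop = $DesktopName; PID = $id; Process = $procName }
    }
}

function Find-UnexpectedDesktops {
    $unexpected = @(Get-DesktopNames | Where-Object { $KnownDesktops -notcontains $_ })
    foreach ($d in $unexpected) {
        $hits = @(Get-DesktopWindowOwners -DesktopName $d)
        if ($hits.Count -eq 0) {
            # A desktop outlives its windows while any handle to it stays open.
            [pscustomobject]@{ Desktop = $d; PID = $null; Process = '<no windows>' }
        } else {
            $hits
        }
    }
}

$suspects = @(Find-UnexpectedDesktops)
if ($suspects.Count -eq 0) {
    "Only the expected desktops are present: $($KnownDesktops -join ', ')"
} else {
    $suspects | Format-Table -AutoSize
}
```

This is a live-response check rather than a forensic one: the desktop disappears once the Beacon process and every process launched onto it have gone and the last handle is closed, so run it while the session is suspected to be active. It only flags names outside the assumed baseline, which matches this BOF's randomly generated desktop names; an implant that opened an existing desktop via OpenDesktopA instead would not be caught by the name comparison alone.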
Compatibility
The HiddenDesktop BOF was tested using example.profile on the following Windows versions/architectures:
- Windows Server 2022 x64
- Windows Server 2016 x64
- Windows Server 2012 R2 x64
- Windows Server 2008 x86
- Windows 7 SP1 x64
Identified Points
- The Start menu is not functional.
Credit