Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ntraiseharderror/kaiser
Fileless persistence, attacks and anti-forensic capabilities.
- Host: GitHub
- URL: https://github.com/ntraiseharderror/kaiser
- Owner: NtRaiseHardError
- Created: 2018-09-27T03:27:07.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2018-12-06T08:36:07.000Z (about 6 years ago)
- Last Synced: 2024-08-04T22:14:59.959Z (5 months ago)
- Topics: anti-forensics, file-less, forensics, malware-research, persistence, powershell, security, winapi, wmi
- Language: C
- Size: 2.2 MB
- Stars: 85
- Watchers: 6
- Forks: 34
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-anti-forensic - Kaiser - File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit). (Tools / Hiding process)
README
# Kaiser
File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit).

**NOTE**: This project was **NOT** designed to evade AV detection.
Related paper: https://github.com/NtRaiseHardError/NtRaiseHardError.github.io/blob/master/_posts/2018-12-06-Anti-forensic-Malware-and-File-less-Malware.md
**This project is discontinued.**
## How to Build/Use:
1. Compile _Kaiser.dll_ in Release mode
2. Upload _Kaiser.dll_ such that it can be directly downloaded as a raw binary
3. Update the _BuildKaiser.ps1_ script to include the URL for _Kaiser.dll_
4. Run _BuildKaiser.ps1_ to build the _Payload.ps1_ script
5. Upload the _Payload.ps1_ script such that it can be directly downloaded as raw text
6. Update the _BuildKaiser.ps1_ script to include the URL of _Payload.ps1_
7. Run _BuildKaiser.ps1_ to build the _Installer.ps1_ script
8. Run the _Installer.ps1_ script with administrative privileges on the target machine

## Known bugs:
* Threaded `XxxNetSend` sends will buffer (reason unknown)
* `PurgeXxx` functions are not guaranteed to work (perhaps because they rely on `ShellExecuteEx`)
* More?

## TODO
* `CommandPrintStatus` to print the status of Kaiser?
* Convert functions in `firewall.c` to WinAPI
* [OPTIONAL] Make C2 connection loop until established
* Convert Functions in `registry.c` to WinAPI
* Send debugging warnings/errors back to C2
* Make `PurgeProcessMonitor` asynchronous (`IWbemServices::ExecNotificationQueryAsync`)
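Steps 2 and 5 of the build procedure above require that _Kaiser.dll_ and _Payload.ps1_ be reachable as raw downloads; a common mistake is pasting a "blob" or viewer URL into _BuildKaiser.ps1_, which returns an HTML page instead of the file. The script below is an added example, not part of Kaiser, that checks a candidate URL by downloading it and comparing its SHA256 hash with the local build. It assumes PowerShell 4.0 or later (for `Get-FileHash`); the file paths, URL and script name are placeholders.

```powershell
<#
Added example (not Kaiser's own code): confirm that a hosted copy of a build
artifact is served as the raw file before its URL goes into BuildKaiser.ps1.
Assumes PowerShell 4.0+ (Invoke-WebRequest, Get-FileHash).
Usage (placeholder paths/URL):
  .\Check-RawUrl.ps1 -LocalPath .\Release\Kaiser.dll -Url https://files.example.invalid/Kaiser.dll
#>
param(
    [Parameter(Mandatory = $true)][string]$LocalPath,  # the artifact you built locally
    [Parameter(Mandatory = $true)][string]$Url         # the URL you intend to use in BuildKaiser.ps1
)

$ErrorActionPreference = 'Stop'

function Test-RawDownload {
    param([string]$LocalPath, [string]$Url)

    $tmp = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
    try {
        # Download to a temp file as raw bytes; -UseBasicParsing skips the IE HTML engine.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -OutFile $tmp -PassThru
        $contentType = $resp.Headers['Content-Type']

        $localHash  = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
        $remoteHash = (Get-FileHash -Path $tmp       -Algorithm SHA256).Hash

        if ($localHash -eq $remoteHash) {
            Write-Host "OK: $Url returns the exact bytes of $LocalPath (SHA256 $localHash, Content-Type $contentType)"
            return $true
        }

        # Show the start of what actually came back: a viewer page begins with HTML,
        # a DLL with "MZ", a script with readable text.
        $bytes   = [System.IO.File]::ReadAllBytes($tmp)
        $last    = [Math]::Min(63, $bytes.Length - 1)
        $preview = -join ($bytes[0..$last] |
                          ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })

        Write-Host "MISMATCH: hosted copy has SHA256 $remoteHash, expected $localHash (Content-Type $contentType)"
        Write-Host "First bytes: $preview"
        if ($preview -match '<!DOCTYPE|<html') {
            Write-Host "The URL returns an HTML page, not the file; use the host's raw/download link instead."
        }
        return $false
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

if (Test-RawDownload -LocalPath $LocalPath -Url $Url) { exit 0 } else { exit 1 }
```

Run it once for _Kaiser.dll_ and once for _Payload.ps1_ before each of the two _BuildKaiser.ps1_ runs. One caveat for the text file: some hosts normalize line endings, so a hash mismatch on _Payload.ps1_ with a readable preview and no HTML markers may be CRLF/LF conversion rather than a wrong URL; check the preview before rejecting the link.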