Fileless persistence, attacks and anti-forensic capabilities.


Kaiser

File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit).

NOTE: This project was NOT designed to evade AV detection.

Related paper: https://github.com/NtRaiseHardError/NtRaiseHardError.github.io/blob/master/_posts/2018-12-06-Anti-forensic-Malware-and-File-less-Malware.md

This project is discontinued.

How to Build/Use:

  1. Compile Kaiser.dll in Release mode
  2. Upload Kaiser.dll such that it can be directly downloaded as a raw binary
  3. Update the BuildKaiser.ps1 script to include the URL for Kaiser.dll
  4. Run BuildKaiser.ps1 to build the Payload.ps1 script
  5. Upload the Payload.ps1 script such that it can be directly downloaded as raw text
  6. Update the BuildKaiser.ps1 script to include the URL of Payload.ps1
  7. Run BuildKaiser.ps1 to build the Installer.ps1 script
  8. Run the Installer.ps1 script with administrative privileges on the target machine

Known bugs:

  • Threaded XxxNetSend sends will buffer (reason unknown)
  • PurgeXxx functions are not guaranteed to work (perhaps because they use ShellExecuteEx)
  • More?

TODO

  • CommandPrintStatus to print the status of Kaiser?
  • Convert functions in firewall.c to WinAPI
  • [OPTIONAL] Make C2 connection loop until established
  • Convert functions in registry.c to WinAPI
  • Send debugging warnings/errors back to C2
  • Make PurgeProcessMonitor asynchronous (IWbemServices::ExecNotificationQueryAsync)