It's been a while since any big updates but I have not been idle. I'll be showcasing two major tool updates for this article. One is IronEye v2.0 with a lot of major improvements from the previous versions. The other is my current private loader framework called IronFist that is in active development.

IronFist - Rust Based Loader Framework

I'll be utilizing AdaptixC2 v0.9 to generate some shellcode for my custom agent and listener.

Once I have my agent.bin (shellcode), I can utilize my IronFist framework with the following options to play with different loader configurations.

IronFist v0.1.0 - Modular Payload Creation Framework
══════════════════════════════════════════════════
Modular payload creation framework

Usage: iron_fist [OPTIONS]

Options:
  -C, --config <CONFIG>
          Configuration file (.iron)
      --generate-config
          Generate template configuration file
  -i, --input <INPUT>
          Path to input file (.bin for shellcode modes, .ps1 for PowerShell mode)
  -o, --output <OUTPUT>
          Output filename (.exe or .dll)
  -e, --encrypt <ENCRYPT>
          Encryption algorithm (RC4, AES, XOR)
  -k, --key <KEY>
          Encryption key (any text string, supports Unicode)
      --keyHTTP <KEY_HTTP>
          Derive encryption key from HTTP resource: URL,OFFSET (e.g., https://example.com/data.txt,1467). Default: 32 bytes from offset.
  -d, --debug
          Enable debug output in generated payload
      --show-source
          Display generated source code
      --execution-delay <EXECUTION_DELAY>
          Execution delay in seconds before shellcode runs
      --mutex <MUTEX>
          Mutex string for payload execution control
  -m, --mode <MODE>
          Injection mode: Classic (binary shellcode), LocalThreadHijack (binary shellcode), PowerShell (PowerShell script), EarlyBirdAPC (binary shellcode via suspended process APC)
      --sleep-technique <SLEEP_TECHNIQUE>
          Sleep obfuscation technique (simple, decoy)
      --sandbox [<SANDBOX>...]
          Include Sandbox Checks. Format: --sandbox domaim domainjoined 'diskspace 200G' 'memoryspace 8G' emulated windowchanges
      --domain <DOMAIN>
          Specify a domain for sandbox evasion - Requires you specify domain
      --sleep-between <SLEEP_BETWEEN> <SLEEP_BETWEEN>
          Insert sleep calls between major events: <seconds> <jitter>. Example: --sleep-between 5 10 (5-15 second sleeps)
      --rc-file <RC_FILE>
          Resource file containing version info (FileDescription, ProductName, ProductVersion, etc.)
      --icon <ICON>
          Path to icon file to embed as application icon (.ico, .png, .svg)
      --sign-domain <SIGN_DOMAIN>
          Domain to spoof certificate from (creates fake certificate)
      --sign-cert <SIGN_CERT>
          Path to legitimate .pfx certificate file
      --sign-password <SIGN_PASSWORD>
          Password for certificate file
      --dll-export <DLL_EXPORT>
          Export function name for DLL files (default: Run)
      --ppid <PPID>
          Parent process name to spoof (e.g., explorer.exe, svchost.exe)
      --target-process <TARGET_PROCESS>
          Target process for Early Bird APC injection (e.g., C:\\Windows\\System32\\notepad.exe). Default: notepad.exe
      --fluff <FLUFF>
          Path to wordlist for fluff injection (entropy reduction)
      --fluff-size <FLUFF_SIZE>
          Total fluff size in KB (default: 50) [default: 50]
  -h, --help
          Print help
  -V, --version
          Print version

IronFist Help

Let's compile a binary with RC4 encryption, early-bird APC injection, and simple sleep commands along with some binary padding. We can then run this through LitterBox to see if we have any detections off the bat.

Looks like we have no detections! Not bad for some of the more basic settings. Running on my Windows 10 host with Defender, we have no issues with a beacon callback!

While not an impressive demonstration for anyone dealing with much more sophisticated EDR products, it showcases some of the functionality and I am actively using it with tests against more mature products such as Elastic and CS. This framework is currently under active development!

Key Functionality:

HTTP Keys - Ability to use HTTP requests to grab content from a page and use it as the key, removing the risk of embedded encryption keys
Fluff - Pad the executable with a custom wordlist, lowering entropy and adding legitimacy if you use proper context words such as a configuration file
Sleep/Delays - By default, has a 30 second delay for any shellcode executions. Can also specify normal sleep or the decoy mode which performs randomized operations for the set period of time to appear less suspicious. --sleep-between can be used to set sleep periods after certain operations.
Code Signing - Utilizes a port of Limelighter for creating fake-code certificates or utilizing legitimate ones. Also can copy properties using the --rc-file and --icon to appear more legitimate.
Debugging - Can use the -d flag to set console output for debugging along with --show-source to show the compiled binary source code

IronEye v2.0

Now the really exciting stuff is the current improvements to my public 1.4 tool IronEye! My current GitLab version now at v2.0 with some major improvements:

Full Cerbero Library integration - https://gitlab.com/Zer1t0/cerbero underwent some improvements over the last few months which allowed me to fix some previous issues along with a full conversion to library format for use within IronEye.
Ccache File Ingestion - No more KRB5 conf setup required, IronEye can use ccache files set with export KRB5CCNAME=ticket.ccache for authentication.
Session Reuse - Previously a new LDAP connection was made for each request which is not OPSEC ideal for most situations. Sessions are now reused across the Connect module.
Action Menu - Can now perform certain actions to setup attacks or modify accounts via LDAP.

IronEye now uses a full library conversion of Cerbero in order to perform Kerberos operations and certain attacks.

We can use the target credentials we have obtained to pull a Kerberos ticket using the ask-tgt command.

We can then set the KRB5CCNAME environment variable from within the tool using the export <ticket> command.

Can also convert the ticket between ccache and kirbi as needed.

And if needed, you can use the hash module to calculate password hashes.

One of the great new tools is we can perform roasting for ASREP and Kerberoasting now from within the tool. Combined with the new actions provided with the Connect menu, you can set a SPN or DONT_REQUIRE_PREAUTH on a user and perform targeted attacks.

Finally, you can craft Golden and Silver tickets along with get service tickets as needed.

The connect menu now allows for authentication with ccache credentials.

The new actions menu now allows the user to perform certain modifications using LDAP such as add a computer, set a SPN, set DONT_REQUIRE_PREAUTH, and enable/disable accounts. Under the right context, these can lead to further attacks and compromise of environment when using the Kerberos module or third party tools.