Commit

Melkor

FuzzySecurity committed Jun 13, 2021
1 parent 3eeb4e0 commit 2837f1f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
@@ -537,7 537,7 @@ For further details check out => [BlueHatIL 2020: Staying # and Bringing Covert

### Melkor

Melkor is a simplistic POC. Melkor is able to read `.Net assemblies` and encrypt them in memory using `DPAPI` with the `CRYPTPROTECT_LOCAL_MACHINE` flag. These assemblies are kept encrypted when they are at rest. On demand Melkor can decrypt the assemblies and execute methods from them in a separate `AppDomain`. Once execution finishes the `AppDomain` is be unloaded and only the encrypted assembly remains in memory. This POC is adapted from a TTP I read about in [this](https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf) report by ESET where the threat actor `InvisiMole` used `DPAPI` to encrypt part of their kit so it could only be decrypted/executed on that host.
Melkor is a simplistic POC. Melkor is able to read `.Net assemblies` and encrypt them in memory using `DPAPI` with the `CRYPTPROTECT_LOCAL_MACHINE` flag. These assemblies are kept encrypted when they are at rest. On demand Melkor can decrypt the assemblies and execute methods from them in a separate `AppDomain`. Once execution finishes the `AppDomain` is unloaded and only the encrypted assembly remains in memory. This POC is adapted from a TTP I read about in [this](https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf) report by ESET where the threat actor `InvisiMole` used `DPAPI` to encrypt part of their kit so it could only be decrypted/executed on that host.

With some proper bookkeeping and a code rework Melkor could be adapted to serve as a plugin interface for an implant. The LP could send assemblies (aka capabilities) to the implant which keeps them encrypted in memory. On demand, the interface could `decrypt -> execute in new AppDomain -> destroy AppDomain -> clean up`. This architecture would also allow the LP to perform an update of a capability that already exists in the implant.
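
Review bot: the "is be unloaded" -> "is unloaded" fix is correct, but the sentence it sits in still overstates what unloading the AppDomain buys. "only the encrypted assembly remains in memory" holds for the references Melkor keeps, yet the plaintext byte[] that was produced by DPAPI and handed to the loader is managed memory that is released, not zeroed, when the domain goes away; either scrub that buffer explicitly (Array.Clear before the unload) and say so, or soften the wording to something like "the decrypted copy is no longer referenced". While this line is being touched it would also help readers to spell out what `CRYPTPROTECT_LOCAL_MACHINE` implies: the blob can be decrypted by any account on that host rather than only the user that created it, which is exactly the "only be decrypted/executed on that host" property the InvisiMole paragraph attributes to the TTP. Minor style point on the same line: "Melkor is a simplistic POC. Melkor is able to ..." repeats the subject; "Melkor is a simplistic POC that reads .NET assemblies and ..." reads more naturally.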

