Simple script to obfuscate Grunt strings
Adapted from: Fixing Some .NET Tradecraft
- Random replace for 'Grunt' , 'Covenant' , and 'Stage'
- Hard-coded replace for 2 GUID strings
- Install Cov
- Head to Templates > GruntHTTP
- Copy the Stager code into stager.cs
- Copy the Executor code into executor.cs
- Run the py scipt
python3 gruntfuscator.py stager.cs obf-stager.cs
python3 gruntfuscator.py executor.cs obf-executor.cs
- Copy the contents of each back into the GUI's template
Finally, create your listener, then launcher(s).
- the Stager and Executor can be compiled in Visual Studio and ThreatCheck/DefenderCheck can be run on them
- Change the hard-coded replaces
- Add more strings to be replaced
- Throw in an AMSI bypass