Tool Shed Demo: Ek47 – Kevin Clark

Ek47 is a payload encryptor that leverages user-selected environmental keys associated with a target execution context. In the absence of these environmental keys, Ek47 payloads will not decrypt and execute. This creates a strong resistance to automated/manual analysis and reverse engineering of payloads. Ek47 supports many different environmental keys such as current user, domain, computer name, installed programs, and more. Additionally, Ek47 supports packing payloads of .NET assemblies, unmanaged DLLs, and raw shellcode. Ek47 payloads are themselves .NET assemblies and can be uploaded to disk or executed reflectively via any execute-assembly method. By default, a standard AMSI/ETW bypass is executed before the main payload is executed, but Ek47 makes it easy to add custom bypasses for more advanced evasion functionality. Additional miscellaneous features are provided such as entropy management, PE header stomping, and a myriad of payload output types.

link to project:
https://gitlab.com/KevinJClark/ek47

Kevin Clark is a Software Developer turned Penetration Tester at TrustedSec. He focuses on initial access and Active Directory exploitation. He contributes to open-source tools such as PowerShell Empire and Metasploit. He also writes his own custom security tools such as Badrats and Ek47. Kevin has a passion for education and volunteers on the Midwest Collegiate Cyber Defense Competition (CCDC) red team. He teaches courses with BC-SECURITY at BlackHat and other venues about Evasion, Red Teaming, and Empire Operations. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog.