TikiTorch: Process Hollowing
TikiTorch was named in homage to CACTUSTORCH by Vincent Yiu. The basic concept of CACTUSTORCH is that it spawns a new process, then uses CreateRemoteThread to run the desired shellcode within that target process. Both the process and shellcode are specified by the user.
This is pretty flexible as it allows an operator to run an HTTP agent in a process such as iexplore.exe, rather than something more arbitrary like rundll32.exe.
TikiTorch follows the same concept but uses Process Hollowing techniques instead of CRT.
TikiTorch is a Visual Basic solution, split into 6 projects.
A .NET Library that contains all the process hollowing code, used as a reference by the other Tiki projects.
A .NET Library designed to bootstrap an agent via some initial delivery can be used with DotNetToJScript in conjunction with lolbins.
A .NET exe used to spawn agents under different creds.
A .NET exe used to spawn a high integrity agent using the UAC Token Duplication bypass.
Generates a Control Panel (.cpl) formatted DLL that executes gzipped base64 encoded shellcode from a resource. Following the instructions here to generate shellcode in the correct format.
A DLL that integrates AppLocker bypasses from AllTheThings.
Copyright (C) 2019 rasta-mouse