[Stockpile Ability] DLL sideloading ability

[Ke3n007]

Description

This ability leverages DLL hijacking to establish persistence by executing arbitrary code to deploy an agent. The ability involves the following steps:

• Downloads the portable version of Notepad++ (v8.5.4) from GitHub to C:\Users\Public\npp.zip
• Extracts the ZIP file to C:\Users\Public\npp directory
• Creates a run.txt file in C:\Users\Public with a PowerShell command to execute the splunkd.exe payload
• Places a malicious UxTheme.dll in the Notepad++ directory, which will be loaded instead of the legitimate Windows DLL
• Launches Notepad++.exe, which will load the malicious DLL due to Windows’ DLL search order

The payload uses Windows API calls to open, read, and load the commands from the txt file into a buffer. Another Windows API call then executes the commands stored in the buffer to deploy an agent.

Cleanup Commands remove both the zip file and the txt file.

Type of change

Please delete options that are not relevant.

• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

This ability has been tested by running a successful operation.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[uruwhy]

can you also include our DLL source code with compilation instructions in comments at the top? You can put the file in the same payloads directory

[Ke3n007]

can you also include our DLL source code with compilation instructions in comments at the top? You can put the file in the same payloads directory

I don't have access to the source code, but I placed it in the Box file share.

[Copilot]

Pull Request Overview

This PR adds a new Stockpile ability that implements DLL sideloading for persistence using Notepad++ v8.5.4. The ability exploits Windows' DLL search order by placing a malicious UxTheme.dll in the Notepad++ directory to execute arbitrary code and deploy an agent.

Key changes:

• Downloads and extracts portable Notepad++ v8.5.4 to establish the target application
• Creates a malicious DLL hijacking scenario using UxTheme.dll
• Implements payload execution through a text file containing PowerShell commands

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The description contains excessive blank lines and formatting inconsistencies. The cleanup section should be properly formatted without unnecessary whitespace.

[github-actions]

This pull request is stale because it has had no activity for 60 days. Remove the stale label or comment or this will be closed in 60 days