PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe).

Last year, after our presentation at DerbyCon, we released a blog post detailing the abuse of Excel 4.0 macros (also called XLM macros). This is a macro language which is completely different from VBA and which has been embedded within Excel since 1992. The original blog can be found here, which includes a process injection sample.

It turns out that Excel 4.0 macros are also exposed to DCOM via the ExecuteExcel4Macro method. We modified our process injection XLM macro sample to work on remote hosts as well via DCOM, and we hereby release it in PowerShell and Cobalt Strike script versions.

Make sure to execute this from a 32 bit beacon (which can be running on a 64 bit system).

Invoke-Excel4DCOM -ComputerName -Payload

This will inject an x86 staging payload into excel.exe on the target host. Make sure to execute this from a 32 bit PowerShell host (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe).

Why would I use this method over lateral movement method XYZ?
A big plus for this method is that it does direct shellcode injection into excel.exe via Windows API calls. In contrast to most other lateral movement methods (including practically all DCOM-based ones), this technique does not rely on powershell.exe or any other LOLBIN at the target. Hence, this method can be completely "fileless". And as a plus, AMSI only works for VBA macros and not for XLM, making this method very difficult to detect by AV.

What are the disadvantages of this method?
Firstly, this method is slow. The Cobalt Strike staging payload (roughly 800 bytes) requires about 1 to 2 minutes to be injected in a remote host. Note that this is mostly due to the Proof of Concept implementation, which injects the payload byte-by-byte in order to avoid XLM macro line-length constraints. It should be possible to do this in chunks of 10 bytes while still remaining under XLM line-length limits. I just need to find some time to brush up my code.

Secondly, due to XLM data type constraints (read our blog for details), this method only targets 32 bit installs of Excel.exe - which fortunately is the vast majority of installations. Note that x86 installs on x64 systems are fine. This also means that you should execute this method from a 32 bit PowerShell host or beacon.

Special thanks to Philip Tsukerman for pointing out to me that Excel 4.0 macros are exposed via DCOM.

Collection of beacon BOF.

1 ) DCOM Lateral Movement
A quick PoC that uses DCOM (ShellWindows) via beacon object files for lateral movement. You can either specify credentials or use the current user. To use the current user, just leave the domain, username, and password empty. A short article about using COM objects in C can be found here.

2 ) WMI Lateral Movement - Win32_Process Create
This method uses the class Win32_Process. Similar concepts to the previous one, but an interesting learning experience.

3 ) WMI Lateral Movement - Event Subscription
This one uses WMI events for lateral movement.

4 ) On-demand C2
This is an implementation of an on-demand C2 using dotnet BOF. Most of the heavy lifting was done by wumb0in. The beacon will enter a sleep state until an email with a given word (in subject or body) is provided. This way your beacon will call home ONLY when you want it to call home. When the beacon calls home, it will call home with whatever sleep time is configured in the malleable profile. When you are done you can run the BOF again and the beacon will sleep until you send another email. As an extra, the email with the given word will be deleted before the user gets notified about it.

1 ) .NET project (cheers to CCob for the brilliant work!) and follow CCob's guide here to load the dll into the beacon
2 ) Execute it using the following: bofnet_execute On_Demand_C2_BOF.OnDemandC2Class subject COVlD-19*
*This is COVlD-19 with a small L (instead of an I) to ensure uniqueness
3 ) Now, to have a callback from your beacon, send an email with that subject. The email will directly get redirected to Deleted Items and beacon will be calling home again!

You can also specify the body option like the following: bofnet_execute On_Demand_C2_BOF.OnDemandC2Class body "it can also be a sentence!"
If you do so, the application will only trigger if the body of an email contains "it can also be a sentence!".
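As an added defender's-side example (not part of either README, and not code from Outflank or the BOF collection), the following Python sketch turns the two tradecraft observations above into hunting logic: the Excel4-DCOM README states that the shellcode runs inside excel.exe itself with no powershell.exe or other LOLBIN on the target, so the telemetry that remains is an Office process launched by the DCOM launcher (svchost.exe -k DcomLaunch) that then opens an outbound connection; the WMI event-subscription BOF needs an __EventFilter, an __EventConsumer and a binding created on the target, which Sysmon reports as event IDs 19, 20 and 21. The script runs over constructed Sysmon-style log lines; the field names follow Sysmon's EventData schema, while the flattened one-object-per-line layout, host names, GUIDs, addresses and the WMI subscription contents are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed, Sysmon-style events flattened to one JSON object per line.
# Field names follow Sysmon's EventData; "Computer" is hoisted from the System block.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "ProcessGuid": "{guid-excel-user}", "Image": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"}
{"EventID": 1, "Computer": "WS01", "ProcessGuid": "{guid-excel-dcom}", "Image": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"}
{"EventID": 3, "Computer": "WS01", "ProcessGuid": "{guid-excel-user}", "Image": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Computer": "WS01", "ProcessGuid": "{guid-excel-dcom}", "Image": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": 80}
{"EventID": 19, "Computer": "WS02", "Operation": "Created", "Name": "Updater", "EventNamespace": "root\\cimv2", "Query": "[constructed WQL query]"}
{"EventID": 20, "Computer": "WS02", "Operation": "Created", "Name": "Updater", "Type": "Command Line", "Destination": "[constructed command line]"}
{"EventID": 21, "Computer": "WS02", "Operation": "Created", "Consumer": "CommandLineEventConsumer.Name=\"Updater\"", "Filter": "__EventFilter.Name=\"Updater\""}
"""

# Office images that the Excel4-DCOM pattern (and its Word/PowerPoint cousins) would run in.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Sysmon WMI event IDs: 19 = WmiEventFilter, 20 = WmiEventConsumer, 21 = WmiEventConsumerToFilter.
WMI_PARTS = {19: "filter", 20: "consumer", 21: "binding"}


def parse_events(log_text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_by_dcom(ev):
    """True when the parent is the DCOM activation host (svchost.exe -k DcomLaunch)."""
    return (basename(ev.get("ParentImage", "")) == "svchost.exe"
            and "dcomlaunch" in ev.get("ParentCommandLine", "").lower())


def detect(events):
    """Return (rule, host, detail) alerts for the two patterns described above."""
    alerts = []
    dcom_office = set()             # ProcessGuids of Office processes activated via DCOM
    wmi_parts = defaultdict(set)    # host -> which of filter/consumer/binding were created
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and basename(ev.get("Image", "")) in OFFICE_IMAGES and launched_by_dcom(ev):
            # Office started by DcomLaunch rather than by the interactive shell.
            dcom_office.add(ev["ProcessGuid"])
            alerts.append(("office_spawned_by_dcom", ev["Computer"], ev["ProcessGuid"]))
        elif eid == 3 and ev.get("Initiated") == "true" and ev.get("ProcessGuid") in dcom_office:
            # The DCOM-activated Office process reaching out: consistent with a stager
            # running inside excel.exe, which is what the README says this technique does.
            alerts.append(("dcom_office_outbound_connection", ev["Computer"], ev["ProcessGuid"]))
        elif eid in WMI_PARTS and ev.get("Operation") == "Created":
            host = ev["Computer"]
            wmi_parts[host].add(WMI_PARTS[eid])
            if wmi_parts[host] == {"filter", "consumer", "binding"}:
                # All three pieces of a permanent WMI event subscription now exist on this host.
                alerts.append(("wmi_event_subscription_created", host, ev.get("Consumer", "")))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{host}: {rule} ({detail})")
```

Both signals have benign causes (any DCOM automation of Excel from another host, WMI subscriptions installed by management software), so treat this as hunting logic to tune against a baseline rather than as a blocking rule. The DCOM rule deliberately keys on the parent process and the subsequent network connection instead of on a dropped file or a child powershell.exe, because the README's own point is that neither of those exists in this technique.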