GadgetToJScript

Back in April 2017, James Forshaw (hail) released a tool called DotNetToJScript, which was capable of generating JScript, VBA and VBScript that could run an arbitrary .NET assembly (mostly) from memory. Although not its intended purpose, it was quickly picked up by tool developers, pentesters, red teamers, bad guys etc. and used to deliver .NET-based payloads via methods such as HTA.

Microsoft and other AV vendors started writing signatures for DN2JS, and we all know how that makes James feel (Exhibits A and B). Microsoft even went as far as to make some under-the-hood changes from Windows 10 / 2K16 to mitigate the use of DN2JS payloads, as evidenced by these notes in Covenant:

These factors seem to have resulted in a decline in prevalence for these payloads, or at least, they’re not hyped about so much.

Enter GadgetToJScript by Mohamed El Azaar. This tool generates .NET serialized gadgets that can trigger assembly load/execution when deserialized via BinaryFormatter from JScript, VBScript or VBA. So once again, it allows for tradecraft similar to what DN2JS originally provided, and it works on Windows 10.

Covenant Tasks 101

Covenant is a .NET Command and Control framework that boasts a number of exciting features for red teamers. The Covenant implants are called Grunts, which are capable of executing post-exploitation “tasks” on a compromised machine. Covenant v0.1 was released with a number of useful tasks, but the repository has really grown through contributions from the Covenant community.

Tasks can extend the functionality and versatility of a Grunt, such as providing new lateral movement, persistence or privilege escalation techniques and more. Contributing a Task to Covenant is an excellent way to support the project.

This post will provide an introduction for those wishing to create and contribute new Tasks.


TikiService

TikiService is a new .NET Service Binary that allows you to run a TikiTorch payload via the Service Control Manager (à la PsExec). TikiTorch.cna has also been updated to create a new Cobalt Strike function, tikiexec, which automates its use. This blog post provides a brief overview and usage examples.

Covenant v0.1 was first released in February 2019 and has since received a lot of really good updates. v0.2 was released in May, which added p2p comms over SMB named pipes, and v0.3 was released in August, which added a brand new web interface. Even though it’s such a young project, it has really proven itself to be a capable tool for offensive operators. I’ve not taken a look at Covenant since v0.1.x, but since providing some new additions to SharpSploit, it kinda got my geek going. One of my areas of interest is weaponising the Grunt stager.

TikiVader

I’ve added a new experimental project to TikiTorch, called TikiVader. I originally thought of “vader” as a play on “evade”/“evader”, until I realised TikiVader was never meant to evade anything… but never mind 😒

Rasta Mouse

Taylor Swift fan, wannabe Red Teamer & 1337 hax0r (in that order).

Penetration Tester

UK