TikiService is a new .NET Service Binary that allows you to run a TikiTorch payload via the Service Control Manager (à la PsExec). TikiTorch.cna has also been updated to create a new Cobalt Strike function, tikiexec, that automates its use. This blog post provides a brief overview and usage examples.
As with all TikiTorch projects, the bulk of the process hollowing code lives within the TikiLoader - so the service binary is relatively simple. In my previous post I explained my design decision for passing in user-specified arguments as parameters, so that we can compile a “generic” binary and have Aggressor provide shellcode on-the-fly.
Instead of trying to provide these on the command line, I opted to utilise the Configuration Manager. This is often seen in the Solution Explorer as
Within this file, you can add appSettings options that come in the form of a key with an associated value. Here we create “placeholders” for
Now in the binary, we can use the ConfigurationManager class to read these values in at runtime and just handle them as normal.
The tikiexec command expects a listener and architecture, for which it will generate base64-encoded shellcode.
It will then read in the config and insert the
TikiService.exe.config are uploaded to C:\Windows\Temp on the target.
CsExec is then executed via execute_assembly to create, start, stop and delete a new service.
The service name, description and binpath etc. are passed in as args, so these can be changed in the CNA to suit your preference.
We attempt to link to the new beacon, and then the binary and config file are removed.
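Seen from the defending side, the upload and service-install steps above leave correlatable telemetry. The following is an added example (not code from this post or from the TikiTorch project) that flags service installs whose binary sits in C:\Windows\Temp and checks for a matching .exe.config written just beforehand. It assumes events have already been parsed into dicts from the System log (7045) and Sysmon (11); the dict layout, the five-minute window and the sample service names are assumptions.

```python
import ntpath
import re
from datetime import datetime, timedelta

STAGING_DIRS = {r"c:\windows\temp"}   # upload directory named in the post
WINDOW = timedelta(minutes=5)         # assumed correlation window

def image_path(raw):
    """Normalise a 7045 ImagePath value to a lower-case executable path."""
    s = re.sub(r"%(systemroot|windir)%", lambda _: r"C:\Windows", raw.strip(), flags=re.I)
    m = re.match(r'"([^"]+)"', s) or re.match(r"(.+?\.exe)\b", s, flags=re.I)
    return ntpath.normpath(m.group(1) if m else s).lower()

def suspicious_services(events):
    """Return (service, exe, config_seen) for services installed from a staging dir."""
    drops = [(e["time"], e["TargetFilename"].lower()) for e in events if e["id"] == 11]
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        exe = image_path(e["ImagePath"])
        if ntpath.dirname(exe) not in STAGING_DIRS:
            continue
        # The service name is operator-configurable (per the post), so it is
        # reported but never matched on. A .NET Framework binary loads
        # <exe>.config from its own directory, so a config written beside the
        # binary shortly before the install corroborates the finding.
        config_seen = any(path == exe + ".config" and timedelta(0) <= e["time"] - t <= WINDOW
                          for t, path in drops)
        hits.append((e["ServiceName"], exe, config_seen))
    return hits

# Constructed sample events (not real telemetry): Sysmon 11 = FileCreate,
# System log 7045 = "A service was installed in the system".
T0 = datetime(2020, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"id": 11, "time": T0, "TargetFilename": r"C:\Windows\Temp\TikiService.exe"},
    {"id": 11, "time": T0 + timedelta(seconds=1),
     "TargetFilename": r"C:\Windows\Temp\TikiService.exe.config"},
    {"id": 7045, "time": T0 + timedelta(seconds=3), "ServiceName": "ExampleSvc",
     "ImagePath": r"%SystemRoot%\Temp\TikiService.exe"},
    {"id": 7045, "time": T0 + timedelta(minutes=1), "ServiceName": "Updater",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe" /svc'},
]

if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_EVENTS):
        print(hit)
```

Because the service is deleted and the files removed afterwards, this has to run over forwarded or retained logs rather than the live host state.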