Note: posted on June 2017

l-2

CACTUSTORCH is a framework for payload generation that can be used in adversary simulation engagements based on James Forshaw’s DotNetToJScript tool. This tool allows C# binaries to be bootstrapped inside a payload, providing reliable means to bypass many common defences. Currently CACTUSTORCH supports the following payload types:

  • VBS

  • VBA

  • JS

  • JSE

  • WSF

  • HTA

  • VBE

Prior to this, it was not possible to invoke shellcode injection directly from multiple formats with the exclusion of VBA macros (more on this later in the post). CACTUSTORCH has a self-contained C# binary which accepts a binary name and base64 encoded shellcode to inject. Additionally, it borrows concepts from @armitagehacker / CobaltStrike’s VBA macro injection whereby it selects the 32 bit executable to inject into.

State of Current Payloads

Generation of payloads for the supported formats already exists in several frameworks, including Metasploit and Cobalt Strike. There are however some drawbacks to how these payloads are generated.

In Metasploit framework the following payload formats work as such:

  • VBS: File drop and execute — Touches disk.

  • HTA-PSH: Runs powershell.exe with a WScript.Shell object — Powershell.exe and WScript.Shell are well known to blue team.

  • VBA-EXE: File drop and execute — Touches disk.

  • VBA: Shellcode injection by declaring Kernel32 API — Known indicators for Maldoc scanning.

  • VBA-PSH: Runs powershell.exe with a Shell object — Powershell.exe is well known to blue team.

In CobaltStrike, the following payload formats work as such:

  • VBS: Weakens the target, creates a COM object to Excel, creates worksheet, injects VBA macro code and executes. — Relies on Office being installed and Kernel32 API declarations in injected VBA.

  • VBA: Shellcode injection by declaring Kernel32 API — Known indicators for Maldoc scanning.

  • HTA-EXE: File drop and execute — Touches disk.

  • HTA-PSH: Runs powershell.exe with a WScript.Shell object — Powershell.exe and WScript.Shell are well known to blue team.

  • HTA-VBA: Wraps around a VBS that does the weakening, COM object to Excel, macro injection of Kernel32 API declaration VBA code.

Benefits of CACTUSTORCH

CACTUSTORCH offers a number of improvements on current payload generation that are currently beyond the capabilities of the public frameworks:

  • Does not use Kernel32 API declarations in the payload

  • Obfuscated within the C# binary

  • Allows for arbitrary specification of target binary to spawn.

  • Allows for arbitrary shellcode to be specified.

  • Does not spawn PowerShell.exe.

  • Does not require Powershell.

  • Does not require Office.

  • Does not invoke WScript.Shell.

  • Does not require staging as the full stageless shellcode can be contained within the delivered payload.

  • No static parent to child spawn, the user can change what wscript.exe spawns.

  • exe spawning Powershell.exe is suspicious, spawning rundll32.exe is arguably less indicative of compromise. You can change this to calc.exe, ping.exe /t or similar less suspicious binaries.

Using CACTUSTORCH

Using CACTUSTORCH is relatively straight forward, the following outlines the steps required to generate a custom payload:

  • Select the payload format you want to use from the cloned directory

  • Select a binary container you want to inject into, has to exist in both SYSWOW64 and SYSTEM32

  • Generate raw shellcode for your listener

  • $> cat payload.bin | base64 -w 0 > out.txt

  • Copy the out.txt base64 raw payload into the “code” variable of the template

  1. If doing it for the VBA, run the out.txt through vbasplit.py out.txt split.txt

  2. Then copy the split.txt into the code section highlighted in the VBA template. Payload is ready

  3. Do obfuscation if you want

A video demonstrating these steps is shown below:

Integration with Cobalt Strike

As part of the process for streamlining adversary simulation engagements so that more time can be placed into creating more sophisticated and bespoke attacks, Vincent has created a CACTUSTORCH aggressor script to facilitate this.

After loading the aggressor script, the following menu is presented as an option under the “Attack” tab. You can now select the payloads you want to use and options, it will generate the payload and host it for you. In terms of the VBA code, it will be presented in a textbox where it can be copied from and pasted into a Word VBA Macro.

m-1

The aggressor script is demonstrated in the following video:

Credits

The scripts, proof of concepts and aggressor script addon is created by Vincent Yiu of the ActiveBreach team. We would like to also thank the following people for their contributions:

  • @tiraniddo: James Forshaw for DotNet2Jscript

  • @cn33liz: Inspiration with StarFighters

  • @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into

  • @_RastaMouse: Testing and giving recommendations around README

CACTUSTORCH can be downloaded from my GitHub page.