There’s been a disturbance in pentesting, have you felt it? More mature environments have finally caught on that Powershell can be used for malicious gains and pentesters could own your domain with a few Powershell commands, so admins have began to lock it down, EDRs have began to alert, and thus the saying goes, necessity is the mother of invention. Exit Powershell, enter C#.
So why C#? Simply put, it has access to the .NET framework like Powershell does. The other big reason is that Microsoft has unsigned executables that will compile and execute C# code and those unsigned executables are installed by default with the .NET Framework installation, which means it’s everywhere. Matt Graber found one of the executables and did an excellent write-up of it here. The TL;DR of it is that Microsoft.Workflow.Compiler.exe, which is installed as part of the .NET framework, will run C# code that is in a XOML file. There’s been a huge movement to use LOL (living off the land) tactics, meaning use what you have at your disposal instead of downloading things to victim machines, so this is huge. Of course, people immediately started to look at how to weaponize this as msbuild.exe was also another binary that would do compile and run C# code. byt3bl33d3r, who wrote crackmapexec, Empire, and Deathstar, developed a tool called SILENTTRINITY, which utilizes IronPython to create the C# code in python, then develop the XML file needed by msbuild (If using that payload option). This is how it works:
Using Kali, install Python3
apt-get install python3.7 apt-get install python3.7-dev
Then download SILENTTRINITY
git clone https://github.com/byt3bl33d3r/SILENTTRINITY
Then install the requirements.
cd SILENTTRINITY/Server python3.7 -m pip install -r requirements.txt
Then start SILENTTRINITY
cd Server python3.7 st.py
Before starting SILENTTRINITY we’ll spin up a Samba server so that we don’t have to drop files to disk on the target and instead fetch the payload via SMB path. To do this, impacket has a set of tools in their github repository here, one of which is smbserver.py which will spin up a quick SMB server.
First download & install the impacket repository
git clone https://github.com/SecureAuthCorp/impacket.git cd impacket pip install -r requirements.txt python setup.py install
Then create a folder that will be shared
Then run smbserver.py. Since it was ‘installed’ it can be ran anywhere via
smbserver.py -smb2support SMB /root/SMB
Then start SILENTTRINITY
cd SILENTTRINITY/Server/ python3.7 st.py
You should then be seeing this
Next is to spin up an HTTP listener, as shown below.
Once that is spun up, next is to generate the actual stager, which is what will be executed. In this case, we’re using msbuild.
The XML file is generated in the same directory as st.py, so copy that to the Samba share that was made which in this case is at /root/SMB.
cp msbuild.xml /root/SMB
Finally, the trick now is to get the victim to execute the xml file via SMB path. Of course this is easy if you already have a shell on the machine, otherwise it’s possible to embed this link in a phishing email.
You’ll see a command prompt open up and if you look back at SILENTTRINITY, you’ll have a session.
And to list the sessions:
Now you can use modules against that session, like in Empire
The purpose of this is to show that you never have to drop files to disk and can actually execute code remotely, in memory, by using SMB and binaries that exist on most current Windows deployments. The interesting thing is that this isn’t a bug with msbuild.exe or or workflow.complier.exe, those binaries are meant to do this, we’re just exploiting it for offensive purposes.