GadgetToJScript, Covenant, Donut


Hello All,

In this post we will cover how can we leverage GadgetToJScript for generating payload in various supported format such as HTA, JS, VBS & VBA(macro) which will execute our covenant grunt(Grunt is the implant for Covenant C2 framework).

Wondering why are we using GadgetToJScript tool to generate Covenant payload in hta / js format wherein Covenant has default launcher to generate hta / js payload ?

Covenant uses DotNetToJScript for generating payloads in hta / js format which indeed doesn't work well with Windows 10 environment. We can see the note in the description field.


DotNetToJScript - A tool to generate a JScript which bootstraps an arbitrary .NET Assembly and class.

GadgetToJScript - A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS based scripts. The gadget being used triggers a call to Assembly.Load when deserialized via jscript/vbscript, this means it can be used in the same way to trigger in-memory load of your own shellcode loader at runtime.

Covenant - Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

Donut - Donut is a shellcode generation tool that creates position-independant shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. 

Thanks to Mohamed El Azaar for creating GadgetToJScript tool and helping / guiding me while weaponizing GadgetToJScript tool.

The modified TestAssemblyLoader.cs & payload.txt file can be found here.
This also bypasses latest windows defender signature. It was tested while writing the post.

Demo

In this post I will cover 2 demos:
  1. We will use the gruntstager C# code directly with GadgetToJScript tool.
  2. We will use Donut to generate shellcode for the gruntstager and APC Queue Process Injection technique to load the shellcode.
Using GruntStager C# code directly with GadgetToJScript tool.

Step 1) Copy the GruntStager code from the Covenant UI and paste it in the payload.txt file.


Step 2) Copy the payload.txt file in the directory where GadgetToJScript.exe is placed.

Step 3) Execute GadgetToJScript.exe to generate HTA payload for covenant grunt.

Required parameters:
-w : This parameter is used to specify the scriptType (js , vbs, vba or hta)
-o : This parameter is used to specify the output filename without file extension

GadgetToJScript.exe -w hta -o test


GadgetToJScript.exe will compile the code at runtime from payload.txt and generate the payload.



Step 4) Execute the test.hta file


Whoop !!! We got the HTA file executed on windows 10 1903.

Now lets try the second demo by using Donut to generate shellcode and APC Queue Process Injection technique to execute the shellcode.

Step 1) Generate the binary launcher and click on Download button to download the GruntStager.exe file.


Step 2) Create a new file named payload.txt in the folder where GadgetToJScript.exe file is placed.

Step 3) Copy the APC Queue Process Injection code from here and paste the code in the payload.txt file.

Step 4) Use Donut and generate the shellcode for the GruntStager.exe file and encode the shellcode into Base64 format and copy the Base64 encoded value to variable b64 in payload.txt file.


Step 5) Execute GadgetToJScript.exe to generate JS payload for covenant grunt.

Required parameters:
-w : This parameter is used to specify the scriptType (js , vbs, vba or hta)
-o : This parameter is used to specify the output filename without file extension

GadgetToJScript.exe -w js -o test


Step 6) Execute the test.hta file


Detection

Monitor process which are created in suspended state. Monitor Windows API calls like OpenThread, QueueUserAPC and those that can be used to modify memory within another process such as WriteProcessMemory. Also monitor process especially under (c:\Windows\System32\* or c:\Windows\SysWOW64\*) for abnormal behavior such as opening network connections.

mshta.exe 


notepad.exe



References

https://ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection
https://modexp.wordpress.com/2019/08/27/process-injection-apc/
https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf
https://attack.mitre.org/techniques/T1055/


Thanks for reading the post.

Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏

Comments

Popular posts from this blog

Introduction to Callidus

Process Injection - Part V