News

Published on September 25th, 2016


An Evil Office Document Generator: Luckystrike

An Evil Office Document Generator

Luckystrike is a PowerShell-based generator of malicious .xls documents (soon to be .doc). All your payloads are saved into a database for easy retrieval and embedding into a new or existing document. Luckystrike provides several infection methods designed to get your payloads to execute without tripping AV.

Luckystrike is a menu-driven PowerShell script that uses a sqlite database to store your payloads, code block dependencies, and working sessions in order to generate malicious .xls documents.

[image: luckystrike]

Prerequisites:

  1. PowerShell v5. The script is made to run on your machine, not your targets, so this shouldn’t be a problem.
  2. Microsoft Office. Or at least Excel. Luckystrike uses the Excel COM objects to build .xls docs.
  3. PowerShell PSSQLite Module. The script will try to install this for you if it is not found.

 

Installation:

To get started, run the following command from an administrative PowerShell prompt:

iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')

Feel free to check out all the boring database commands install.ps1 runs before executing it. You can also git clone the repo and run install.ps1 locally if that somehow makes you feel better.

Install.ps1 does the following:

  1. Installs the PSSQLite module if you don’t already have it (hence the admin rights).
  2. Creates .\luckystrike\
  3. Creates the database (ls.db) and puts it into .\luckystrike
  4. Copies down luckystrike.ps1 into .\luckystrike

Once everything is done, run the luckystrike.ps1 script.

 

Getting Started

Luckystrike allows you to work with three types of payloads: standard shell commands, PowerShell scripts, and executables (.exe). Payloads that you add are stored in the catalog, a sqlite database file that can be used repeatedly or shared amongst teammates. Every time you select a payload to use, you must also choose the infection type, or the means by which the payload will be executed. You can infect a document with multiple payloads of different infection types.

 

https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator/


Infection Types

  1. PAYLOAD TYPE: Shell Command
    1. Infection Type: Shell Command
      • What you see above. Simply uses Wscript.Shell to fire a command. Shell commands run via powershell or cmd.exe do not pop a command window in the user’s view. More likely to get caught by AV.
    2. Infection Type: Metadata
      • Embeds the payload into the file’s metadata, specifically the Subject field. A one-liner in the macro executes whatever is in the metadata. Very low detection rate!
  2. PAYLOAD TYPE: PowerShell Script. [Note: ALL .ps1 files that you save as payloads must be non-encoded! Luckystrike will base64-encode where necessary.]
    1. Infection Type: CellEmbed
      • Your “go to” for firing .ps1 scripts. Embeds a base64-encoded ps1 script into cells, broken up into chunks. A Legend string is associated with the payload so it can be reconstructed at runtime. The payload can exist anywhere on the workable sheet, but will start, at minimum, at Column 150 & Row 100. The base64 payload is saved to disk in C:\users\userid\AppData\Roaming\Microsoft\AddIns as a .txt file. The macro reads in the text file, then fires it with powershell.
    2. Infection Type: CellEmbedNonBase64
      • Embedding is the same as CellEmbed above, but the script is not base64-encoded. The script is read directly from the cells and fired via powershell. Never touches disk. Recommended!
    3. Infection Type: CellEmbed-Encrypted
      • When choosing this, you will be prompted for your target’s email domain name. For example, if your target is bob@evilcorp.com, then you would use “evilcorp.com” (no quotes) as that string, even if it’s different from their main web URL! The reason for this is that Luckystrike will RC4-encrypt the ps1 file (with the email domain as the key) prior to embedding. The macro code will then retrieve the user’s email address from Active Directory, split the string, and decrypt the payload prior to running. If an AV vendor gets hold of the payload, they won’t be able to decrypt and run it.
  3. PAYLOAD TYPE: Executable
    1. Infection Type: Certutil
      • Based on @mattifestation’s excellent work (here), this attack embeds a base64-encoded binary into cells, then saves it as a .txt file to disk, using certutil to decode the payload and save it as an .exe. The exe is then fired.
    2. Infection Type: Save To Disk
      • What you’d think. The exe is saved to disk, then fired. Straightforward.
    3. Infection Type: ReflectivePE
      • Naughty! Both the .exe and a copy of Invoke-ReflectivePEInjection (here) are saved to disk as .txt files. The exe is then fired using Invoke-ReflectivePEInjection. Be sure to test this one! It is very important to know the architecture of your target vs. the payload you’re using. Additionally, I recommend testing your .exe with Invoke-ReflectivePEInjection prior to embedding, as if your .exe is not ASLR/DEP compliant, the attack will not work (I’m not using -ForceASLR). On the positive side, only .txt files are written to %APPDATA%, so those relying on simply blocking execution from appdata are out of luck!
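The infection types above leave a small set of recognisable traces in the macro source and the document properties: a Wscript.Shell launch of powershell, a payload blob in the Subject metadata field, cell references far outside the normal data area (Column 150 / Row 100 and beyond), .txt drops under Microsoft\AddIns, certutil -decode, and Invoke-ReflectivePEInjection. The Python sketch below is an added example, not code from the Luckystrike project or the original post: it turns those traces into triage heuristics over macro text and metadata that a defender has already extracted from a document (for instance with olevba, which this snippet does not call). The sample macro fragments and the Subject value are constructed for illustration, and the function names (triage, far_cell_references, looks_like_base64) are this example's own.

```python
"""Triage heuristics for Luckystrike-style macro documents.

Input is macro source text plus a dict of document properties, both
assumed to have been extracted already; nothing here opens Office files.
Constructed example, not part of the Luckystrike project.
"""
import base64
import binascii
import re

# From the CellEmbed description: payload chunks start no earlier than
# Column 150 / Row 100, far outside where real spreadsheet data lives.
FAR_ROW = 100
FAR_COL = 150

# Text-level indicators for the infection types described on the page.
MACRO_INDICATORS = [
    ("wscript_shell", re.compile(r"Wscript\.Shell", re.I)),
    ("powershell_launch", re.compile(r"powershell(\.exe)?\s", re.I)),
    ("addins_drop_path", re.compile(r"Microsoft\\AddIns", re.I)),
    ("certutil_decode", re.compile(r"certutil(\.exe)?\s+-decode", re.I)),
    ("reflective_pe", re.compile(r"Invoke-ReflectivePEInjection", re.I)),
    ("metadata_read", re.compile(r"BuiltinDocumentProperties", re.I)),
]
CELL_REF = re.compile(r"Cells\(\s*(\d+)\s*,\s*(\d+)\s*\)")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def far_cell_references(macro_source):
    """Return (row, col) pairs the macro addresses beyond the far thresholds."""
    hits = []
    for m in CELL_REF.finditer(macro_source):
        row, col = int(m.group(1)), int(m.group(2))
        if row >= FAR_ROW or col >= FAR_COL:
            hits.append((row, col))
    return hits


def looks_like_base64(value):
    """True if value is a long, strictly valid base64 string (a likely blob)."""
    if not BASE64_RE.fullmatch(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return False
    return True


def triage(macro_source, metadata):
    """Return the list of indicator names that fire for this document."""
    findings = [name for name, pat in MACRO_INDICATORS if pat.search(macro_source)]
    if far_cell_references(macro_source):
        findings.append("far_cell_reference")
    # Metadata infection type: the Subject field carries the payload.
    subject = metadata.get("Subject", "")
    if looks_like_base64(subject) or len(subject) > 256:
        findings.append("metadata_subject_blob")
    return findings


# Constructed samples. The "suspicious" macro is a non-functional fragment
# that only reproduces the textual traces; Reassemble() does not exist.
BENIGN_MACRO = """\
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Cells(2, 1).Value = "Total"
End Sub
"""
BENIGN_META = {"Subject": "Q3 sales report"}

SUSPICIOUS_MACRO = r"""
Sub Auto_Open()
    Dim sh, p
    p = Environ("APPDATA") & "\Microsoft\AddIns\x.txt"
    Set sh = CreateObject("Wscript.Shell")
    ' stub: reassembles chunks starting at Cells(100, 150)
    Call Reassemble(Cells(100, 150))
    sh.Run "powershell.exe -File " & p
End Sub
"""
# Constructed Subject value: base64 of placeholder text, not a payload.
SUSPICIOUS_META = {
    "Subject": base64.b64encode(b"constructed placeholder payload text " * 4).decode()
}

if __name__ == "__main__":
    print("benign:", triage(BENIGN_MACRO, BENIGN_META))
    print("suspicious:", triage(SUSPICIOUS_MACRO, SUSPICIOUS_META))
```

These are triage signals, not verdicts: the far-cell and base64 checks in particular will fire on some legitimate workbooks, so the output is meant to prioritise which documents get a full macro review, and the thresholds should be tuned against your own document population.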

 

https://github.com/Shellntel/luckystrike
