Published on September 25th, 2016
Luckystrike: An Evil Office Document Generator
Luckystrike is a PowerShell based generator of malicious .xls documents (soon to be .doc). All your payloads are saved into a database for easy retrieval & embedding into a new or existing document. Luckystrike provides you with several infection methods designed to get your payloads to execute without tripping AV.
Luckystrike is a menu-driven PowerShell script that uses a sqlite database to store your payloads, code block dependencies, and working sessions in order to generate malicious .xls documents.
Prerequisites:
- PowerShell v5. The script is made to run on your machine, not your targets, so this shouldn't be a problem.
- Microsoft Office. Or at least Excel. Luckystrike uses the Excel COM objects to build .xls docs.
- PowerShell PSSQLite Module. The script will try to install this for you if it is not found.
Installation:
To get started, run the following command from an administrative PowerShell prompt:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')
Feel free to check out all the boring database commands install.ps1 runs before executing it. You can also git clone the repo & run install.ps1 locally if that somehow makes you feel better.
Install.ps1 does the following:
- Installs the PSSQLite module if you don't already have it (hence the admin rights).
- Creates .\luckystrike\
- Creates the database (ls.db) and puts it into .\luckystrike
- Copies down luckystrike.ps1 into .\luckystrike
Once everything is done, run the luckystrike.ps1 script.
Getting Started
Luckystrike allows you to work with three types of payloads: standard shell commands, PowerShell scripts, and executables (.exe). Payloads that you add are stored in the catalog, a sqlite database file that can be used repeatedly, or shared amongst teammates. Every time you select a payload to use, you must also choose the infection type, or the means by which the payload will be executed. You can infect a document with multiple payloads of different infection types.
https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator/
Infection Types

PAYLOAD TYPE: Shell Command
- Infection Type: Shell Command. Simply uses Wscript.Shell to fire a command. Shell commands run via powershell or cmd.exe do not pop a command window in the user's view. More likely to get caught by AV.
- Infection Type: Metadata. Embeds the payload into the file's metadata, specifically the Subject field. A one-liner in the macro then executes whatever is in the metadata. Very low detection rate!

PAYLOAD TYPE: PowerShell Script. [Note: ALL .ps1 files that you save as payloads must be non-encoded! Luckystrike will b64 encode where necessary.]
- Infection Type: CellEmbed. Your "go to" for firing .ps1 scripts. Embeds a base64 encoded ps1 script into cells, broken up into chunks. A Legend string is associated with the payload so it can be reconstructed at runtime. The payload can exist anywhere on the workable sheet, but will start, at minimum, at Column 150 & Row 100. The base64 payload is saved to disk in C:\users\userid\AppData\Roaming\Microsoft\AddIns as a .txt file. The macro reads in the text file, then fires it with powershell.
- Infection Type: CellEmbedNonBase64. Embedding is the same as CellEmbed above, but the script is not base64 encoded. The script is read directly from the cells and fired via powershell. Never touches disk. Recommended!
- Infection Type: CellEmbed-Encrypted. When choosing this, you will be prompted for your target's email domain name. For example, if your target is bob@evilcorp.com, then you would use evilcorp.com (no quotes) as that string, even if it's different from their main web URL! The reason for this is that luckystrike will RC4 encrypt the ps1 file (with the email domain as the key) prior to embedding. The macro code will then retrieve the user's email address from Active Directory, split the string to obtain the domain, and decrypt the payload prior to running it. If an AV vendor gets ahold of the payload, they won't be able to decrypt & run it without that key.

PAYLOAD TYPE: Executable
- Infection Type: Certutil. Based on @mattifestation's excellent work, this attack embeds a base64 encoded binary into cells, saves it as a .txt file to disk, then uses certutil to decode the payload & save it as an .exe. The exe is then fired.
- Infection Type: Save To Disk. What you'd think: the exe is saved to disk, then fired. Straightforward.
- Infection Type: ReflectivePE. Naughty! Both the .exe and a copy of Invoke-ReflectivePEInjection are saved to disk as .txt files. The exe is then fired using Invoke-ReflectivePEInjection. Be sure to test this one! It is very important to know the architecture of your target vs the payload you're using. Additionally, I recommend testing your .exe with Invoke-ReflectivePEInjection prior to embedding, because if your .exe is not ASLR/DEP compliant the attack will not work (I'm not using -ForceASLR). On the positive side, only .txt files are written to %APPDATA%, so those relying on simply blocking execution from AppData are out of luck!
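The CellEmbed and CellEmbed-Encrypted flows above are easier to reason about with a small model of both sides: the generator chunking a script into cells and recording a legend, and the macro walking that legend, reassembling the chunks and (for the encrypted variant) deriving the RC4 key from the current user's e-mail domain. The block below is an added example written for this page; it is not Luckystrike's own code (which is PowerShell plus VBA macros) and makes assumptions the page does not state: the RC4 key is the lower-cased domain as ASCII bytes, the legend is modelled as an ordered list of (column, row) coordinates, and 255 characters per cell is an arbitrary chunk size. The sample script and addresses are constructed.

```python
# Added example: a language-agnostic model of the CellEmbed / CellEmbed-Encrypted
# scheme. Not Luckystrike's code. Assumptions (not stated on the page):
#   - RC4 key = the e-mail domain, lower-cased, as ASCII bytes
#   - the "legend" is an ordered list of (column, row) cell coordinates
#   - 255 characters per cell is an arbitrary chunk size
import base64

CHUNK = 255                      # assumed characters stored per cell
START_COL, START_ROW = 150, 100  # page: embedding starts at Column 150 & Row 100 at minimum


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def domain_key(email: str) -> bytes:
    """Macro side: take the address pulled from Active Directory, split on '@'
    and use the domain part as the key (assumed encoding: lower-cased ASCII)."""
    if email.count("@") != 1:
        raise ValueError("expected exactly one '@' in %r" % email)
    return email.split("@")[1].lower().encode("ascii")


def embed(ps1_source: str, target_domain: str, encrypt: bool = True) -> dict:
    """Generator side: optionally RC4-encrypt the script with the target's
    domain, base64 it, and spread it over cells one chunk per row down
    column START_COL. Returns a toy 'workbook':
    {'legend': [coord, ...], 'cells': {coord: chunk_text}}."""
    blob = ps1_source.encode("utf-8")
    if encrypt:
        blob = rc4(target_domain.lower().encode("ascii"), blob)
    text = base64.b64encode(blob).decode("ascii")
    legend, cells = [], {}
    for n, offset in enumerate(range(0, len(text), CHUNK)):
        coord = (START_COL, START_ROW + n)
        cells[coord] = text[offset:offset + CHUNK]
        legend.append(coord)
    return {"legend": legend, "cells": cells}


def reconstruct(workbook: dict, user_email: str, encrypted: bool = True) -> bytes:
    """Macro side: walk the legend in order, concatenate the chunks,
    base64-decode, and (for CellEmbed-Encrypted) RC4-decrypt with the key
    derived from the current user's address. Returns raw bytes so that a
    wrong key yields garbage rather than an exception."""
    text = "".join(workbook["cells"][coord] for coord in workbook["legend"])
    blob = base64.b64decode(text)
    if encrypted:
        blob = rc4(domain_key(user_email), blob)
    return blob


if __name__ == "__main__":
    # Constructed sample payload and addresses (not from the page).
    script = "Write-Host 'hello from the macro'\n"
    wb = embed(script, "evilcorp.com")
    print(reconstruct(wb, "bob@evilcorp.com").decode("utf-8"))   # matching domain: plaintext
    print(reconstruct(wb, "bob@othercorp.com")[:8].hex())        # other domain: garbage
```

Two things the model makes obvious. First, the key is the recipient's mail domain, which is public knowledge, so what the encryption actually buys is that the script will not decrypt in a sandbox or analysis VM whose logged-on user does not carry an address in the target's domain; an analyst who knows who received the document can pass that address to `reconstruct` and recover the script. Second, `reconstruct` returns bytes rather than a string on purpose: with the wrong domain RC4 produces arbitrary bytes that will usually not be valid UTF-8, and an exception there would tell you nothing more than the garbage does.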
https://github.com/Shellntel/luckystrike