July 24, 2018
A SharpView and More Aggressor
Any red team looking to improve is constantly adapting, changing their tactics and implementing new techniques and procedures. To many professionals in the industry this is known as Tradecraft, a term that resonates with me. Previously, I had written about various tools that are used by the Tevora Threat Team, such as Cobalt Strike. Something that we have seen dominate the post-exploitation scene is PowerShell, due to its power, for lack of a better word. PowerShell offers an adversary major offensive capability, making it a popular choice for post-exploitation activities. However, with how much attention it has gotten, Microsoft has made great strides in hardening PowerShell against offensive use. As a result, the use of PowerShell can sometimes lead to a higher chance of getting caught, and thus not always being able to take advantage of feature-filled go-to’s like PowerView, a gift that seems to keep on giving.
In Cobalt Strike 3.11 we saw a new feature introduced into the tool called execute-assembly, which gave the ability to execute C# assemblies in memory. This is a great opportunity for red teamers to start re-tooling and push post-exploitation away from PowerShell and toward other avenues. Today we are releasing SharpView, which is a .NET port of one of our favorite tools. SharpView offers the ability to use any of the PowerView functions and arguments in a .NET assembly. If you’re familiar with PowerView, SharpView will be easy to pick up.
SharpView.exe Get-DomainController -Domain test.local -Server dc.test.local -Credential firstname.lastname@example.org/password
In Cobalt-Strike with aggressor script
SharpView can be found here
In addition to releasing SharpView, we are also releasing an aggressor script for PowerView 3. The script provides a graphical interface to use SharpView all in one. This is very similar to the last PowerView aggressor script that was released, with a few changes. This aggressor script now supports PowerView 3.0 (current dev branch) and, like last time, has the ability to select either PowerPick or PowerShell as the execution method. Adding to the execution methods is the implementation of SharpView that leverages
However, there is a caveat with using SharpView. One of the awesome things about PowerShell and PowerView is the ability to pipe commands. As of right now there is no way (that I know of) to pipe commands with execute-assembly.
One of the things that PowerView 3.0 offers that was not widely used in PowerView 2.0 is the ability to create and use credential objects and simulate ‘runas’. The latest aggressor script offers the ability to take a credential from Cobalt Strike in the form “domain\user password” and parse it into a credential object. The format for the credential differs between PowerShell, PowerPick, and execute-assembly, but to the end user it makes no difference as long as it stays in the format “domain\user password”. Something to be aware of is that the credential being used will appear in the command, much like the examples in PowerView. Finally, the script has a help button that gives the description of the function and its parameters (what is given in the PowerView.ps1 source).
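Since the credential rides along in the command, the same command line is what process-creation logging on the target host records. As an added example (not part of this post and not Tevora’s tooling), the Python below scans constructed command lines for PowerView-style cmdlet invocations and pulls out the account behind -Credential while redacting the secret before anything is stored or alerted on. The cmdlet-name pattern and the account/secret split on “/” (following the SharpView command above) are assumptions.

```python
import re
from typing import Optional

# Constructed sample process command lines for the demo (not real telemetry).
SAMPLE_CMDLINES = [
    r'SharpView.exe Get-DomainController -Domain test.local -Server dc.test.local '
    r'-Credential test.local\svc_backup/P@ssw0rd',
    r'powershell.exe -nop -c "Get-DomainUser -Identity admin -Credential $cred"',
    r'SharpView.exe Get-NetSession -ComputerName fs01.test.local',
    r'notepad.exe C:\Users\jdoe\notes.txt',
]

# Assumption: PowerView-style cmdlets are Verb-Noun names whose noun starts with
# one of these prefixes (Get-DomainController, Get-NetSession, Find-DomainShare ...).
CMDLET_RE = re.compile(
    r'\b(Get|Find|Invoke|Set|Add|Remove|Convert|Test|New)-(Domain|Net|Forest|GPO|WMI)\w*',
    re.I,
)
# Assumption: the -Credential value is "account/secret", as in the SharpView
# command in the post; the account part may be domain\user or user@domain.
CRED_RE = re.compile(r'-Credential\s+(?P<acct>[^\s/]+)/(?P<secret>\S+)', re.I)


def inspect_cmdline(cmdline: str) -> Optional[dict]:
    """Return a finding for a PowerView-style invocation, or None.
    The secret is never kept: 'redacted' is the command line with the
    password replaced, so it is safe to forward to a SIEM or ticket."""
    m = CMDLET_RE.search(cmdline)
    if not m:
        return None
    finding = {"cmdlet": m.group(0), "account": None,
               "inline_credential": False, "redacted": cmdline}
    c = CRED_RE.search(cmdline)
    if c:
        finding["account"] = c.group("acct")
        finding["inline_credential"] = True
        finding["redacted"] = (cmdline[:c.start("secret")] + "<REDACTED>"
                               + cmdline[c.end("secret"):])
    return finding


def scan(cmdlines) -> list:
    """Apply inspect_cmdline to every line and keep the hits."""
    return [f for f in map(inspect_cmdline, cmdlines) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit["cmdlet"], hit["account"], hit["inline_credential"])
        print("  ", hit["redacted"])
```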
PowerView3 aggressor can be found here