Thursday, April 14, 2016

Setting Up A Homestead In the Enterprise with JavaScript

Well, now that everyone has eyes on PowerShell... let's see what we can do with JavaScript!

My all time favorite talk is here:
Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation

So this post doesn't exactly stay true to the idea of living in memory, never touching disk, and only using native tools...

However, I think you might find this interesting.

I've been doing lots of testing on JavaScript lately and wanted to share some of my latest stuff.

Recently I mentioned .SCT files on Twitter. I only found them recently, so I think there is probably lots more cool stuff to explore here.

I really don't have time to go into all the gory COM details here. But the idea of the .SCT scriptlet is to back your COM object with a script (VBScript or JScript) instead of a binary.

Who cares? Well, as you know, there are lots of ways to detect and block binary execution, and even to log when a binary is written to disk. But if we can establish a foothold with, say, a text file or XML, we may have a chance to hide longer.

Inside COM

This document has some of the back story.

So I wrote a prototype proof of concept. I probably won't have any more time for this. :-)

Here's what my backdoor does.

1. Installs a COM object into the registry.
2. Overwrites the ScriptletURL, which normally points to a local file, so that it points to a URL.
3. Invokes the COM object, which executes the script dynamically from the URL.

This gives me complete persistence in the registry.  I leave it up to the reader to expand and experiment.
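The persistence described above leaves a registry artifact: a scriptlet-backed CLSID whose ScriptletURL no longer points at a local file. The following PowerShell hunt script is an added example written for this post (it is not the author's proof of concept and is not part of the original). It assumes the standard layout of `HK*\...\Classes\CLSID\{guid}\ScriptletURL` with the scriptlet location stored in that key's default value, and it flags any registration whose target is a remote URL or UNC path:

```powershell
# Added example (not from the original post): enumerate scriptlet-backed COM
# registrations and flag those whose ScriptletURL points somewhere remote.
# Assumption: the scriptlet location lives in the default value of the
# ScriptletURL subkey beneath each CLSID, which is how regsvr32/scrobj register it.
$hives = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

$findings = foreach ($hive in $hives) {
    if (-not (Test-Path -Path $hive)) { continue }

    # Only CLSIDs that carry a ScriptletURL subkey are scriptlet-backed objects.
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $clsidKey = Join-Path -Path $hive -ChildPath $_.PSChildName
        $urlKey   = Join-Path -Path $clsidKey -ChildPath 'ScriptletURL'
        if (Test-Path -Path $urlKey) {
            $target = (Get-ItemProperty -Path $urlKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Hive   = $hive
                CLSID  = $_.PSChildName
                Target = $target
                # Local files are the expected case; http(s)/ftp URLs and UNC paths are not.
                Remote = [bool]($target -match '^(?i)(https?|ftp)://' -or $target -match '^\\\\')
            }
        }
    }
}

# Show everything, remote targets first, then raise a warning per remote hit.
$findings | Sort-Object -Property Remote -Descending | Format-Table -AutoSize

$findings | Where-Object { $_.Remote } | ForEach-Object {
    Write-Warning ('Scriptlet-backed CLSID {0} under {1} loads its script from {2}' -f `
        $_.CLSID, $_.Hive, $_.Target)
}
```

Run it from an elevated prompt so the HKLM hives are readable. A scriptlet registration that points at a local .sct file is a normal, if uncommon, sight; one that points at a web server is exactly the foothold this post describes and deserves triage. For continuous coverage rather than a point-in-time sweep, the same condition maps directly onto a registry-write alert (for example a Sysmon registry value-set event on any key path ending in `ScriptletURL`), which catches the overwrite in step 2 as it happens.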

I think it's pretty cool. But who knows.

Proof of Concept Here

Happy Homesteading.
