.NET Assembly from Windows Script Hosting
MITRE ATT&CK™ Reflective Code Loading - Technique T1620
Last updated
You can load and execute .NET (C#) assemblies directly in memory from JScript, VBScript, or VBA macros by using James Forshaw's DotNetToJScript technique.
Because double-clicking a .js, .vbs, or other script file on Windows executes it by default through the Windows Script Host, this technique can efficiently be used for phishing, including phishing combined with HTML smuggling.
SharpShooter (Python) can be used to create payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJScript tool to invoke methods from the SharpShooter .NET serialised object.
SharpShooter supports both staged and stageless payload execution.
Stageless payloads embed the whole .NET assembly in the generated file.
Staged payloads attempt to retrieve a C# source code file that has been zipped and then base64 encoded, using the chosen delivery technique (DNS or HTTP). The C# source code is downloaded and compiled on the host using the .NET CodeDom compiler, and reflection is then used to execute the desired method from the compiled code. A summary of how SharpShooter operates during staging is shown in the diagram below:
For either type of payload, we first need to generate shellcode.
When generating HTA payloads, we should always use 32-bit shellcode, because mshta.exe is a 32-bit binary.
We can now generate stageless payloads as follows.
We can generate staged payloads as follows.
For the previous example, SharpShooter will have created 3 separate files in the output directory: evil.html, evil.js and evil.payload.
evil.js: the JavaScript payload that the user will eventually execute. If you are using HTML smuggling, this file does not need to be sent to the user; it is provided purely for information and debugging purposes.
evil.html: the HTML file that we will ultimately coerce the user into opening by whatever means. This file contains an encrypted copy of evil.js, which is decrypted with JavaScript and then served to the user using the navigator.msSaveBlob technique.
evil.payload: the C# source code that will be retrieved, compiled and executed on the target host. In this case, the file contains a harness that will execute the supplied shellcode. The source code file is zipped and then base64 encoded. The file should be hosted at the URI http://www.evil.com/evil.payload
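As an added, defender-side example (not part of the original page and not SharpShooter's own code), the Python below triages a captured staged payload file: it checks whether the artifact is base64 that decodes to a zip, lists the zip entries, and reports whether any of them carries C# source, which is exactly the base64(zip(C# source)) wrapping the staged delivery above relies on. The sample blob is constructed inline from a harmless placeholder source file, and the function names are my own.

```python
import base64
import binascii
import io
import zipfile

# Constructed placeholder standing in for the C# source inside a staged
# payload file; it is not SharpShooter's real harness.
SAMPLE_SOURCE = b"using System;\nnamespace Harness { public class Run { public static void Go() { } } }\n"


def build_sample_payload(source: bytes, name: str = "payload.cs") -> bytes:
    """Wrap source the way the page describes: zip it, then base64 the zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, source)
    return base64.b64encode(buf.getvalue())


def inspect_staged_payload(blob: bytes) -> dict:
    """Triage a downloaded artifact: is it base64 over a zip that holds C# source?"""
    result = {"base64": False, "zip": False, "entries": [], "csharp_source": False}
    try:
        # Tolerate line breaks in the captured file, but reject non-base64 bytes.
        raw = base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return result
    result["base64"] = True
    # A zip with at least one member starts with a local file header (PK\x03\x04).
    if not raw.startswith(b"PK\x03\x04"):
        return result
    result["zip"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            for info in zf.infolist():
                data = zf.read(info.filename)
                # Either a .cs name or a C# 'using' directive marks source code.
                is_cs = info.filename.lower().endswith(".cs") or b"using System" in data
                result["entries"].append(
                    {"name": info.filename, "size": info.file_size, "csharp": is_cs}
                )
                result["csharp_source"] = result["csharp_source"] or is_cs
    except zipfile.BadZipFile:
        return result
    return result


if __name__ == "__main__":
    print(inspect_staged_payload(build_sample_payload(SAMPLE_SOURCE)))
```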
Alternatively, we can retrieve a custom .NET assembly from our staged payload: