A SharpView and More Aggressor

Any red team looking to improve is constantly adapting, changing their tactics and implementing new techniques & procedures. To many professionals in the industry, this is known as Tradecraft – a term that resonates with me. Previously, I had written about various tools that are used by the Tevora Threat Team such as PowerView and Cobalt Strike. Something that we have seen dominate the post exploitation scene is PowerShell due to its power for lack of a better word. PowerShell offers an adversary major offensive capability, making it a popular choice for post exploitation activities. However, with how much attention that it has gotten Microsoft has made great strides in hardening PowerShell against offensive use. As a result, the use of PowerShell can sometimes lead to a higher chance of getting caught, thus not always being able to take advantage of feature filled go-to’s like PowerView - a gift that seems to keep on giving.

In Cobalt Strike 3.11 we saw a new feature introduced into the tool called execute-assembly which gave the ability to execute C# assemblies in memory. This is a great concept for red teamers to start re-modify their toolset and push post exploitation away from PowerShell and toward other avenues. Today we are releasing SharpView which is a .NET port of one of our favorite tools PowerView. SharpView offers the ability to use any of the PowerView functions and arguments in a .NET assembly. If you're familiar with PowerView, SharpView will be easy to pick up.

SharpView.exe Get-DomainController -Domain test.local -Server dc.test.local -Credential admin@test.local/password

In Cobalt-Strike with aggressor script
cs-sview
SharpView can be found here

In addition to releasing SharpView we are also releasing an aggressor script for PowerView 3. The script will provide a graphic interface to use PowerView and SharpView all in one. This is very similar to the last PowerView aggressor script that was released with a few changes. This aggressor script now supports PowerView 3.0 (current Dev branch) and like last time has the ability to select either PowerPick or PowerShell for the execution method. Adding to the execution method is the implementation of SharpView that leverages execute assembly.

powerview3
However, there is a caveat with using SharpView. One of the awesome things about PowerShell and PowerView is the ability to pipe commands. As of right now there is currently no way (that I know of) that would allow for commands to be piped with execute-assembly.

One of the things that PowerView 3.0 offers that was not widely used in PowerView 2.0 was the ability to create and use credential objects and simulate 'runas'. The latest aggressor script offers the ability to take a credential from Cobalt Strike "domain\user password" and parse it into a credential object.
powerview2

The format for the credential differs between PowerShell, PowerPick, and Execute-Assembly but to the end user it does not make a difference as long as it stays in the format of "domain\user password". Something to be aware of is the credential being used will be in the command much like the examples in PowerView. Finally, the script has a help button that gives the description of the function and the parameters (what is given in the PowerView.ps1 source).
powerview4

PowerView3 aggressor can be found here

Steven F

Read more posts by this author.