Any red team looking to improve is constantly adapting, changing their tactics and implementing new techniques & procedures. To many professionals in the industry, this is known as Tradecraft
– a term that resonates with me. Previously, I had written about various tools that are used by the Tevora Threat Team such as PowerView
and Cobalt Strike
. Something that we have seen dominate the post exploitation scene is PowerShell due to its power for lack of a better word. PowerShell offers an adversary major offensive capability, making it a popular choice for post exploitation activities. However, with how much attention that it has gotten Microsoft has made great strides in hardening PowerShell against offensive use. As a result, the use of PowerShell can sometimes lead to a higher chance of getting caught, thus not always being able to take advantage of feature filled go-to’s like PowerView - a gift that seems to keep on giving.
In Cobalt Strike 3.11 we saw a new feature introduced into the tool called execute-assembly
which gave the ability to execute C# assemblies in memory. This is a great concept for red teamers to start re-modify their toolset and push post exploitation away from PowerShell and toward other avenues. Today we are releasing SharpView
which is a .NET port of one of our favorite tools PowerView
. SharpView
offers the ability to use any of the PowerView functions and arguments in a .NET assembly. If you're familiar with PowerView, SharpView will be easy to pick up.
SharpView.exe Get-DomainController -Domain test.local -Server dc.test.local -Credential admin@test.local/password
In Cobalt-Strike with aggressor script
SharpView
can be found here
In addition to releasing SharpView
we are also releasing an aggressor script for PowerView 3. The script will provide a graphic interface to use PowerView
and SharpView
all in one. This is very similar to the last PowerView
aggressor script that was released with a few changes. This aggressor script now supports PowerView 3.0
(current Dev branch) and like last time has the ability to select either PowerPick or PowerShell for the execution method. Adding to the execution method is the implementation of SharpView
that leverages execute assembly
.
However, there is a caveat with using SharpView. One of the awesome things about PowerShell and PowerView is the ability to pipe commands. As of right now there is currently no way (that I know of) that would allow for commands to be piped with execute-assembly.
One of the things that PowerView 3.0
offers that was not widely used in PowerView 2.0
was the ability to create and use credential objects and simulate 'runas'. The latest aggressor script offers the ability to take a credential from Cobalt Strike "domain\user password" and parse it into a credential object.
The format for the credential differs between PowerShell, PowerPick, and Execute-Assembly but to the end user it does not make a difference as long as it stays in the format of "domain\user password". Something to be aware of is the credential being used will be in the command much like the examples in PowerView
. Finally, the script has a help button that gives the description of the function and the parameters (what is given in the PowerView.ps1 source).
PowerView3
aggressor can be found here