I'll See Your Missile and Raise You A MIRV: An overview of the Genesis Scripting Engine

Conference: Defcon 26

2018-08-01

Summary

G Script is a dropper tool used in Red Team operations to bundle multiple scripts into a single executable for easy deployment and protection of TTPs.
  • G Script bundles multiple scripts into a single executable for easy deployment
  • It is used in Red Team operations to protect TTPs
  • G Script is written in JavaScript and compiled into a native binary for specific architectures
  • The dropper can be context-aware, and so can the implants it carries
  • G Script was developed to abstract specific techniques and make a pure dropper that can be used for any technique
The speaker shared how they used G Script in a national CCDC competition to drop six to ten implants on each team's system for maximum impact. They also shared how G Script was developed to address the forensic drawbacks of using shell scripts and PowerShell in Red Team operations.

Abstract

Typically, the activities of a malware attack occur on an execution timeline that generally consists of three segments: the vector, the stage, and the persistence. First, a vector, or method of exploitation, is identified. This could be anything from logging in over a credentialed method like RDP or SSH and running a malicious payload directly, to exploiting a memory corruption vulnerability remotely. Second, that access is leveraged into running malicious code that prepares the victim for the deployment of persistence (commonly called an "implant"). While segments one and three have been extensively automated, an effective automated utility for deploying persistence in a dynamic and unified context has yet to present itself. Enter the Genesis Scripting Engine. The Genesis Scripting Engine, or Gscript for short, is a framework for building multi-tenant executors for several implants in a stager. The engine works by embedding runtime logic (powered by the V8 JavaScript virtual machine) for each persistence technique. This logic is run at deploy time on the victim machine, in parallel for every implant contained within the stager. The Gscript engine leverages the multi-platform support of Golang to produce final stage-one binaries for Windows, Mac, and Linux. This talk will consist of an overview of the origins of the project, a technical deep dive into the inner workings including the modified JavaScript VM, a walk-through of the CLI utility, and examples of how we've leveraged Gscript in the real world. Multiple demos involving practical application scenarios will be presented, as well as an opportunity for audience members to submit their own implants and have them built into a hydra on stage in a matter of minutes.