I Solemnly Swear I Am Up To No Good. Introducing the Marauders Map

Maldoc, Red Team 5 Minutes

This blogpost will be a bit different, as it’s going to tell a bit of a story…

In this blogpost I want to achieve 2 objectives:

  • address a question I keep hearing and seeing pop up in my DM every now and then, “how do I become a red teamer/ how do I become a toolsmith / how do I learn more about internals”,…) and I will do so by telling about an experience that happened to me recently.
  • Introduce the Marauders Map, heavily inspired on the great work of MDSec’s SharpPack.

Without further ado, let’s get into it…

Why you should think before you run.

Quite recently one of our clients has asked us to do an assessment of their environment. We got initial foothold through an assumed breach scenario, giving us full access on a workstation as a normal user.
This organization is pretty well secured, and has been a client of us for a few years now. It’s always nice to see your clients mature as you advise them from a consultant point of view. That being said, we wanted to try something “different” than our other approaches.

Being a bit of a toolsmith myself, I was already working on 2 offensive tools, as it turns out both already existed in the open source world, as pointed out to me by @shitsecure (Fabian Mosch) and @domchell (Dominic Chell). Dominic from MDSec pointed me to a (fairly) old blogpost on their own blog, called SharpPack: The Insider Threat Toolkit and Fabian pointed me to a cool project from @Flangvik called NetLoader.

If you start releasing tools (or if you are a pentester/red teamer using OST (= Open Source Tooling)) you’ll see a few names pop up over and over again. In general, it’s a good idea from both red and blue to keep an eye on their work, as it is often of pretty high quality and nothing less than amazing.

Recently, I have come across some discussion in the infosec community about the OSCP and how a student (initially) failed their exam because they ran linPEAS. This brings me to the following point. If you want to become better at something, you should DO IT. A stupid but accurate example which will prove my point is the following: If you want to learn to drive a car, you will not learn it from watching other people drive a car. At one point, you’ll have to take place behind the wheel and drive for yourself, even if can be a bit scary.

Coding, pentesting and red teaming is no different. Let me ask you this, if you run tools you did not write yourself, and you never look at the source code of said tools, how can you understand what it does, and more importantly, how are you bringing value to your client? How can you give accurate and to the point recommendations, if you don’t even know how the exploit or tool works?

Unfortunately, I see a lot of pentesters and even red teamers make this mistake. And to be perfectly honest, I have made that mistake too. I just hope that this post might convince you to think twice before you “go loco” in your clients infrastructure next time

The Maraudersmap, a copy of Sharppack?

As I was already writing the tooling before I noticed sharppack was already a thing, I had three options:

  1. Trash my project
  2. Continue my project, taking sharppack into account
  3. Submit PR’s to sharppack

I was just on the verge of trashing my project, when my friend Fabian (@shitsecure) DM’d me noticing I had removed a tweet, and he stated something along the lines of, just continue the project and learn from it, and he was right. So two more options remained.

My code base was already out of sync with sharppack, as for example, I was leveraging IONIC.ZIP to execute binaries from encrypted zips, much like my other tool sharpziprunner does. Submitting PR’s would also mean I would have to take into account I should probably test the project extensively to see if my code would end up breaking things.

For that reason I decided to continue with the project as a separate project, and honestly, now that the project is release ready, I’m glad I did it like this, because I learned a thing or two along the way about reflection. Such as the Assembly.EntryPoint property. I have given a reflection brown bag a while ago, but as you can see, even an old dog can learn new tricks.

Introducing the Marauders Map

The Marauders map is quite similar to SharpPack, although there are some subtle differences, as already mentioned I’m using ionic’s zip nuget package for all my encrypted zip shenanigans, additionally I added functionality to bypass ETW and AMSI (although on the open source version of this project, you will have to bring your own) and I added functionality to retrieve binaries over the web.

I recommend reading the excellent work of MDSec in their blogpost, but to give you a quick rundown of what Marauders Map (and sharppack, by extent) do ….

MaraudersMap is a DLL written completely in C# using the DLLExport project which is pretty much magic in a box. This project makes it possible to decorate any static function with the [DllExport] tag, making it possible to serve as an entrypoint for unmanaged code.
Essentially this means you can now run C# using rundll32 for example.

A much more interesting functionality however can be seen below:

The primary use case of the marauder map is to be used for internal pentests, or for leg up scenarios where you get full GUI access to a workstation or citrix environment.

Marauders map can be leveraged by the office suite to do all the juicy stuff listed below:

  • Run powershell commands such as whoami, or even full-fleged downloadcradles a la IEX(New-Object … )
  • Run powershell scrips from within an encrypted zip, unpacking it completely in memory
  • Run C# binaries from within an encrypted zip, unpacking it completely in memory
  • Run C# binaries fetched from the internet

All these options can be extended with ETW and AMSI bypasses, which are not included in the project by default, attempting to run as-is will result in output stating “bring your own :)”.

Seems to work on both 32 bit and 64 bit office versions, you just have to compile to the correct architecture.

The GitHub project and its necessary documentation can be found here: https://github.com/NVISOsecurity/blogposts/tree/master/MaraudersMap

Improvement

My initial thought was to get a PowerShell shell running in office, but for some reason the AllocConsole win32API call is not agreeing with office. If anyone knows how to fix this, submit a PR or shout me out on twitter. I had high hopes for this one. RIP PoshOffice (for now atleast)

Conclusion

Although open source tooling is great, you should not blindly run any tool you can find on GitHub without proper vetting of said tool first. It could lead to disasterous results such as leaving a permanent backdoor open at your clients environment. Additionally, leverage existing OST to hone your own coding skills further, when possible submit pull requests or create your own versions of existing OST. It will serve as a good learning school to learn more about coding but also about internal workings of specific processes.

Last but not least….

Jean-François Maes
Jean-François Maes

Jean-François Maes is a red teaming and social engineering expert working in the NVISO Cyber Resilience team. 
When he is not working, you can probably find Jean-François in the Gym or conducting research.
Apart from his work with NVISO, he is also the creator of redteamer.tips, a website dedicated to help red teamers.
Jean-François is currently also in the process of becoming a SANS instructor for the SANS SEC699: Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection course

Twitter
LinkedIn

Published by NVISO

Published

2 thoughts on “I Solemnly Swear I Am Up To No Good. Introducing the Marauders Map

  1. Pingback: Weekly News Roundup — April 25 to May 1 - Malware News - Malware Analysis, News and Indicators
  2. Pingback: I Solemnly Swear I Am Up To No Good. Introducing the Marauders Map – NVISO Labs – Nanda Parbat

Leave a Reply