A Nice Day Phishing : Exploring Portable Python For Covert Execution

Scripting Interpreters are agreat method to achieve Command or Shellcode Execution, but one of many problems is that they:

• Are not Native to Windows
• Not always easy to use
• Limited to Command or Shellcode execution, some have both!!
• We requiere these to not be installed on the Users workstation

Python

Python is a strong language to demonstrate the capabilities of these interpreters the following screenshot demonstrates how just printing out STRINGS in their language will not get flagged, it seems that this behavior is caused because AMSI has a better grasp on Windows Native Files.

To make python feasable to our needs we have to consider this:

• Size
• Modules
• Version

We encounter the issue that some Modules are missing when trying to go beyond to executing Win32 apis now the challenge is to:

• Compile a portable version with the needed modules

Now with some debugging and lots of banging the portable version of pytohn works correctly and the modules that I needed were in the binary

With this fully functional we can utilize the portable version of python, a loader and call our payload, since the files and binary won’t run our files via double-click we need to use a parent program that will call these, and a great alternative is LNK files

For more information click here.