The CheeseTools has been made basing onto the already existing MiscTool, so big shout-out to rasta-mouse for releasing them and for giving me the right motivation to work on them.
CheeseExec
Command Exec / Lateral movement via PsExec-like functionality. Must be running in the context of a privileged user. The tool is based on rasta-mouse CsExec, but is designed to allow additional control over the service creation, specifically:
CheeseExec.exe <targetMachine> <serviceName> <binPath> <action>
CheesePS
Cheese PS is Command Exec / Lateral Movement framework. It relies on System.Management.Automation.PowerShell
to load and run arbitrary code via PowerShell. The tool is natively capable of bypassing common restrictions creating and using PowerShell runspaces on local or remote targets. Must be running in the context of a privileged user (if using PowerShell Remoting).
The tool has been originally made as an enhancement of rasta_mouse CsPosh, but grew enough to become a framework on its own, and can now be used as a general PowerShell injector.
The idea behind this tool has been summarised in the following article:
The main functionalities implemented are:
The following screenshot is a decently accurate schema to describe the tool’s workflow:
Usage:
-t, –target=VALUE Target machine
-c, –code=VALUE Code to execute
-e, –encoded Indicates that provided code is base64 encoded
-a, –am-si-bypass=VALUE Uses the given PowerShell script to bypass A-M-S-
I (fs, smb o http[s])
–aX, –encrypted-am-si
Indicates that provided A.M.S.I. bypass is
encrypted
-i, –import=VALUE Imports additional PowerShell modules (fs, smb o
http[s])
–iX, –encrypted-imports
Indicates that provided PowerShell modules are
encrypted
-o, –outstring Append Out-String to code
-r, –redirect Redirect stderr to stdout
-d, –domain=VALUE Domain for alternate credentials
-u, –username=VALUE Username for alternate credentials
-p, –password=VALUE Password for alternate credentials
-X, –encrypt=VALUE Encrypt a script with an hardcoded key
-D, –decrypt=VALUE Test decryption of a script with an hardcoded key
-n, –skip-bypass=VALUE Skip A.M.S.I (A), WLDP (W) or ALL (*) Bypass
techniques
-l, –lockdown-escape Try to enable PowerShell FullLanguage mode using
REGINI
-w, –wldp-bypass=VALUE Uses the given PowerShell script to bypass WLDP
(fs, smb o http[s])
–wX, –encrypted-wldp Indicates that provided WLDP bypass is encrypted
-x, –executable=VALUE [Download and] Execute given executable
–xX, –encrypted-executable
Indicates that provided Exe/DLL is encrypted
–xCS, –executable-csharp
Indicates that the executable provided is C# –
(.NET)
-R, –reflective-injection Uses Invoke-ReflectivePEInjection to load the
assmebly from memory (requires Invoke-
ReflectivePEInjection to be imported!)
-P, –powershell-decrypt Force use of PowerShell-based decryption
-k, –encryption-key=VALUE Uses the provided key for encryption/decryption
–ssl Force use of SSL
-h, -?, –help Show Help
Note: If executed without a target, the script will execute against the local machine
Advantages of using the tool against raw PowerShell
CheeseDCOM
Command Exec / Lateral Movement via DCOM. Must be running in the context of a privileged user. This tool is based on rasta-mouse CsDCOM, but it’s been improved to add additional methods, adapting to the new research made by Philip Tsukerman. There is also an experimental method to “fix” eventual attempts to disable affected DCOM objects via dcomcfg, but it requires some preconditions in order to work properly.
The idea behind this tool has been summarised in the following article:
Current Methods: MMC20.Application
, ShellWindows
, ShellBrowserWindow
, ExcelDDE
, VisioAddonEx
, OutlookShellEx
, ExcelXLL
, VisioExecLine
, OfficeMacro
.
Usage:
-t, –target=VALUE Target Machine
-b, –binary=VALUE Binary: powershell.exe
-a, –args=VALUE Arguments: -enc
-m, –method=VALUE Methods: MMC20Application, ShellWindows,
ShellBrowserWindow, ExcelDDE, VisioAddonEx,
OutlookShellEx, ExcelXLL, VisioExecLine,
OfficeMacro
-r, –reg, –registry Enable registry manipulation
-h, -?, –help Show Help
Note: If executed with -t .
, the script will execute against the local machine
CheeseRDP
RDP credentials stealer via RDI (reflective DLL injection). Must be running in the context of a privileged user, or a user with SeImpersonatePrivilege. This tool is built on top of RdpThief by MDSec, but it’s been fully wrapped in a single C# to enable it to be run via .NET Reflection (Assembly.Load
and similar). In this way, it’s possible to run it via Covenant, without the struggle of uploading a DLL on the target system.
Usage:
CheeseRDP [actions]
Actions:
wait: keep listening for any new mstsc.exe process indefinitely (stop with ctrl-C)
clean: delete the credentials dump file if present
dump: dump the content of the file if present, parsing the credentials in a compact format
Note: If executed without options, the program will try to inject in an active mstsc.exe process (the default wait time is 10 seconds)
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…