Offensive security tooling has increasingly turned to the .NET framework for its flexibility and tight integration with Windows environments.
Tools like Rubeus, Seatbelt, and SharpDPAPI are now household names among penetration testers and red teamers.
However, the popularity of .NET has also made it a prime target for defensive security solutions, which have become adept at analyzing and flagging .NET binaries for suspicious activity.
Recently, the security research group BallisKit developed a new scenario integrated into MacroPack Pro, designed to obfuscate and weaponize .NET assemblies for use in advanced red team operations.

The new “WEAPONIZE_DOTNET” template, along with its suite of options, changes the game for both threat actors and defenders.
Obfuscation: The Art of Concealing .NET Assemblies
At the heart of BallisKit’s innovation is a private .NET obfuscator embedded within MacroPack Pro. This obfuscator can be invoked with a simple command, such as:
echo "Rubeus.exe" | macro_pack.exe -G "Rubeus_obf.exe" --template=WEAPONIZE_DOTNET --obfuscate-dotnet-reflection-handling --obfuscate-dotnet-dinvoke-mutation
The tool supports several advanced options:
- --obfuscate-dotnet-dinvoke-mutation: Replaces static P/Invoke imports with dynamic DInvoke calls, so the native functions an assembly uses no longer appear in its import metadata, making it harder for security solutions to determine which native functions are being invoked.
- --obfuscate-dotnet-reflection-handling: Addresses the problem that reflection breaks in obfuscated assemblies (renamed types and members can no longer be looked up by their original names) by mapping obfuscated symbols back to their original names at runtime.
- --obfuscate-dotnet-embed: Embeds the assembly inside a .NET loader that loads the obfuscated code dynamically in memory, so the obfuscated assembly itself is never written to disk as a separate file.
- --obfuscate-dotnet-inflate: Lowers the entropy of the resulting binary at the cost of a larger file, to evade entropy-based detection heuristics that flag packed or encrypted payloads.
These techniques mask the true intent of the assembly and are intended to keep most security solutions from detecting or blocking the payload.
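The inflate option above targets a specific weak detection signal: a single whole-file entropy score. As an added example (not MacroPack Pro's code, and with a constructed stand-in for the inflate pass), the following Python measures both whole-file and sliding-window Shannon entropy over a constructed sample to show why padding defeats a naive whole-file threshold while a windowed check still flags the dense region.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 512, step: int = 128) -> float:
    """Highest entropy of any fixed-size window; a dense region survives this
    measurement even when it is buried inside kilobytes of low-entropy filler."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, step))


def inflate(payload: bytes, filler_len: int) -> bytes:
    """Constructed stand-in for an 'inflate' pass (hypothetical, not MacroPack's):
    append low-entropy filler so the whole-file average drops while the payload is untouched."""
    return payload + b"\x00" * filler_len


def analyze(data: bytes, threshold: float = 7.0) -> dict:
    """Report both measurements and whether each check would flag the sample."""
    whole = shannon_entropy(data)
    windowed = max_window_entropy(data)
    return {"whole": whole, "windowed": windowed,
            "flag_whole": whole >= threshold, "flag_windowed": windowed >= threshold}


# Constructed sample: 2 KiB of SHA-256 output stands in for a packed/encrypted payload.
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
INFLATED = inflate(PAYLOAD, 30 * 1024)

if __name__ == "__main__":
    for name, blob in (("payload", PAYLOAD), ("inflated", INFLATED)):
        r = analyze(blob)
        print(f"{name:9s} whole={r['whole']:.2f} windowed={r['windowed']:.2f} "
              f"flag_whole={r['flag_whole']} flag_windowed={r['flag_windowed']}")
```

The whole-file score of the inflated sample drops below 1 bit per byte, but the first 512-byte window still scores above 7, which is why per-section or windowed entropy is the more robust signal.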
Weaponization: Delivering and Executing Obfuscated Payloads
Once a .NET assembly is obfuscated, the next challenge is delivering and executing it on a target system. MacroPack Pro offers several delivery mechanisms:
- Executable: The obfuscated binary can be transferred and executed directly.
- Scripting Languages: The assembly can be packed into VBS, JavaScript, HTA, or Batch scripts, allowing for flexible execution methods. For example, an HTA payload can be generated and launched with command-line arguments:
echo "Seatbelt.exe" | macro_pack.exe -G "Seatbelt.hta" --template=WEAPONIZE_DOTNET --obfuscate-form --obfuscate-names --obfuscate-strings --charsetmethod=random_heur_bypass --obfuscate-dotnet-reflection-handling --obfuscate-dotnet-dinvoke-mutation
- Office Documents: The assembly can be embedded in Office macros, with support for passing arguments via environment variables.
MacroPack Pro also includes bypass profiles tailored to specific security solutions, such as Windows Defender, making it even harder for defenders to detect and block these advanced payloads.
Compatibility and Testing
BallisKit has ensured that their obfuscated assemblies remain compatible with .NET Framework 3.5 and above, covering a wide range of Windows environments.
Extensive testing has been conducted on popular offensive tools, including KrbRelay, Rubeus, Mythic Apollo Implant, Seatbelt, SharpDPAPI, and SharpHound.
In that testing, these assemblies were validated to function as expected after obfuscation and demonstrated the ability to bypass most security solutions.
In conclusion, MacroPack Pro’s advanced obfuscation and weaponization capabilities represent a significant leap forward in the cat-and-mouse game between attackers and defenders.
As security solutions continue to evolve, so too do the tools and techniques used by those seeking to bypass them. The cybersecurity arms race shows no signs of slowing down.