
LiquidSnake

Liquid Snake is a program aimed at performing lateral movement against Windows systems without touching the disk.

The tool relies on a WMI Event Subscription to execute a .NET assembly in memory. The .NET assembly listens for shellcode on a named pipe and then executes it using a variation of thread hijacking shellcode injection.

The project is composed of two separate solutions:

  • CSharpNamedPipeLoader - the component that will be converted to VBS via GadgetToJScript

  • LiquidSnake - the component responsible for creating the WMI Event Subscription on the remote system

Install:

Open both solutions in Visual Studio and build. Make sure to target x64 architecture for the CSharpNamedPipeLoader.

Output: Two separate EXEs: CSharpNamedPipeLoader.exe and LiquidSnake.exe

Full build information can be found here.

Usage:

Use LiquidSnake.exe against a host on which you have administrative access, as follows:

LiquidSnake.exe <host> [<username> <password> <domain>]
LiquidSnake.exe dc01.isengard.local
LiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local

If everything went fine, you should obtain output similar to the following:

[*] Event filter created.
[*] Event consumer created.
[*] Subscription created, now sleeping
[*] Sending some DCOM love..
[*] Sleeping again... long day

General usage information can be found here.

Full LiquidSnake usage information can be found here.
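The output above reports three objects created in quick succession: an event filter, an event consumer and the subscription binding them. On hosts running Sysmon these map to event IDs 19, 20 and 21, so the sequence can be detected by correlation; the following is an added example, not part of the LiquidSnake project. The record layout, the 60-second window and the "Script" consumer type (an inference from the VBS payload) are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Sysmon WMI event IDs: 19 = event filter, 20 = event consumer,
# 21 = filter-to-consumer binding.
FILTER, CONSUMER, BINDING = 19, 20, 21
WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per environment

# Constructed sample records with simplified, hypothetical field names.
SAMPLE_EVENTS = [
    # Filter, consumer and binding created within seconds on one host.
    {"host": "srv01", "time": "2024-01-10T09:00:01", "id": 19, "op": "Created"},
    {"host": "srv01", "time": "2024-01-10T09:00:02", "id": 20, "op": "Created", "type": "Script"},
    {"host": "srv01", "time": "2024-01-10T09:00:03", "id": 21, "op": "Created"},
    # A filter on its own: no consumer, no binding.
    {"host": "srv02", "time": "2024-01-10T10:00:00", "id": 19, "op": "Created"},
    # All three objects, but the filter predates the binding by hours.
    {"host": "srv03", "time": "2024-01-10T08:00:00", "id": 19, "op": "Created"},
    {"host": "srv03", "time": "2024-01-10T11:00:00", "id": 20, "op": "Created", "type": "Command Line"},
    {"host": "srv03", "time": "2024-01-10T11:00:05", "id": 21, "op": "Created"},
]

def find_subscription_bursts(events, window=WINDOW):
    """Alert on each binding whose filter and consumer were created
    on the same host within `window` before it."""
    by_host = {}
    for ev in events:
        if ev["op"] == "Created":
            parsed = dict(ev, time=datetime.fromisoformat(ev["time"]))
            by_host.setdefault(ev["host"], []).append(parsed)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for binding in (e for e in evs if e["id"] == BINDING):
            recent = [e for e in evs
                      if timedelta(0) <= binding["time"] - e["time"] <= window]
            has_filter = any(e["id"] == FILTER for e in recent)
            consumers = [e for e in recent if e["id"] == CONSUMER]
            if has_filter and consumers:
                # Script consumers rank higher (assumption, see lead-in).
                scripted = any(c.get("type") == "Script" for c in consumers)
                alerts.append({"host": host,
                               "time": binding["time"].isoformat(),
                               "severity": "high" if scripted else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_subscription_bursts(SAMPLE_EVENTS):
        print(alert)
```

Legitimate management software also creates permanent subscriptions, so alerts should be triaged against a baseline of known filter and consumer names.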
