TChopper: conduct lateral movement attack

TChopper

A new technique I have discovered recently and give it a nickname (Chop chop) to perform lateral movement attack using windows services display name and WMI by smuggling the malicious binary as base64 chunks and automate the process using the TChopper tool. Read the detailed research.

How it works

• the tool will get the file you willing to smuggle and encode the file as base64 into memory stream
• divide the length of each line to fit 150-250 character length (250 is maximum allowed space for service lpDisplayname parameter https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicea).
• for chop attack it will create a unique service for each segmented chunk => start the service => then delete it to avoid duplicates or you can choose to only modify the service attack mode to be more faster and stable.
• later on, it will modify the service lpbinarypath parameter with the required command line to grab the service display name and pip out the results into tmp_payload.txt
• finally, after finishing delivering all chunks of the file as base64, the tool will create another service to decode the content into valid executable and run it

while if you are conducting lateral movement using WMI technique you can also use Chopper to do that

• Tchopper will authenticate your session using WMI
• creation of multiple processes and use powershell unique command to pip out each segment to c:\users\public\chop.enc
• create a final process to use certutil to decode the content into binary and execute it

Download

git clone https://github.com/lawrenceamer/TChopper.git

Demo

Source: https://github.com/lawrenceamer/