Generate droppers with encrypted payloads automatically.

Metsubushi


Introduction

This tool started out as a simple Python script. After discovering Python just couldn't cut it for my intended use I decided to learn and move to Golang. So far I'm quite happy with that decision.

This was born from me having completed Sektor7's malware essentials course. Metsubushi was supposed to be a simple way of automating the generation of droppers. I feel it has accomplished that, with a few bells and whistles added as the project progressed.

We're using the Go-donut package by Binject. Credit to those guys: Dan Borges and Symbol Crash were both helpful while I have been developing this project. For anyone interested in this type of tooling it's worth checking the Binject GitHub repos and taking a look at Dan's book, Adversarial Tradecraft in Cybersecurity.

I have recently added the ability to obfuscate the generated implant binary with the Garble Golang obfuscator and spoof code signing with Limelighter. See requirements below.

OPSEC NOTE: When using code signing, avoid using Microsoft domains, as Defender has a habit of sniffing those out. Credit to @AffineSec for pointing it out.


Installation

Requirements for Metsubushi are:

To install Metsubushi just run:

go install github.com/Bytejunkies-co-uk/metsubushi@latest

Usage

The flags for metsubushi are as follows:

-p <file>     Payload. Pass it a Windows binary or a file containing raw shellcode.
-t <file>     Template. The name of the template file you wish to generate a dropper from.
-o <file>     OutFile. The name you wish to give the generated dropper.
-a <arch>     Architecture. Either x86 or x64.
-d <args>     Donut. If present, the payload is put through Binject's Go-donut package.
-s <domain>   Sign the implant using the Limelighter library. Provide the domain to spoof the certificate from, e.g. www.microsoft.com
-g            Use the Garble obfuscator to generate the implant binary.
-q            Quiet. Do not display the ASCII art banner.

If you're using the in-built Go-donut shellcode generator (from Binject) you can customise the Donut configuration. The arguments are passed to Donut as a string which is then parsed into a configuration struct.

The Go-donut options are:

Module options
n=string        Module name. Generated at random if entropy is enabled.
u=url           URL. HTTP server that hosts the donut module.
e=num           Entropy. 1=disable, 2=use random names, 3=random names + symmetric encryption (default)

PIC/Shellcode options
a=string        Target architecture: x32, x64, or x84
b=num           Bypass AMSI/WLDP: 1=skip, 2=abort on fail, 3=continue on fail
y=address       Create a new thread for the loader. Optionally execute the original entrypoint of the host process.
x=num           Exiting. 1=exit thread, 2=exit process

File options
c=string        Optional class name. (required for .NET DLL)
d=string        AppDomain name to create for .NET. Randomly generated by default with entropy enabled.
m=string        Optional method or API name for DLL. (a method is required for .NET DLL)
p=string        Optional parameters/command line inside quotations for DLL method/function or EXE.
w=true|false    Command line is passed to the unmanaged DLL function in UNICODE format. (default is false)
r=string        CLR runtime version. This will override the auto-detected version.
t=true|false    Create a new thread for the entrypoint of an unmanaged EXE. (default is false)
z=num           Pack/Compress file. 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman

Example:

-d "a=x84,b=3,x=1"

This would set Arch to x84, Bypass to setting 3, and ExitOpt to exit thread.
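To make the shape of that option string concrete, here is an added example (not Metsubushi's or Go-donut's own code) that parses a "-d" string into a struct using the keys and value ranges documented above, and rejects unknown keys or out-of-range values instead of forwarding them. The struct name, field names and the parser itself are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DonutOpts holds the documented "-d" keys. The struct and parser are an
// illustrative assumption, not Metsubushi's or Go-donut's own code.
type DonutOpts struct {
	Arch                           string          // a=x32|x64|x84
	Bypass, Entropy, ExitOpt, Pack int             // b=1..3, e=1..3, x=1|2, z=1..4
	Flags                          map[byte]bool   // w=, t= (true|false)
	Strings                        map[byte]string // n, u, y, c, d, m, p, r
}
var intRange = map[byte][2]int{'b': {1, 3}, 'e': {1, 3}, 'x': {1, 2}, 'z': {1, 4}} // documented ranges
// ParseDonutArgs parses a string such as "a=x84,b=3,x=1", rejecting unknown keys and
// out-of-range values. Quoted p= values that contain commas are deliberately not handled.
func ParseDonutArgs(s string) (DonutOpts, error) {
	o := DonutOpts{Flags: map[byte]bool{}, Strings: map[byte]string{}}
	ints := map[byte]*int{'b': &o.Bypass, 'e': &o.Entropy, 'x': &o.ExitOpt, 'z': &o.Pack}
	for _, kv := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok || len(k) != 1 || v == "" {
			return o, fmt.Errorf("malformed option %q", kv)
		}
		switch key := k[0]; {
		case key == 'a' && (v == "x32" || v == "x64" || v == "x84"):
			o.Arch = v
		case ints[key] != nil:
			n, err := strconv.Atoi(v)
			if r := intRange[key]; err != nil || n < r[0] || n > r[1] {
				return o, fmt.Errorf("%s=%s: expected %d..%d", k, v, r[0], r[1])
			}
			*ints[key] = n
		case (key == 'w' || key == 't') && (v == "true" || v == "false"):
			o.Flags[key] = v == "true"
		case strings.IndexByte("nuycdmpr", key) >= 0:
			o.Strings[key] = v
		default:
			return o, fmt.Errorf("bad option %q", kv)
		}
	}
	return o, nil
}

func main() {
	fmt.Println(ParseDonutArgs("a=x84,b=3,x=1")) // the README's own example
}
```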

NOTE: It is a good idea to inspect all generated implants with Redress and to test the binary in a lab environment.
