About BallisKit

We provide products and services to support Red Teams in their offensive security engagements. BallisKit is a French company.

READ MORE

Products

We provide MacroPack Pro and ShellcodePack to generate and weaponize payloads while helping you bypass defense techniques.

READ MORE

Services

Our "Payload as a Service" offer consists in custom payloads, weaponization, zero-day research, and advanced services for Red Teams

READ MORE

About Balliskit

BallisKit is an array of tools and services developed to help Red Teams and Pentesters in their mission. Capabilities include, among other, penetration testing, demos and social engineering campaigns (email, USB key, etc.). Ethical hackers and Red Teams often have to spend a lot of time writing payloads to emulate adversaries and threats. These payloads need to bypass security solutions and be maintained to be adapted to various engagements. Those tasks are more difficult now that most security tools implement behavioral analysis and other advanced technology.

BallisKit helps by providing automation and weaponization of payload generation. Our products are also equipped with multiple security solution bypasses and ready to use templates to cover any scenarios the RedTeam may face.

Contact us





Our products for RedTeams
Automation and Expertise

MacroPack Pro

MacroPack Pro is the Swiss-army knife for initial vector generation. Its the Pro edition of MacroPack Community. The Pro edition includes all the advanced features listed below. It helps Red Teams automate, weaponize and deliver payloads while offering robust defense bypass techniques.

MacroPack Pro is compatible with common offensive frameworks and tools such as Sliver, Cobalt Strike, Meterpreter, Empire, among others.

Payloads ByPass
Default AV static analysis Other AV static analysis Behavioural analysis (AMSI) Attack Surface Reduction (ASR)
Common dropper, default Meterpreter and Empire stagers
Dropper, Meterpreter and Empire by MacroPack Community
Dropper, Meterpreter and Empire by MacroPack Pro

MacroPack Pro can be used to generate or trojan a diversity or Office formats (Word, Excel, PowerPoint, Publisher, OneNote, Visio, MS Project). If you are looking at Office alternatives, use MacroPack to generate scripts such as HTA, SCT, VBS, etc. The special HTA macro feature allows it to leverage advanced payload on other formats like shortcuts or help files.
MacroPack Pro can help you to bypass MOTW restrictions by various means (ISO, LNK, OLE embedded object, support of OneNote and Publisher, and more.)
MacroPack Pro includes supply chain attack options. It supports HTML Smuggling, malicious shortcuts, help files, or trojaned Visual Studio project. MacroPack Pro comes with a set of templates and methods to help you generate the right payload for your objective. There are several additional advanced options enabling detection bypass.

Turnkey Templates

  • Command execution
  • Run shellcode from current process (including stageless shellcodes)
  • Inject shellcode in process
  • Download and execute exe, dll, or script
  • Download and load XSL
  • Drop and run embedded exe, dll, or script
  • Target enumeration
  • Empire/PowerShell stager

Supported Payloads

  • Microsoft Office (Word, Excel, PowerPoint, Publisher, OneNote)
  • MS Project & Visio
  • VB script files: VBS, HTA, SCT, WSF, XSL
  • Shortcuts: LNK, SLK, SCF, etc
  • Compiled help files (CHM)
  • Visual Studio Project
  • Misc: INF, IQY, etc.
  • Excel 4.0 XLM.
  • Containers such as ISO volume
  • HTML smuggling

Security Bypass

  • AV/Edr Bypass
  • VBA, VBS, and command line obfuscation
  • Self decode in memory
  • Run payloads from memory
  • Multiple AMSI bypass
  • Social Engineering tricks
  • Anti sandbox and anti reverse engineering
  • Various MOTW workarounds
  • ASR bypass
  • Multiple UAC bypass
  • XLM injection

MacroPack Pro comes with several ready-to-use templates as well as an array of weaponization features including antivirus bypass, airgap bypass, sandbox detection, obfuscation, exe/dll embedding, etc.
We cannot list all the options here (there are 14 methods just for command line execution!), but do not hesitate to ask for user documentation or a quick call!

Contact us for more information.

ShellcodePack

ShellcodePack helps offensive security teams to manipulate, generate, and weaponize shellcode and shellcode-based payloads. It also provides social engineering features and defense bypass techniques.

Note: Most of ShellcodePack features like encryption, domain check, bypasses, are encoded directly in assembly code inside the shellcode. Not in the launcher. This means the raw shellcode itself is weaponized, and can be used in a third party loader like MacroPack Pro.

ShellcodePack generates payloads in multiple formats and is compatible with common offensive frameworks/ tools such as Cobalt Strike and Meterpreter, among others. Users feed ShellcodePack a third party shellcode or use one of the ready-to-use templates. ShellcodePack also implements features to help vulnerability research and exploitation such as DLL proxy, service generation, etc.

Contact us for more information.

Some Features:

  • Generate and trojan binary files
  • Turn DLL and .NET assemblies into shellcode
  • Custom code encryption and bypass stub
  • Assembly instructions mutation and obfuscation
  • Domain verification
  • Multiple shellcode launcher methods
  • Various social engineering features (file extension spoofing, icon, decoy message, etC.)
  • Signature spoofing from third party files and URLs

Supported file input formats:

  • Raw shellcode format: .bin
  • Nasm format assembly code: .asm
  • Portable Executable (including .NET assembly): .exe
  • Portable Executable (DLL, including .NET assembly): .dll
  • C source code launching hex shellcode: .c
  • Python source code launching hex shellcode: .py
  • Text file containing hex shellcode: .txt

Shellcode file generation formats:

  • Raw shellcode format: .bin
  • C source code launching hex shellcode: .c
  • Python source code launching hex shellcode: .py
  • Nasm format assembly code: .asm
  • Portable Executable: .exe
  • Portable Executable (DLL): .dll
  • Portable Executable (Control Panel): .cpl
  • Office Add-ins: .xll, .wll
  • VBA: .vba
  • Text file containing hex shellcode: .txt

License Model

Our products are available on annual license basis. There are two kind of license and several additional options.

Single User License

Team License(up to 5 people)

Premium options

The single-user and the team both include one year support for payload generation and access to our Slack community. You will also receive regular updates including security solutions bypasses and customer suggested new features.

The Premium Option allows you to get your own undisclosed bypass/injection method with custom code (not shared with other customers). The price for this option depends on the required code and is open only to customers purchasing at least one Team license.

Contact us for more information.



Professional Services
& "Payload as a
Service"

We offer consulting services for Pentesters and Red Teams. We can help you select the right payload to achieve your goals in your specific context. We also offer support on the development os specific weaponization methods and bypass os specific detection mechanisms.

 


 

Provide a custom macro/script payload for social engineering/ post exploitation

Provide a payload tested against designated specific security solutions

Harden an existing PE/ DLL/ shellcode to bypass protections

Rework C++/ python sources to bypass security solutions



Blog Posts

Our products and services are based on export security research, part of which are available on Sevagas blog.
Below are 3 of the posts you can find on the blog. Browse the blog if you are interrested into technical details.

 

RedTeam With OneNote

9 august 2022

OneNote is one of the Office suite components which is often overlooked when RedTeaming. Though OneNote cannot execute VBA Macros, it has an important potential for phishing as an initial vector.

RedTeam With Publisher

28 April 2022

Microsoft Publisher is another tool of the Office suite which is often ignored when RedTeaming. However, it has been successfully used in several malware campaigns. Let’s review the pros and cons of using a Publisher document as an initial RedTeam payload.

Advanced MacroPack payloads: XLM Injection

18 Sep 2020

Discover how to run Excel 4.0 macros (XLM) from Word, PowerPoint, HTA, or even shortcuts and non VB based files. This technique is called XLM injection.





Contact us!

To contact us, please send an email to emeric[ at ]balliskit.com or emeric.nasi[ at ]sevagas.com.
Inquiries are only accepted from professional email address. Anonymous domains auch as gmail or protonmail are not accepted.
Exchanges can be secured via GPG encrypted emails.