About BallisKit

We provide products and services to help Red Teams in their offensive security engagements


Products

We provide an advanced toolkit to weaponize and deliver payloads that bypass defense techniques


Services

Our "Payload as a Service" offer consists of custom payloads, weaponization, zero-day research, and advanced services for Red Teams

About BallisKit

BallisKit is an array of tools and services developed to help Red Teams and Pentesters in their mission. Capabilities include, among others, penetration testing, demos and social engineering campaigns (email, USB key, etc.). Ethical hackers and Red Teams often have to spend a lot of time writing payloads to emulate adversaries and threats. These payloads need to bypass security solutions and be maintained so they can be adapted to various engagements. Those tasks are more difficult now that most antiviruses implement behavioral analysis and other advanced technology.

BallisKit helps by providing automation and weaponization of payload generation and security solution bypass, either via powerful generation tools such as MacroPack Pro or via consulting services.

Blog Posts

Our products and services are based on expert security research, part of which is available on the Sevagas blog.
If you want to get deeper into technical details, you can read the following blog posts:

Various ways to run shellcodes with MacroPack Pro

21 Jan 2021

MacroPack Pro provides multiple options and templates to launch shellcodes. These options enable you to build VBA code which is not detected by most security solutions.

EXCEL 4.0 XLM macro in MacroPack Pro

18 Sep 2020

Excel 4.0 macros (also called XLM) have been more and more used by malicious operators. MacroPack Pro supports the generation of those vintage Excel 4.0 macros as described in the following post.

Advanced MacroPack payloads: XLM Injection

18 Sep 2020

Discover how to run Excel 4.0 macros (XLM) from Word, PowerPoint, HTA, or even shortcuts and non VB based files. This technique is called XLM injection.





Our products for Red Teams
Automation and Expertise

MacroPack Pro

Advanced payload generation and weaponization for Red Teams. BallisKit offers products such as the Pro edition of MacroPack Community. The Pro edition includes advanced features listed below. It helps Red Teams automate, weaponize and deliver payloads while offering robust defense bypass techniques.

MacroPack Pro is compatible with common offensive frameworks and tools such as Cobalt Strike, Meterpreter, Empire, among others.

Payloads ByPass
Default AV static analysis | Other AV static analysis | Behavioural analysis (AMSI) | Attack Surface Reduction (ASR)
Common dropper, default Meterpreter and Empire stagers
Dropper, Meterpreter and Empire by MacroPack Community
Dropper, Meterpreter and Empire by MacroPack Pro

MacroPack Pro supports a variety of formats such as MS Office, MS Visio, Project, and VBScript formats (such as VBS or HTA). The special HTA macro feature allows it to leverage advanced payloads on other formats like shortcuts or help files. MacroPack Pro comes with a set of templates and methods to help you generate the right payload for your objective. There are several additional advanced options enabling detection bypass.
Since version 2.0, MacroPack Pro also supports Excel 4.0 (XLM) payloads, allowing you to further expand the range of attacks to simulate.

Building Templates

  • Command execution
  • Download and execute
  • Download and run PowerShell
  • Download and load DLL
  • Download and load XSL
  • Meterpreter
  • Drop and run embedded files
  • Drop and run embedded DLL
  • Empire stager
  • Shellcode injection (including large stageless shellcodes)

Supported Payloads

  • Microsoft Office (Word, Excel, PowerPoint)
  • MS Project
  • MS Visio
  • MS Access
  • VBScript files: VBS, HTA, SCT, WSF, XSL
  • Shortcuts: LNK, SLK, SCF, etc.
  • Compiled help files (CHM)
  • Visual Studio Project
  • Misc: INF, IQY, etc.

Execution Methods

  • WMI
  • Wscript
  • Various COM objects
  • Excel4 macro
  • Rogue COM object
  • Task Scheduler
  • Combo
  • InvokeVerb
  • CreateProcess
  • Run PE

Security Bypass

  • AV Bypass
  • VB and command line obfuscation
  • Self decode in memory
  • Run in Excel memory
  • Multiple AMSI bypass
  • Social Engineering tricks
  • Anti sandbox
  • Run exe in memory
  • ASR bypass
  • Multiple UAC bypass
  • XLM injection

MacroPack Pro comes with several ready-to-use templates as well as an array of weaponization features including antivirus bypass, airgap bypass, sandbox detection, obfuscation, exe/dll embedding, etc.

Contact us for more information.

ShellcodePack

ShellcodePack helps offensive security teams to manipulate, generate, and weaponize shellcode and shellcode-based payloads. It also provides social engineering features and defense bypass techniques.

Supported file input formats:

  • Raw shellcode format: .bin
  • Nasm format assembly code: .asm
  • Portable Executable (including .NET assembly): .exe
  • Portable Executable (DLL, including .NET assembly): .dll
  • C source code launching hex shellcode: .c
  • Python source code launching hex shellcode: .py
  • Text file containing hex shellcode: .txt

Shellcode file generation formats:

  • Raw shellcode format: .bin
  • C source code launching hex shellcode: .c
  • Python source code launching hex shellcode: .py
  • Nasm format assembly code: .asm
  • Portable Executable: .exe
  • Portable Executable (DLL): .dll
  • Portable Executable (Control Panel): .cpl
  • VBA: .vba
  • Text file containing hex shellcode: .txt

ShellcodePack generates payloads in multiple formats and is compatible with common offensive frameworks and tools such as Cobalt Strike and Meterpreter, among others. Users feed ShellcodePack a third-party shellcode or use one of the ready-to-use templates. ShellcodePack also implements features to help vulnerability research and exploitation such as DLL proxy, service generation, etc.

Contact us for more information.

License Model

Our products are available on an annual license basis. There are two kinds of license and several additional options.

Single User License

Team License (up to 5 people)

Premium option

The single-user and the team license both offer support for payload generation plus access to regular updates including AntiVirus and AMSI bypass.

The Premium Option allows you to get your own undisclosed bypass/injection method with custom code (not shared with other customers).

The price for this option depends on the required code and is open only to customers purchasing at least one Team license.

Contact us for more information.





Professional Services & "Payload as a Service"

We offer consulting services for Pentesters and Red Teams. We can help you select the right payload to achieve your goals in your specific context. We also offer support on the development of specific weaponization methods and bypass of specific detection mechanisms.

Provide a custom macro/script payload for social engineering/post-exploitation

Provide a payload tested against designated specific security solutions

Harden an existing PE/DLL/shellcode to bypass protections

Rework C++/Python sources to bypass security solutions





Contact us!

To contact us, please send an email to emeric.nasi[ at ]sevagas.com or contact[ at ]balliskit.com.
Inquiries are only accepted from professional email addresses. Anonymous domains such as gmail or protonmail are not accepted.
Exchanges can be secured via GPG encrypted emails.