About BallisKit

We provide products and services to support Red Teams in their offensive security engagements. BallisKit is a French company.

READ MORE

Products

We provide MacroPack Pro and ShellcodePack to generate and weaponize payloads while helping you bypass defense techniques.

READ MORE

Trainings/Services

We provide advanced trainings and our "Payload as a Service" dedicated to help advanced Offensive security teams

READ MORE

About Balliskit

Ethical hackers and Red Teams often have to spend a lot of time writing payloads to emulate adversaries and threats. These payloads need to bypass security solutions and be maintained to be adapted to various engagements. Those tasks are more difficult now that most security tools implement behavioral analysis and other advanced technology.

BallisKit helps by providing automation and weaponization of payload generation. Our products are also equipped with multiple security solution bypasses and ready to use templates to cover any scenarios the RedTeam may face. BallisKit is an array of tools and services developed to help Red Teams and Pentesters in their mission. Capabilities include, among other, penetration testing, demos and social engineering campaigns (email, USB key, etc.).

BallisKit is a French company founded by Emeric Nasi.

Contact us





Our products for RedTeams
Automation and Expertise

MacroPack Pro

MacroPack Pro is a Swiss-army knife for initial vector generation. It helps Red Teams automate, weaponize and deliver payloads while offering robust defense bypass techniques.

MacroPack Pro supports the latest trend in payload generation such as LNK, URL, ClickOnce, HTML smuggling. It can be used to generate or trojan classic Office formats (Word, Excel, PowerPoint, Publisher, OneNote, Visio, MS Project). If you are looking at Office alternatives, use MacroPack to generate scripts such as HTA, WSF, SCT, VBS, MSI, etc.

MacroPack Pro is compatible with common offensive frameworks and tools such as Sliver, Merlin, Cobalt Strike, Mythic, Empire, among others.

Payloads ByPass
AV static analysis Heuristic analysis Behavioural analysis (AMSI) Attack Surface Reduction (ASR)
Common dropper, default C2 implants
DCommon dropper, default C2 implants by MacroPack Pro

MacroPack Pro is regularly tested against multiple Antivirus and EDRs and come with regular updates as well as email and live support on our Discord customer space.
MacroPack Pro can be used to generate or trojan a diversity of formats and is highly customisable.
MacroPack Pro includes supply chain attack options. It supports generation and trojaning of Malicious MSI. But also malicious Clickonce, HTML Smuggling, malicious shortcuts, help files, or trojaned Visual Studio project.
MacroPack Pro comes with a set of templates and methods to help you generate the right payload for your objective. There are several additional advanced options enabling detection bypass.

Turnkey Templates

  • Command execution
  • Run shellcode from current process (including stageless shellcodes)
  • Inject shellcode in process
  • Download and execute exe, dll, or script
  • Download and load XSL
  • Drop and run embedded exe, dll, or script
  • Target enumeration
  • Empire/PowerShell stager

Supported Payloads

  • Popular: LNK, Clickonce,
  • Scripts: BAT, VBS, HTA, SCT, WSF, XSL
  • Office: Word, Excel, PowerPoint, Publisher, OneNote
  • MS Project & Visio
  • MSI Installers
  • Compiled help files (CHM)
  • Visual Studio Project
  • Misc: URL, INF, IQY, SLK, Excel 4.0 , etc.
  • Containers such as ISO volume, zip, 7zip, etc.
  • HTML smuggling

Security Bypass

  • AV/Edr Bypass tested during real operations
  • VBA, VBS, and command line obfuscation
  • Self decode in memory
  • Run payloads from memory
  • Multiple AMSI bypass
  • Social Engineering tricks
  • Anti sandbox and anti reverse engineering
  • ASR bypass
  • Multiple UAC bypass
  • XLM injection

MacroPack Pro comes with several ready-to-use templates as well as an array of weaponization features including EDR bypass, airgap bypass, sandbox detection, obfuscation, exe/dll embedding, etc.
We cannot list all the options here (there are 14 methods just for command line execution!), but do not hesitate to ask for user documentation or a quick call!

Contact us for more information or have a look at some nice demos

ShellcodePack

ShellcodePack helps offensive security teams to manipulate, generate, and weaponize shellcode and shellcode-based payloads. It also provides social engineering features and defense bypass techniques.

Note: Most of ShellcodePack features like encryption, domain check, bypasses, are encoded directly in assembly code inside the shellcode. Not in the launcher. This means the raw shellcode itself is weaponized, and can be used in a third party loader like MacroPack Pro.

ShellcodePack generates payloads in multiple formats and is compatible with common offensive frameworks/ tools such as Merlin and Sliver, among others. Users feed ShellcodePack a third party shellcode or use one of the ready-to-use templates. ShellcodePack also implements features to help vulnerability research and exploitation such as DLL proxy, service generation, etc.
ShellcodePack is regularly tested successfully to bypass Antivirus and advanced EDR products. ShellcodePack is delivered with ready to use bypass profiles which you can select to bypass a targeted EDR

Checkout the EDR bypass profile demo here.

Some Features:

  • Generate and trojan binary files
  • Turn DLL and .NET assemblies into shellcode
  • Custom code encryption and bypass stub
  • Assembly instructions mutation and obfuscation
  • Various guardrails (Domain and date verificationà
  • Multiple shellcode launcher methods
  • Various social engineering features (file extension spoofing, icon, decoys, etc.)
  • Signature spoofing, manifest spoofing
  • ETW patching, Dll unhooking

Supported file input formats:

  • Raw shellcode format: .bin
  • Portable Executable .exe, .dll
  • .NET assemblies (Can be used to weaponize .NET tools)
  • Nasm format assembly code: .asm
  • C source code launching hex shellcode: .c
  • Python source code launching hex shellcode: .py
  • Text file containing hex shellcode: .txt

Shellcode file generation formats:

  • Raw shellcode format: .bin
  • C source code launching hex shellcode: .c
  • Python source code launching hex shellcode: .py
  • Nasm format assembly code: .asm
  • Portable Executable: .exe
  • Portable Executable (DLL): .dll
  • Portable Executable (Control Panel): .cpl
  • Office Add-ins: .xll, .wll
  • Text file containing hex shellcode: .txt

License Model

Our products are available on annual license basis. There are two kind of license:

Single User Pricing

MacroPack: 1350€

ShellcodePack: 875€

Team License Pricing

Contact us

The single-user and the team both include one year support for payload generation and access to our Discord community. You will also receive regular updates including security solutions bypasses and customer suggested new features.

The team license is usually for about 5 people and is much cheaper than the single user license in proportion to the number of users.

Contact us for more information.



Trainings
& "Payload as a
Service"

We offer trainings and consulting services for Pentesters and Red Teams. We can help you select the right payload to achieve your goals in your specific context. We also offer support on the development os specific weaponization methods and bypass os specific detection mechanisms. Our work also includes custom payloads, weaponization, and zero-day research (bypass and vulnerability).

 



Blog Posts

Our products and services are based on export security research, part of which are available on Sevagas blog.
Below are 3 of the posts you can find on the blog. Browse the blog if you are interrested into technical details.

 

Combine Sliver C2 with BallisKit MacroPack Pro and ShellcodePack

20 Jun 2023

Discover how to drop Sliver implants while evading security solutions using BallisKit MacroPack Pro and ShellcodePack.

RedTeam With OneNote

9 august 2022

OneNote is one of the Office suite components which is often overlooked when RedTeaming. Though OneNote cannot execute VBA Macros, it has an important potential for phishing as an initial vector.

RedTeam With Publisher

28 April 2022

Microsoft Publisher is another tool of the Office suite which is often ignored when RedTeaming. However, it has been successfully used in several malware campaigns. Let’s review the pros and cons of using a Publisher document as an initial RedTeam payload.





Contact us!

To contact us, please send an email to contact[ at ]balliskit.com.
Inquiries are only accepted from professional email address. Anonymous domains auch as gmail or protonmail are not accepted.
Exchanges can be secured via GPG encrypted emails.