senzee1984
commented
1 year ago The issue also applies to aliases.
Closed senzee1984 closed 1 year ago
senzee1984
commented
1 year ago The issue also applies to aliases.
rkervella
commented
1 year ago The execute-assembly command supports -M option, which patches ETW. However, it does not actually patch ETW for the forked process.
These flags (-M and -E) are only used in conjunction of the --in-process flag, as per the help execute-assembly command:
Usage:
======
execute-assembly [flags] filepath [arguments...]
Args:
=====
filepath string path the assembly file
arguments string list arguments to pass to the assembly entrypoint (default: [])
Flags:
======
-M, --amsi-bypass Bypass AMSI on Windows (only supported when used with --in-process)
-E, --etw-bypass Bypass ETW on Windows (only supported when used with --in-process)
-i, --in-process Run in the current sliver process
...When not using the --in-process flag, the Sliver server will convert the assembly to shellcode using go-donut, and instruct the Donut loader to try to patch AMSI/ETW, but continue on failure.
When using the --in-process flag, we're manually patching the implant's process instead.
moloch--
commented
1 year ago @rkervella should we add a warning when the flags are used incorrectly?
rkervella
commented
1 year ago Yes, it will help avoid some confusion.
Describe the bug The
execute-assemblycommand supports-Moption, which patches ETW. However, it does not actually patch ETW for the forked process.To Reproduce Steps to reproduce the behavior:
execute-assembly -M -E -p gpupdate.exe sharpup.exe audit.NET assmebliestab, still can see sharpupExpected behavior In
.NET assembliestab, the output should beUnable to start the event tracing session: This operation returned beacause the timeout period expired.Screenshots
Desktop (please complete the following information):
Additional context If use in-process execute-assembly, the issue does not exist.