Open 0xjbb opened 2 years ago
Yes, we currently create a new process and then inject the .NET assembly into it, so it doesn't pair well with the bypass BOFs. We probably should implement a better way to combine the two.
Thanks for confirming, thought I was going crazy tbh.
@rkervella you know the execute-assembly code better than me, would it be hard to add a pid or something?
Not really hard, no. There's a bunch of stuff I plan on adding around execute-assembly and sideload for session prepping (like parent PID spoofing or command line argument selection for the sacrificial process). Selecting an existing process could be another option, although the risk of crashing the host process is usually not worth it.
Another option would be to port https://github.com/anthemtotheego/InlineExecute-Assembly that way we could load assemblies in the sliver process.
Finally, execute-assembly is just a wrapper around https://github.com/Binject/go-donut these days, which already includes an AMSI bypass (which we enable by default). It's possible the Donut loader itself is flagged too.
Yeah, I've actually not seen Defender flag execute-assembly before, but we've not jumped through hoops to make it harder to detect either, AFAIK.
Please note, I could be an absolute idiot and have this all wrong (if this is the case please inform me of my error and close this :) )
When using execute-assembly, Defender obviously picks up things like SharpHound/Rubeus, whatever, no problem... just bypass it.
However, even using the bof-etw/amsi-bypass on the sliver.exe implant doesn't actually work for execute-assembly. I'm assuming it's because Sliver appears to be creating a new process, "notepad.exe", doing the execute-assembly in that and then closing it (meaning you couldn't catch the PID and inject into the notepad.exe). (I've not looked at the code to confirm; this was just my observation whilst debugging my problem.)
I've even created my own dropper, with built-in ETW + AMSI bypass, with the same results.
The only way I could think of doing this from my perspective would be to scan for new processes and, when found, suspend notepad.exe and inject the ETW/AMSI patches.
Again, I could be an idiot and have this wrong :D
Expected behavior: Ideally, patch ETW/AMSI in the notepad.exe.
Additional context: I understand that bypassing AV isn't really the goal of Sliver and I completely understand that, but off the top of my head I don't see any way around this currently except for the way I mentioned above, which is a bit of a pita.
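The thread above describes the sacrificial-process pattern from the operator's side: a notepad.exe is spawned, a .NET assembly is injected into it, and the process is torn down. The flip side, which a detection engineer reading this issue would want, is that the same pattern is visible in endpoint telemetry regardless of whether AMSI or ETW were patched inside the implant, because those patches are per-process and notepad.exe has no business loading the CLR. The following is an added example (not Sliver's code and not any commenter's code): a small correlator over constructed Sysmon-style events (ProcessCreate = 1, ImageLoad = 7, ProcessTerminate = 5) that flags a non-.NET host loading a CLR module and notes when it was also short-lived. The sample events, the host list, the field names and the 30-second threshold are assumptions made for this example; the CLR module names are the real runtime DLLs.

```python
"""Added example (not Sliver's code, not a commenter's code): correlate
constructed Sysmon-style events per PID and flag a notepad.exe that loads
the .NET CLR, as the sacrificial process in this thread does."""
from datetime import datetime

# Processes with no legitimate reason to host managed code. notepad.exe is the
# sacrificial process observed in this thread; the set is an assumption for
# the example and should be tuned per environment.
NON_DOTNET_HOSTS = {"notepad.exe"}

# Module names whose load means a CLR is now running inside the process.
CLR_MODULES = {"mscoree.dll", "clr.dll", "clrjit.dll", "coreclr.dll"}

# Lifetime threshold for "ran one assembly and was torn down" (assumption).
SHORT_LIVED_SECONDS = 30

# Constructed sample events, loosely modelled on Sysmon event IDs.
SAMPLE_EVENTS = [
    # sacrificial process spawned by the implant, CLR loaded, gone in 3 seconds
    {"id": 1, "time": "2023-01-01T10:00:00", "pid": 4100,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Users\bob\sliver.exe"},
    {"id": 7, "time": "2023-01-01T10:00:01", "pid": 4100,
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"id": 5, "time": "2023-01-01T10:00:03", "pid": 4100,
     "image": r"C:\Windows\System32\notepad.exe"},
    # benign notepad opened by the user: no CLR, long lived
    {"id": 1, "time": "2023-01-01T10:05:00", "pid": 4200,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "time": "2023-01-01T10:05:00", "pid": 4200,
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\uxtheme.dll"},
    {"id": 5, "time": "2023-01-01T10:35:00", "pid": 4200,
     "image": r"C:\Windows\System32\notepad.exe"},
    # legitimate .NET host: a CLR load is expected here and is not flagged
    {"id": 1, "time": "2023-01-01T10:06:00", "pid": 4300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "time": "2023-01-01T10:06:01", "pid": 4300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Group events by PID and return one finding per non-.NET host that
    loaded a CLR module. Events may arrive in any order; a process that has
    not terminated yet simply lacks the secondary 'short_lived' reason."""
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], {"image": None, "parent": None,
                                         "start": None, "end": None, "clr": []})
        p["image"] = p["image"] or ev.get("image")
        if ev["id"] == 1:
            p["parent"] = ev.get("parent")
            p["start"] = datetime.fromisoformat(ev["time"])
        elif ev["id"] == 7 and _basename(ev["loaded"]) in CLR_MODULES:
            p["clr"].append(_basename(ev["loaded"]))
        elif ev["id"] == 5:
            p["end"] = datetime.fromisoformat(ev["time"])

    findings = []
    for pid, p in sorted(procs.items()):
        if not p["image"] or _basename(p["image"]) not in NON_DOTNET_HOSTS:
            continue
        if not p["clr"]:
            continue
        reasons = ["clr_loaded"]
        if p["start"] and p["end"] and \
                (p["end"] - p["start"]).total_seconds() <= SHORT_LIVED_SECONDS:
            reasons.append("short_lived")
        findings.append({"pid": pid, "image": _basename(p["image"]),
                         "parent": p["parent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input only PID 4100 is reported, with both reasons and sliver.exe as the parent; the user's notepad and the PowerShell host are left alone. Two caveats a practitioner would add before using this on real telemetry: PIDs are reused, so the grouping key should be the Sysmon ProcessGuid rather than the bare PID, and the parent field is exactly what the parent-PID spoofing mentioned earlier in the thread is designed to forge, so the CLR load into the wrong host is the signal to rely on, not the parent name.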