MythicAgents / Apollo

A .NET Framework 4.0 Windows Agent
BSD 3-Clause "New" or "Revised" License

reg_write_value Discrepancies #111

Closed djhohnstein closed 4 months ago

djhohnstein commented 2 years ago

From Slack:

[FoobarLegend](https://app.slack.com/team/U024Y0R5M25)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661499912287659)
[@djhohnstein](https://bloodhoundhq.slack.com/team/U784E8R9A)
 Hi Dwight. We are testing Apollo in our lab environment but encountering some troubles with executing the reg_write_value command. We get an unauthorized exception (we're sure that we've got admin rights on our target machine). Following is the command we're trying to execute: reg_write_value -Hive HKLM -Key SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ -Name 'UseLogonCredential' -Value '1'. The command parsed by Mythic looks totally different btw, so I think our arguments are wrong or in the wrong format that Apollo expects. Can you provide the given command in the correct format?

[djhohnstein](https://app.slack.com/team/U784E8R9A)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661525323567149?thread_ts=1661499912.287659&cid=CHG769BL2)
What is the command parsed by Mythic?

[djhohnstein](https://app.slack.com/team/U784E8R9A)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661525464000189?thread_ts=1661499912.287659&cid=CHG769BL2)
It's not a command I tested fully, I think, once the rewrite happened, so it's possible something got screwed up

[U Schmidt](https://app.slack.com/team/U03B8PV7AJ2)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661567716187749?thread_ts=1661499912.287659&cid=CHG769BL2)
The Readme shows ` at the beginning and end of the whole command compared to other commands, do those perhaps need to be included to parse correctly?

[FoobarLegend](https://app.slack.com/team/U024Y0R5M25)
  [6 hours ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1662027816176069?thread_ts=1661499912.287659&cid=CHG769BL2)
Problem solved. reg_write_value documented that a leading slash was needed, but when provided it leads to a NRE. Looks like a bug or discrepancy between docs and code. Solution could be adding leading and trailing slashes in code where applicable so the user doesn't need to add them (for simplicity) in the command, minimising discrepancies. Also the call to OpenSubKey in code needed a true value for the second argument if you need write access to the key.
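The two defects identified in the thread, a key path with leading/trailing backslashes and an `OpenSubKey` call made without write access, can be reproduced and fixed in a few lines of .NET. The following is an added example, not Apollo's code: it normalises the key path, opens the key with `writable: true`, and shows the `UnauthorizedAccessException` that a read-only handle produces on `SetValue` even for an administrator. The test key path under HKCU is a constructed placeholder so the demo runs without elevated rights; the function names are this example's own.

```csharp
using System;
using Microsoft.Win32;

// Added example (not Apollo's code) illustrating issue #111:
// path normalisation and write access when opening a registry key.
public static class RegistryWriteExample
{
    // Trim whitespace and surrounding backslashes so "\SYSTEM\...\Wdigest\" and
    // "SYSTEM\...\Wdigest" refer to the same key. A leading backslash makes
    // OpenSubKey return null, which is the source of the NRE the thread reports.
    public static string NormalizeKeyPath(string key)
    {
        if (string.IsNullOrWhiteSpace(key)) return string.Empty;
        return key.Trim().Trim('\\');
    }

    // Map the short hive names used on the command line to RegistryKey roots.
    public static RegistryKey HiveFromName(string hive)
    {
        switch (hive.Trim().ToUpperInvariant())
        {
            case "HKLM": case "HKEY_LOCAL_MACHINE": return Registry.LocalMachine;
            case "HKCU": case "HKEY_CURRENT_USER":  return Registry.CurrentUser;
            case "HKCR": case "HKEY_CLASSES_ROOT":  return Registry.ClassesRoot;
            case "HKU":  case "HKEY_USERS":         return Registry.Users;
            case "HKCC": case "HKEY_CURRENT_CONFIG": return Registry.CurrentConfig;
            default: throw new ArgumentException("Unknown hive: " + hive);
        }
    }

    // The second argument (writable: true) is what the thread found missing.
    // A key opened read-only throws UnauthorizedAccessException on SetValue
    // regardless of the caller's privileges.
    public static void WriteValue(string hive, string key, string name,
                                  object value, RegistryValueKind kind)
    {
        string path = NormalizeKeyPath(key);
        RegistryKey root = HiveFromName(hive);
        using (RegistryKey sub = root.OpenSubKey(path, true))
        {
            if (sub == null)
                throw new InvalidOperationException(
                    string.Format("Key not found: {0}\\{1}", hive, path));
            sub.SetValue(name, value, kind);
        }
    }

    public static void Main()
    {
        // Constructed test location (placeholder name) under HKCU; deliberately
        // carries both a leading and a trailing backslash like the reported command.
        const string testKey = @"\Software\ApolloIssue111Demo\";
        string path = NormalizeKeyPath(testKey);
        using (RegistryKey created = Registry.CurrentUser.CreateSubKey(path)) { }

        // 1. Read-only handle: SetValue fails even though we own the key.
        using (RegistryKey ro = Registry.CurrentUser.OpenSubKey(path))
        {
            try
            {
                ro.SetValue("Demo", 1, RegistryValueKind.DWord);
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine("read-only handle: " + ex.Message);
            }
        }

        // 2. Writable handle with a normalised path: succeeds.
        WriteValue("HKCU", testKey, "Demo", 1, RegistryValueKind.DWord);
        using (RegistryKey check = Registry.CurrentUser.OpenSubKey(path))
        {
            Console.WriteLine("written: Demo = " + check.GetValue("Demo"));
        }

        // Clean up the constructed test key.
        Registry.CurrentUser.DeleteSubKeyTree(path);
    }
}
```

Normalising the path inside the agent, as the last message suggests, means the operator's input is accepted with or without the slashes the README showed, so the documented and the working forms of the command no longer differ.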

its-a-feature commented 4 months ago

This should be fixed in the latest merge for Version 2.2.5