MythicAgents / Apollo

A .NET Framework 4.0 Windows Agent
BSD 3-Clause "New" or "Revised" License

Operation Timed Out (Fork and Run Commands) #20

Closed thiagomayllart closed 2 years ago

thiagomayllart commented 3 years ago

I've been trying to run commands that spawn a sacrificial process (e.g. execute-assembly, keylog, powerpick, etc.). I had no success with any of them. I can see the process spawning, but the only output I get is this:

Error in execute-assembly (PID: 2644). Reason: The operation has timed out.

or

Something went wrong: The operation has timed out. (For the keylog command).

I've tried with a fresh mythic installation and in 3 different windows systems without success...

I'm also not sure if this is just happening in my systems..

djhohnstein commented 3 years ago

I'm guessing there's something going wrong with the injection process itself. Just out of curiosity, change the architecture of the process you're injecting into and see if that changes anything. Otherwise, I'll try and reproduce.

thiagomayllart commented 3 years ago

I’ve tried changing it to x86, but no success.. I’ve also tried changing the injection technique and the target process of injection.

I think the timeout might be related to the namedpipe connection. When running the assembly_inject command I noticed that the timeout refers to the connect function to the named pipe.

djhohnstein commented 3 years ago

Yeah, it is. That error means the shellcode did not successfully execute in the remote process. If the remote process isn't crashing you're injecting into, you may not have privileges to inject at all (I can't remember if I bubble errors up or not from that.) Last thing to try is launch as admin -> run getprivs -> use something like powerpick. If that fails, then I'll try to see what's happening.
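
To make the diagnosis above concrete, here is an added example (not Apollo's own code) showing the client side of the handshake: the agent's named pipe connect with a timeout, and how a caller can tell "the child crashed before hosting the pipe" apart from "the child is alive but never created it". The pipe name, timeout and the harmless child process are assumptions chosen for illustration.

```csharp
using System;
using System.Diagnostics;
using System.IO.Pipes;

// Added example, not Apollo's own code. PipeName, the timeout and the
// child process are assumptions chosen for illustration only.
class PipeConnectDiagnostics
{
    enum Outcome { Connected, ChildExited, PipeNeverAppeared }

    // Try to reach the pipe the sacrificial process is expected to host.
    static Outcome TryConnect(string pipeName, Process child, int timeoutMs)
    {
        using (var client = new NamedPipeClientStream(".", pipeName, PipeDirection.InOut))
        {
            try
            {
                // This is the call that throws TimeoutException
                // ("The operation has timed out.") when no server end of
                // the pipe is ever created in the remote process.
                client.Connect(timeoutMs);
                return Outcome.Connected;
            }
            catch (TimeoutException)
            {
                // Distinguish the two failure modes discussed in the thread:
                // the child died (payload never ran far enough to host the
                // pipe) versus the child is alive but the pipe never appeared.
                return child.HasExited ? Outcome.ChildExited : Outcome.PipeNeverAppeared;
            }
        }
    }

    static void Main()
    {
        // Hypothetical child that exits immediately, so the "child exited"
        // branch is exercised deterministically without any injection.
        var child = Process.Start(new ProcessStartInfo("cmd.exe", "/c exit 0")
        {
            UseShellExecute = false,
            CreateNoWindow = true
        });

        Outcome result = TryConnect("example-pipe-name", child, 5000);
        Console.WriteLine("Result: " + result);
        if (child.HasExited)
        {
            // A crash typically shows up as a non-zero (often NTSTATUS-style)
            // exit code here, which is the first thing worth logging.
            Console.WriteLine("Child exit code: 0x" + child.ExitCode.ToString("X8"));
        }
    }
}
```

Logging the child's exit code alongside the timeout turns "The operation has timed out." into an actionable message about whether the remote process crashed or simply never opened the pipe.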

thiagomayllart commented 3 years ago

I’ve tried running it as SYSTEM, but no success..

If you need more information just feel free to ask!

djhohnstein commented 3 years ago

When you run getprivs, what's the output? And after injection (say, using psinject), does the process you inject into crash?

thiagomayllart commented 3 years ago

By running getprivs as admin I get:

SeIncreaseQuotaPrivilege  Adjust memory quotas for a process  Disabled
SeSecurityPrivilege  Manage auditing and security log  Disabled
SeTakeOwnershipPrivilege  Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege  Load and unload device drivers  Disabled
SeSystemProfilePrivilege  Profile system performance  Disabled
SeSystemtimePrivilege  Change the system time  Disabled
SeProfileSingleProcessPrivilege  Profile single process  Disabled
SeIncreaseBasePriorityPrivilege  Increase scheduling priority  Disabled
SeCreatePagefilePrivilege  Create a pagefile  Disabled
SeBackupPrivilege  Back up files and directories  Disabled
SeRestorePrivilege  Restore files and directories  Disabled
SeShutdownPrivilege  Shut down the system  Disabled
SeDebugPrivilege  Debug programs  Disabled
SeSystemEnvironmentPrivilege  Modify firmware environment values  Disabled
SeChangeNotifyPrivilege  Bypass traverse checking  Enabled
SeRemoteShutdownPrivilege  Force shutdown from a remote system  Disabled
SeUndockPrivilege  Remove computer from docking station  Disabled
SeManageVolumePrivilege  Perform volume maintenance tasks  Disabled
SeImpersonatePrivilege  Impersonate a client after authentication  Enabled
SeCreateGlobalPrivilege  Create global objects  Enabled
SeIncreaseWorkingSetPrivilege  Increase a process working set  Disabled
SeTimeZonePrivilege  Change the time zone  Disabled
SeCreateSymbolicLinkPrivilege  Create symbolic links  Disabled
SeDelegateSessionUserImpersonatePrivilege  Obtain an impersonation token for another user in the same session  Disabled

I'm actually able to inject into a process using different tools like https://github.com/3xpl01tc0d3r/ProcessInjection, running as a normal user and as Administrator.

And yes.. after trying to inject into a process I can see the process being spawned but crashing right after. I've tried using both APCQueue and CreateRemoteThreadInjection.

thiagomayllart commented 3 years ago

The Mimikatz payload is working fine. IIRC mimikatz also does process injection and named pipe connections. I've also tried to do process injection by modifying APCqueue to something similar to the repository mentioned before, without success...

I believe this might be something related to the independent shellcode generation, but not sure.

UPDATE: I've managed to run the commands mentioned (execute_assembly, powerpick, etc) in one of my Windows machines. However, the others are still failing for no reason o.O