bytecode77 / living-off-the-land

Fileless attack with persistence
https://bytecode77.com/living-off-the-land
BSD 2-Clause "Simplified" License

Is it possible to make LOTL starting 2 exes? #4

Closed badmanagerbmx closed 3 years ago

badmanagerbmx commented 3 years ago

Hi,

Thanks for your work, it's working perfectly for me, but the issue I have right now is that I have one exe that is a stager, and it's supposed to start the rootkit that it downloaded before, but it gets blocked by AV.

It seems quite normal to me, because it was my stager that was starting another exe, but I could not figure out a solution for myself.

Can you help me?

bytecode77 commented 3 years ago

Are you trying to use the Living Off The Land PoC to evade detection of the r77 Rootkit? If it's regarding the detection of r77, there is already an open issue, which I'll be investigating this week. I hope I'm able to fix it soon.

r77 is actually using the technique that the LOTL PoC implements, except it uses scheduled tasks instead of registry startup - and has an improved RunPE. You won't achieve AV evasion by encapsulating the rootkit in the LOTL demo, but I'm working on evasion of r77 at the moment. LOTL is actually just a reference implementation for a fileless persistence. If you need to implement fileless persistence for a project of yours, you can use lots of the code in the LOTL project.

But tell me, what exactly is your intention? You said you want to start two executables. That's possible (add a new line here), but what is your goal?
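From the defender's side, as an added example that is not code from the LOTL or r77 projects: a PowerShell audit of the two persistence locations named above (the registry startup keys and scheduled tasks) that flags entries whose command line invokes PowerShell, which is what a fileless stager of this kind looks like on disk. The Run key paths and the `$pattern` regex are assumptions, not taken from the projects.

```powershell
# Added audit script (not part of LOTL or r77): list Run-key and scheduled-task
# persistence entries whose command invokes PowerShell.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: the stager is started via a PowerShell command line, as the thread states.
$pattern = 'powershell(\.exe)?|pwsh'

# Registry startup entries: every value under each Run key is a command line.
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        if ("$($p.Value)" -match $pattern) {
            [pscustomobject]@{ Source = "Registry: $key"; Name = $p.Name; Command = $p.Value }
        }
    }
})

# Scheduled tasks: each Exec action carries the program (Execute) and its Arguments.
$findings += @(foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Source = "Task: $($task.TaskPath)$($task.TaskName)"; Name = $task.Author; Command = $cmd }
        }
    }
})

$findings | Format-Table -AutoSize -Wrap
```

Run from an elevated prompt so HKLM and all task folders are readable; legitimate entries will appear too, so review the Command column rather than treating every hit as malicious.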

badmanagerbmx commented 3 years ago

Hi,

My goal is to start a stager first, that will download the files of the rootkit. It works fine. My second exe is the rootkit I downloaded, but when the stager tries to execute it, or even any other regular exe, it's blocked by Windows AV, and I get a 1223 error.

That's the reason I asked if it was possible to start 2 exes with Living off the land exe. BR

bytecode77 commented 3 years ago

If I understand you correctly, you're trying to implement a workaround against the detection of r77 prior to an r77 update that fixes the issue.

However, using the LOTL demo to start the installer or both stager executables won't help you with this for the following reasons:

Hence, it's inevitable to fix detection issues. There is no easy workaround. It's definitely good practice to start Install.exe using RunPE rather than dropping the file. But if the stager is failing due to AV detection, then I need to fix this, as it is an internal component that's not working correctly.

But as I mentioned before, evading AV detection is a daunting task and definitely not something that I can fix with a few lines of code by tomorrow. It's currently the number 1 priority for the r77 project.

What I will try next is to fiddle with the Powershell commandline of the stager, as well as the name of the scheduled tasks, to see if there is a signature based detection involved.

badmanagerbmx commented 3 years ago

Hi,

Well, I don't really get why you're talking about r77, is this another project? Can you tell me more?

BR

bytecode77 commented 3 years ago

I just assumed that you were talking about r77, because your description somehow perfectly matched - my bad for not asking.

r77 is another project of mine, hosted here on GitHub. It's a rootkit that uses the techniques from my LOTL PoC, except using scheduled tasks instead of the registry key to retain elevated privileges across reboots.

Is this question related to issue #5 ?

badmanagerbmx commented 3 years ago

Hi,

I think we could close this issue, since the better option in this situation is to make my rootkit persistent, so it will be started at the next boot.