cobbr / Covenant

Covenant is a collaborative .NET C2 framework for red teamers.
https://cobbr.io/Covenant.html
GNU General Public License v3.0

[Bug] BypassUACGrunt error #194

Closed jholgui closed 4 years ago

jholgui commented 4 years ago

Bug

Describe the feature request or bug

When I launch the BypassUACGrunt command with a launcher (for example, BypassUACGrunt PowerShell), Covenant prints an error that you can see in the screenshot. This error occurs with the latest GitHub master branch. The PowerShell launcher is generated.

Screenshots

(screenshot of the error, attached to the original issue)

Covenant Server Information:

Target Information (System that implant is running on):

rasta-mouse commented 4 years ago

My trace is:

[!] The LINQ expression 'DbSet<Launcher>
    .Where(l => l.Name.Equals(
        value: __get_Item_0, 
        comparisonType: OrdinalIgnoreCase))' could not be translated. Either rewrite the query in a form that can be translated, or switch to client evaluation explicitly by inserting a call to either AsEnumerable(), AsAsyncEnumerable(), ToList(), or ToListAsync(). See https://go.microsoft.com/fwlink/?linkid=2101038 for more information.
   at Microsoft.EntityFrameworkCore.Query.QueryableMethodTranslatingExpressionVisitor.<VisitMethodCall>g__CheckTranslated|8_0(ShapedQueryExpression translated, <>c__DisplayClass8_0& )
   at Microsoft.EntityFrameworkCore.Query.QueryableMethodTranslatingExpressionVisitor.VisitMethodCall(MethodCallExpression methodCallExpression)
   at Microsoft.EntityFrameworkCore.Query.QueryableMethodTranslatingExpressionVisitor.VisitMethodCall(MethodCallExpression methodCallExpression)
   at Microsoft.EntityFrameworkCore.Query.QueryCompilationContext.CreateQueryExecutor[TResult](Expression query)
   at Microsoft.EntityFrameworkCore.Storage.Database.CompileQuery[TResult](Expression query, Boolean async)
   at Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler.CompileQueryCore[TResult](IDatabase database, Expression query, IModel model, Boolean async)
   at Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler.<>c__DisplayClass12_0`1.<ExecuteAsync>b__0()
   at Microsoft.EntityFrameworkCore.Query.Internal.CompiledQueryCache.GetOrAddQueryCore[TFunc](Object cacheKey, Func`1 compiler)
   at Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler.ExecuteAsync[TResult](Expression query, CancellationToken cancellationToken)
   at Microsoft.EntityFrameworkCore.Query.Internal.EntityQueryProvider.ExecuteAsync[TResult](Expression expression, CancellationToken cancellationToken)
   at Microsoft.EntityFrameworkCore.EntityFrameworkQueryableExtensions.ExecuteAsync[TSource,TResult](MethodInfo operatorMethodInfo, IQueryable`1 source, Expression expression, CancellationToken cancellationToken)
   at Microsoft.EntityFrameworkCore.EntityFrameworkQueryableExtensions.ExecuteAsync[TSource,TResult](MethodInfo operatorMethodInfo, IQueryable`1 source, LambdaExpression expression, CancellationToken cancellationToken)
   at Microsoft.EntityFrameworkCore.EntityFrameworkQueryableExtensions.FirstOrDefaultAsync[TSource](IQueryable`1 source, Expression`1 predicate, CancellationToken cancellationToken)
   at Covenant.Core.CovenantService.CreateGruntTasking(GruntTasking tasking) in /opt/Covenant/Covenant/Core/CovenantService.cs:line 2747
   at Covenant.Core.CovenantService.StartGruntTasking(Grunt grunt, GruntTask task, GruntCommand command) in /opt/Covenant/Covenant/Core/CovenantService.cs:line 2489
   at Covenant.Core.CovenantService.InteractGrunt(Int32 GruntId, String UserId, String UserInput) in /opt/Covenant/Covenant/Core/CovenantService.cs:line 1668

@jholgui You can use the BypassUACCommand as a workaround, e.g.:

BypassUACCommand cmd.exe "/c powershell.exe -nop -w 1 -enc <blah>"

rasta-mouse commented 4 years ago
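The trace above is an EF Core 3.x translation failure: `string.Equals(value, StringComparison.OrdinalIgnoreCase)` has no SQL equivalent, and since 3.0 EF Core throws instead of silently evaluating the predicate on the client as 2.x did. The program below is an added example, not Covenant's code and not a description of the fix commit; it reproduces the failure against an in-memory SQLite database and shows two rewrites that do translate. It assumes a .NET Core 3.1 console project referencing the NuGet package Microsoft.EntityFrameworkCore.Sqlite 3.1.x; the `Launcher` entity and `DemoContext` are stand-ins for the real Covenant model.

```csharp
// Added example (not Covenant's code): reproduce the EF Core 3.x translation
// failure from the issue trace and show two server-translatable rewrites.
// Assumes Microsoft.EntityFrameworkCore.Sqlite 3.1.x on .NET Core 3.1.
// Launcher and DemoContext are stand-ins, not Covenant's real model.
using System;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;

public class Launcher
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class DemoContext : DbContext
{
    public DbSet<Launcher> Launchers { get; set; }
    private readonly SqliteConnection _conn;
    public DemoContext(SqliteConnection conn) { _conn = conn; }
    protected override void OnConfiguring(DbContextOptionsBuilder options)
        => options.UseSqlite(_conn);
}

public static class Program
{
    public static void Main()
    {
        // In-memory SQLite so the example runs offline; the connection must
        // stay open for the context's lifetime or the database disappears.
        using var conn = new SqliteConnection("DataSource=:memory:");
        conn.Open();
        using var db = new DemoContext(conn);
        db.Database.EnsureCreated();
        db.Launchers.Add(new Launcher { Name = "PowerShell" });   // constructed sample row
        db.SaveChanges();

        string requested = "powershell";   // operator typed the launcher name in lower case

        // 1. The pattern from the trace: Equals with a StringComparison argument
        //    cannot be turned into SQL, so EF Core 3.x throws InvalidOperationException
        //    ("The LINQ expression ... could not be translated").
        try
        {
            var l = db.Launchers.FirstOrDefault(
                x => x.Name.Equals(requested, StringComparison.OrdinalIgnoreCase));
            Console.WriteLine($"unexpected: {l?.Name}");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("EF Core refused to translate: " + ex.Message.Split('\n')[0]);
        }

        // 2. Rewrite A: normalize both sides. ToLower() on the column translates to
        //    LOWER(), and requested.ToLower() is evaluated once as a query parameter.
        var a = db.Launchers.FirstOrDefault(
            x => x.Name.ToLower() == requested.ToLower());
        Console.WriteLine($"rewrite A found: {a?.Name}");

        // 3. Rewrite B: explicit client evaluation, as the error message suggests.
        //    Correct, but it streams every row to the client; fine for a short
        //    launcher list, not for large tables.
        var b = db.Launchers.AsEnumerable().FirstOrDefault(
            x => x.Name.Equals(requested, StringComparison.OrdinalIgnoreCase));
        Console.WriteLine($"rewrite B found: {b?.Name}");
    }
}
```

Rewrite A is the one to prefer in a service that is queried per tasking, since it keeps the filter in the database; rewrite B is the quick fix the exception text points at and is only acceptable where the table is known to be small.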

@cobbr seems this also affects all the *Grunt lateral movement commands. WMI, PowerShellRemoting, DCOM... Almost everything where you select a launcher.

caseyvsilver1515 commented 4 years ago

I have the same issues with all of the lateral Grunts. I get the error with Covenant deployed on Windows 10 and Kali, and the targets are Windows 10.

cobbr commented 4 years ago

Thanks for the heads up everyone. This was fixed in 75d147aa4a40affb5e134466f6521a2d5a9dced8, I just forgot to update this issue.

Closing for now. If you continue to have issues with the latest code, we can reopen.