optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Scarecrow not working with Mythic C2/atlas agent #35

Closed c0pp3r closed 1 year ago

c0pp3r commented 2 years ago

Hello. During testing of C2 frameworks and scarecrow I ran across interesting behavior when it came to the Mythic C2 atlas agent (https://github.com/MythicAgents/atlas).

When exporting an atlas agent executable, using donut to generate shellcode and then using scarecrow the new wrapped payload is successfully created. When executed this payload makes 1 callback to the C2 server and then ceases to run. I have tried a number of different combinations to attempt to understand the issue better:

atlas + confuserEx + donut + scarecrow = 1 callback then dead
atlas + donut + scarecrow = 1 callback then dead
atlas + CLRvoyance + scarecrow = 1 callback then dead
atlas + confuserEx + donut + DonutTest = working implant

In addition I tried another dotnet C2 framework: Covenant Grunt + confuserEx + donut + scarecrow = working implant.

I have tried binary and control loaders and I have used the console, and no errors are generated at any point. I'm happy to try any other troubleshooting that anyone might recommend.

Thanks

Tylous commented 2 years ago

That is very, very odd. I am not sure why it calls back once and then dies... I'll take a look, but does the following happen on both binary and control loaders?

atlas + CLRvoyance + scarecrow = 1 callback then dead
atlas + confuserEx + donut + scarecrow = 1 callback then dead

c0pp3r commented 2 years ago

It is odd.

Both are confirmed with both binary and control (just reconfirmed them moments ago just to be safe)

Tylous commented 2 years ago

Could you provide me a link to the confuserEx repo you are using? I see a couple out there.

c0pp3r commented 2 years ago

This is the repo I used for the testing: https://github.com/mkaring/ConfuserEx

I downloaded the 1.5 release binary.

Tylous commented 2 years ago

I am looking into this; I will update the thread as soon as I have info on it.

c0pp3r commented 2 years ago

Awesome. Thanks for all the work you do on this! Let me know if I can help in any way.

Tylous commented 2 years ago

Sorry, I've been off a bit. Circling back to this, could you do the following to test? Can you run something like Process Hacker 2 and monitor the process: when you execute it, does the process terminate? Can you use the binary loader with -console mode and paste the terminal output?

c0pp3r commented 2 years ago

Hey sorry for the late reply. The process terminates immediately after the console finishes running. Originally the console output showed no errors but now I'm seeing the following:

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
Exception 0xc0000005 0x0 0x18 0x7ff9ec7811f0
PC=0x7ff9ec7811f0
signal arrived during external code execution

runtime.cgocall(0x7ff68783fd00, 0x7ff6879d6520)
        runtime/cgocall.go:156 +0x4a fp=0xc000133dc0 sp=0xc000133d88 pc=0x7ff6877e392a
syscall.Syscall(0xc000372000, 0x0, 0x0, 0x0, 0x0)
        runtime/syscall_windows.go:479 +0xf4 fp=0xc000133df8 sp=0xc000133dc0 pc=0x7ff68783aa54
syscall.Syscall(0x7ff6878e0050, 0xc00000e3c0, 0x5, 0x5, 0x0)
        <autogenerated>:1 +0x2b fp=0xc000133e48 sp=0xc000133df8 pc=0x7ff687840bab
main.main()
        BOQGcMfOIHZwwiD/OneDrive.go:613 +0x2677 fp=0xc000133f80 sp=0xc000133e48 pc=0x7ff6878a1857
runtime.main()
        runtime/proc.go:255 +0x217 fp=0xc000133fe0 sp=0xc000133f80 pc=0x7ff6878167d7
runtime.goexit()
        runtime/asm_amd64.s:1581 +0x1 fp=0xc000133fe8 sp=0xc000133fe0 pc=0x7ff68783e4c1
rax     0x1a6c73b0250
rbx     0x0
rcx     0x7ff98d316d8a
rdi     0x1a6c73b0250
rsi     0x1a6c738eb58
rbp     0x5021dfde10
rsp     0x5021dfdd90
r8      0x0
r9      0x1
r10     0x9
r11     0xa
r12     0x8
r13     0x48
r14     0x5021dfe4e0
r15     0x1
rip     0x7ff9ec7811f0
rflags  0x10206
cs      0x33
fs      0x53
gs      0x2b

This was using a binary loader and no confuserex (exported shellcode directly from mythic).

Tylous commented 2 years ago

Okay, so that's different than it calling home once.

who1smrrobot commented 2 years ago

Just FYI, I ran into the same issue with the latest scarecrow + atlas agent:

image

Tylous commented 2 years ago

Bumping this thread: is the shellcode in question staged or stageless?

Tylous commented 1 year ago

Scarecrow 5.0 should address this.