Open OJ opened 8 years ago
:+1:
TBH I don't think anyone should be migrating any more with current tool sets and techniques? Unless actually performing an exploit on an unstable process.
There is no need to do it to grab hashes any more.
You were always much safer injecting a new session into a process than migrating anyway.
The techniques/calls should be the same for injection - it'd be good to expose it for both migration and injection if so? :)
Agreed on keeping things the same for injection/migration.
Disagreed on telling people what they should and shouldn't be doing. There are more reasons to migrate than stability and hash grabbing too imho.
I think it's a valid thing to strive for, and it's still a relevant "thing to do" in many cases. So yeah, I'm keen to make this happen. Injection will get love as well.
I'm not going to tell anyone not to do anything, but it's quite a risky procedure. I challenge you to name the reasons to use it currently :)
I knew that was coming ;) let me get coffee and breakfast, then I'll attempt to justify it :-)
@Meatballs1, if you exploit something but the user closes the process? That's why we migrate to something like "explorer.exe".
But better still inject into the second process and you have both instances up and running :)
@Meatballs1 I still migrate quite a bit to make sure I'm not doing comms out of notepad.exe or powershell.exe. I use PrependMigrate quite a bit as well. I also migrate when I'm using a Bind payload over a reverse, like to a DC or what not. Also, migrating helps in situations where the environment isn't right to hashdump or mimikatz.
All tradecraft issues aside, I'd love to see the other migrate options available @OJ
I think that there are a few reasons that migration gets caught, and the behavioural fingerprint is one. Another is probably things like predictable migration stubs, but once we have MSF-side migration stub generation (which is in the Named Pipe PR) we should be able to mix things up a bit.
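To make the "behavioural fingerprint" concrete, here is an added example (not code from Metasploit or from anyone in this thread) of the kind of heuristic a HIPS or a SIEM rule applies to catch migration: a thread created in another process by something that has no business doing so, with a start address that is not inside any loaded module. It runs over constructed Sysmon-style Event ID 8 (CreateRemoteThread) records; the pipe-separated Key=Value layout, the sample records and the allowlists are assumptions made for the example, not real telemetry.

```python
"""Toy migration/injection detector over constructed Sysmon-style Event ID 8
(CreateRemoteThread) records. Added example for the issue thread; not code
from Metasploit or from any participant. Record format and allowlists are
assumptions made for illustration."""

# Sources that legitimately create threads in other processes on a stock
# Windows box. Assumed allowlist; a real deployment tunes this per image path.
TRUSTED_SOURCES = {"csrss.exe", "services.exe", "lsass.exe", "svchost.exe",
                   "wininit.exe", "winlogon.exe"}

# Long-lived, user-context processes that are popular migration targets.
COMMON_MIGRATION_TARGETS = {"explorer.exe", "svchost.exe", "spoolsv.exe",
                            "winlogon.exe", "lsass.exe"}

# Initial-foothold processes: a payload usually wants out of these (the
# "comms out of notepad.exe" problem mentioned earlier in the thread).
FOOTHOLD_SOURCES = {"notepad.exe", "powershell.exe", "winword.exe",
                    "excel.exe", "outlook.exe", "rundll32.exe", "mshta.exe"}


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def migration_indicators(event):
    """Return the reasons a CreateRemoteThread event looks like migration or
    injection; an empty list means the event is treated as benign."""
    src = basename(event.get("SourceImage", ""))
    dst = basename(event.get("TargetImage", ""))
    if src in TRUSTED_SOURCES:
        return []
    if src == dst:
        # Same image on both sides (browser sandboxes, worker pools): a
        # crude exclusion so the allowlist does not have to name every app.
        return []
    reasons = ["cross-process thread from a non-allowlisted source"]
    # A migration stub runs from freshly allocated memory, so Sysmon cannot
    # resolve the thread start address to any module export.
    if not event.get("StartModule") and not event.get("StartFunction"):
        reasons.append("thread start address is not inside a loaded module")
    if src in FOOTHOLD_SOURCES:
        reasons.append(f"source {src} is a typical initial-foothold process")
    if dst in COMMON_MIGRATION_TARGETS:
        reasons.append(f"target {dst} is a common migration target")
    return reasons


def scan(lines):
    """Run the heuristics over raw records; returns [(line_number, reasons)]
    for every record that tripped at least one indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        reasons = migration_indicators(parse_event(line))
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample records (not real telemetry). Record 1 is a classic
# migrate: notepad.exe -> explorer.exe with an unresolvable start address.
# Record 3 is a LoadLibraryW-style DLL injection from outlook.exe.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\notepad.exe|SourceProcessId=4120|TargetImage=C:\Windows\explorer.exe|TargetProcessId=1460|StartModule=|StartFunction=",
    r"SourceImage=C:\Windows\System32\csrss.exe|SourceProcessId=540|TargetImage=C:\Windows\explorer.exe|TargetProcessId=1460|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=EtwpNotificationThread",
    r"SourceImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|SourceProcessId=5012|TargetImage=C:\Windows\System32\svchost.exe|TargetProcessId=892|StartModule=C:\Windows\System32\kernel32.dll|StartFunction=LoadLibraryW",
    r"SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe|SourceProcessId=6100|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetProcessId=6124|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=RtlUserThreadStart",
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_EVENTS):
        print(f"record {number}: " + "; ".join(reasons))
```

The point of the example is the shape of the signal, not the specific lists: the stub-from-unbacked-memory indicator is the one that a randomised, MSF-generated migration stub does not remove, because the thread still starts outside any module, whereas source/target reputation is what injecting from a more plausible process (or into a less obvious target) changes.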
I am not sure but these methods may help.
http://www.malwaretech.com/2014/12/zombie-processes-as-hips-bypass.html
https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
These days quite a few HIPS apps, such as Trend and SEP, are able to detect when Meterpreter migrates. The only thing that is surprising about this is that they've only just started doing it.
There are a few other methods that we can start to use to migrate, and so we should look into these to see which would be viable.
This is a good reference for other options as well http://www.slideshare.net/enSilo/injection-on-steroids-codeless-code-injection-and-0day-techniques