
Donut WLDP and AMSI patching enabled

Status: Open. CodeXTF2 opened this issue 1 year ago • 3 comments

Describe the bug: When generating shellcode in Sliver, Donut has the AMSI and WLDP options enabled, which can add detections.

To Reproduce: Steps to reproduce the behavior:

  1. Start Sliver
  2. generate --http {any ip here} --os windows --format shellcode

Expected behavior: Elastic flags the beacon for patching AMSI and WLDP even though -e (which would normally enable AMSI patching) is disabled.

OS: Windows (implant)

CodeXTF2 avatar Aug 16 '24 10:08 CodeXTF2

The --evasion flag has no impact on this. Right now, most of the Donut loader options are hardcoded: https://github.com/BishopFox/sliver/blob/7676fc6c37fc33ea17a6ce34784bec1e8107dce6/server/generate/donut.go#L50

I should probably update that so it can be user controlled.

rkervella avatar Aug 16 '24 11:08 rkervella

Yeah, I'm aware. I just referenced the --evasion flag in terms of intended behaviour. For now, manually using donut with -b1 on Sliver binaries works fine.

CodeXTF2 avatar Aug 16 '24 11:08 CodeXTF2

@CodeXTF2 Thanks for the tip. When I create the shellcode manually using donut and -b1 it works, but whenever I try to run any of the armory packages and / or execute-assembly with --in-process, I get the error:

rpc error: code = Unknown desc = the appdomain.Load_3 function returned a non-zero HRESULT: 0x8007000b

Any ideas? Does it have something to do with the CLR DLL not being loaded in my implant?

My donut command was: donut -i SLIVER.EXE -b1 -a 2 -t 0

EDIT FOR ANYONE SEEING THIS LATER: so the problem was that there was no AMSI bypass, because it was disabled in Donut. If I run any armory alias with the -M -i flags, it works as expected; for example, sliver> seatbelt -M -i -- Applocker works, and on subsequent calls you don't need the -M flag.

s3nn avatar Nov 22 '24 05:11 s3nn