
Improve `sessions` data

Open Marshall-Hallenbeck opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe.
I would like to see what process (name is fine) an implant is running as/under (like if we migrate), as well as the integrity level of the process (if it's a Windows implant). It would help keep track of which sessions were elevated (for instance, via fodhelper UAC bypass) or already migrated (like if the session exists in explorer or another process).

Describe the solution you'd like
Display a new column in the sessions display. Alternatively these could be added to an expanded view like Meterpreter has (I believe via the -x or -X flag).

Describe alternatives you've considered
Right now I have to constantly run getpid & ps along with whoami /groups to see what process the implant is running under and the integrity level. This adds noise and increases the chance an implant will get picked up by AV/EDR/etc.

Additional context
N/A

Marshall-Hallenbeck, Aug 02 '21 18:08

ps should colorize the current implant process as green, but you still have a good point that this data should be more accessible.

moloch--, Aug 02 '21 20:08

Also, in the meantime, there's a getprivs command that has been merged into master recently (no release yet) that gives you the list of privileges for the current process. Should allow you to avoid calling whoami /groups with a call to CreateProcess:

sliver (ILL_OFF-RAMP) > getprivs

Privilege Information for Current Process
-----------------------------------------
Name                                            Description                                                             Attributes
====                                            ===========                                                             ==========
SeIncreaseQuotaPrivilege                        Adjust memory quotas for a process                                      (Enabled, Enabled by Default)
SeSecurityPrivilege                             Manage auditing and security log                                        (Enabled, Enabled by Default)
SeTakeOwnershipPrivilege                        Take ownership of files or other objects                                (Enabled, Enabled by Default)
SeLoadDriverPrivilege                           Load and unload device drivers                                          (Enabled, Enabled by Default)
SeSystemProfilePrivilege                        Profile system performance                                              (Enabled, Enabled by Default)
SeSystemtimePrivilege                           Change the system time                                                  (Enabled, Enabled by Default)
SeProfileSingleProcessPrivilege                 Profile single process                                                  (Enabled, Enabled by Default)
SeIncreaseBasePriorityPrivilege                 Increase scheduling priority                                            (Enabled, Enabled by Default)
SeCreatePagefilePrivilege                       Create a pagefile                                                       (Enabled, Enabled by Default)
SeBackupPrivilege                               Back up files and directories                                           (Enabled, Enabled by Default)
SeRestorePrivilege                              Restore files and directories                                           (Enabled, Enabled by Default)
SeShutdownPrivilege                             Shut down the system                                                    (Enabled, Enabled by Default)
SeDebugPrivilege                                Debug programs                                                          (Enabled, Enabled by Default)
SeSystemEnvironmentPrivilege                    Modify firmware environment values                                      (Enabled, Enabled by Default)
SeChangeNotifyPrivilege                         Bypass traverse checking                                                (Enabled, Enabled by Default)
SeRemoteShutdownPrivilege                       Force shutdown from a remote system                                     (Enabled, Enabled by Default)
SeUndockPrivilege                               Remove computer from docking station                                    (Enabled, Enabled by Default)
SeManageVolumePrivilege                         Perform volume maintenance tasks                                        (Enabled, Enabled by Default)
SeImpersonatePrivilege                          Impersonate a client after authentication                               (Enabled, Enabled by Default)
SeCreateGlobalPrivilege                         Create global objects                                                   (Enabled, Enabled by Default)
SeIncreaseWorkingSetPrivilege                   Increase a process working set                                          (Enabled, Enabled by Default)
SeTimeZonePrivilege                             Change the time zone                                                    (Enabled, Enabled by Default)
SeCreateSymbolicLinkPrivilege                   Create symbolic links                                                   (Enabled, Enabled by Default)
SeDelegateSessionUserImpersonatePrivilege       Obtain an impersonation token for another user in the same session      (Enabled, Enabled by Default)

rkervella, Aug 03 '21 07:08
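Both the original request (process name plus integrity level per session) and the getprivs output above come from the same place: the process's own access token, which Windows exposes through GetTokenInformation without spawning whoami or any other child process. The script below is an added illustration, not Sliver's code, of how that data is read; it calls the documented advapi32 functions GetTokenInformation, GetSidSubAuthority(Count) and LookupPrivilegeName through Add-Type, and the `TokenInfo` class name, the `Get-TokenSummary` function and the human-readable level names are this example's own choices. It is useful on the defensive side too, for example to record the integrity level of a process in a baseline or to sanity-check hardening on a host.

```powershell
# Added example: read integrity level and privileges from the current token.
# Requires Windows PowerShell / PowerShell 7 on Windows; the C# helper is
# compiled in-process by Add-Type, no external binary is launched.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

public static class TokenInfo {
    const int TokenPrivileges     = 3;   // TOKEN_INFORMATION_CLASS values
    const int TokenIntegrityLevel = 25;

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int infoLen, out int returnLen);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupPrivilegeName(string systemName, IntPtr luid, StringBuilder name, ref int cchName);

    // Query twice: once for the required size, once for the data.
    static IntPtr Query(IntPtr token, int infoClass, out int len) {
        GetTokenInformation(token, infoClass, IntPtr.Zero, 0, out len);
        if (len == 0) throw new Win32Exception(Marshal.GetLastWin32Error());
        IntPtr buf = Marshal.AllocHGlobal(len);
        if (!GetTokenInformation(token, infoClass, buf, len, out len)) {
            Marshal.FreeHGlobal(buf);
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        return buf;
    }

    // The integrity level is the last sub-authority of the S-1-16-x label SID.
    public static uint GetIntegrityRid(IntPtr token) {
        int len;
        IntPtr buf = Query(token, TokenIntegrityLevel, out len);
        try {
            var sa = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(buf, typeof(SID_AND_ATTRIBUTES));
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sa.Sid));
            return (uint)Marshal.ReadInt32(GetSidSubAuthority(sa.Sid, (uint)(count - 1)));
        } finally { Marshal.FreeHGlobal(buf); }
    }

    static string DescribeAttrs(uint a) {
        var parts = new System.Collections.Generic.List<string>();
        if ((a & 0x2) != 0) parts.Add("Enabled");            // SE_PRIVILEGE_ENABLED
        if ((a & 0x1) != 0) parts.Add("Enabled by Default"); // SE_PRIVILEGE_ENABLED_BY_DEFAULT
        if ((a & 0x4) != 0) parts.Add("Removed");            // SE_PRIVILEGE_REMOVED
        if ((a & 0x80000000) != 0) parts.Add("Used for Access");
        return parts.Count == 0 ? "(Disabled)" : "(" + string.Join(", ", parts.ToArray()) + ")";
    }

    // TOKEN_PRIVILEGES = uint PrivilegeCount followed by LUID_AND_ATTRIBUTES[] (12 bytes each).
    public static string[] GetPrivileges(IntPtr token) {
        int len;
        IntPtr buf = Query(token, TokenPrivileges, out len);
        try {
            int count = Marshal.ReadInt32(buf);
            var result = new string[count];
            for (int i = 0; i < count; i++) {
                IntPtr entry = IntPtr.Add(buf, 4 + i * 12);    // points at the LUID
                uint attrs = (uint)Marshal.ReadInt32(entry, 8);
                var name = new StringBuilder(64);
                int cch = name.Capacity;
                if (!LookupPrivilegeName(null, entry, name, ref cch))
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                result[i] = name.ToString() + " " + DescribeAttrs(attrs);
            }
            return result;
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
'@

function Get-TokenSummary {
    # WindowsIdentity.Token is the process's primary token handle (IntPtr).
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token
    $rid   = [TokenInfo]::GetIntegrityRid($token)
    # Documented RID bands: 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System.
    $level = switch ($rid) {
        { $_ -lt 0x1000 } { 'Untrusted'; break }
        { $_ -lt 0x2000 } { 'Low';       break }
        { $_ -lt 0x3000 } { 'Medium';    break }
        { $_ -lt 0x4000 } { 'High';      break }
        { $_ -lt 0x5000 } { 'System';    break }
        default           { 'Protected process' }
    }
    [pscustomobject]@{
        Pid        = $PID
        Process    = (Get-Process -Id $PID).ProcessName
        User       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Integrity  = ("$level (0x{0:X4})" -f $rid)
        Privileges = [TokenInfo]::GetPrivileges($token)
    }
}

$summary = Get-TokenSummary
$summary | Select-Object Pid, Process, User, Integrity | Format-List
$summary.Privileges
```

Running this from a normal console prints Medium (0x2000) and a short privilege list; from an elevated console it prints High (0x3000) and a list similar to the getprivs table above. Because the information is read from the token in-process, no child process appears in process-creation telemetry, which is exactly why the thread prefers getprivs over shelling out to whoami /groups, and also why defenders should not rely on such child-process events alone to notice elevated sessions.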

This issue is quite old, but I agree that the integrity level not being shown in the session table is a bummer. I understand that this is an additional call, which you might not want to execute on each implant, but would it be possible to add a trailing * to the username or session once we have run getprivs in a particular session?

cmprmsd, Sep 09 '22 08:09

We can probably do something like that.

moloch--, Sep 09 '22 14:09