Execute-Assembly AMSI / ETW

Open 0xjbb opened this issue 2 years ago • 5 comments

Please note, I could be an absolute idiot and have this all wrong ( if this is the case please inform me of my error and close this :) )

When using execute-assembly, defender obviously picks up things like sharphound/rubeus whatever, no problem... just bypass it.

However, even using the bof-etw/amsi-bypass on the sliver.exe implant doesn't actually work for the execute-assembly, I'm assuming it's because sliver appears to be creating a new process "notepad.exe" and doing the execute-assembly in that then closing (meaning you couldn't catch the PID and inject into the notepad.exe) (I've not looked at the code to confirm, this was just my observation whilst debugging my problem)

I've even created my own dropper, with builtin ETW + AMSI bypass with the same results.

The only way I could think of doing this from my perspective would be to scan for new processes, when found, suspend notepad.exe and inject etw/amsi.

Again, I could be an idiot and have this wrong :D

To Reproduce

Steps to reproduce the behavior:

  1. Set up sliver
  2. Run implant on windows with defender running
  3. run inject-etw-bypass + inject-amsi-bypass
  4. run execute-assembly or rubeus/sharphound from the armory
  5. watch defender ruin your day. ( at least in my testing this is how it goes )

Expected behavior

Ideally, patch etw/amsi in the notepad.exe.

Desktop (please complete the following information):

  • OS: Windows 10
  • Sliver version: 1.5.3

Additional context

I understand that bypassing AV isn't really the goal of sliver and I completely understand that, but off the top of my head I don't see any way around this currently except for the way I mentioned above, which is a bit of a pita.

0xjbb avatar Feb 15 '22 20:02 0xjbb

Yes, we currently create a new process and then inject the .NET assembly into it, so it doesn't pair well with the bypass BOFs. We probably should implement a better way to combine the two.

moloch-- avatar Feb 15 '22 20:02 moloch--

Thanks for confirming, thought I was going crazy tbh.

0xjbb avatar Feb 15 '22 20:02 0xjbb

@rkervella you know the execute-assembly code better than me, would it be hard to add a pid or something?

moloch-- avatar Feb 15 '22 20:02 moloch--

@rkervella you know the execute-assembly code better than me, would it be hard to add a pid or something?

Not really hard no, there's a bunch of stuff I plan on adding around execute-assembly and sideload for session prepping (like parent PID spoofing or command line argument selection for the sacrificial process). Selecting an existing process could be another option, although the risk of crashing the host process is usually not worth it.

Another option would be to port https://github.com/anthemtotheego/InlineExecute-Assembly that way we could load assemblies in the sliver process.

Finally, execute-assembly is just a wrapper around https://github.com/Binject/go-donut these days, which already includes an AMSI bypass (which we enable by default). It's possible the Donut loader itself is flagged too.

rkervella avatar Feb 15 '22 20:02 rkervella
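For the defender side of the behaviour discussed in this thread (a sacrificial process such as notepad.exe being spawned and receiving an injected .NET assembly), here is an added detection example that is not part of the Sliver project or of this issue: it walks constructed Sysmon-style image-load (Event ID 7) and process-create (Event ID 1) records and flags processes that should never host the CLR, correlating each hit with its parent. The key=value record format, the host allow-list and the sliver.exe parent path are assumptions made for the example.

```python
import re
from collections import defaultdict

# Modules whose load means the .NET runtime was brought into a process.
CLR_IMAGES = {"clr.dll", "coreclr.dll", "mscoree.dll", "clrjit.dll"}
# Hypothetical list of binaries that never legitimately host the CLR; tune per environment.
UNEXPECTED_CLR_HOSTS = {"notepad.exe", "mspaint.exe", "calc.exe", "write.exe"}

# Constructed sample records, simplified to key=value pairs (not real telemetry).
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\System32\notepad.exe ProcessId=4312 ParentImage=C:\Users\lab\sliver.exe CommandLine=notepad.exe
EventID=7 Image=C:\Windows\System32\notepad.exe ProcessId=4312 ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
EventID=7 Image=C:\Windows\System32\notepad.exe ProcessId=4312 ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
EventID=7 Image=C:\Program Files\PowerShell\7\pwsh.exe ProcessId=2200 ImageLoaded=C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.0\coreclr.dll
EventID=7 Image=C:\Windows\System32\notepad.exe ProcessId=5100 ImageLoaded=C:\Windows\System32\kernel32.dll
"""


def parse_event(line):
    """Split one record into a dict; values may contain spaces (e.g. 'Program Files')."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_unexpected_clr_hosts(events_text):
    """Return one finding per (image, pid) that is on the allow-list yet loaded a CLR module."""
    parents = {}            # (image, pid) -> parent image name, from Event ID 1
    hits = defaultdict(set)  # (image, pid) -> set of CLR module names loaded
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        image = basename(ev.get("Image", "")).lower()
        pid = ev.get("ProcessId")
        if ev.get("EventID") == "1":
            parents[(image, pid)] = basename(ev.get("ParentImage", ""))
        elif ev.get("EventID") == "7":
            loaded = basename(ev.get("ImageLoaded", "")).lower()
            if image in UNEXPECTED_CLR_HOSTS and loaded in CLR_IMAGES:
                hits[(image, pid)].add(loaded)
    return [
        {"image": img, "pid": pid, "clr_modules": sorted(mods),
         "parent": parents.get((img, pid), "unknown")}
        for (img, pid), mods in hits.items()
    ]


if __name__ == "__main__":
    for finding in find_unexpected_clr_hosts(SAMPLE_EVENTS):
        print(finding)
```

The same logic maps onto a SIEM query: join image-load events for CLR modules against a list of processes that have no reason to run managed code, then pivot on the parent to see what spawned them.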

Yea, I've actually not seen Defender flag execute-assembly before, but we've not jumped thru hoops to make it harder to detect either afaik.

moloch-- avatar Feb 15 '22 21:02 moloch--