
Bug: script block logging bypass not working

Status: Open. williamknows opened this issue (5 comments).

Config:

  • commit 3c3e059 (currently the latest) compiled with the default configuration for .NET 4.
  • Tested against Server 2016 and Windows 10 (from DetectionLab)
  • Execution via CNA script (import, then execution, of PowerView commands).

The script block logging bypass used no longer appears to work. I'm seeing a lot of 4104 logs for executed commands.

williamknows avatar Jan 23 '21 03:01 williamknows
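As an added check (not part of the original issue, the Stracciatella project, or any of the commenters' posts): the quickest way to confirm the report above is to run the command under test and then query the PowerShell Operational log for event ID 4104 (Script Block Logging) written since that moment. The function below does that and optionally filters on a pattern in the logged script text; the pattern `Get-NetUser` is only an illustrative PowerView cmdlet name, and the time window is an assumption you adjust to your test.

```powershell
# Added example, not code from the issue or from Stracciatella.
# Returns Script Block Logging events (ID 4104) written since $Since whose
# script text matches an optional regex. Assumes it runs on the test host with
# rights to read the Microsoft-Windows-PowerShell/Operational log.
function Get-ScriptBlockLogEvents {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-10),
        [string]$Pattern = $null      # hypothetical marker, e.g. a cmdlet you ran
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # For 4104, Properties[0..1] are MessageNumber/MessageTotal (a long block
        # is split into fragments), Properties[2] is ScriptBlockText,
        # Properties[3] is ScriptBlockId.
        $text = [string]$e.Properties[2].Value
        if ($Pattern -and ($text -notmatch $Pattern)) { continue }
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            Fragment      = "$($e.Properties[0].Value)/$($e.Properties[1].Value)"
            ScriptBlockId = $e.Properties[3].Value
            Snippet       = $text.Substring(0, [Math]::Min(80, $text.Length))
        }
    }
}

# Usage: note the time, run the command under test, then look for matching 4104s.
$start = Get-Date
# ... execute the PowerView command here (e.g. through Stracciatella) ...
$hits = @(Get-ScriptBlockLogEvents -Since $start -Pattern 'Get-NetUser')
if ($hits.Count -eq 0) {
    'No matching 4104 events: logging is off or the bypass held.'
} else {
    "$($hits.Count) matching 4104 event(s): the bypass did not take effect."
    $hits | Format-Table -AutoSize
}
```

Two caveats when reading the result: PowerShell 5 splits large script blocks across several 4104 events, so one command can produce many hits, and even with the logging policy disabled the engine still records script blocks it considers suspicious as Warning-level 4104 events, so a handful of hits for a tool like PowerView does not by itself prove that the policy bypass failed; compare the event volume and level against a run without the bypass.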

Damn, that's unfortunate. I'll look into this as soon as I find a spare minute.

Thanks for this issue report. Will keep it open until I address it.

Regards, Mariusz.

mgeeky avatar Mar 12 '21 19:03 mgeeky

There was a patch for the first bypass. It’s written down here:

https://cobbr.io/ScriptBlock-Logging-Bypass.html

https://gist.github.com/cobbr/d8072d730b24fbae6ffe3aed8ca9c407

It was changed somewhere around November 2017. I got the gist's bypass working two days ago ;-)

S3cur3Th1sSh1t avatar Mar 13 '21 11:03 S3cur3Th1sSh1t

Thanks @S3cur3Th1sSh1t for your heads-up! Makes it much easier to fix that one. Will try to hunt it down in a matter of days.

Cheers Mate! Mariusz.

mgeeky avatar Mar 14 '21 01:03 mgeeky

stracciatella-remote doesn't seem to work; the command still executes on localhost, though.

stracciatella-remote -v <remote IP address> <pipe name> <command>, here's the syntax I used. Weird that it still executes on localhost. Any help? :) thx

ghost avatar Sep 25 '21 19:09 ghost

This issue with Script Block Logging should now be addressed in the latest version. :)

Let me know if problem remains.

mgeeky avatar May 17 '22 01:05 mgeeky