Comments (4)
Typically memory scans are triggered via process behavior or based on a timer; avoiding the memory scan triggers is typically the best way to evade them.
from sliver.
Advanced EDR and AV can catch sliver implants even if they use SGN
This might be due to a combination of things, one of them being the obfuscator missing some key elements that are currently used as IOCs.
from sliver.
Thanks for the response, I was looking more deeply at how we can try to reduce a bit the memory permissions, and I found a Cobalt Strike Aggressor script that improves the way of compiling the shellcode to avoid this: https://github.com/kyleavery/AceLdr
I wonder if there is a way to implement this on Sliver, because the memory permissions that it uses are excessive and can be caught easily.
For example I was looking at it with Moneta and other memory scanners, and you can clearly see it.
Moneta v1.0 | Forrest Orr | 2020
... failed to grant SeDebug privilege to self. Certain processes will be inaccessible.
tls1.exe : 14900 : x64 : C:\Users\powned\Desktop\av\OPSEC IN PROCESS EXEC(SGN)OBF\x64\Release\tls1.exe
0x0000000002230000:0x001f8000 | DLL Image | C:\Windows\System32\ntdll.dll | Missing PEB module
0x0000000002C70000:0x01065000 | Private
0x0000000002C70000:0x01065000 | X | 0x00000000 | Abnormal private executable memory
0x0000000007C40000:0x010d4000 | Private
0x0000000007C40000:0x010d4000 | RWX | 0x00000000 | Abnormal private executable memory | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region
Thread 0x0000000007C9D080 [TID 0x00003a5c]
Thread 0x0000000007C9D5C0 [TID 0x00002f14]
Thread 0x0000000007C9D5C0 [TID 0x00002e24]
Thread 0x0000000007C9D5C0 [TID 0x00002ccc]
Thread 0x0000000007C9D5C0 [TID 0x000014e4]
Thread 0x0000000007C9D5C0 [TID 0x000009e8]
Thread 0x0000000007C9D5C0 [TID 0x00001d90]
0x0000000140000000:0x00045000 | EXE Image | C:\Users\powned\Desktop\av\OPSEC IN PROCESS EXEC(SGN)OBF\x64\Release\tls1.exe | Unsigned module
0x00007FFD943B0000:0x0001f000 | DLL Image | C:\Windows\System32\amsi.dll
0x00007FFD943B1000:0x00010000 | RX | .text | 0x00001000 | Modified code
0x00007FFD98B20000:0x0002d000 | DLL Image | C:\Windows\System32\wldp.dll
0x00007FFD98B21000:0x00017000 | RX | .text | 0x00004000 | Modified code
0x00007FFD9BAD0000:0x001f8000 | DLL Image | C:\Windows\System32\ntdll.dll
0x00007FFD9BAD1000:0x0011c000 | RX | .text | 0x0011a000 | Modified code
0x00007FFD9BAD1000:0x0011c000 | RX | PAGE | 0x0011a000 | Modified code
0x00007FFD9BAD1000:0x0011c000 | RX | RT | 0x0011a000 | Modified code
Thread 0x00007FFD9BB22B30 [TID 0x000036dc]
Thread 0x00007FFD9BB22B30 [TID 0x00003be8]
Thread 0x00007FFD9BB22B30 [TID 0x0000292c]
Thread 0x00007FFD9BB22B30 [TID 0x00002474]
Thread 0x00007FFD9BB22B30 [TID 0x00002380]
Thread 0x00007FFD9BB22B30 [TID 0x00001470]
Thread 0x00007FFD9BB22B30 [TID 0x0000128c]
Thread 0x00007FFD9BB22B30 [TID 0x00002da4]
In that situation it has just loaded my shellcode in memory, so everything above from this line, 0x0000000002C70000:0x01065000 | X | 0x00000000 | Abnormal private executable memory, is after loading the shellcode in memory with my custom loader.
I will try to see if there is a way to implement the Aggressor script from that repo, which would highly improve the mitigation of this type of scanner.
The issue is that the Aggressor script modifies how the shellcode is compiled, so I do not know how compatible that can be with the structure of Sliver.
from sliver.
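As an added example (not part of this thread, and not Moneta's or Sliver's code), here is a small Python triage script for reports in the format pasted above. The line layout (region header, sub-region with permissions and flags, `Thread ...` entries belonging to the preceding region) is inferred from that output and is an assumption; the sample report embedded in the script is a trimmed, constructed copy of it, and the severity ranking is this example's own choice, not Moneta's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: a trimmed copy of the Moneta report pasted in the thread above.
SAMPLE_REPORT = r"""
tls1.exe : 14900 : x64 : C:\Users\powned\Desktop\av\tls1.exe
0x0000000002230000:0x001f8000 | DLL Image | C:\Windows\System32\ntdll.dll | Missing PEB module
0x0000000002C70000:0x01065000 | Private
0x0000000002C70000:0x01065000 | X | 0x00000000 | Abnormal private executable memory
0x0000000007C40000:0x010d4000 | Private
0x0000000007C40000:0x010d4000 | RWX | 0x00000000 | Abnormal private executable memory | Thread within non-image memory region | Thread within non-image memory region
Thread 0x0000000007C9D080 [TID 0x00003a5c]
Thread 0x0000000007C9D5C0 [TID 0x00002f14]
0x0000000140000000:0x00045000 | EXE Image | C:\Users\powned\Desktop\av\tls1.exe | Unsigned module
0x00007FFD943B0000:0x0001f000 | DLL Image | C:\Windows\System32\amsi.dll
0x00007FFD943B1000:0x00010000 | RX | .text | 0x00001000 | Modified code
0x00007FFD9BAD0000:0x001f8000 | DLL Image | C:\Windows\System32\ntdll.dll
0x00007FFD9BAD1000:0x0011c000 | RX | .text | 0x0011a000 | Modified code
Thread 0x00007FFD9BB22B30 [TID 0x000036dc]
"""

# Line shapes assumed from the report above (not a documented Moneta grammar).
ADDR_RE = re.compile(r"^0x([0-9A-Fa-f]+):0x([0-9A-Fa-f]+)$")
HEX_RE = re.compile(r"^0x[0-9A-Fa-f]+$")
PERM_RE = re.compile(r"^(?:NA|[RWXC]{1,4})$")
THREAD_RE = re.compile(r"^Thread\s+0x([0-9A-Fa-f]+)\s+\[TID\s+0x([0-9A-Fa-f]+)\]$")


@dataclass
class SubRegion:
    base: int
    size: int
    perms: str
    sections: List[str]
    flags: List[str]


@dataclass
class Region:
    base: int
    size: int
    kind: str                 # "Private", "DLL Image", "EXE Image", ...
    path: str                 # image path, empty for private memory
    flags: List[str]
    subs: List[SubRegion] = field(default_factory=list)
    threads: List[Tuple[int, int]] = field(default_factory=list)  # (start address, TID)


@dataclass
class Finding:
    severity: str
    region: int
    detail: str


def parse_moneta(text: str) -> List[Region]:
    """Group report lines into regions, their sub-regions and the threads starting in them."""
    regions: List[Region] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = THREAD_RE.match(line)
        if m:
            if current is not None:  # thread lines follow the region their start address is in
                current.threads.append((int(m.group(1), 16), int(m.group(2), 16)))
            continue
        fields = [f.strip() for f in line.split("|")]
        m = ADDR_RE.match(fields[0])
        if not m or len(fields) < 2:
            continue                  # banner, process header or other non-memory line
        base, size = int(m.group(1), 16), int(m.group(2), 16)
        if PERM_RE.match(fields[1]):
            # Sub-region: addr | perms | [section names...] | file offset | flags...
            offsets = [i for i, f in enumerate(fields) if i >= 2 and HEX_RE.match(f)]
            last = offsets[-1] if offsets else 1
            if current is not None:
                current.subs.append(SubRegion(base, size, fields[1], fields[2:last], fields[last + 1:]))
            continue
        # Region header: addr | kind | [image path] | flags...
        path = fields[2] if len(fields) > 2 and ("\\" in fields[2] or "/" in fields[2]) else ""
        current = Region(base, size, fields[1], path, fields[3:] if path else fields[2:])
        regions.append(current)
    return regions


RANK = {"high": 0, "medium": 1, "low": 2}


def triage(regions: List[Region]) -> List[Finding]:
    """Rank what the report flags; these severities are this example's own, not Moneta's."""
    out: List[Finding] = []
    for r in regions:
        for s in r.subs:
            if r.kind == "Private" and "X" in s.perms:
                # Writable+executable, or threads starting inside the region, is the strongest signal.
                sev = "high" if "W" in s.perms or r.threads else "medium"
                detail = f"private {s.perms} memory, {s.size:#x} bytes"
                if r.threads:
                    detail += f", {len(r.threads)} thread(s) starting inside it"
                out.append(Finding(sev, r.base, detail))
            if "Modified code" in s.flags:
                # Image code differing from the file on disk: inline hooks or patches.
                secs = ", ".join(s.sections) or "unknown section"
                out.append(Finding("medium", r.base, f"modified code in {r.path} ({secs})"))
        if "Missing PEB module" in r.flags:
            out.append(Finding("high", r.base, f"image not linked in the PEB: {r.path}"))
        if "Unsigned module" in r.flags:
            out.append(Finding("low", r.base, f"unsigned module: {r.path}"))
    out.sort(key=lambda f: (RANK[f.severity], f.region))
    return out


if __name__ == "__main__":
    for f in triage(parse_moneta(SAMPLE_REPORT)):
        print(f"[{f.severity:6}] {f.region:#018x}  {f.detail}")
```

Run it on a saved Moneta report (`parse_moneta(open("moneta.txt").read())`) to get the same ranking over a real scan; the RWX private region with threads starting inside it is the finding that corresponds to the loader behaviour complained about above, and the "Modified code" entries in amsi.dll and ntdll.dll are reported separately because they can come from either the implant or an EDR's own hooks.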
Sliver shellcodes are built using go-donut, which is a Go implementation of donut. This means that any artifacts or suspicious behavior that donut leaves or generates, Sliver will probably have as well.
from sliver.