
Comments (4)

moloch-- avatar moloch-- commented on June 1, 2024

Typically memory scans are triggered via process behavior or based on a timer; avoiding the memory scan triggers is typically the best way to evade them.

from sliver.

rkervella avatar rkervella commented on June 1, 2024

Advanced EDR and AV can catch sliver implants even if they use SGN

This might be due to a combination of things, one of them being the obfuscator missing some key elements that are currently used as IOCs.

from sliver.

kamisw03 avatar kamisw03 commented on June 1, 2024

Thanks for the response, I was looking more deeply at how we can try to reduce a bit the memory permissions, and I found a Cobalt Strike Aggressor script that improves the way of compiling the shellcode to avoid this: https://github.com/kyleavery/AceLdr
I wonder if there is a way to implement this on Sliver, because the memory permissions that it uses are excessive and can be caught easily.
For example I was looking at it with Moneta and other memory scanners, and you can clearly see it.

   _____                        __
  /     \   ____   ____   _____/  |______
 /  \ /  \ /  _ \ /    \_/ __ \   __\__  \
/    Y    (  <_> )   |  \  ___/|  |  / __ \_
\____|__  /\____/|___|  /\___  >__| (____  /
        \/            \/     \/          \/

Moneta v1.0 | Forrest Orr | 2020

... failed to grant SeDebug privilege to self. Certain processes will be inaccessible.

tls1.exe : 14900 : x64 : C:\Users\powned\Desktop\av\OPSEC IN PROCESS EXEC(SGN)OBF\x64\Release\tls1.exe
  0x0000000002230000:0x001f8000   | DLL Image           | C:\Windows\System32\ntdll.dll | Missing PEB module
  0x0000000002C70000:0x01065000   | Private
    0x0000000002C70000:0x01065000 | X        | 0x00000000 | Abnormal private executable memory
  0x0000000007C40000:0x010d4000   | Private
    0x0000000007C40000:0x010d4000 | RWX      | 0x00000000 | Abnormal private executable memory | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region | Thread within non-image memory region
      Thread 0x0000000007C9D080 [TID 0x00003a5c]
      Thread 0x0000000007C9D5C0 [TID 0x00002f14]
      Thread 0x0000000007C9D5C0 [TID 0x00002e24]
      Thread 0x0000000007C9D5C0 [TID 0x00002ccc]
      Thread 0x0000000007C9D5C0 [TID 0x000014e4]
      Thread 0x0000000007C9D5C0 [TID 0x000009e8]
      Thread 0x0000000007C9D5C0 [TID 0x00001d90]
  0x0000000140000000:0x00045000   | EXE Image           | C:\Users\powned\Desktop\av\OPSEC IN PROCESS EXEC(SGN)OBF\x64\Release\tls1.exe | Unsigned module
  0x00007FFD943B0000:0x0001f000   | DLL Image           | C:\Windows\System32\amsi.dll
    0x00007FFD943B1000:0x00010000 | RX       | .text    | 0x00001000 | Modified code
  0x00007FFD98B20000:0x0002d000   | DLL Image           | C:\Windows\System32\wldp.dll
    0x00007FFD98B21000:0x00017000 | RX       | .text    | 0x00004000 | Modified code
  0x00007FFD9BAD0000:0x001f8000   | DLL Image           | C:\Windows\System32\ntdll.dll
    0x00007FFD9BAD1000:0x0011c000 | RX       | .text    | 0x0011a000 | Modified code
    0x00007FFD9BAD1000:0x0011c000 | RX       | PAGE     | 0x0011a000 | Modified code
    0x00007FFD9BAD1000:0x0011c000 | RX       | RT       | 0x0011a000 | Modified code
      Thread 0x00007FFD9BB22B30 [TID 0x000036dc]
      Thread 0x00007FFD9BB22B30 [TID 0x00003be8]
      Thread 0x00007FFD9BB22B30 [TID 0x0000292c]
      Thread 0x00007FFD9BB22B30 [TID 0x00002474]
      Thread 0x00007FFD9BB22B30 [TID 0x00002380]
      Thread 0x00007FFD9BB22B30 [TID 0x00001470]
      Thread 0x00007FFD9BB22B30 [TID 0x0000128c]
      Thread 0x00007FFD9BB22B30 [TID 0x00002da4]

In that situation it just loaded my shellcode in memory, so everything above from this line "0x0000000002C70000:0x01065000 | X | 0x00000000 | Abnormal private executable memory" is after loading the shellcode in memory with my custom loader.

I will try to see if there is a way to implement the Aggressor script from that repo, which would highly improve the mitigation of this type of scanner.
The issue is that the Aggressor script modifies how the shellcode is compiled, so I do not know how compatible that can be with the structure of Sliver.

from sliver.
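The Moneta listing pasted above is normally read by eye; for a defender reviewing several such scans, it helps to parse the text and rank the regions by what was flagged. The following parser is an added example, not code from this thread, from Moneta or from Sliver. It assumes the column layout shown in the scan above (a "name : pid : arch : path" header, regions indented two spaces, sub-regions four, threads six, fields separated by "|"), and the severity weights are this example's own choice rather than anything Moneta itself assigns.

```python
"""Parse Moneta 1.0 text output and rank the regions it flags.

Added example, not code from this thread, Moneta or Sliver. It assumes the
layout of the scan pasted above; descriptive flags contain spaces, while
permission, section and offset tokens do not, which is how they are told apart.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abridged copy of the scan posted in the thread above.
SAMPLE = r"""tls1.exe : 14900 : x64 : C:\Users\powned\Desktop\av\OPSEC IN PROCESS EXEC(SGN)OBF\x64\Release\tls1.exe
  0x0000000002230000:0x001f8000   | DLL Image           | C:\Windows\System32\ntdll.dll | Missing PEB module
  0x0000000002C70000:0x01065000   | Private
    0x0000000002C70000:0x01065000 | X        | 0x00000000 | Abnormal private executable memory
  0x0000000007C40000:0x010d4000   | Private
    0x0000000007C40000:0x010d4000 | RWX      | 0x00000000 | Abnormal private executable memory | Thread within non-image memory region | Thread within non-image memory region
      Thread 0x0000000007C9D080 [TID 0x00003a5c]
      Thread 0x0000000007C9D5C0 [TID 0x00002f14]
  0x0000000140000000:0x00045000   | EXE Image           | C:\Users\powned\Desktop\av\OPSEC IN PROCESS EXEC(SGN)OBF\x64\Release\tls1.exe | Unsigned module
  0x00007FFD943B0000:0x0001f000   | DLL Image           | C:\Windows\System32\amsi.dll
    0x00007FFD943B1000:0x00010000 | RX       | .text    | 0x00001000 | Modified code
"""

HEADER_RE = re.compile(r"^(\S+) : (\d+) : (x64|x86) : (.*)$")
REGION_RE = re.compile(r"^( {2}| {4})0x([0-9A-Fa-f]{16}):0x([0-9A-Fa-f]{8})\s*\|(.*)$")
THREAD_RE = re.compile(r"^ {6}Thread 0x[0-9A-Fa-f]+ \[TID 0x([0-9A-Fa-f]+)\]")


@dataclass
class Region:
    base: int
    size: int
    kind: str                 # Private, DLL Image, EXE Image, ...
    module: Optional[str]     # backing file for image regions
    perms: Optional[str]      # X, RX, RWX, ... (sub-regions only)
    flags: list[str] = field(default_factory=list)
    threads: list[int] = field(default_factory=list)   # TIDs found inside the region


@dataclass
class Scan:
    process: str
    pid: int
    arch: str
    path: str
    regions: list[Region] = field(default_factory=list)


def parse_moneta(text: str) -> Scan:
    scan, parent, current = Scan("", 0, "", ""), None, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            scan = Scan(m[1], int(m[2]), m[3], m[4])
        elif m := REGION_RE.match(line):
            indent, base, size, rest = m.groups()
            fields = [f.strip() for f in rest.split("|")]
            if indent == "  ":                       # top-level region
                kind = fields[0]
                module = fields[1] if kind.endswith("Image") and len(fields) > 1 else None
                tail = fields[2:] if module else fields[1:]
                current = parent = Region(int(base, 16), int(size, 16), kind, module, None)
            elif parent is not None:                 # sub-region: inherits kind/module
                tail = fields[1:]
                current = Region(int(base, 16), int(size, 16), parent.kind, parent.module, fields[0])
            else:
                continue
            current.flags = [f for f in tail if " " in f]   # the wordy fields are flags
            scan.regions.append(current)
        elif (m := THREAD_RE.match(line)) and current is not None:
            current.threads.append(int(m[1], 16))
    return scan


# Weights are this example's own choice, not a Moneta rating; unknown flags count 1.
SEVERITY = {
    "Abnormal private executable memory": 3,
    "Thread within non-image memory region": 3,
    "Missing PEB module": 3,
    "Modified code": 1,        # also produced by legitimate user-mode hooks
    "Unsigned module": 1,
}


def triage(scan: Scan) -> list[dict]:
    """Return flagged regions as dicts, highest score first."""
    findings = []
    for r in scan.regions:
        if not r.flags:
            continue
        reasons = sorted(set(r.flags))
        score = sum(SEVERITY.get(f, 1) for f in reasons)
        if r.perms and "W" in r.perms and "X" in r.perms:
            score += 2             # writable+executable is rarely needed by benign code
        findings.append({"base": f"0x{r.base:016X}", "kind": r.kind, "module": r.module,
                         "perms": r.perms, "thread_count": len(r.threads),
                         "reasons": reasons, "score": score})
    findings.sort(key=lambda f: (-f["score"], f["base"]))
    return findings
```

Calling `triage(parse_moneta(SAMPLE))` puts the RWX private region that owns threads at the top, the second ntdll mapping with no PEB entry and the X-only private region next, and the "Modified code" and "Unsigned module" hits last. The low weight on "Modified code" is deliberate: patched .text in amsi.dll, wldp.dll or ntdll.dll is also what a security product's own user-mode hooks look like, so on its own it needs comparison against a clean baseline of the same host before it means anything, whereas private RWX memory with threads running in it is a strong signal by itself.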

rkervella avatar rkervella commented on June 1, 2024

Sliver shellcodes are built using go-donut, which is a Go implementation of donut. This means that any artifacts or suspicious behavior that donut leaves or generates, Sliver will probably have them too.

from sliver.
