[FEATURE] Executable on unobfuscating NAA

Question

[FEATURE] Executable on unobfuscating NAA

fatmeat opened this issue a year ago · 6 comments

Describe the solution you'd like
Hello Mayyhem, is it possible to release a separated executable on unobfuscating NAA policy?
I fail to complie the source code in my environment.

Answer 1 · 2023-06-15T20:30:40.000Z

Hey @fatmeat! As of PR #28, deobfuscation of secret policies should happen automatically, but you can also use the DeobfuscateSecretString project within the SharpSCCM solution to deobfuscate the strings too. Does that answer your question? What errors does the compiler display when you try to build the solution?

Answer 2 · 2023-06-16T15:09:56.000Z

I complied the DeobfuscateSecretString and feed it with HEX, but show "Error: The operation completed successfully."

May I know the exe need to run in same SCCM client?

Answer 3 · 2023-06-16T18:50:02.000Z

@fatmeat , the exe for DeobfuscateSecretString does not need to be ran from a ConfigMgr client. Could you please paste redacted screenshots of the output of the commands you used to obtain the secret string you're trying to reverse and the output of DeobfuscateSecretString? If you'd like to send privately, please message me on the BloodHoundGang Slack. I'm @Mayyhem there too.

Answer 4 · 2023-06-21T12:41:50.000Z

Any luck @fatmeat ?

Answer 5 · 2023-07-08T15:39:28.000Z

@fatmeat I just want to bump this one more time before closing this issue. Were you able to resolve this issue?

Answer 6 · 2023-07-11T10:39:31.000Z

@Mayyhem Sorry for the late reply, it works on other endpoint. I'm gonna close this, thank you so much!