mgeeky/Stracciatella

Bug: script block logging bypass not working

williamknows opened this issue · 5 comments

Config:

  • commit 3c3e059 (currently the latest) compiled with the default configuration for .NET 4.
  • Tested against Server 2016 and Windows 10 (from DetectionLab)
  • Execution via CNA script (import then execute of PowerView commands).

The script block logging bypass used no longer appears to work. I'm seeing a lot of 4104 logs for executed commands.

Damn, that's unfortunate. I'll look into this as soon as I find a spare minute.

Thanks for this issue report. Will keep it open until I address it.

Regards,
Mariusz.

There was a patch for the first bypass. It’s written down here:

https://cobbr.io/ScriptBlock-Logging-Bypass.html

https://gist.github.com/cobbr/d8072d730b24fbae6ffe3aed8ca9c407

It was changed somewhere around November 2017. I got the gist's bypass working two days ago ;-)

Thanks @S3cur3Th1sSh1t for your heads-up! Makes it much easier to fix that one. Will try to hunt it down in a matter of days.

Cheers Mate!
Mariusz.

stracciatella-remote doesn't seem to work; the command still executes on localhost though.

stracciatella-remote -v remote IP address + pipe name + command is the syntax I used. Weird that it still executes on localhost.
Any help? :) thx

This issue with Script Block Logging should be now addressed in the latest version. :)

Let me know if the problem remains.