Bug: script block logging bypass not working
williamknows opened this issue · 5 comments
Config:
- commit 3c3e059 (currently the latest) compiled with the default configuration for .NET 4.
- Tested against Server 2016 and Windows 10 (from DetectionLab)
- Execution via CNA script (import then execute of PowerView commands).
The script block logging bypass used no longer appears to work. I'm seeing a lot of 4104 logs for executed commands.
Damn, that's unfortunate. I'll look into this as soon as I find a spare minute.
Thanks for this issue report. Will keep it open until I address it.
Regards,
Mariusz.
There was a patch for the first bypass. It’s written down here:
https://cobbr.io/ScriptBlock-Logging-Bypass.html
https://gist.github.com/cobbr/d8072d730b24fbae6ffe3aed8ca9c407
It was changed somewhere around November 2017. I got the gist's bypass working two days ago ;-)
Thanks @S3cur3Th1sSh1t for your heads-up! Makes it way much easier to fix that one. Will try to hunt it down in a matter of days.
Cheers Mate!
Mariusz.
stracciatella-remote doesn't seem to work, the command still executes on localhost though.
stracciatella-remote -v remote IP address + pipe name + command, here's the syntax I used, weird it still executes on localhost.
Any help? :) thx
This issue with Script Block Logging should now be addressed in the latest version. :)
Let me know if the problem remains.