2020-11-26 17:31

elevate when Windows Defender is active

Describe the bug If Windows Defender is running on target and the "elevate" command is run, it can cause a persistent issue that stops any exe from being executed on target.

If Windows Defender is set to remove threats automatically, or a user manually removes the UACBypass threat that occurs when elevate is ran, Defender will not allow the 'c:\windows\system32\windowspowershell\v1.0\powershell.exe -c " + command' registry value within HKCU\Software\Classes\exefile\shell\open\command registry to execute however will not remove the registry value. Because the registry value is still there, any time an executable is ran, Defender will stop the executable.

Code in question can be found at "github.com/bishopfox/sliver/sliver/priv/s47_windows.go"

To Reproduce Steps to reproduce the behavior: 1. Create a payload, set listener, and execute Sliver payload as usual (on Windows with updated Defender) 2. Open Windows Defender on target 3. Run "elevate" command associated with the above session 4. A Windows Defender alert will pop up associated with UACBypass. Select to remove this threat. 5. Attempt to open any exe. ie try to run cmd within search field on taskbar

Expected behavior The registry values within Software\Classes\exefile\open\command should be removed whether elevate is successful or not. At this time, if Defender stops UACBypass, the registry values will not be removed, causing the issue.

Desktop (please complete the following information): - OS: Microsoft Windows 10 Pro - Version 10.0.18362 Build 18362

Additional context To manually fix the issue, ctrl+shift+right click desktop and select "Open Powershell window here". run "reg delete HKCU\Software\Classes\exefile\open\command" to delete registry manually.


  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • weixin_39852647 weixin_39852647 5月前

    Closing this one, as elevate will be removed once the grpc branch will be merged.

    点赞 评论 复制链接分享
  • weixin_39852647 weixin_39852647 5月前

    Good catch, I'm gonna push a fix today when I find the time.

    As a side note, the elevate command might be removed in future versions, or improved to support multiple techniques (and not just the slui.exe one).

    点赞 评论 复制链接分享
  • weixin_39852647 weixin_39852647 5月前

    I can't reproduce on Windows 10 - Build 10.0.18362.

    The Software\Classes\exefile\open\command and Software\Classes\exefile\open are deleted in HKCU, and looks like defender placed a default one in HKLM.

    C:\Users\lab>reg query HKLM\Software\Classes\exefile\shell\open\command
        (Default)    REG_SZ    "%1" %*
        IsolatedCommand    REG_SZ    "%1" %*
    C:\Users\lab>reg query HKCU\Software\Classes\exefile\shell\open\command
    ERROR: The system was unable to find the specified registry key or value.

    Running any other program after the elevate command fails (due to Defender detecting it) does trigger unexpected behavior either.

    点赞 评论 复制链接分享
  • weixin_39852647 weixin_39852647 5月前

    I pushed a small update on 4a6a8bb, but I don't think it will solve your case (as I bet Defender will kill the sliver process before the shellExecuteW calls fails).

    点赞 评论 复制链接分享
  • weixin_39609051 weixin_39609051 5月前

    I've attempted to reproduce my initial results and the issue appears to be inconsistent. About half the time Software\Classes\exefile\open\command and Software\Classes\exefile\open are deleted after the UACBypass threat has been identified/removed by Defender and the other half they are not. I am unsure if the values/keys are being removed by Defender or removed by Sliver. I have noticed that the issue is more likely to occur the longer you allow elevate command to run (waiting 15+ seconds before removing UACBypass threat with Defender).

    The above was done after applying the 4a6a8bb update. I can reattempt to reproduce the issue without this update if you feel it would be beneficial.

    I hope this helps in recreating the issue. Either way thanks for looking into this.

    点赞 评论 复制链接分享