Are you trying to use the Living Off The Land PoC to evade detection of the r77 Rootkit? If it's regarding the detection of r77, there is already an open issue, which I'll be investigating this week. I hope I'm able to fix it soon.
r77 is actually using the technique that the LOTL PoC implements, except it uses scheduled tasks instead of registry startup - and has an improved RunPE. You won't achieve AV evasion by encapsulating the rootkit in the LOTL demo, but I'm working on evasion of r77 at the moment. LOTL is actually just a reference implementation for a fileless persistence. If you need to implement fileless persistence for a project of yours, you can use lots of the code in the LOTL project.
But tell me, what exactly is your intention? You said you want to start two executables. That's possible (add a new line here), but what is your goal?
If I understand you correctly, you're trying to implement a workaround against the detection of r77 prior to an r77 update that fixes the issue.
However, using the LOTL demo to start the installer or both stager executables won't help you with this for the following reasons:
- r77 must run with elevated privileges. Otherwise, the rootkit only gets injected into medium IL processes. The TaskMgr, for example, is an elevated process. This is why the r77 installer requires admin privileges once - and from that point forward persists elevated privileges using scheduled tasks. (Documentation: 1.4.1 Elevated Privileges)
- r77 uses scheduled tasks instead of the Run\ registry key in order to persist elevated privileges. LOTL uses the registry key, because it's a PoC and anything beyond PoC is an exercise for the reader. r77 already implements the techniques you see in LOTL, but with some extended functionality: Scheduled tasks and RunPE 64 bit injection.
- Therefore, if r77 has problems with detection, LOTL will likely have the same issues.
Hence, it's inevitable to fix detection issues. There is no easy workaround. It's definitely good practice to start Install.exe using RunPE rather than dropping the file. But if the stager is failing due to AV detection, then I need to fix this, as it is an internal component that's not working correctly.
But as I mentioned before, evading AV detection is a daunting task and definitely not something that I can fix with a few lines of code by tomorrow. It's currently the number 1 priority for the r77 project.
What I will try next is to fiddle with the PowerShell commandline of the stager, as well as the name of the scheduled tasks, to see if there is a signature based detection involved.
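As an added example, not code from the LOTL or r77 projects: a defender-side PowerShell audit that enumerates the two autostart locations contrasted above (the Run/RunOnce registry keys and scheduled tasks, including their run level) and flags entries that launch PowerShell with hidden-window or encoded-command flags. The indicator substrings and the output fields are my own assumptions, not anything r77 or LOTL documents.

```powershell
# Added audit script (not part of LOTL or r77). Run as an administrator so that
# HKLM and tasks of other users are visible. Lists autostart entries that launch
# PowerShell with the flags a hidden stager typically needs.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicator list: a PowerShell launcher plus at least one hiding/encoding flag.
$indicators = @('-enc', '-encodedcommand', '-windowstyle hidden', '-w hidden',
                'iex', 'invoke-expression', 'frombase64string', '-noprofile')

function Test-SuspiciousCommand([string]$cmd) {
    $lower = $cmd.ToLowerInvariant()
    if ($lower -notlike '*powershell*') { return $false }
    return (@($indicators | Where-Object { $lower -like "*$_*" })).Count -ge 1
}

# Provider metadata properties that Get-ItemProperty adds and that are not Run values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$runFindings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        if (Test-SuspiciousCommand ([string]$p.Value)) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value
                               Elevated = ($key -like 'HKLM:*') }
        }
    }
}

$taskFindings = foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspiciousCommand $cmd) {
            [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName
                               Command = $cmd; Elevated = ($task.Principal.RunLevel -eq 'Highest') }
        }
    }
}

$findings = @($runFindings) + @($taskFindings)
$findings | Format-Table -AutoSize -Wrap
```

Entries with Elevated set to True are the ones that would survive a reboot with high integrity, which is the property the thread says r77 relies on and LOTL's Run key does not provide.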
Hi,
My goal is to start a stager first, that will download the files of the rootkit. It works fine.
My second exe is the rootkit I downloaded, but when the stager tries to execute it, or even any other regular exe, it's blocked by Windows AV, and I get error 1223.
That's the reason I asked if it was possible to start 2 exes with Living off the land exe.
BR
Hi,
Well, I don't really get why you're talking about r77, is this another project? Can you tell me more?
BR
I just assumed that you were talking about r77, because your description somehow perfectly matched - my bad for not asking.
r77 is another project of mine, hosted here on GitHub. It's a rootkit that uses the techniques from my LOTL PoC, except using scheduled tasks instead of the registry key to retain elevated privileges across reboots.
Is this question related to issue #5?
Hi,
I think we could close this issue, since the best option in this situation is to make my rootkit persistent, so it will be started at the next boot.