Bug: script block logging bypass not working #4

williamknows · 2021-01-23T03:25:22Z

Config:

commit 3c3e059 (currently the latest) compiled with the default configuration for .NET 4.
Tested against Server 2016 and Windows 10 (from DetectionLab)
Execution via CNA script (import then execute of PowerView commands).

The script block logging bypass used no longer appears to work. I'm seeing a lot of 4104 logs for executed commands.

The text was updated successfully, but these errors were encountered:

mgeeky · 2021-03-12T19:44:05Z

Damn, that's unfortunate. I'll look into this as soon as I find a spare minute.

Thanks for this issue report. Will keep it open until I address it.

Regards,
Mariusz.

S3cur3Th1sSh1t · 2021-03-13T11:20:44Z

There was a patch for the first bypass. It’s written down here:

It was changed somewhere around November 2017. I got the gists bypass working two days ago ;-)

mgeeky · 2021-03-14T01:08:25Z

Thanks @S3cur3Th1sSh1t for your heads-up! Makes it way much easier to fix that one. Will try to hunt it down in a matter of days.

Cheers Mate!
Mariusz.

ghost · 2021-09-25T19:56:40Z

stracciatella-remote doesn't seem to work , the command still executes on localhost though.

stracciatella-remote -v remote ip adress + pipe name + command , here's the syntax I used, weird it still execute on localhost.
Any help ? :) thx

mgeeky · 2022-05-17T01:57:44Z

This issue with Script Block Logging should be now addressed in the latest version. :)

Let me know if problem remains.

Provide feedback