Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unobfuscated strings in binary #1760

Open
CodeXTF2 opened this issue Aug 16, 2024 · 3 comments
Open

Unobfuscated strings in binary #1760

CodeXTF2 opened this issue Aug 16, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@CodeXTF2
Copy link

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Generate a Sliver beacon for windows in exe format. e.g. generate --http {ip} --os windows
  2. Run the beacon
  3. Run the yara rule https://github.com/elastic/protections-artifacts/blob/1e357aaca865d37279e71c8ddec10e01a051c0ab/yara/rules/Multi_Trojan_Sliver.yar#L2 using yara64.exe

Expected behavior
Unobfuscated strings are found in the Sliver binary and in memory

Desktop (please complete the following information):

  • OS: Windows

Additional context
The strings identified were:

Matched String: ").RequestResend"
Matched String: ").GetPrivInfo"
Matched String: "B/Z-github.com/bishopfox/sliver/protobuf/sliverpbb" ascii fullword
Matched String: "InvokeSpawnDllReq" ascii fullword
Matched String: "NetstatReq" ascii fullword
Matched String: "HTTPSessionInit" ascii fullword
Matched String: "ScreenshotReq" ascii fullword
Matched String: "RegistryReadReq" ascii fullword

@rkervella
Copy link
Member

This is a known issue. Still not sure if it's a regression in Garble or if something changed in the protobuf library, or a bit of both. Either way, Garble is not picking up the protobuf methods, which makes for easy signatures to be built.

@rkervella rkervella added the bug Something isn't working label Aug 16, 2024
@moloch--
Copy link
Member

At least the DNS ones are gone, not sure why these are showing up.

@dalemazza
Copy link

These are on most of the Yara rules on GitHub for sliver. I just did a dirty find and replace on the strings to get around the rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants