From 5384760ae0d90fb48dbf6199eddd430c08052b7b Mon Sep 17 00:00:00 2001 From: cobbr Date: Fri, 5 Feb 2021 22:01:07 -0600 Subject: [PATCH] Added BypassETW task --- CHANGELOG.md | 1 + Covenant/Data/Tasks/SharpSploit.Evasion.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2b1f4c1..1877b5ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added Covenant trace logging - Added ServiceBinary launcher, added PSExecCommand Task - Added OutputKind to LauncherForm +- Added BypassETW task ### Changed - Disallow Administrators from changing other user's passwords diff --git a/Covenant/Data/Tasks/SharpSploit.Evasion.yaml b/Covenant/Data/Tasks/SharpSploit.Evasion.yaml index 0c5aa350..1bffb796 100644 --- a/Covenant/Data/Tasks/SharpSploit.Evasion.yaml +++ b/Covenant/Data/Tasks/SharpSploit.Evasion.yaml @@ -42,7 +42,7 @@ Description: SharpSploit is a library for C# post-exploitation modules. Location: SharpSploit\SharpSploit\ Language: CSharp - CompatibleDotNetVersions: &o0 + CompatibleDotNetVersions: - Net35 - Net40 ReferenceAssemblies: @@ -91,9 +91,9 @@ EmbeddedResources: [] ReferenceAssemblies: [] EmbeddedResources: [] -- Name: DisableETW +- Name: BypassETW Aliases: [] - Description: Disable ETW by patching the EtwEventWrite function. + Description: Bypass ETW by patching the EtwEventWrite function. Author: Name: 'Simone Salucci & Daniel López' Handle: 'saim1z, attl4s' @@ -113,7 +113,7 @@ { try { - if (ETW.PatchEtw()) + if (ETW.PatchETWEventWrite()) { return "ETW Patch Succeeded."; } @@ -134,7 +134,7 @@ Description: SharpSploit is a library for C# post-exploitation modules. Location: SharpSploit\SharpSploit\ Language: CSharp - CompatibleDotNetVersions: &o0 + CompatibleDotNetVersions: - Net35 - Net40 ReferenceAssemblies:
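Review bot: In the CHANGELOG.md hunk, the entry `+- Added BypassETW task` goes under the "Added" list, but the yaml diff below shows this is a rename of the existing `DisableETW` task (`-- Name: DisableETW` / `+- Name: BypassETW`), not a new task. Operators with saved task lists or scripts keyed on `DisableETW` will find it gone. Move the entry to the "### Changed" section and word it as a rename, e.g. `- Renamed DisableETW task to BypassETW`.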
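Review bot: In the `@@ -42,7 +42,7 @@` hunk, dropping the `&o0` YAML anchor from `CompatibleDotNetVersions` is only safe if nothing later in `SharpSploit.Evasion.yaml` still references it with `*o0`; a dangling alias makes the whole task file fail to parse, which would take every task in the file offline, not just this one. The `@@ -134,7 +134,7 @@` hunk removes a second `&o0` on another task, so the anchor name was already duplicated and the second definition would have shadowed the first. Grep the file for `*o0` before merging, and since this anchor cleanup is unrelated to the ETW rename, either split it into its own commit or mention it in the commit message.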
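Review bot: In the `@@ -91,9 +91,9 @@` hunk, the task is renamed but `Aliases: []` directly under `+- Name: BypassETW` stays empty. The Aliases field exists for exactly this case; adding the old name (`Aliases: [DisableETW]`) keeps existing playbooks working while the new name becomes canonical. The description change from "Disable ETW" to "Bypass ETW" is fine, but it would help operators to state that patching `EtwEventWrite` only affects the Grunt's own process, so events from other processes and from kernel-mode providers are untouched.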
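Review bot: In the `@@ -113,7 +113,7 @@` hunk, `ETW.PatchEtw()` becomes `ETW.PatchETWEventWrite()`, which is a call into the SharpSploit library referenced from `Location: SharpSploit\SharpSploit\`, yet nothing in this patch updates that dependency. If the bundled SharpSploit source still exposes `PatchEtw` rather than `PatchETWEventWrite`, the task source will fail to compile when a Grunt task is built, and the failure surfaces at tasking time rather than at merge. Confirm the SharpSploit revision pinned in the repo already contains `PatchETWEventWrite`, or bump it in the same change. Note also that the `return "ETW Patch Succeeded.";` message is unchanged; if the method can now return false for a reason other than a failed write (e.g. the export was not found), the else branch should report that distinctly so operators can tell a blocked patch from a missing target.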