relay: re-TreeConnect IPC$ in RemoteRegistry restore #20

Merged
psycep merged 1 commit into main from fix-restore-svcctl-tree
Apr 24, 2026
Conversation

@psycep psycep (Collaborator) commented Apr 24, 2026

Summary

Follow-up to #19. After a successful relay samdump/secretsdump the deferred restoreRemoteRegistryState was calling CreatePipe("svcctl") and getting STATUS_OBJECT_NAME_NOT_FOUND (0xc0000034). The attack downloads its hives from ADMIN$ before returning, which switches the SMB session's tree away from IPC$, and svcctl lives on IPC$.

Fixed by re-TreeConnect'ing to IPC$ at the top of restoreRemoteRegistryState. The function is now tree-state-agnostic and safe to invoke from any defer position without coupling to the attack's tree management.

Test plan

  • go build ./... clean
  • go vet ./... clean
  • go test ./... passes
  • Live against GOAD: set srv02 RemoteRegistry to Stopped+Manual, relayed eddard.stark via net use, watched:
    [*] Service RemoteRegistry is in stopped state
    [*] Starting service RemoteRegistry
    [*] Target system bootKey: 0xd7efaab1c41ab132c3583b4b89791070
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    Administrator:500:...:dbd13e1c4e338284ac4e9874f7de6ef4:::
    ...
    [*] Cleanup complete
    [*] Stopping service RemoteRegistry          ← this is the new behavior
    
  • Post-attack srv02 state: Stopped Manual (was Running Manual before this fix — service was left running)
  • SAM hash output byte-identical to the pre-fix test, so the attack path itself is unchanged

After a successful relay samdump/secretsdump the deferred
restoreRemoteRegistryState tried to CreatePipe("svcctl") and got
STATUS_OBJECT_NAME_NOT_FOUND (0xc0000034). The attack downloads its
hives from ADMIN$ before returning, which switches the SMB session's
tree away from IPC$, and svcctl lives on IPC$.

Fixed by re-TreeConnect'ing to IPC$ at the top of
restoreRemoteRegistryState. The function is now tree-state-agnostic
and safe to invoke from any defer position without coupling to the
attack's tree management.

Verified live against GOAD srv02 with RemoteRegistry set to
Stopped+Manual and eddard.stark relayed via net use: attack
auto-starts the service, dumps SAM hashes, then cleanup stops the
service and srv02's final state is Stopped+Manual again (was
Running+Manual before this fix).
@psycep psycep merged commit 8d16dfe into main Apr 24, 2026
2 checks passed