Skip to content

Add PPID spoofing for cursed commands and improve implant path resolution#2268

Draft
MKMithun2806 wants to merge 5 commits into
BishopFox:masterfrom
MKMithun2806:feature/stealth-improvements
Draft

Add PPID spoofing for cursed commands and improve implant path resolution#2268
MKMithun2806 wants to merge 5 commits into
BishopFox:masterfrom
MKMithun2806:feature/stealth-improvements

Conversation

@MKMithun2806

@MKMithun2806 MKMithun2806 commented May 27, 2026

Copy link
Copy Markdown
Contributor

PR Title

feat: Add PPID spoofing for cursed commands and improve implant path resolution


This PR implements several critical stealth improvements and resolves long-standing technical debt in the implant’s process execution and registration lifecycle.

These changes significantly enhance the framework’s OPSEC by giving operators better control over process lineage and ensuring reliable self-identification of the implant on target hosts.

Changes

1. PPID Spoofing for Cursed Commands

Operators can now spoof the Parent Process ID (PPID) when using the cursed suite of commands (chrome, edge, and electron).

This allows spawned browser processes to appear as children of legitimate system processes (e.g. explorer.exe or svchost.exe), making them much harder for EDR solutions to detect based on anomalous process trees.

  • Added --ppid / -P flag to all browser-based cursed commands
  • Implemented support in the generic Execute handler for Windows targets
  • Added cross-platform generic spoofing interface

2. Robust Implant Path Resolution

Resolved a long-standing TODO in the implant registration logic.

The implant now uses a more resilient method to determine its absolute path during initial check-in:

  • Falls back to os.Args[0] if os.Executable() fails
  • Ensures the server always receives accurate path metadata (critical for persistence, cleanup, and logging)

3. Windows Locale Handling Cleanup

Cleaned up and properly documented hardcoded locale constants in the jibberjabber package while maintaining full compatibility with the Windows API.

Technical Details

  • Branch: feature/stealth-improvements
  • Affected Components: Client CLI, Implant Handlers, Implant Runner
  • Key Files Changed:
    • client/command/cursed/commands.go
    • implant/sliver/handlers/handlers.go
    • implant/sliver/runner/runner.go
    • implant/sliver/spoof/spoof_generic.go (New file)

Checklist

  • PPID spoofing implemented for cursed commands
  • Resolved absolute path resolution TODO
  • Added cross-platform compatibility
  • Cleaned up and documented locale handling
  • Commits are signed

@MKMithun2806
MKMithun2806 requested a review from a team as a code owner May 27, 2026 05:45
@MKMithun2806
MKMithun2806 requested a review from FlakoJohnson May 27, 2026 05:45
@moloch--
moloch-- requested review from moloch-- and removed request for FlakoJohnson May 30, 2026 16:45
@MKMithun2806
MKMithun2806 marked this pull request as draft June 26, 2026 18:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants