mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
a
parent 06da15b531
commit f4f8791dd9
@ -33,9 +33,15 @@ This [page](https://docs.microsoft.com/en-us/windows/security/identity-protectio
Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.
Many auto-elevate processes expose **functionality via COM objects or RPC servers**, which can be invoked from processes running with medium integrity (regular user-level privileges). Note that COM (Component Object Model) and RPC (Remote Procedure Call) are methods Windows programs use to communicate and execute functions across different processes. For example, **`IFileOperation COM object`** is designed to handle file operations (copying, deleting, moving) and can automatically elevate privileges without a prompt.
Note that some checks might be performed, like checking if the process was run from the **System32 directory**, which can be bypassed for example **injecting into explorer.exe** or another System32-located executable.
Another way to bypass these checks is to **modify the PEB**. Every process in Windows has a Process Environment Block (PEB), which includes important data about the process, such as its executable path. By modifying the PEB, attackers can fake (spoof) the location of their own malicious process, making it appear to run from a trusted directory (like system32). This spoofed information tricks the COM object into auto-elevating privileges without prompting the user.
Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. (`sigcheck.exe -m <file>`) And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
### Check UAC
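Review bot: the new parenthetical `(sigcheck.exe -m <file>)` is dropped between two sentences, so it reads as a stray fragment in front of "And you can **see**...". Fold it into the first sentence instead: "You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals (`sigcheck.exe -m <file>`), and you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_." The unchanged context line above it should also read "these kinds of binaries" rather than "this kind of binaries".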
@ -155,6 +155,8 @@ Notice how it prepends `amsi:` and then the path to the executable from which th
We didn't drop any file to disk, but still got caught in-memory because of AMSI.
Moreover, starting with **.NET 4.8**, C# code is run through AMSI as well. This even affects `Assembly.Load(byte[])` to load in-memory execution. Thats why using lower versions of .NET (like 4.7.2 or below) is recommended for in-memory execution if you want to evade AMSI.
There are a couple of ways to get around AMSI:
- **Obfuscation**
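Review bot: the added .NET 4.8 sentence has a typo ("Thats" → "That's") and "to load in-memory execution" is not grammatical. It is also imprecise: AMSI does not scan "C# code"; starting with .NET Framework 4.8 the CLR submits assemblies loaded from memory (for example via `Assembly.Load(byte[])`) to AMSI. Suggested wording: "Moreover, starting with **.NET 4.8**, the CLR submits assemblies loaded from memory (e.g. `Assembly.Load(byte[])`) to AMSI as well. That's why ...". Stated that way the sentence also explains to a defender why in-memory .NET loading became visible to AV/EDR on 4.8 hosts.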
@ -202,9 +204,35 @@ This technique was initially discovered by [@RastaMouse](https://twitter.com/_Ra
> [!NOTE]
> Please read [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) for a more detailed explanation.
There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) and [this repo](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them.
There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) and [**this repo**](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them.
This tools [**https://github.com/Flangvik/AMSI.fail**](https://github.com/Flangvik/AMSI.fail) also generates script to bypass AMSI.
**Remove the detected signature**
You can use a tool such as **[https://github.com/cobbr/PSAmsi](https://github.com/cobbr/PSAmsi)** and **[https://github.com/RythmStick/AMSITrigger](https://github.com/RythmStick/AMSITrigger)** to remove the detected AMSI signature from the memory of the current process. This tool works by scanning the memory of the current process for the AMSI signature and then overwriting it with NOP instructions, effectively removing it from memory.
**AV/EDR products that uses AMSI**
You can find a list of AV/EDR products that uses AMSI in **[https://github.com/subat0mik/whoamsi](https://github.com/subat0mik/whoamsi)**.
**Use Poershell version 2**
If you use PowerShell version 2, AMSI will not be loaded, so you can run your scripts without being scanned by AMSI. You can do this:
```powershell
powershell.exe -version 2
```
## PS Logging
PowerShell logging is a feature that allows you to log all PowerShell commands executed on a system. This can be useful for auditing and troubleshooting purposes, but it can also be a **problem for attackers who want to evade detection**.
To bypass PowerShell logging, you can use the following techniques:
- **Disable PowerShell Transcription and Module Logging**: You can use a tool such as [https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs](https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs) for this purpose.
Or this script taht via memory patching will patch each new Powersh
## Obfuscation
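Review bot: the new sentence "Or this script taht via memory patching will patch each new Powersh" under "## PS Logging" is cut off mid-word and carries no link, so the section ends in a dangling fragment; either finish it with the intended reference or drop it before merging, and fix "taht". Smaller points in the same hunk: "This tools ... also generates script" → "This tool ... also generates scripts"; "products that uses AMSI" → "products that use AMSI" (heading and sentence); "Use Poershell version 2" → "Use PowerShell version 2". The PSAmsi/AMSITrigger paragraph names two tools and then says "This tool works by ... overwriting it with NOP instructions", which does not match how those projects describe themselves (locating which parts of a script trigger AMSI), so the mechanism sentence should be checked against the linked READMEs. The PowerShell v2 paragraph also needs two caveats: the 2.0 engine depends on the optional .NET Framework 3.5 feature and is deprecated, so it is absent on many current systems, and a `-version 2` start is recorded in the Windows PowerShell event log (event 400 with EngineVersion 2.0), which is a standard engine-downgrade detection.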
@ -210,6 +210,7 @@ The steps performing API cal hooking of .NET methods are:
### AMSI Bypass - More Resources
- Check the page about **[Bypassing AVs & AMSI](../av-bypass.md)**
- [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
- [Amsi Bypass on Windows 11 In 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023)
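Review bot: the added bullet runs two links together with no separator ("...cac6) [Github](...)"), so it renders as a title immediately followed by the word Github. Follow the style of the bullet above it and give the second link its own text, e.g. "- [Amsi Bypass on Windows 11 In 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) ([GitHub repo](https://github.com/senzee1984/Amsi_Bypass_In_2023))", and spell it "GitHub". The hunk header's context line "API cal hooking" also has a typo ("call").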
@ -343,6 +344,11 @@ Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Admin
Get-Clipboard
```
Perform some clipboard monitoring using:
- [https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Start-ClipboardMonitor.ps1](https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Start-ClipboardMonitor.ps1)
- [https://github.com/slyd0g/SharpClipboard](https://github.com/slyd0g/SharpClipboard)
## Processes
```powershell
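Review bot: the two new clipboard-monitoring bullets use the bare URL as link text, unlike the `[owner/repo](url)` form used elsewhere in this commit (the Amsi-Bypass-Powershell bullet). Suggest "- [HarmJ0y/Misc-PowerShell Start-ClipboardMonitor.ps1](https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Start-ClipboardMonitor.ps1)" and "- [slyd0g/SharpClipboard](https://github.com/slyd0g/SharpClipboard)". The lead-in "Perform some clipboard monitoring using:" would also read better as a full sentence that ties it to the `Get-Clipboard` line above, e.g. "To monitor the clipboard continuously instead of reading it once, use:".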
@ -38,6 +38,7 @@ If you already has the file you want to host in a web sever just go to `Attacks
<pre class="language-bash"><code class="lang-bash"># Execute local .NET binary
execute-assembly </path/to/executable.exe>
# Note that to load assemblies larger than 1MB, the tasks_max_size property of the malleable profile needs to be modified.
# Screenshots
printscreen # Take a single screenshot via PrintScr method
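Review bot: the new `tasks_max_size` comment should say that 1MB is the default value of that Malleable C2 option rather than a fixed limit, e.g. "# By default assemblies larger than 1MB fail to load; raise tasks_max_size in the malleable profile to allow them." The comment is also long for a single code-block line; splitting it across two `#` lines keeps the `<pre>` block from overflowing when rendered.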
@ -54,9 +55,14 @@ portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inje
portscan [targets] [ports] [arp|icmp|none] [max connections]
# Powershell
# Import Powershell module
## Import Powershell module
powershell-import C:\path\to\PowerView.ps1
powershell <just write powershell cmd here>
powershell-import /root/Tools/PowerSploit/Privesc/PowerUp.ps1
powershell <just write powershell cmd here> # This uses the highest supported powershell version (not oppsec)
powerpick <cmdlet> <args> # This creates a sacrificial process specified by spawnto, and injects UnmanagedPowerShell into it for better opsec (not logging)
powerpick Invoke-PrivescAudit | fl
psinject <pid> <arch> <commandlet> <arguments> # This injects UnmanagedPowerShell into the specified process to run the PowerShell cmdlet.
# User impersonation
## Token generation with creds
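Review bot: typo in the new `powershell` line: "oppsec" → "opsec". The three new comments are inconsistent about what they claim: `powershell` says "(not oppsec)" and `powerpick` says "(not logging)"; state the distinction once and precisely, e.g. that `powershell` runs the command through powershell.exe and is therefore subject to PowerShell logging, while `powerpick` and `psinject` run Unmanaged PowerShell in a different process. In the `psinject` usage, "<commandlet>" should be "<cmdlet>" to match the `powerpick` line above it. The `/root/Tools/PowerSploit/Privesc/PowerUp.ps1` path in the new `powershell-import` example is a local path from the author's machine; the generic `C:\path\to\...` form used by the line it replaces is clearer as documentation.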
@ -97,6 +103,7 @@ steal_token <pid> #Steal token from process created by mimikatz
## Pass the ticket
## Request a ticket
execute-assembly /root/Tools/SharpCollection/Seatbelt.exe -group=system
execute-assembly C:\path\Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<aes_keys> /nowrap /opsec
## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
make_token <domain>\<username> DummyPass
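Review bot: the added `execute-assembly /root/Tools/SharpCollection/Seatbelt.exe -group=system` line sits under the new "## Request a ticket" heading, but Seatbelt is a host-enumeration tool and does not request a Kerberos ticket; only the Rubeus `asktgt` line belongs under that heading. Move the Seatbelt line to an enumeration section (or next to the `execute-assembly` example earlier in the file) so the heading matches its contents. Also, "## Pass the ticket" is immediately followed by "## Request a ticket", which leaves the first heading with no body; either demote "Request a ticket" to a sub-step or add a one-line description of the flow (request, then import into a new logon session).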
@ -134,8 +141,8 @@ jump [method] [target] [listener]
remote-exec [method] [target] [command]
## Methods:
<strong>## psexec Remote execute via Service Control Manager
</strong>## winrm Remote execute via WinRM (PowerShell)
## psexec Remote execute via Service Control Manager
## winrm Remote execute via WinRM (PowerShell)
## wmi Remote execute via WMI
## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
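Review bot: removing the stray `<strong>`/`</strong>` wrappers around the psexec and winrm method lines is the right fix; they leaked HTML into the rendered code block. While here, the unchanged context line "it isn't ins the jump command" has a typo ("in"), and "## Methods:" would be clearer as "## Methods for remote-exec:" since `jump` above has its own method list.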
@ -176,6 +183,15 @@ beacon> socks 1080
# SSH connection
beacon> ssh 10.10.17.12:22 username password</code></pre>
## Execute-Assembly
`execute-assembly` uses a sacrificial process using remote process injection to execute the indicated .Net program. Howeevr, there are some custom tools that can be used to load something in the same process:
- [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly)
- [https://github.com/CCob/BOF.NET](https://github.com/CCob/BOF.NET)
- [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly)
## Avoiding AVs
### Artifact Kit
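Review bot: typo in the new Execute-Assembly paragraph: "Howeevr" → "However"; ".Net" should be ".NET" as elsewhere on the page. The first sentence is repetitive ("uses a sacrificial process using remote process injection"); suggest: "`execute-assembly` spawns a sacrificial process and uses remote process injection to run the indicated .NET program in it. However, some custom tools load the assembly in the current process instead:". Saying what the three linked projects have in common (in-process / BOF-based assembly loading) would make the list more useful than three bare URLs.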