From f4f8791dd921f0209332160e16a4a96ede286c0c Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Thu, 3 Apr 2025 14:48:26 +0200 Subject: [PATCH] a --- .../uac-user-account-control.md | 8 ++++- src/windows-hardening/av-bypass.md | 32 +++++++++++++++++-- .../basic-powershell-for-pentesters/README.md | 6 ++++ src/windows-hardening/cobalt-strike.md | 24 +++++++++++--- 4 files changed, 63 insertions(+), 7 deletions(-) diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md index 37374c53f..267181738 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md 
@@ -33,9 +33,15 @@ This [page](https://docs.microsoft.com/en-us/windows/security/identity-protectio Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also. +Many auto-elevate processes expose **functionality via COM objects or RPC servers**, which can be invoked from processes running with medium integrity (regular user-level privileges). Note that COM (Component Object Model) and RPC (Remote Procedure Call) are methods Windows programs use to communicate and execute functions across different processes. For example, **`IFileOperation COM object`** is designed to handle file operations (copying, deleting, moving) and can automatically elevate privileges without a prompt. + +Note that some checks might be performed, like checking if the process was run from the **System32 directory**, which can be bypassed for example **injecting into explorer.exe** or another System32-located executable. + +Another way to bypass these checks is to **modify the PEB**. Every process in Windows has a Process Environment Block (PEB), which includes important data about the process, such as its executable path. By modifying the PEB, attackers can fake (spoof) the location of their own malicious process, making it appear to run from a trusted directory (like system32). This spoofed information tricks the COM object into auto-elevating privileges without prompting the user. + Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**. -You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. 
And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals). +You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. (`sigcheck.exe -m `) And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals). ### Check UAC diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md index 7bb979202..c7d02d94a 100644 --- a/src/windows-hardening/av-bypass.md +++ b/src/windows-hardening/av-bypass.md @@ -155,6 +155,8 @@ Notice how it prepends `amsi:` and then the path to the executable from which th We didn't drop any file to disk, but still got caught in-memory because of AMSI. +Moreover, starting with **.NET 4.8**, C# code is run through AMSI as well. This even affects `Assembly.Load(byte[])` to load in-memory execution. Thats why using lower versions of .NET (like 4.7.2 or below) is recommended for in-memory execution if you want to evade AMSI. + There are a couple of ways to get around AMSI: - **Obfuscation** 
@@ -202,9 +204,35 @@ This technique was initially discovered by [@RastaMouse](https://twitter.com/_Ra > [!NOTE] > Please read [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) for a more detailed explanation. -There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) and [this repo](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them. +There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) and [**this repo**](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them. + +This tools [**https://github.com/Flangvik/AMSI.fail**](https://github.com/Flangvik/AMSI.fail) also generates script to bypass AMSI. + +**Remove the detected signature** + +You can use a tool such as **[https://github.com/cobbr/PSAmsi](https://github.com/cobbr/PSAmsi)** and **[https://github.com/RythmStick/AMSITrigger](https://github.com/RythmStick/AMSITrigger)** to remove the detected AMSI signature from the memory of the current process. This tool works by scanning the memory of the current process for the AMSI signature and then overwriting it with NOP instructions, effectively removing it from memory. + +**AV/EDR products that uses AMSI** + +You can find a list of AV/EDR products that uses AMSI in **[https://github.com/subat0mik/whoamsi](https://github.com/subat0mik/whoamsi)**. + +**Use Poershell version 2** +If you use PowerShell version 2, AMSI will not be loaded, so you can run your scripts without being scanned by AMSI. You can do this: + +```powershell +powershell.exe -version 2 +``` + +## PS Logging + +PowerShell logging is a feature that allows you to log all PowerShell commands executed on a system. 
This can be useful for auditing and troubleshooting purposes, but it can also be a **problem for attackers who want to evade detection**. + +To bypass PowerShell logging, you can use the following techniques: + +- **Disable PowerShell Transcription and Module Logging**: You can use a tool such as [https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs](https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs) for this purpose. + + -Or this script taht via memory patching will patch each new Powersh ## Obfuscation diff --git a/src/windows-hardening/basic-powershell-for-pentesters/README.md b/src/windows-hardening/basic-powershell-for-pentesters/README.md index 57906f6e3..4ef3f5239 100644 --- a/src/windows-hardening/basic-powershell-for-pentesters/README.md +++ b/src/windows-hardening/basic-powershell-for-pentesters/README.md @@ -210,6 +210,7 @@ The steps performing API cal hooking of .NET methods are: ### AMSI Bypass - More Resources +- Check the page about **[Bypassing AVs & AMSI](../av-bypass.md)** - [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) - [Amsi Bypass on Windows 11 In 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023) @@ -343,6 +344,11 @@ Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Admin Get-Clipboard ``` +Perform some clipboard monitoring using: + +- [https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Start-ClipboardMonitor.ps1](https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Start-ClipboardMonitor.ps1) +- [https://github.com/slyd0g/SharpClipboard](https://github.com/slyd0g/SharpClipboard) + ## Processes ```powershell diff --git a/src/windows-hardening/cobalt-strike.md b/src/windows-hardening/cobalt-strike.md index 56e622654..9ce39b1de 100644 --- a/src/windows-hardening/cobalt-strike.md +++ b/src/windows-hardening/cobalt-strike.md 
@@ -38,6 +38,7 @@ If you already has the file you want to host in a web sever just go to `Attacks
# Execute local .NET binary
 execute-assembly 
+# Note that to load assemblies larger than 1MB, the tasks_max_size property of the malleable profile needs to be modified.
 
 # Screenshots
 printscreen    # Take a single screenshot via PrintScr method
@@ -54,9 +55,14 @@ portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inje
 portscan [targets] [ports] [arp|icmp|none] [max connections]
 
 # Powershell
-# Import Powershell module
+## Import Powershell module
 powershell-import C:\path\to\PowerView.ps1
-powershell 
+powershell-import /root/Tools/PowerSploit/Privesc/PowerUp.ps1
+powershell  # This uses the highest supported powershell version (not oppsec)
+powerpick   # This creates a sacrificial process specified by spawnto, and injects UnmanagedPowerShell into it for better opsec (not logging)
+powerpick Invoke-PrivescAudit | fl
+psinject     # This injects UnmanagedPowerShell into the specified process to run the PowerShell cmdlet.
+
 
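Review bot: typo "oppsec" should be "opsec" on the `powershell` line, and the `powerpick` comment's "(not logging)" is too vague about what is actually avoided: the line already says a sacrificial `spawnto` process receives UnmanagedPowerShell, so state that concrete difference (no powershell.exe process is spawned) instead of implying that no logging occurs at all. The `psinject` line is shown with no parameters while every other command in this block shows its argument placeholders; add them for consistency. The extra `+` blank line directly above the existing blank line leaves two consecutive empty lines in the code block; drop one.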
 # User impersonation
 ## Token generation with creds
@@ -97,6 +103,7 @@ steal_token  #Steal token from process created by mimikatz
 
 ## Pass the ticket
 ## Request a ticket
+execute-assembly /root/Tools/SharpCollection/Seatbelt.exe -group=system
 execute-assembly C:\path\Rubeus.exe asktgt /user: /domain: /aes256: /nowrap /opsec
 ## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
 make_token \ DummyPass
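Review bot: the added `execute-assembly /root/Tools/SharpCollection/Seatbelt.exe -group=system` line lands under the "## Pass the ticket" and "## Request a ticket" headings, directly above the Rubeus `asktgt` line, but a Seatbelt system enumeration has nothing to do with requesting a ticket. Move it to the `execute-assembly` section at the top of the cheat sheet (the same hunk that adds the 1MB `tasks_max_size` note), or give it a heading of its own, so the headings in this section keep describing the commands beneath them.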
@@ -134,8 +141,8 @@ jump [method] [target] [listener]
 
 remote-exec [method] [target] [command]
 ## Methods:
-## psexec                          Remote execute via Service Control Manager
-## winrm                           Remote execute via WinRM (PowerShell)
+## psexec                          Remote execute via Service Control Manager
+## winrm                           Remote execute via WinRM (PowerShell)
 ## wmi                             Remote execute via WMI
 
 ## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
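Review bot: the `psexec` and `winrm` lines are removed and re-added with no visible textual difference, so this is a whitespace-only change (trailing whitespace or tabs versus spaces); either drop it from this commit or mention it in the commit message so reviewers do not hunt for a content change here. While in this block, the context line "it isn't ins the jump command" has a typo ("isn't in the jump command") that could be fixed in the same pass.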
@@ -176,6 +183,15 @@ beacon> socks 1080
 # SSH connection
 beacon> ssh 10.10.17.12:22 username password
+## Execute-Assembly + +`execute-assembly` uses a sacrificial process using remote process injection to execute the indicated .Net program. Howeevr, there are some custom tools that can be used to load something in the same process: + +- [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly) +- [https://github.com/CCob/BOF.NET](https://github.com/CCob/BOF.NET) +- [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly) + + ## Avoiding AVs ### Artifact Kit
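Review bot: "Howeevr" should be "However" and ".Net" should be ".NET" in the new Execute-Assembly section, and "uses a sacrificial process using remote process injection" doubles "using"; suggest "spawns a sacrificial process and uses remote process injection to run the indicated .NET program". The three linked tools are listed bare; one clause per tool saying how each loads the assembly in-process would help the reader pick between them. Also confirm that the preceding code block is closed before the new `## Execute-Assembly` heading, since the hunk context shows the heading immediately after the `beacon> ssh 10.10.17.12:22 username password` line.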
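Review bot: in the uac-user-account-control.md hunk, the inline usage `sigcheck.exe -m ` in the rewritten last line is missing its operand; spell out what follows `-m` (the path of the binary whose manifest is being checked) so the command is usable as written. In the added PEB paragraph, "like system32" should match the "System32" capitalisation used two paragraphs earlier in the same hunk.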
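Review bot: in the first av-bypass.md hunk, "Thats why" should be "That's why", and "This even affects `Assembly.Load(byte[])` to load in-memory execution" is ungrammatical; suggest "This also applies to assemblies loaded in memory via `Assembly.Load(byte[])`." The recommendation to use "lower versions of .NET (like 4.7.2 or below)" is ambiguous about whether it means the target framework the assembly is compiled for or the runtime installed on the host; say which, since the two are not the same thing.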
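Review bot: several wording problems in the second av-bypass.md hunk: "This tools ... also generates script" should be "This tool ... also generates scripts"; the heading "AV/EDR products that uses AMSI" and the sentence under it should read "that use AMSI"; the heading "Use Poershell version 2" should be "Use PowerShell version 2". Under "Remove the detected signature" two tools are named but the next sentence says "This tool works by scanning the memory of the current process ... and then overwriting it with NOP instructions"; make the subject agree and double-check that description against what the two repositories actually do, since their names suggest identifying the triggering signature rather than patching process memory. Removing the truncated `-` line "Or this script taht via memory patching will patch each new Powersh" is an improvement, but the reference it pointed to is now gone; either restore it in full or confirm it was meant to be dropped.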