Bypassing Security
AMSI
Powershell Only
Global
Windows Defender
For C#, PE or raw executables, use Nimcrypt2:
-t selects the file type
-e enables encryption of the payload
PELoader + pe2shc
We first generate a Sliver implant and upload it to our Windows attacking host (not the target). We will need https://github.com/hasherezade/pe_to_shellcode and https://github.com/Hagrid29/PELoader.
We first convert the PE to shellcode:
Next, we use PE_loader.exe to encrypt the shellcode:
This will output "sliver_PE.shc.exe.enc". Upload this file to the target together with PELoader.exe. Of course, rename PELoader.exe to incendiumrocks.exe. After that, set the environment variable, then decrypt and execute the encrypted shellcode (our Sliver implant):
Done. Check your listener in Sliver.
UAC
User Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the ability of malicious code to execute with administrator privileges.
Check UAC settings
If the value is 5 (the default), UAC will ask the administrator to confirm before running non-Windows binaries with high privileges:
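The check described above can be scripted so that an administrator can audit the UAC configuration of a host in one go. This is an added PowerShell example, not code from the original notes; it reads the documented UAC policy values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and explains what each setting means, flagging the configurations that weaken UAC.

```powershell
# Audit UAC configuration on the local host (added example; run in an elevated or
# non-elevated PowerShell session, the keys are world-readable).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

# Meaning of ConsentPromptBehaviorAdmin as documented by Microsoft.
$adminBehaviour = @{
    0 = 'Elevate without prompting (UAC effectively disabled for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

$findings = [ordered]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
}

Write-Host "UAC settings from $uacKey"
$findings.GetEnumerator() | ForEach-Object { Write-Host ("  {0,-28} {1}" -f $_.Key, $_.Value) }
Write-Host ("  Admin prompt behaviour     : {0}" -f $adminBehaviour[[int]$uac.ConsentPromptBehaviorAdmin])

# Flag weak configurations a reviewer would want to see.
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'EnableLUA is not 1: UAC is turned off entirely.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'ConsentPromptBehaviorAdmin is 0: administrators elevate silently.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 5) {
    Write-Warning 'Default level (5): auto-elevating Windows binaries such as fodhelper.exe run elevated without a prompt. Consider level 2 (Always notify).'
}
if ($uac.PromptOnSecureDesktop -ne 1) {
    Write-Warning 'PromptOnSecureDesktop is not 1: the elevation prompt can be spoofed by other processes.'
}
```

Raising ConsentPromptBehaviorAdmin to 2 ("Always notify") is the setting that makes the auto-elevate class of bypasses prompt the user, which is why the audit calls out the default level 5 explicitly.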
Common bypass with AutoElevate
Some executables can auto-elevate, achieving high IL without any user intervention. This applies to most of the Control Panel's functionality and some executables provided with Windows.
For an application, some requirements need to be met to auto-elevate:
The executable must be signed by the Windows Publisher.
The executable must be contained in a trusted directory, like %SystemRoot%/System32/ or %ProgramFiles%/.
To check if a binary has autoElevate set in its manifest, we can use sigcheck:
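For an inventory of which trusted-directory binaries carry the autoElevate flag, the manifest check can also be done without sigcheck. This is an added PowerShell example, not from the original notes; it assumes the embedded application manifest is stored as plain text in the executable (which is how the RT_MANIFEST resource is laid out), and simply searches each file's bytes for the autoElevate element. Adjust $directories to the paths you want to audit.

```powershell
# Enumerate binaries in trusted directories whose embedded manifest declares
# <autoElevate>true</autoElevate>. Added example; the text search is a heuristic
# that relies on the manifest being stored uncompressed inside the file.
$directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$pattern     = '<autoElevate>\s*true\s*</autoElevate>'

$results = foreach ($dir in $directories) {
    Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the file as raw bytes and decode as ASCII so the XML manifest is searchable.
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        if ($text -match $pattern) {
            # Confirm the signature, since auto-elevation also requires a Microsoft signature.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Signed    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

$results | Sort-Object Path | Format-Table -AutoSize
Write-Host ("{0} auto-elevating binaries found." -f @($results).Count)
```

The output is the list a defender wants to baseline: any executable appearing here runs elevated without a prompt at the default UAC level, so changes to this set, or to the registry handlers these programs consult, deserve monitoring.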
Fodhelper
Fodhelper.exe is one of the Windows default executables in charge of managing Windows optional features, including additional languages, applications not installed by default, or other operating system characteristics. Like most of the programs used for system configuration, fodhelper can auto-elevate under default UAC settings, so that administrators won't be prompted for elevation when performing standard administrative tasks. Fodhelper can be abused without having access to a GUI.
When Windows opens a file, it checks the registry to determine which application to use.
We can set the following keys for the fodhelper binary:
And then proceed to execute fodhelper.exe, which in turn will trigger the execution of our reverse shell.
More bypasses with UACME
Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.