General

Resources

Windows Internals

  • Malapi.io

Microsoft Security Solutions

  • Windows Defender

  • AMSI

  • PS CLM

  • UAC

  • WDAC

  • Applocker

  • Windows Defender Application Guard (WDAG)

    • Hardware isolation feature that separates untrusted content from the host OS using virtualization technology.

    • Implemented in Office and Edge.

    • Untrusted content is opened in a Hyper-V enabled environment (a separate, containerized environment), so a compromise of that content does not reach the host.

  • WDEG

  • Sandbox

Windows Credential Guard

Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. [Reference]

  • Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.

  • Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment (the isolated LSA process) that is separated from the running operating system.

  • Better protection against advanced persistent threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, so you should also incorporate other security strategies and architectures.

  • Bypass: enable WDigest (so plaintext credentials are cached again) and disable Credential Guard via memory patching. [Reference]
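Before attempting the bypass above it is worth knowing the exact state of the host. The following PowerShell is an added example, not from the referenced documents: it reads the Win32_DeviceGuard CIM class and the LSA/WDigest registry values that the bypass manipulates and reports whether Credential Guard is configured and running, whether LSASS runs as a protected process, and whether WDigest plaintext caching is on.

```powershell
# Added example (not from the referenced documents): report Credential Guard / VBS state
# and the WDigest setting that determines whether plaintext passwords are cached in LSASS.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue

    # SecurityServicesConfigured / SecurityServicesRunning are arrays: 1 = Credential Guard, 2 = HVCI
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    # UseLogonCredential = 1 re-enables WDigest plaintext caching (it is off by default since KB2871997)
    $wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                                -Name UseLogonCredential -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 0 = off, 1 = configured, 2 = running
        CredentialGuardConfigured = ($configured -contains 1)
        CredentialGuardRunning    = ($running -contains 1)
        HvciRunning               = ($running -contains 2)
        LsaCfgFlags               = $lsa.LsaCfgFlags
        RunAsPPL                  = $lsa.RunAsPPL                            # 1 = LSASS is a protected process
        WDigestUseLogonCredential = $wdigest.UseLogonCredential              # $null or 0 = not cached, 1 = cached
    }
}

Get-CredentialGuardState | Format-List
```

Read the result as a whole: a host with CredentialGuardRunning = True will not yield plaintext or derived credentials from LSASS memory even as SYSTEM, and LsaCfgFlags = 1 means the setting is UEFI-locked, so flipping the registry value alone does not turn it off after a reboot. A WDigestUseLogonCredential of 1 on a host where Credential Guard is not running is the state the bypass above works toward.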

AppLocker Bypass

  • Under constrained language mode we cannot dot-source a script (. .\Script.ps1), because that would import its functions into the constrained session. Instead run the script directly (.\Script.ps1) from a path the AppLocker policy allows; an allowed script runs in full language mode.

  • Append the call to the function you want to invoke to the end of Script.ps1, so it executes when the script runs.

  • Tip: If executables can be run from C:\Windows, try executing from writable subdirectories of that tree.

# Enumerate the effective AppLocker policy to identify directories from which scripts and binaries can be executed
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# From the local GPO only
Get-AppLockerPolicy -Local

Some high-level bypass techniques:

  • Use LOLBAS if only (Microsoft-)signed binaries are allowed.

  • If binaries from C:\Windows are allowed, try dropping your binaries to C:\Windows\Temp or C:\Windows\Tasks. If there are no writable subdirectories but writable files exist in this directory tree, write your file to an alternate data stream (e.g. a JScript script) and execute it from there.

  • Wrap your binaries in a DLL file and execute them with rundll32 to bypass executable rules. If binaries like Python are allowed, use that. If that doesn’t work, try other techniques such as wrapping JScript in a HTA file or running XSL files with wmic.
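The enumeration above tells you which paths are allowed; the bypasses then depend on finding a directory (or, for the alternate data stream trick, a file) under one of those paths that the current user can write to. The following PowerShell is an added example, not code from the original notes: it parses the effective policy as XML, expands the AppLocker path variables, and probes each allowed directory tree for writable directories and, optionally, writable files by actually attempting a write (ACL parsing is error prone; a real write attempt is the authoritative test). The depth limit and the variable table are assumptions for a first pass.

```powershell
# Added example (not from the original notes): find writable directories/files under AppLocker Allow path rules.

function Test-DirWritable([string]$Dir) {
    # Create and delete a random temp file; succeeds only if we really can write here
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Test-FileWritable([string]$File) {
    # Open for write without truncating; a writable file can also carry an alternate data stream
    try {
        $fs = [IO.File]::Open($File, 'Open', 'Write')
        $fs.Close()
        return $true
    } catch { return $false }
}

function Get-WritableAppLockerPaths {
    param(
        [int]$Depth = 2,          # assumption: two levels below each allowed root is enough for a first pass
        [switch]$IncludeFiles     # also report writable files (candidates for the ADS trick)
    )

    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    # AppLocker path variables and what they expand to on this host
    $vars = @{
        '%WINDIR%'       = $env:WINDIR
        '%SYSTEM32%'     = "$env:WINDIR\System32"
        '%PROGRAMFILES%' = $env:ProgramFiles
        '%OSDRIVE%'      = $env:SystemDrive
    }

    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.FilePathRule) {
            if ($rule.Action -ne 'Allow') { continue }
            foreach ($cond in $rule.Conditions.FilePathCondition) {
                $path = $cond.Path
                foreach ($k in $vars.Keys) { $path = $path -replace [regex]::Escape($k), $vars[$k] }
                $root = $path -replace '\\?\*.*$', ''           # strip the trailing \* wildcard
                if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }

                $dirs = @(Get-Item -LiteralPath $root) +
                        @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
                foreach ($d in $dirs) {
                    if (Test-DirWritable $d.FullName) {
                        [pscustomobject]@{ Collection = $collection.Type; Mode = $collection.EnforcementMode
                                           Rule = $rule.Name; AllowedPath = $cond.Path; Writable = $d.FullName; Kind = 'Directory' }
                    }
                    if ($IncludeFiles) {
                        foreach ($f in Get-ChildItem -LiteralPath $d.FullName -File -ErrorAction SilentlyContinue) {
                            if (Test-FileWritable $f.FullName) {
                                [pscustomobject]@{ Collection = $collection.Type; Mode = $collection.EnforcementMode
                                                   Rule = $rule.Name; AllowedPath = $cond.Path; Writable = $f.FullName; Kind = 'File' }
                            }
                        }
                    }
                }
            }
        }
    }
}

Get-WritableAppLockerPaths -IncludeFiles | Format-Table -AutoSize
```

Run it as the low-privileged user you actually have, since writability is what matters, not what an administrator sees. Directories reported under an Exe or Script collection with Mode = Enabled are where a dropped binary or script would pass the path rule; a File hit under a non-writable directory is the case where the alternate data stream approach described above applies. Publisher and hash rules are not covered by this check.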

Building Obfuscators

Process Ghosting

Parent Process

# Using ctypes in Python, if python.exe is whitelisted: the DLL is loaded into and runs under 'python.exe'
import ctypes

# Path to a DLL that exports the function we want to run (raw string, so backslashes are not treated as escapes)
dll = ctypes.WinDLL(r"C:\users\anonymous\downloads\calc.dll")
# Call the DLL's exported 'Update' function; its code executes inside the python.exe process
dll.Update()

Shellter

  • Backdoors a valid, non-malicious executable file with a malicious shellcode payload.

  • Performs a thorough analysis of the target PE file and its execution paths, then determines where it can inject our shellcode without relying on traditional injection techniques that are easily caught by AV engines, such as changing PE section permissions or creating new sections.

  • Finally, Shellter attempts to use the existing PE Import Address Table (IAT) entries to locate the functions it needs for the memory allocation, transfer, and execution of our payload, so no new imports are added to the binary.

Inceptor
