Microsoft Security Solutions
Windows Defender
AMSI
PS CLM
UAC
WDAC
Applocker
Windows Defender Application Guard (WDAG)
Hardware-based isolation feature that separates untrusted content from the host OS using virtualization (Hyper-V).
Implemented for Microsoft Edge and Office.
Untrusted sites and documents are opened in a separate Hyper-V container, so a browser or document exploit lands in the container rather than on the host OS.
WDEG
Sandbox
Windows Credential Guard
Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. [Reference]
Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets are kept in a protected environment (the isolated LSA process, LsaIso.exe) that is separated from the running operating system.
Better protection against advanced persistent threats: when Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft techniques and tools used in many targeted attacks (LSASS dumping, pass-the-hash from dumped secrets) are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. Credential Guard is a strong mitigation, but attackers shift to techniques it does not cover (for example capturing credentials at logon time), so it should be combined with other security strategies and architectures.
Bypass: with administrative privileges on the host, re-enable WDigest cleartext caching and make WDigest believe Credential Guard is disabled by patching the relevant flags in LSASS memory rather than via the registry; cleartext credentials of subsequent logons are then cached and can be read from LSASS. Credential Guard itself keeps running, so it does not protect passwords that arrive after the patch. [Reference]
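As an added example (not code from the original page), the following PowerShell reports the state that the WDigest / Credential Guard bypass above depends on: whether VBS and Credential Guard are actually running, whether the UEFI lock prevents a local admin from switching Credential Guard off with a reboot, and whether WDigest cleartext caching has been turned on in the registry. It assumes a Windows 10/11 or Server 2016+ host; the `Win32_DeviceGuard` query may require an elevated prompt on some builds, the registry reads work as a standard user.

```powershell
# Added example, not from the original page. Reads the Credential Guard and
# WDigest state an assessor would check before and after the bypass described
# above. Registry paths and WMI class are the documented Microsoft locations.

function Get-CredentialGuardState {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $wd  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 1 when Credential Guard (LsaIso) is up, 2 for HVCI
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = disabled
        UefiLocked             = ($lsa.LsaCfgFlags -eq 1)
        # UseLogonCredential = 1 makes LSASS keep cleartext passwords for WDigest
        WDigestCleartext       = ($wd.UseLogonCredential -eq 1)
    }
}

function Get-CredentialGuardFinding {
    # Turns the raw state into the findings an assessor would report.
    param($State = (Get-CredentialGuardState))
    $findings = @()
    if (-not $State.CredentialGuardRunning) {
        $findings += 'Credential Guard not running: NTLM hashes and Kerberos keys are recoverable from LSASS memory.'
    } elseif (-not $State.UefiLocked) {
        $findings += 'Credential Guard enabled without UEFI lock: a local admin can clear LsaCfgFlags and reboot to disable it.'
    }
    if ($State.WDigestCleartext) {
        $findings += 'WDigest UseLogonCredential=1: cleartext passwords are cached in LSASS at the next logon.'
    }
    if ($findings.Count -eq 0) { $findings += 'No registry- or VBS-level weakness found.' }
    $findings
}

# Usage:
Get-CredentialGuardState | Format-List
Get-CredentialGuardFinding
```

Caveat: the bypass referenced above patches the WDigest flags inside LSASS memory instead of writing `UseLogonCredential`, and it leaves Credential Guard running, so a clean result from this check does not prove LSASS has not been tampered with. Pair it with monitoring for handles opened on lsass.exe with write access from unexpected processes.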
AppLocker Bypass
Under Constrained Language Mode a script cannot be dot-sourced into the session (. .\Script.ps1 fails because the script file is assigned a different language mode than the interactive shell). Run the file directly with .\Script.ps1 instead.
Because running it directly leaves no functions behind in the session, append a call to the function you want to invoke to the end of Script.ps1.
Tip: the default AppLocker rules allow every executable under C:\Windows. If those rules are in place, look for user-writable subdirectories in that tree and execute from there.
Some high-level bypass techniques:
Use LOLBAS binaries if only (Microsoft-)signed binaries are allowed.
If binaries from C:\Windows are allowed, try dropping your binaries to C:\Windows\Temp or C:\Windows\Tasks. If there are no writable subdirectories but writable files exist in this directory tree, write your file (e.g. a JScript script) to an alternate data stream of such a file and execute it from there.
Wrap your binaries in a DLL file and execute them with rundll32 to bypass executable rules.
If interpreters like Python are allowed, use them.
If that does not work, try other techniques such as wrapping JScript in an HTA file or running XSL files with wmic.
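The following PowerShell is an added example, not code from the original page, that automates the first two checks above: it finds directories and files under C:\Windows that the current user can write to, and asks the effective AppLocker policy whether a script dropped in such a directory would be allowed to run. It assumes the AppLocker module is present (Windows 10/11 Enterprise, Server 2016+); the probe file names (`probe_*.tmp`, `probe.js`) and the ADS name are placeholders chosen for this example.

```powershell
# Added example, not from the original page. Audits user-writable locations
# under %WINDIR% (which the default AppLocker rules trust) and evaluates the
# effective policy against a harmless JScript probe placed there.

function Get-WritableDirectory {
    # Probe by creating and deleting a file rather than parsing ACLs: effective
    # rights depend on group membership, inheritance and CREATOR OWNER entries.
    param([string]$Root = $env:SystemRoot, [int]$Depth = 2)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $probe = Join-Path $_.FullName ('probe_{0}.tmp' -f [guid]::NewGuid())
            try {
                [IO.File]::WriteAllText($probe, 'x')
                Remove-Item -LiteralPath $probe -Force
                $_.FullName
            } catch { }
        }
}

function Get-WritableFile {
    # Fallback from the text: no writable directory, but a writable file whose
    # alternate data stream can carry the payload. Files locked by another
    # process are skipped even if their ACL would allow writing.
    param([string]$Root = $env:SystemRoot, [int]$Depth = 2)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $fs = [IO.File]::Open($_.FullName, 'Open', 'Write', 'ReadWrite')
                $fs.Dispose()
                $_.FullName
            } catch { }
        }
}

function Test-ScriptDrop {
    # Drops a benign JScript file in $Directory and returns AppLocker's decision
    # (PolicyDecision Allowed/Denied plus the matching rule) for the current user.
    param([Parameter(Mandatory)][string]$Directory, [string]$User = 'Everyone')
    $target = Join-Path $Directory 'probe.js'
    Set-Content -LiteralPath $target -Value 'WScript.Echo("probe");'
    try {
        Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $target -User $User
    } finally {
        Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    }
}

function Write-AdsProbe {
    # Stores the JScript probe in an alternate data stream of a writable file
    # and returns the command line wscript needs to run it (//e: picks the
    # engine because the stream name carries no recognised extension).
    param([Parameter(Mandatory)][string]$File, [string]$Stream = 'probe')
    Set-Content -LiteralPath $File -Stream $Stream -Value 'WScript.Echo("probe");'
    "wscript.exe //e:jscript `"${File}:${Stream}`""
}

# Usage: list candidates, then test each writable directory.
$dirs = Get-WritableDirectory
$dirs
foreach ($d in $dirs) { Test-ScriptDrop -Directory $d | Select-Object FilePath, PolicyDecision, MatchingRule }
# If $dirs is empty, fall back to writable files:
# Get-WritableFile | Select-Object -First 1 | ForEach-Object { Write-AdsProbe -File $_ }
```

Note that Test-AppLockerPolicy evaluates path, publisher and hash rules against the actual file, so an unsigned probe gives the answer relevant to a dropped payload; a copy of a Microsoft-signed binary would be allowed by publisher rules regardless of location and would mislead the test.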
Building Obfuscators
Reference: Link
Process Ghosting
Blog from elastic.co
Parent Process
Shellter
Backdoors a valid, non-malicious executable file with a malicious shellcode payload.
Performs a thorough analysis of the target PE file and its execution paths, then determines where the shellcode can be injected without relying on traditional injection techniques that AV engines catch easily, such as changing PE section permissions or adding new sections.
Finally, Shellter attempts to use the existing PE Import Address Table (IAT) entries to locate the functions it needs for memory allocation, transfer, and execution of the payload, so that no new imports are added to the binary.
Inceptor