WDAC Policy Removal + SSRF domains

This commit is contained in:
Swissky 2023-05-31 14:18:25 +02:00
parent f85f2cb4c6
commit b8c803717a
4 changed files with 17 additions and 10 deletions

View File

@ -4414,3 +4414,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse) * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) * [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) * [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d)

View File

@ -307,7 +307,10 @@ Also known as `WDAC/UMCI/Device Guard`.
DeviceGuardCodeIntegrityPolicyEnforcementStatus : EnforcementMode DeviceGuardCodeIntegrityPolicyEnforcementStatus : EnforcementMode
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode
``` ```
* Remove WDAC policies using CiTool.exe (Windows 11 2022 Update)
```ps1
$ CiTool.exe -rp "{PolicyId GUID}" -json
```
* Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip` * Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip`
* Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\` * Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\`
* WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies * WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
@ -383,4 +386,5 @@ You can check if it is done decrypting using this command: `manage-bde -status`
* [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) * [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)
* [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/) * [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/) * [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101) * [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)

View File

@ -110,11 +110,13 @@ http://0000::1:3128/ Squid
### Bypass localhost with a domain redirection ### Bypass localhost with a domain redirection
| Domain | Redirect to |
* `spoofed.[BURP_COLLABORATOR]` such as `spoofed.redacted.oastify.com` |------------------------------|-------------|
* `localtest.me` redirect to `::1` | localtest.me | `::1` |
* `company.127.0.0.1.nip.io` redirect to `127.0.0.1` | localh.st | `127.0.0.1` |
* `bugbounty.dod.network` redirect to `127.0.0.2` | spoofed.[BURP_COLLABORATOR] | `127.0.0.1` |
| spoofed.redacted.oastify.com | `127.0.0.1` |
| company.127.0.0.1.nip.io | `127.0.0.1` |
The service nip.io is awesome for that, it will convert any ip address as a dns. The service nip.io is awesome for that, it will convert any ip address as a dns.
@ -138,7 +140,7 @@ http://127.0.0.0
http://2130706433/ = http://127.0.0.1 http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1 http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1 http://3232235777/ = http://192.168.1.1
http://2852039166/ = http://169.254.169.254 http://2852039166/ = http://169.254.169.254
``` ```
### Bypass using octal IP ### Bypass using octal IP

View File

@ -62,7 +62,7 @@
- [Bypass "<" and ">" using and ](#bypass--and--using--and-) - [Bypass "<" and ">" using and ](#bypass--and--using--and-)
- [Bypass ";" using another character](#bypass--using-another-character) - [Bypass ";" using another character](#bypass--using-another-character)
- [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using HTML encoding](#bypass-using-html-encoding)
- [Bypass using Katana](#bypass-using-katana) - [Bypass using Katakana](#bypass-using-katakana)
- [Bypass using Cuneiform](#bypass-using-cuneiform) - [Bypass using Cuneiform](#bypass-using-cuneiform)
- [Bypass using Lontara](#bypass-using-lontara) - [Bypass using Lontara](#bypass-using-lontara)
- [Bypass using ECMAScript6](#bypass-using-ecmascript6) - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
@ -967,7 +967,7 @@ Unicode Character U+FF1C and U+FF1E
></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)> ></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
``` ```
### Bypass using Katana ### Bypass using Katakana
Using the [Katakana](https://github.com/aemkei/katakana.js) library. Using the [Katakana](https://github.com/aemkei/katakana.js) library.