How to Hack Like a Legend: Breaking Windows by Sparc Flow
Author: Sparc Flow [Flow, Sparc]
Language: eng
Format: epub
Amazon: B08YJYR4N7
Goodreads: 63121471
Published: 2022-08-18T21:48:32+00:00
PS C:\Lab> $scriptBlockLogging = $dict.getValue("")[$key]
PS C:\Lab> $scriptBlockLogging["EnableScriptBlockLogging"] = 0
When executing this script on the target machine, we need not worry
about ATA, since these commands do not involve any network communication
with the domain controller. QRadar, on the other hand, still poses a
real threat. This bypass command line is executed right before Script Block
Logging is disabled, which means that it will inevitably be logged as a Warning
under event 4104, as shown in Figure 8-3.
Figure 8-3: The bypass command line is logged under event 4104 as a Warning.
Notice that unlike this one, the other 4104 events were simply categorized
as Verbose. This categorization of Warning or Verbose happens in the
Windows Management Framework engine, which is the component executing
PowerShell commands. The WMF engine checks any commands that
are run against a list of suspicious strings defined in the internal property
signatures of the public class ScriptBlock. Dangerous strings and functions,
like NonPublic, GetField, Add-Type, and many others, are automatically flagged
by the execution engine. QRadar is likely looking for any events in the
PowerShell log categorized as Warnings, so this will probably be picked up
by the security team if we run it in Strat Jumbo's network. This is an
unnecessary exposure that we should avoid in case it triggers a detection rule.
ScriptBlock is declared as a public class, so we can directly reference
it using the [ScriptBlock] object. However, the signatures field containing
the list of suspicious strings is private, so we resort to reflection once more
using the GetField and GetValue methods (Listing 8-1).
PS C:\> [ScriptBlock].GetField("signatures","NonPublic,Static").GetValue($null)
Add-Type
DllImport
DefineDynamicAssembly
DefineDynamicModule
DefineType
--snip--
Listing 8-1: Viewing the list of strings defined in the signatures property of the
ScriptBlock class
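Seen from the monitoring side, the Warning categorization described above can be triaged from exported 4104 records. The Python below is an added example, not code from the book: the function name triage, the watch list (limited to the strings named on this page) and the sample events are assumptions constructed for illustration. It also reports watched strings in events the engine left as Verbose, so the check does not rest on the Level field alone.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WARNING = 3  # Windows event level: 3 = Warning, 5 = Verbose

# Strings named on this page; its listing is truncated, so this list is partial.
WATCH = ["Add-Type", "DllImport", "DefineDynamicAssembly", "DefineDynamicModule",
         "DefineType", "NonPublic", "GetField", "EnableScriptBlockLogging"]

# Constructed sample records, shaped like exported PowerShell/Operational events.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4104</EventID><Level>5</Level><Computer>WS01</Computer></System>
<EventData><Data Name="ScriptBlockText">Get-ChildItem C:\Lab</Data></EventData></Event>
<Event><System><EventID>4104</EventID><Level>3</Level><Computer>WS01</Computer></System>
<EventData><Data Name="ScriptBlockText">[ScriptBlock].GetField('signatures','NonPublic,Static').GetValue($null)</Data></EventData></Event>
<Event><System><EventID>4104</EventID><Level>5</Level><Computer>WS02</Computer></System>
<EventData><Data Name="ScriptBlockText">$s['EnableScriptBlockLogging'] = 0</Data></EventData></Event>
<Event><System><EventID>4103</EventID><Level>4</Level><Computer>WS02</Computer></System>
<EventData><Data Name="Payload">Get-Date</Data></EventData></Event>
</Events>"""


def triage(xml_text):
    """Return a finding for each 4104 event that is Warning-level or holds a watched string."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if system.findtext("e:EventID", namespaces=NS) != "4104":
            continue  # only script block logging events
        level = int(system.findtext("e:Level", namespaces=NS))
        text = ev.findtext("e:EventData/e:Data[@Name='ScriptBlockText']",
                           default="", namespaces=NS)
        matched = [s for s in WATCH if s.lower() in text.lower()]
        # Keep engine-flagged events, and content matches the engine left as Verbose.
        if level == WARNING or matched:
            findings.append({"host": system.findtext("e:Computer", namespaces=NS),
                             "engine_flagged": level == WARNING,
                             "matched": matched})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```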
