n01-BasicKnowledge.md

File metadata and controls

145 lines (84 loc) · 2.97 KB

Enumerations


Active Directory - Components

Schema

  • Define objects and their attributes

Query and index mechanism

  • Provide searching and publication of objects and their properties

Global Catalog

  • Contain information about every object in the directory

Replication Services

  • Distribute information across domain controllers


PowerShell Detections

There are 4 possible PowerShell detections:

1. System-wide transcriptions

  • C:\Transcripts\<date>\PowerShell_transcript.<host>.xxxxxx.xxxxx

2. Scriptblock logging

  • Windows Event ID 4104

3. Anti-Malware Scan Interface (AMSI)


4. Constrained Language Mode (CLM)

  • Integrated with AppLocker and WDAC (Device Guard)
  • Disables almost all interesting commands (e.g. .NET access) and the common Red Team PowerShell scripts
  • The only thing that still works under CLM is the official AD module

Check Windows Defender Application Control (WDAC):

  • PowerShell:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

Note that you can also check C:\Windows\System32\CodeIntegrity\ to see if there is any BlockRules.xml / SiPolicy.p7b / Merged.xml.



Execution Policy

  • This is NOT a security measure!
  • It only prevents users from accidentally executing scripts
  • Methods to bypass:
powershell -ep bypass
powershell -c <command>
powershell -encodedcommand $env:PSExecutionPolicyPreference="bypass"
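The following audit script is an added example and not part of the original notes: it reports which of the four detections above (transcription, script block logging, AMSI, CLM) are active on the host, the WDAC enforcement state from Win32_DeviceGuard, the policy files under C:\Windows\System32\CodeIntegrity\, and the execution policy per scope (informational only, since it is not a security boundary). It assumes the standard Group Policy registry locations for PowerShell transcription and script block logging, and the documented Win32_DeviceGuard status codes 0 = Off, 1 = Audit, 2 = Enforced.

```powershell
# Added example (not from the original notes): audit the PowerShell detection
# controls on this host. Assumptions: the registry paths below are the standard
# Group Policy locations; Win32_DeviceGuard status codes are 0=Off, 1=Audit, 2=Enforced.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$result = [ordered]@{}

# 1. System-wide transcription (GPO "Turn on PowerShell Transcription")
$tPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$result.Transcription = (Get-PolicyValue $tPath 'EnableTranscripting') -eq 1
$result.TranscriptDir = Get-PolicyValue $tPath 'OutputDirectory'

# 2. Script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational)
$sPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$result.ScriptBlockLogging = (Get-PolicyValue $sPath 'EnableScriptBlockLogging') -eq 1
$recent4104 = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
$result.Recent4104Seen = [bool]$recent4104

# 3. AMSI: amsi.dll is mapped into a PowerShell process when AMSI is active
$result.AmsiLoaded = [bool]((Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' })

# 4. Constrained Language Mode for the current session (FullLanguage vs ConstrainedLanguage)
$result.LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()

# WDAC / Device Guard enforcement state; user-mode code integrity (UMCI) is what forces CLM
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
$modes = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$result.UmciPolicy = if ($dg) { $modes[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus] } else { 'Unavailable' }
$result.KmciPolicy = if ($dg) { $modes[[int]$dg.CodeIntegrityPolicyEnforcementStatus] } else { 'Unavailable' }

# Deployed policy files mentioned in the notes
$result.PolicyFiles = (Get-ChildItem 'C:\Windows\System32\CodeIntegrity' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(SiPolicy\.p7b|BlockRules\.xml|Merged\.xml)$' } |
    Select-Object -ExpandProperty Name) -join ', '

# Execution policy per scope: informational only, it is not a security boundary
$result.ExecutionPolicy = (Get-ExecutionPolicy -List |
    ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

[pscustomobject]$result | Format-List
```

Run it from the PowerShell session you want to assess; the AMSI and LanguageMode fields describe that session specifically, while the registry and WMI fields describe host-wide configuration. A host where Transcription and ScriptBlockLogging are both false and UmciPolicy is Off has none of the four detections in place.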


Bypassing PowerShell Security - Invisi-Shell

We can use Invisi-Shell to bypass the security controls in PowerShell.


It hooks (by using CLR Profiler API) the .NET assemblies System.Management.Automation.dll and System.Core.dll to bypass logging.


A common language runtime (CLR) profiler is a dynamic link library (DLL) that consists of functions that receive messages from, and send messages to, the CLR by using the profiling API. The profiler DLL is loaded by the CLR at run time.


Note that if you want to bypass modern AV/EDR, you have to know how to customize tools instead of using publicly available ones.


To use Invisi-Shell:

  • With admin privileges:
RunWithPathAsAdmin.bat
  • Without admin privileges:
RunWithRegistryNonAdmin.bat
  • Type exit in the new PS session to complete the cleanup.
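From the defender's side, a profiler-based hook like the one described above relies on the documented CLR profiler activation mechanism: the runtime loads a profiler DLL only when COR_ENABLE_PROFILING and COR_PROFILER (or COR_PROFILER_PATH) are set in the process environment, and a CLSID named in COR_PROFILER resolves through Software\Classes\CLSID\{...}\InprocServer32 in HKCU or HKLM. The following hunt script is an added example, not part of the original notes or of the Invisi-Shell project: it lists profiler activation variables that persist in the user and machine environment keys, any present in the current process, and user-hive CLSID registrations whose InprocServer32 points outside protected directories. It assumes those findings are indicators to triage rather than proof of compromise, since legitimate APM and diagnostic profilers use the same mechanism.

```powershell
# Added example (not from the original notes or the Invisi-Shell project):
# hunt for CLR profiler activation on this host. Assumption: hits are triage
# leads, not proof of compromise, because legitimate profilers use the same mechanism.

$profilerVars = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Where, [string]$Name, $Value) {
    $findings.Add([pscustomobject]@{ Location = $Where; Name = $Name; Value = "$Value" })
}

# 1. Persistent environment variables: HKCU is writable without admin rights,
#    HKLM applies to every new process on the machine.
$envKeys = @{
    'HKCU\Environment'                          = 'HKCU:\Environment'
    'HKLM\...\Session Manager\Environment'      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
}
foreach ($label in $envKeys.Keys) {
    $props = Get-ItemProperty -Path $envKeys[$label] -ErrorAction SilentlyContinue
    foreach ($v in $profilerVars) {
        if ($props -and $props.PSObject.Properties[$v]) { Add-Finding $label $v $props.$v }
    }
}

# 2. The current process environment (a launcher that sets the variables only
#    for the child it spawns shows up here when run from inside that session).
foreach ($v in $profilerVars) {
    $val = [Environment]::GetEnvironmentVariable($v)
    if ($val) { Add-Finding 'Process' $v $val }
}

# 3. COM classes registered in the user hive whose server DLL lives outside
#    C:\Windows or C:\Program Files; a profiler CLSID registered by a non-admin
#    user has to live here.
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv -and $srv.'(default)' -notmatch '^(?i)C:\\(Windows|Program Files)') {
        Add-Finding 'HKCU CLSID' $_.PSChildName $srv.'(default)'
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No CLR profiler activation found.' }
```

The same three checks map directly onto preventive controls: the HKLM environment key is admin-only, so alerting on writes to COR_* values there and in HKCU\Environment (Sysmon event ID 13 or equivalent) catches the persistent variant, and an application control policy that blocks unsigned DLLs under user-writable paths stops the user-hive CLSID variant from loading at all.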