1
00:00:00,399 --> 00:00:02,080
hey greetings everyone welcome back
2
00:00:02,080 --> 00:00:03,120
today we're going to take a look at
3
00:00:03,120 --> 00:00:04,480
something really cool to
4
00:00:04,480 --> 00:00:07,520
bypass windows defender called
5
00:00:07,520 --> 00:00:09,599
amsi bypass it's going to be really cool
6
00:00:09,599 --> 00:00:10,719
but before we get started
7
00:00:10,719 --> 00:00:12,960
please do make sure that you hit the old
8
00:00:12,960 --> 00:00:14,240
subscribe button
9
00:00:14,240 --> 00:00:16,960
and follow me on instagram i'm out there
10
00:00:16,960 --> 00:00:17,840
so check me out
11
00:00:17,840 --> 00:00:20,160
just got that started uh hit like as
12
00:00:20,160 --> 00:00:22,240
well and as always i love having
13
00:00:22,240 --> 00:00:23,680
conversations with you good folks out
14
00:00:23,680 --> 00:00:24,320
there
15
00:00:24,320 --> 00:00:26,160
in the comments section so make sure you
16
00:00:26,160 --> 00:00:27,680
comment for me as well
17
00:00:27,680 --> 00:00:30,960
that said let's jump into this idea
18
00:00:30,960 --> 00:00:33,920
that is amsi bypass i know it sounds
19
00:00:33,920 --> 00:00:36,079
kind of like uh it sounds cool
20
00:00:36,079 --> 00:00:38,399
i gotta be honest like for me it just
21
00:00:38,399 --> 00:00:40,320
sounds kind of cool like i hear amc
22
00:00:40,320 --> 00:00:41,840
bypass
23
00:00:41,840 --> 00:00:43,280
almost like i'm getting away with
24
00:00:43,280 --> 00:00:44,960
watching movies that i should you know
25
00:00:44,960 --> 00:00:48,559
amc but it's not amc it's amsi
26
00:00:48,559 --> 00:00:50,800
or this is the anti-malware scan
27
00:00:50,800 --> 00:00:52,320
interface that's found
28
00:00:52,320 --> 00:00:55,440
inside of the windows operating systems
29
00:00:55,440 --> 00:00:57,039
as it were right and this will
30
00:00:57,039 --> 00:00:58,480
actually this is this is kind of a
31
00:00:58,480 --> 00:00:59,920
really neat thing i just looked at it
32
00:00:59,920 --> 00:01:01,840
very preliminarily i don't want to
33
00:01:01,840 --> 00:01:04,000
i don't want to pre-game too hard for
34
00:01:04,000 --> 00:01:05,680
you for you out there i want us to kind
35
00:01:05,680 --> 00:01:07,200
of like go down this road together i
36
00:01:07,200 --> 00:01:08,720
want to learn about this
37
00:01:08,720 --> 00:01:11,360
this kind of came up uh as i was hanging
38
00:01:11,360 --> 00:01:13,280
out with the one mr john hammond
39
00:01:13,280 --> 00:01:16,560
and he was doing some uh uh malware
40
00:01:16,560 --> 00:01:19,600
analysis analysis i guess is the right
41
00:01:19,600 --> 00:01:21,280
way right malware analysis
42
00:01:21,280 --> 00:01:24,560
um he was analyzing malware and he
43
00:01:24,560 --> 00:01:26,159
talked about amsi bypass and he just kind
44
00:01:26,159 --> 00:01:27,439
of fleeingly went by and he was
45
00:01:27,439 --> 00:01:28,720
explaining that the
46
00:01:28,720 --> 00:01:30,240
the malware that he was looking at was
47
00:01:30,240 --> 00:01:31,360
doing that i thought oh that's
48
00:01:31,360 --> 00:01:32,320
interesting
49
00:01:32,320 --> 00:01:34,479
i'm not 100 i understand about the idea
50
00:01:34,479 --> 00:01:35,600
of uh
51
00:01:35,600 --> 00:01:38,000
malware and antivirus evasion techniques
52
00:01:38,000 --> 00:01:39,759
but i'm not familiar
53
00:01:39,759 --> 00:01:42,079
really with this so i need to get
54
00:01:42,079 --> 00:01:43,280
schooled up on that so that's what i'm
55
00:01:43,280 --> 00:01:44,399
going to take a look at today let's get
56
00:01:44,399 --> 00:01:46,079
into the computer here
57
00:01:46,079 --> 00:01:48,560
i can find my mouse there we go i just
58
00:01:48,560 --> 00:01:49,840
googled it really quickly
59
00:01:49,840 --> 00:01:52,320
i i've nothing more than that and that's
60
00:01:52,320 --> 00:01:53,759
what i was looking at when i was like
61
00:01:53,759 --> 00:01:55,840
microsoft has developed the amsi or
62
00:01:55,840 --> 00:01:57,759
anti-malware scan interface
63
00:01:57,759 --> 00:02:00,159
as a method defend against common
64
00:02:00,159 --> 00:02:02,159
malware execution
65
00:02:02,159 --> 00:02:04,320
cool i mean that's that's pretty sweet
66
00:02:04,320 --> 00:02:05,759
actually that's that's neat that they
67
00:02:05,759 --> 00:02:07,280
put that in their operating system
68
00:02:07,280 --> 00:02:09,039
and they thought about it probably
69
00:02:09,039 --> 00:02:10,640
because
70
00:02:10,640 --> 00:02:12,000
they've been known to have an issue or
71
00:02:12,000 --> 00:02:14,000
two in the past in the past right
72
00:02:14,000 --> 00:02:16,080
and they are definitely a targeted
73
00:02:16,080 --> 00:02:17,440
operating system
74
00:02:17,440 --> 00:02:19,040
so it just makes sense that they would
75
00:02:19,040 --> 00:02:20,720
be doing that and the people at
76
00:02:20,720 --> 00:02:22,480
microsoft have been working
77
00:02:22,480 --> 00:02:25,520
uh toward more robust security i'm not
78
00:02:25,520 --> 00:02:27,680
saying that they're successful in that
79
00:02:27,680 --> 00:02:29,280
uh they can be and they cannot be it's
80
00:02:29,280 --> 00:02:31,519
all up to us as the hackers to um
81
00:02:31,519 --> 00:02:34,480
to be schooled and skilled in the
82
00:02:34,480 --> 00:02:35,840
necessary tradecraft
83
00:02:35,840 --> 00:02:37,280
to get around this stuff we're red
84
00:02:37,280 --> 00:02:39,040
teaming it up so i'm going to click on
85
00:02:39,040 --> 00:02:40,400
this first one and just see where that
86
00:02:40,400 --> 00:02:41,599
takes this is the number one with the
87
00:02:41,599 --> 00:02:42,319
bullet
88
00:02:42,319 --> 00:02:44,160
and this is found at pentest
89
00:02:44,160 --> 00:02:46,879
laboratories dot com forward slash 2021
90
00:02:46,879 --> 00:02:48,319
forward slash o five four slash one
91
00:02:48,319 --> 00:02:50,160
seven four slash amsi
92
00:02:50,160 --> 00:02:52,959
bypass dash methods that's right there
93
00:02:52,959 --> 00:02:53,840
you go
94
00:02:53,840 --> 00:02:56,319
all right microsoft has developed this
95
00:02:56,319 --> 00:02:57,680
as a method defend against common
96
00:02:57,680 --> 00:02:59,760
malware execution and protect the end
97
00:02:59,760 --> 00:03:00,879
user
98
00:03:00,879 --> 00:03:02,640
uh the default windows defender
99
00:03:02,640 --> 00:03:04,800
interacts with the amsi api
100
00:03:04,800 --> 00:03:08,000
to scan powershell scripts vba macros
101
00:03:08,000 --> 00:03:10,720
javascript uh and scripts using the
102
00:03:10,720 --> 00:03:12,959
windows script host technology
103
00:03:12,959 --> 00:03:14,959
during execution to prevent arbitrary
104
00:03:14,959 --> 00:03:16,080
execution of code
105
00:03:16,080 --> 00:03:19,120
that does sound like uh well for us if
106
00:03:19,120 --> 00:03:20,800
we're doing some red teaming or hacking
107
00:03:20,800 --> 00:03:22,080
ethically of course
108
00:03:22,080 --> 00:03:24,000
uh that would be a good time but it's
109
00:03:24,000 --> 00:03:25,360
not a good time for people that are
110
00:03:25,360 --> 00:03:27,040
actually running windows they don't
111
00:03:27,040 --> 00:03:28,159
we don't want people to be able to
112
00:03:28,159 --> 00:03:30,080
bypass that stuff or run uh
113
00:03:30,080 --> 00:03:33,120
arbitrary execution of code
114
00:03:33,120 --> 00:03:34,879
so it says however other antivirus
115
00:03:34,879 --> 00:03:37,200
products might contain support for amsi
116
00:03:37,200 --> 00:03:38,959
so organizations are not restricted to
117
00:03:38,959 --> 00:03:40,480
the use of windows defender
118
00:03:40,480 --> 00:03:42,480
so i guess that's why they built this so
119
00:03:42,480 --> 00:03:43,840
that they can
120
00:03:43,840 --> 00:03:45,519
oh okay you don't want to run windows
121
00:03:45,519 --> 00:03:46,959
defender that's fine
122
00:03:46,959 --> 00:03:49,200
i guess you know how microsoft is they
123
00:03:49,200 --> 00:03:50,319
like you to just use everything
124
00:03:50,319 --> 00:03:52,239
microsoft then i get that right they're
125
00:03:52,239 --> 00:03:53,439
they're a company they want to make that
126
00:03:53,439 --> 00:03:55,760
money um and why go anywhere else when
127
00:03:55,760 --> 00:03:57,360
they offer a very valid
128
00:03:57,360 --> 00:04:00,159
windows defender's not bad i'm not
129
00:04:00,159 --> 00:04:00,959
i'm not going to tell you
130
00:04:00,959 --> 00:04:03,840
any otherwise so but if you're running
131
00:04:03,840 --> 00:04:05,280
something else and you want to interface
132
00:04:05,280 --> 00:04:06,720
with this system
133
00:04:06,720 --> 00:04:08,560
that's fine that's what amsi is all about
134
00:04:08,560 --> 00:04:11,040
so really cool let's see here how amsi
135
00:04:11,040 --> 00:04:12,000
works
136
00:04:12,000 --> 00:04:14,000
quick and dirty here when a user
137
00:04:14,000 --> 00:04:15,760
executes a script or initiates
138
00:04:15,760 --> 00:04:16,639
powershell
139
00:04:16,639 --> 00:04:19,280
the amsi.dll is injected into the
140
00:04:19,280 --> 00:04:19,919
process
141
00:04:19,919 --> 00:04:22,160
memory space oh i always love this
142
00:04:22,160 --> 00:04:24,000
technical jargon that gets in here just
143
00:04:24,000 --> 00:04:25,919
twirls my beanie right i have a good
144
00:04:25,919 --> 00:04:27,040
time
145
00:04:27,040 --> 00:04:28,560
when we talk about this stuff it just
146
00:04:28,560 --> 00:04:30,479
makes me happy to hear it
147
00:04:30,479 --> 00:04:31,919
i know i'm like uh me and my friend
148
00:04:31,919 --> 00:04:33,360
justin used to talk about uh doing a
149
00:04:33,360 --> 00:04:34,639
show called tech next
150
00:04:34,639 --> 00:04:37,040
where we would be like too very
151
00:04:37,040 --> 00:04:38,320
technical because we're both very
152
00:04:38,320 --> 00:04:39,040
technical
153
00:04:39,040 --> 00:04:43,120
and we're both from very rural parts of
154
00:04:43,120 --> 00:04:45,680
um i guess we are considered a redneck
155
00:04:45,680 --> 00:04:47,600
you know or we know rednecks we grew up
156
00:04:47,600 --> 00:04:49,040
with rednecks
157
00:04:49,040 --> 00:04:51,919
um it's just funny play on words we
158
00:04:51,919 --> 00:04:53,680
don't take it too seriously right
159
00:04:53,680 --> 00:04:55,280
uh let's see here prior to the execution
160
00:04:55,280 --> 00:04:57,120
of the following two apis
161
00:04:57,120 --> 00:04:58,639
are you that's why you see the voice hey
162
00:04:58,639 --> 00:05:00,240
there man because i grew up when people
163
00:05:00,240 --> 00:05:01,600
talk just like this
164
00:05:01,600 --> 00:05:03,280
that's how a lot of people talk and it'd
165
00:05:03,280 --> 00:05:05,280
be just funny is if one of them good old
166
00:05:05,280 --> 00:05:06,639
boys out there knows how to change the
167
00:05:06,639 --> 00:05:08,720
tire and he knows about dll injections
168
00:05:08,720 --> 00:05:10,240
and amsi bypass
169
00:05:10,240 --> 00:05:13,360
right so i'm sorry i digress prior to
170
00:05:13,360 --> 00:05:15,039
execution the following two apis are
171
00:05:15,039 --> 00:05:17,600
used by the antivirus to scan the buffer
172
00:05:17,600 --> 00:05:20,000
and strings for sign of mount signs of
173
00:05:20,000 --> 00:05:20,880
malware
174
00:05:20,880 --> 00:05:23,199
so we've got this amsi scan buffer let's
175
00:05:23,199 --> 00:05:26,080
make sure you guys can see that
176
00:05:26,080 --> 00:05:29,520
an amsi scan string if a known signature
177
00:05:29,520 --> 00:05:31,039
is identified
178
00:05:31,039 --> 00:05:33,280
execution doesn't initiate and mess a
179
00:05:33,280 --> 00:05:34,800
message appears that the script has been
180
00:05:34,800 --> 00:05:35,360
blocked
181
00:05:35,360 --> 00:05:37,520
by the antivirus software the following
182
00:05:37,520 --> 00:05:39,360
diagram illustrates the
183
00:05:39,360 --> 00:05:41,680
amsi scanning so that's cool here's a
184
00:05:41,680 --> 00:05:43,360
nice little hey you've got this
185
00:05:43,360 --> 00:05:46,080
powershell process and
186
00:05:46,080 --> 00:05:48,880
into the amsi.dll it goes it runs these two
187
00:05:48,880 --> 00:05:50,000
amsi scan string
188
00:05:50,000 --> 00:05:53,199
and amsi scan buffer if
189
00:05:53,199 --> 00:05:57,120
a windows defender detects a signature
190
00:05:57,120 --> 00:05:59,199
you get a lovely little piece of red
191
00:05:59,199 --> 00:06:00,319
text that tells you
192
00:06:00,319 --> 00:06:02,080
how horrible you are and you should not
193
00:06:02,080 --> 00:06:03,520
run that
194
00:06:03,520 --> 00:06:06,240
so i wanted to test this and i know that
195
00:06:06,240 --> 00:06:07,039
this can be
196
00:06:07,039 --> 00:06:09,520
extremely sensitive like anything will
197
00:06:09,520 --> 00:06:10,479
move the needle
198
00:06:10,479 --> 00:06:11,680
on this stuff because i've played around
199
00:06:11,680 --> 00:06:13,840
with it a little bit before so i'm gonna
200
00:06:13,840 --> 00:06:14,160
run
201
00:06:14,160 --> 00:06:17,199
powershell power shell yes bring it
202
00:06:17,199 --> 00:06:19,840
all right so here's powershell can i
203
00:06:19,840 --> 00:06:21,759
just like control plus that no i can't
204
00:06:21,759 --> 00:06:23,680
i can shift control oh i don't know how
205
00:06:23,680 --> 00:06:26,479
to power shell increase
206
00:06:26,479 --> 00:06:29,759
font so i'll go to was its edits
207
00:06:29,759 --> 00:06:33,039
no properties there we go cursor size
208
00:06:33,039 --> 00:06:34,479
font that's what we're looking for
209
00:06:34,479 --> 00:06:37,840
let's go to 20. okay then there we go
210
00:06:37,840 --> 00:06:39,280
now we got some action
211
00:06:39,280 --> 00:06:40,880
now we can see i'm just going to do that
212
00:06:40,880 --> 00:06:42,560
so it full screens
213
00:06:42,560 --> 00:06:44,880
all right so in my i think i put in my
214
00:06:44,880 --> 00:06:46,720
documents directory vr
215
00:06:46,720 --> 00:06:48,720
yeah so i was playing around was like i
216
00:06:48,720 --> 00:06:50,000
was gonna get mimikatz and i was like
217
00:06:50,000 --> 00:06:51,440
can't you just
218
00:06:51,440 --> 00:06:52,880
run something and you'll notice this has
219
00:06:52,880 --> 00:06:54,639
zero length in it there's there's no
220
00:06:54,639 --> 00:06:56,319
data in there if i
221
00:06:56,319 --> 00:06:59,440
type if i can type
222
00:06:59,440 --> 00:07:02,880
uh invoke mimikatz you'll notice i'm
223
00:07:02,880 --> 00:07:04,160
still i'm still getting blocked there's
224
00:07:04,160 --> 00:07:05,199
nothing in that file
225
00:07:05,199 --> 00:07:08,759
it's just a file named invoke dash
226
00:07:08,759 --> 00:07:10,319
mimikatz.ps1
227
00:07:10,319 --> 00:07:11,680
but you'll see right here it's saying
228
00:07:11,680 --> 00:07:13,840
this script contains malicious content
229
00:07:13,840 --> 00:07:16,880
and has been blocked by your antivirus
230
00:07:16,880 --> 00:07:17,680
software
231
00:07:17,680 --> 00:07:20,800
that is the amsi
232
00:07:20,800 --> 00:07:23,919
business chucking it over to windows
233
00:07:23,919 --> 00:07:26,639
defender windows defender goes
234
00:07:26,639 --> 00:07:29,520
if i'm not mistaken correct me if i'm
235
00:07:29,520 --> 00:07:30,800
wrong good sir
236
00:07:30,800 --> 00:07:34,160
but i do believe that invoke mimikatz
237
00:07:34,160 --> 00:07:35,039
is bad
238
00:07:35,039 --> 00:07:36,639
and you shouldn't run it and i'm like
239
00:07:36,639 --> 00:07:38,319
well there's nothing really there but
240
00:07:38,319 --> 00:07:40,479
like i said this thing can be pretty
241
00:07:40,479 --> 00:07:41,680
sensitive
242
00:07:41,680 --> 00:07:44,080
so there it is uh in effect we've seen
243
00:07:44,080 --> 00:07:44,720
it work
244
00:07:44,720 --> 00:07:47,440
just minimize this we'll be back to here
245
00:07:47,440 --> 00:07:50,080
now let's take a look at evasions
246
00:07:50,080 --> 00:07:52,720
what can we do to get around that so
247
00:07:52,720 --> 00:07:54,560
let's take a look uh
248
00:07:54,560 --> 00:07:57,919
microsoft emblem amsi yeah yeah yeah
249
00:07:57,919 --> 00:07:59,840
offensive tooling also supports amsi
250
00:07:59,840 --> 00:08:01,520
bypasses that could be used in red team
251
00:08:01,520 --> 00:08:03,039
engagements
252
00:08:03,039 --> 00:08:04,800
prior to any script execution but manual
253
00:08:04,800 --> 00:08:06,879
methods could also be deployed
254
00:08:06,879 --> 00:08:10,879
number one powershell downgrade
255
00:08:10,879 --> 00:08:12,879
i mean it sounds cool like you know it
256
00:08:12,879 --> 00:08:14,879
sounds big but it's just oh we're just
257
00:08:14,879 --> 00:08:16,319
downgrading
258
00:08:16,319 --> 00:08:18,000
and you look you it says that even
259
00:08:18,000 --> 00:08:19,680
though powershell 2.0 has been
260
00:08:19,680 --> 00:08:21,280
deprecated
261
00:08:21,280 --> 00:08:22,800
uh microsoft hasn't removed it from the
262
00:08:22,800 --> 00:08:25,199
operating system well there you go
263
00:08:25,199 --> 00:08:27,919
like i said they're trying you know
264
00:08:27,919 --> 00:08:29,520
they're they're trying hard don't
265
00:08:29,520 --> 00:08:31,360
don't don't come down on them too hard
266
00:08:31,360 --> 00:08:32,640
but here they are
267
00:08:32,640 --> 00:08:35,839
saying this is dangerous and it doesn't
268
00:08:35,839 --> 00:08:38,080
look at this older versions of
269
00:08:38,080 --> 00:08:40,479
powershell doesn't contain security
270
00:08:40,479 --> 00:08:41,440
controls such
271
00:08:41,440 --> 00:08:44,560
as amsi protection and could be used as a
272
00:08:44,560 --> 00:08:45,920
form of evasion downgrading the
273
00:08:45,920 --> 00:08:47,440
powershell version to an older version
274
00:08:47,440 --> 00:08:48,959
is trivial and requires the execution of
275
00:08:48,959 --> 00:08:50,800
the following command which is
276
00:08:50,800 --> 00:08:54,320
powershell version 2. so let's give that
277
00:08:54,320 --> 00:08:55,760
a shot
278
00:08:55,760 --> 00:08:57,440
i don't know if this will work but we'll
279
00:08:57,440 --> 00:08:59,760
see i think it will
280
00:08:59,760 --> 00:09:02,640
uh oh it's cls here right yeah okay so
281
00:09:02,640 --> 00:09:03,680
it is
282
00:09:03,680 --> 00:09:05,200
you know i'm still gonna bump that font
283
00:09:05,200 --> 00:09:06,959
for you good folks i still find that to
284
00:09:06,959 --> 00:09:08,640
be
285
00:09:08,640 --> 00:09:10,399
it seemed to make the window bigger and
286
00:09:10,399 --> 00:09:12,480
not necessary oh that's the size because
287
00:09:12,480 --> 00:09:16,480
i'm a fool even though i'm in fonts
288
00:09:16,480 --> 00:09:21,839
very strange isn't there like a terminal
289
00:09:21,839 --> 00:09:23,440
i thought there was like an option to
290
00:09:23,440 --> 00:09:26,160
actually change the size of the font
291
00:09:26,160 --> 00:09:29,279
i thought that was it 24
292
00:09:29,279 --> 00:09:31,440
let's try that it's full screen yeah
293
00:09:31,440 --> 00:09:33,279
it's a little better a little better
294
00:09:33,279 --> 00:09:36,800
all right so we've got powershell dash
295
00:09:36,800 --> 00:09:39,839
version 2 if i'm not mistaken
296
00:09:39,839 --> 00:09:43,519
bing oh it is not installed
297
00:09:43,519 --> 00:09:45,200
oh oh because i don't have the net
298
00:09:45,200 --> 00:09:47,440
framework okay
299
00:09:47,440 --> 00:09:52,399
that's interesting so i need version
300
00:09:52,440 --> 00:09:54,000
2.05727 okay
301
00:09:54,000 --> 00:09:56,240
so well you know what that tells me is
302
00:09:56,240 --> 00:09:58,000
my machine if someone tried to do this
303
00:09:58,000 --> 00:09:58,720
bypass
304
00:09:58,720 --> 00:10:01,839
it would not work because i don't have
305
00:10:01,839 --> 00:10:02,399
the dot
306
00:10:02,399 --> 00:10:05,839
net framework install um
307
00:10:05,839 --> 00:10:08,399
and that is that version 2.0 now that's
308
00:10:08,399 --> 00:10:10,399
just because this is a fairly new pc for
309
00:10:10,399 --> 00:10:11,040
me
310
00:10:11,040 --> 00:10:13,360
i haven't needed to have net framework
311
00:10:13,360 --> 00:10:14,480
installed at least not for
312
00:10:14,480 --> 00:10:17,120
anything i can remember but it doesn't
313
00:10:17,120 --> 00:10:19,440
say it's that version 2 isn't installed
314
00:10:19,440 --> 00:10:21,680
but it is required to run it
315
00:10:21,680 --> 00:10:23,600
so for any reason i install something
316
00:10:23,600 --> 00:10:24,800
that requires the
317
00:10:24,800 --> 00:10:27,920
net framework of v2.0 and maybe other
318
00:10:27,920 --> 00:10:28,959
versions would
319
00:10:28,959 --> 00:10:32,880
suffice i'm actually oh you know what
320
00:10:32,880 --> 00:10:35,120
stop me just see if we can get some i
321
00:10:35,120 --> 00:10:36,160
want to check the
322
00:10:36,160 --> 00:10:38,160
let me go to you're like what are you
323
00:10:38,160 --> 00:10:39,839
doing you're talking crazy man
324
00:10:39,839 --> 00:10:41,600
i know i'm like my thoughts are jumping
325
00:10:41,600 --> 00:10:42,880
all over the place i'm going to open the
326
00:10:42,880 --> 00:10:43,920
control panel
327
00:10:43,920 --> 00:10:46,000
uh i'm going to do that by clicking the
328
00:10:46,000 --> 00:10:47,120
right thing
329
00:10:47,120 --> 00:10:51,360
and control panel and i'm going to go to
330
00:10:51,360 --> 00:10:55,200
the programs and features
331
00:10:55,200 --> 00:10:58,560
and then go to look and see if i have
332
00:10:58,560 --> 00:10:59,040
any
333
00:10:59,040 --> 00:11:01,040
net framework installed it does not look
334
00:11:01,040 --> 00:11:02,399
like it
335
00:11:02,399 --> 00:11:04,640
let's go to windows features on or off
336
00:11:04,640 --> 00:11:06,480
does that and maybe in there
337
00:11:06,480 --> 00:11:09,519
net framework 4.8
338
00:11:09,519 --> 00:11:12,720
but not like net framework 3 or
339
00:11:12,720 --> 00:11:14,480
net framework 2. let's see if we can
340
00:11:14,480 --> 00:11:17,959
install that i'll see here
341
00:11:17,959 --> 00:11:22,160
download .net 2.0
342
00:11:22,800 --> 00:11:24,880
let's see here there it is download
343
00:11:24,880 --> 00:11:26,399
that's
344
00:11:26,399 --> 00:11:27,600
let's get it going i can always
345
00:11:27,600 --> 00:11:28,959
uninstall it right you're like you're
346
00:11:28,959 --> 00:11:30,959
making your system less secure yes i
347
00:11:30,959 --> 00:11:32,160
know
348
00:11:32,160 --> 00:11:33,680
it's all for the cause right it's all
349
00:11:33,680 --> 00:11:36,880
for learning and understanding and
350
00:11:36,880 --> 00:11:38,640
trying to be better at this stuff right
351
00:11:38,640 --> 00:11:40,240
so i want to download yes
352
00:11:40,240 --> 00:11:43,120
english is rights that all looks good
353
00:11:43,120 --> 00:11:45,040
hit the download
354
00:11:45,040 --> 00:11:48,720
come on give it to me yeah save it
355
00:11:48,720 --> 00:11:50,320
give it yeah you can see where i was
356
00:11:50,320 --> 00:11:52,880
trying to download uh
357
00:11:52,880 --> 00:11:55,760
uh powersport and brave was like no you
358
00:11:55,760 --> 00:11:57,040
don't
359
00:11:57,040 --> 00:11:59,040
you don't play with that stuff i mean
360
00:11:59,040 --> 00:12:00,560
you crazy
361
00:12:00,560 --> 00:12:03,440
you out of your mind i'm like yeah kinda
362
00:12:03,440 --> 00:12:04,480
a little bit
363
00:12:04,480 --> 00:12:07,200
i'm scared i'll do what i want open
364
00:12:07,200 --> 00:12:10,079
let's see your show and folder
365
00:12:10,079 --> 00:12:13,920
fire that off get that installed
366
00:12:13,920 --> 00:12:16,800
yes such a pretty chime there you go all
367
00:12:16,800 --> 00:12:18,320
right so this is telling me
368
00:12:18,320 --> 00:12:21,120
oh it includes 2.0 so if you if you
369
00:12:21,120 --> 00:12:21,680
install the
370
00:12:21,680 --> 00:12:24,000
net framework 3.5 it includes 2.0 and
371
00:12:24,000 --> 00:12:25,519
3.0
372
00:12:25,519 --> 00:12:30,000
yes go install and honestly .net 3.5 is
373
00:12:30,000 --> 00:12:31,200
probably something i would have
374
00:12:31,200 --> 00:12:32,800
installed eventually anyway
375
00:12:32,800 --> 00:12:35,920
just for all the random shenanigans i do
376
00:12:35,920 --> 00:12:38,079
i probably should be doing this all in a
377
00:12:38,079 --> 00:12:38,959
vm but
378
00:12:38,959 --> 00:12:40,399
what are you gonna do right now like i
379
00:12:40,399 --> 00:12:42,320
said i'll uninstall it when i'm done
380
00:12:42,320 --> 00:12:45,839
uh or i'll uninstall version 2.0 of
381
00:12:45,839 --> 00:12:47,600
powershell
382
00:12:47,600 --> 00:12:50,480
which is probably the more the like the
383
00:12:50,480 --> 00:12:51,680
better option
384
00:12:51,680 --> 00:12:54,560
just get rid of the 2.0 powershell you
385
00:12:54,560 --> 00:12:56,399
gotta worry about it then i can have
386
00:12:56,399 --> 00:12:58,320
net whatever i want as long as there's
387
00:12:58,320 --> 00:12:59,600
no known vulnerabilities which i don't
388
00:12:59,600 --> 00:13:00,720
know any of
389
00:13:00,720 --> 00:13:02,800
but uh yeah this is fun we're just
390
00:13:02,800 --> 00:13:04,839
waiting for this to
391
00:13:04,839 --> 00:13:07,360
download almost there
392
00:13:07,360 --> 00:13:11,200
we're almost at the station but
393
00:13:11,200 --> 00:13:13,519
hopefully once we get this installed
394
00:13:13,519 --> 00:13:16,079
this little downgrade attack
395
00:13:16,079 --> 00:13:17,839
right might bring us to the to the
396
00:13:17,839 --> 00:13:19,279
mountaintop
397
00:13:19,279 --> 00:13:21,120
as it were come on download the files
398
00:13:21,120 --> 00:13:22,480
you can do this thing
399
00:13:22,480 --> 00:13:23,600
man i should have brought a cup of water
400
00:13:23,600 --> 00:13:25,440
in here i'm a little a little parched
401
00:13:25,440 --> 00:13:26,000
today
402
00:13:26,000 --> 00:13:27,440
a little i've been speaking i had a
403
00:13:27,440 --> 00:13:29,440
webinar today then i
404
00:13:29,440 --> 00:13:32,720
filmed a youtube asset for uh work
405
00:13:32,720 --> 00:13:33,920
uh but it was really cool because it's
406
00:13:33,920 --> 00:13:35,920
gonna be a ctf walkthrough so it's gonna
407
00:13:35,920 --> 00:13:36,880
be fun
408
00:13:36,880 --> 00:13:39,279
it's gonna be good stuff trying to bring
409
00:13:39,279 --> 00:13:42,240
you good folks out there all the goods
410
00:13:42,240 --> 00:13:44,720
that's that's my that's my way that's
411
00:13:44,720 --> 00:13:46,079
how i do things right
412
00:13:46,079 --> 00:13:48,399
all right come on that i hate when it
413
00:13:48,399 --> 00:13:50,079
gets to that little
414
00:13:50,079 --> 00:13:53,440
tiny bar you just gotta go
415
00:13:53,440 --> 00:13:55,680
just just i feel like office space right
416
00:13:55,680 --> 00:13:57,279
when he's trying to get out of work
417
00:13:57,279 --> 00:14:00,240
and he's like i want to come on you know
418
00:14:00,240 --> 00:14:01,760
and then the bar fills in and then
419
00:14:01,760 --> 00:14:02,959
another bar shows up he's like
420
00:14:02,959 --> 00:14:05,920
you got to be kidding me all right we've
421
00:14:05,920 --> 00:14:08,079
got to be close
422
00:14:08,079 --> 00:14:11,440
we've got to be almost there
423
00:14:11,519 --> 00:14:14,079
please simon says go i never would have
424
00:14:14,079 --> 00:14:16,160
thought this would have been like
425
00:14:16,160 --> 00:14:19,600
this difficult to do
426
00:14:19,600 --> 00:14:20,639
you know what though i'm just being
427
00:14:20,639 --> 00:14:22,000
impatient when you got the camera
428
00:14:22,000 --> 00:14:23,440
running
429
00:14:23,440 --> 00:14:25,120
and you're trying to show people stuff
430
00:14:25,120 --> 00:14:26,639
the last thing in the world you want is
431
00:14:26,639 --> 00:14:27,519
to wait
432
00:14:27,519 --> 00:14:30,399
for a file to download which is exactly
433
00:14:30,399 --> 00:14:32,000
what's happening now
434
00:14:32,000 --> 00:14:35,360
um yeah
435
00:14:35,360 --> 00:14:36,800
yeah there's that so what i'm going to
436
00:14:36,800 --> 00:14:38,399
do is oh
437
00:14:38,399 --> 00:14:41,040
oh it's installing hey i think all you
438
00:14:41,040 --> 00:14:42,079
have to do is
439
00:14:42,079 --> 00:14:45,199
threaten to pause the video
440
00:14:45,199 --> 00:14:47,199
and then it will go yeah i'm gonna pause
441
00:14:47,199 --> 00:14:48,240
that video
442
00:14:48,240 --> 00:14:50,880
good and hard and man be paused all day
443
00:14:50,880 --> 00:14:52,480
long
444
00:14:52,480 --> 00:14:55,120
i'm just trying to coax it into into
445
00:14:55,120 --> 00:14:57,120
installing
446
00:14:57,120 --> 00:14:58,320
anyway a couple of you asked about my
447
00:14:58,320 --> 00:15:00,480
guitars while we're waiting
448
00:15:00,480 --> 00:15:01,920
uh i've got quite a few always try to
449
00:15:01,920 --> 00:15:03,920
rotate something different up there
450
00:15:03,920 --> 00:15:05,519
i don't have a ton of stuff but i have a
451
00:15:05,519 --> 00:15:07,279
few up there right now
452
00:15:07,279 --> 00:15:09,279
paul reed smith sc that i bought way
453
00:15:09,279 --> 00:15:11,440
back in the day love that guitar
454
00:15:11,440 --> 00:15:13,040
i use it for playing like alternate
455
00:15:13,040 --> 00:15:15,199
tunings that one specifically
456
00:15:15,199 --> 00:15:17,680
i've got others as well but maybe i'll
457
00:15:17,680 --> 00:15:19,120
throw a shout out to the old guitars in
458
00:15:19,120 --> 00:15:20,240
the back and you can't see them over
459
00:15:20,240 --> 00:15:20,959
here with
460
00:15:20,959 --> 00:15:25,600
there's amps that way
461
00:15:25,600 --> 00:15:28,000
can you see that amps are that way oh
462
00:15:28,000 --> 00:15:29,120
you can't see the guitar because i've
463
00:15:29,120 --> 00:15:30,639
got the computer screen up
464
00:15:30,639 --> 00:15:33,440
close up me yeah there it is there's the
465
00:15:33,440 --> 00:15:34,399
guitar
466
00:15:34,399 --> 00:15:38,079
that's the prs se that i bought
467
00:15:38,079 --> 00:15:42,000
two thousand like
468
00:15:42,000 --> 00:15:44,959
six somewhere in there yeah something
469
00:15:44,959 --> 00:15:46,160
like that
470
00:15:46,160 --> 00:15:47,360
but there we go we got this installed
471
00:15:47,360 --> 00:15:49,360
we'll get back to the computer no more
472
00:15:49,360 --> 00:15:51,199
guitar stuff
473
00:15:51,199 --> 00:15:53,680
all right so that is installed let's see
474
00:15:53,680 --> 00:15:55,759
if that
475
00:15:55,759 --> 00:15:59,199
what is this what is this oh i i express
476
00:15:59,199 --> 00:16:01,600
setup install using compatibility
477
00:16:01,600 --> 00:16:03,120
settings whatever you need man just get
478
00:16:03,120 --> 00:16:04,399
it done
479
00:16:04,399 --> 00:16:07,680
yes do the thing
480
00:16:07,680 --> 00:16:10,160
this thing always acts like is uh did
481
00:16:10,160 --> 00:16:11,279
the program work collectively
482
00:16:11,279 --> 00:16:16,240
i don't know sure worked fine
483
00:16:16,320 --> 00:16:18,079
scared i don't need the download thing
484
00:16:18,079 --> 00:16:20,480
anymore and let's bring up powershell
485
00:16:20,480 --> 00:16:24,240
let's try it one more time hey hey
486
00:16:24,240 --> 00:16:26,959
well look at there now that we're in
487
00:16:26,959 --> 00:16:28,320
here
488
00:16:28,320 --> 00:16:30,240
right we got the invoke mimikatz i can
489
00:16:30,240 --> 00:16:31,360
do the same thing type
490
00:16:31,360 --> 00:16:36,240
invoke mimikatz oh and it ran oh that
491
00:16:36,240 --> 00:16:38,240
was too stupid easy
492
00:16:38,240 --> 00:16:41,360
okay that was an easy one so here's the
493
00:16:41,360 --> 00:16:42,480
thing
494
00:16:42,480 --> 00:16:46,160
if uh yeah you can downgrade into
495
00:16:46,160 --> 00:16:49,440
powershell version 2 that you can run
496
00:16:49,440 --> 00:16:51,360
dangerous things because it's not doing
497
00:16:51,360 --> 00:16:53,360
an AMSI check
498
00:16:53,360 --> 00:16:56,399
fyi and that was kind of stupid easy to
499
00:16:56,399 --> 00:16:57,759
do
500
00:16:57,759 --> 00:17:01,839
uh wow that was kind of cool actually
501
00:17:01,839 --> 00:17:03,600
all right let's move on we got one in
502
00:17:03,600 --> 00:17:05,439
the back not that i'm gonna demo every
503
00:17:05,439 --> 00:17:06,720
one of these things
504
00:17:06,720 --> 00:17:08,240
uh i know there's a few of them in this
505
00:17:08,240 --> 00:17:10,160
list because i saw how
506
00:17:10,160 --> 00:17:12,240
big the scroll bar is and the fact that
507
00:17:12,240 --> 00:17:13,199
it's being numbered
508
00:17:13,199 --> 00:17:14,480
seems to indicate the fact that there
509
00:17:14,480 --> 00:17:17,039
would be more than one um
510
00:17:17,039 --> 00:17:18,480
let's go to the let's go to the next one
511
00:17:18,480 --> 00:17:21,679
because that was ridiculous
512
00:17:21,679 --> 00:17:25,679
uh let's see here base64 encoding
513
00:17:25,679 --> 00:17:28,319
okay oh blah blah blah to prove that if
514
00:17:28,319 --> 00:17:30,480
base64 is used on strings
515
00:17:30,480 --> 00:17:34,480
the AmsiUtils and amsiInit
516
00:17:34,480 --> 00:17:37,679
yeah amsiInitFailed that trigger AMSI
517
00:17:37,679 --> 00:17:41,200
and decoded at runtime could be used as
518
00:17:41,200 --> 00:17:42,720
an evasion defeating these signatures of
519
00:17:42,720 --> 00:17:44,000
microsoft
520
00:17:44,000 --> 00:17:47,440
this technique prevents AMSI
521
00:17:47,440 --> 00:17:49,520
prevents AMSI scanning capability for the
522
00:17:49,520 --> 00:17:51,360
current process
523
00:17:51,360 --> 00:17:53,679
by setting the AMSI failed flag or
524
00:17:53,679 --> 00:17:54,880
amsiInitFailed flag
525
00:17:54,880 --> 00:17:58,000
okay so i'm taking that to mean
526
00:17:58,000 --> 00:18:01,039
that if
527
00:18:01,039 --> 00:18:04,480
you set this or you use base
528
00:18:04,480 --> 00:18:06,799
64 all right so here's the original AMSI
529
00:18:06,799 --> 00:18:09,039
bypass Ref.Assembly GetType
530
00:18:09,039 --> 00:18:10,799
System.Management.Automation.Amsi
531
00:18:10,799 --> 00:18:13,200
Utils GetField
532
00:18:13,200 --> 00:18:15,280
and there it is so basically you're
533
00:18:15,280 --> 00:18:16,559
saying
534
00:18:16,559 --> 00:18:19,840
that AMSI didn't start
535
00:18:19,840 --> 00:18:22,720
right amsiInitFailed so you're
536
00:18:22,720 --> 00:18:23,520
flagging
537
00:18:23,520 --> 00:18:26,480
that AMSI just didn't work so just go
538
00:18:26,480 --> 00:18:27,760
ahead and run this so don't worry about
539
00:18:27,760 --> 00:18:29,280
AMSI checking because it didn't work
540
00:18:29,280 --> 00:18:30,480
anyway
541
00:18:30,480 --> 00:18:32,000
so i guess you go on to the next step
542
00:18:32,000 --> 00:18:33,840
which is run this code
543
00:18:33,840 --> 00:18:36,960
and then here's a base64
544
00:18:36,960 --> 00:18:39,440
version of that which i guess is the the
545
00:18:39,440 --> 00:18:40,559
bypass
546
00:18:40,559 --> 00:18:43,520
you base64 encode this stuff so you can
547
00:18:43,520 --> 00:18:45,360
see this Text.Encoding
548
00:18:45,360 --> 00:18:49,160
right and then oops a little too far
549
00:18:49,160 --> 00:18:51,760
Unicode.GetString was that back here at
550
00:18:51,760 --> 00:18:53,280
all
551
00:18:53,280 --> 00:18:56,960
no so we got to see
552
00:18:56,960 --> 00:19:00,240
what it's doing here FromBase64String
553
00:19:00,240 --> 00:19:02,320
so you just start popping the base64
554
00:19:02,320 --> 00:19:03,919
equivalents
555
00:19:03,919 --> 00:19:06,960
of c all this stuff right here
556
00:19:06,960 --> 00:19:10,880
is actually like the base64 of .GetField
557
00:19:10,880 --> 00:19:12,799
and then Text.Encoding Unicode GetString
558
00:19:12,799 --> 00:19:14,799
get blah blah blah blah
559
00:19:14,799 --> 00:19:17,120
is going to be right there's the base
560
00:19:17,120 --> 00:19:18,240
64.
561
00:19:18,240 --> 00:19:20,720
and that's going to be all this stuff
562
00:19:20,720 --> 00:19:23,440
which is normally like hey don't do that
563
00:19:23,440 --> 00:19:26,240
i might give you a problem but here
564
00:19:26,240 --> 00:19:27,919
because it's base64 encoded we don't
565
00:19:27,919 --> 00:19:30,880
get that problem we get a bypass
566
00:19:30,880 --> 00:19:34,320
um i wonder if that'll work
567
00:19:34,320 --> 00:19:36,080
oh is it is it actually running anything
568
00:19:36,080 --> 00:19:39,919
or is it just like how do you run this
569
00:19:39,919 --> 00:19:42,559
all right Invoke-Mimikatz so i'm looking
570
00:19:42,559 --> 00:19:44,720
at there
571
00:19:44,720 --> 00:19:47,440
i don't have a sorry you can't really
572
00:19:47,440 --> 00:19:48,160
increase
573
00:19:48,160 --> 00:19:50,880
the the size of the picture i'll read it
574
00:19:50,880 --> 00:19:52,080
to you though
575
00:19:52,080 --> 00:19:53,760
it looks like it's throwing that stuff
576
00:19:53,760 --> 00:19:56,720
at it i'm looking for where you actually
577
00:19:56,720 --> 00:19:58,720
oh you just run that string okay i'm
578
00:19:58,720 --> 00:20:00,799
gonna double click that
579
00:20:00,799 --> 00:20:05,280
copy and then here
580
00:20:05,840 --> 00:20:08,960
fire off oh it didn't like that did it
581
00:20:08,960 --> 00:20:10,400
no it did not
582
00:20:10,400 --> 00:20:13,440
oh antivirus found threats what does it
583
00:20:13,440 --> 00:20:14,080
find
584
00:20:14,080 --> 00:20:16,320
what does it hate what is it not a fan
585
00:20:16,320 --> 00:20:17,760
of
586
00:20:17,760 --> 00:20:23,440
all right maybe it's in like the
587
00:20:24,000 --> 00:20:26,720
pc could be at risk i don't want to scan
588
00:20:26,720 --> 00:20:28,320
so it just didn't like that okay
589
00:20:28,320 --> 00:20:30,000
so it's not that it found like the
590
00:20:30,000 --> 00:20:32,799
Invoke-Mimikatz.ps1 thing that i made
591
00:20:32,799 --> 00:20:35,360
it just did not like that code even
592
00:20:35,360 --> 00:20:36,640
though
593
00:20:36,640 --> 00:20:39,440
that was base64 encoded that was the
594
00:20:39,440 --> 00:20:40,960
that was the bypass this one
595
00:20:40,960 --> 00:20:42,799
didn't seem to have worked at least not
596
00:20:42,799 --> 00:20:44,320
on my system that doesn't mean it won't
597
00:20:44,320 --> 00:20:44,880
work
598
00:20:44,880 --> 00:20:46,799
it just means it didn't work here could
599
00:20:46,799 --> 00:20:48,000
work somewhere else
600
00:20:48,000 --> 00:20:50,880
all right uh let's see here let's get a
601
00:20:50,880 --> 00:20:51,840
move on here
602
00:20:51,840 --> 00:20:54,720
get out of my face all right hooking
603
00:20:54,720 --> 00:20:55,440
number three
604
00:20:55,440 --> 00:20:58,799
hooking um that's an interesting choice
605
00:20:58,799 --> 00:20:59,440
of words
606
00:20:59,440 --> 00:21:02,240
uh Tom Carver created a proof of concept
607
00:21:02,240 --> 00:21:04,080
in the form of a DLL file which evades
608
00:21:04,080 --> 00:21:06,000
AMSI by hooking into the AmsiScan
609
00:21:06,000 --> 00:21:07,280
Buffer function
610
00:21:07,280 --> 00:21:09,120
the AmsiScanBuffer will then be
611
00:21:09,120 --> 00:21:10,960
executed with dummy parameters
612
00:21:10,960 --> 00:21:12,559
the DLL needs to be injected into the
613
00:21:12,559 --> 00:21:14,080
PowerShell process
614
00:21:14,080 --> 00:21:16,960
in which the AMSI bypass will be performed
615
00:21:16,960 --> 00:21:18,080
okay
616
00:21:18,080 --> 00:21:20,799
so you got the SimpleInjector.exe which
617
00:21:20,799 --> 00:21:22,400
i don't have
618
00:21:22,400 --> 00:21:24,400
and then you invoke powershell.exe and
619
00:21:24,400 --> 00:21:27,039
then AmsiHook.dll
620
00:21:27,039 --> 00:21:29,679
right that's what it looks like yeah
621
00:21:29,679 --> 00:21:32,000
it's like one big one-liner
622
00:21:32,000 --> 00:21:35,039
kind of thing and then off it goes
623
00:21:35,039 --> 00:21:36,720
i guess you would have to go get that
624
00:21:36,720 --> 00:21:38,880
and download it i assume that's what's
625
00:21:38,880 --> 00:21:41,039
going on
626
00:21:41,039 --> 00:21:42,480
that texas number well that was a quick
627
00:21:42,480 --> 00:21:45,200
one um i don't see where that
628
00:21:45,200 --> 00:21:47,679
is though
629
00:21:48,240 --> 00:21:51,520
i know that's not this this is just the
630
00:21:51,520 --> 00:21:54,720
the commands to execute
631
00:21:54,720 --> 00:21:56,840
and then here is like a picture of it
632
00:21:56,840 --> 00:21:58,640
working
633
00:21:58,640 --> 00:22:00,400
try the new cross-platform PowerShell
634
00:22:00,400 --> 00:22:01,679
what is all this okay
635
00:22:01,679 --> 00:22:04,640
yeah got process safety for powershell
636
00:22:04,640 --> 00:22:06,000
so yeah this is a
637
00:22:06,000 --> 00:22:07,520
this looks like a compiled program that
638
00:22:07,520 --> 00:22:09,280
does this you give it all the necessary
639
00:22:09,280 --> 00:22:10,320
items
640
00:22:10,320 --> 00:22:13,360
and you got your bypass all right
641
00:22:13,360 --> 00:22:16,559
memory patching number four Daniel
642
00:22:16,559 --> 00:22:17,600
Duggan
643
00:22:17,600 --> 00:22:19,520
really is it Dugan or Duggan i think
644
00:22:19,520 --> 00:22:21,200
it's Duggan with
645
00:22:21,200 --> 00:22:23,440
two g's i would assume it's still good
646
00:22:23,440 --> 00:22:25,280
he released an AMSI bypass which patches
647
00:22:25,280 --> 00:22:27,280
the AmsiScanBuffer function in order
648
00:22:27,280 --> 00:22:28,559
to return
649
00:22:28,559 --> 00:22:32,000
always AMSI_RESULT_CLEAN which indicates
650
00:22:32,000 --> 00:22:34,480
that no detection has been found
651
00:22:34,480 --> 00:22:35,919
the patch is displayed in the following
652
00:22:35,919 --> 00:22:37,760
line so
653
00:22:37,760 --> 00:22:40,640
you run this and then the bypass has
654
00:22:40,640 --> 00:22:42,320
been released in C# and PowerShell
655
00:22:42,320 --> 00:22:44,080
the DLL can be loaded
656
00:22:44,080 --> 00:22:48,080
and executed with the following commands
657
00:22:48,080 --> 00:22:53,200
okay okay so you need to get
658
00:22:53,200 --> 00:22:57,440
the bypass downloaded for this to work
659
00:22:57,440 --> 00:22:59,200
and then it will run and here it is like
660
00:22:59,200 --> 00:23:01,520
showing you how Invoke-Mimikatz doesn't
661
00:23:01,520 --> 00:23:02,880
work
662
00:23:02,880 --> 00:23:05,280
and then they do System.Reflection dot
663
00:23:05,280 --> 00:23:06,799
Assembly LoadFile
664
00:23:06,799 --> 00:23:08,960
and then there's this AMSI bypass DLL
665
00:23:08,960 --> 00:23:10,559
which i don't have a copy up
666
00:23:10,559 --> 00:23:14,159
either i might be able to go here let's
667
00:23:14,159 --> 00:23:18,720
check that oh Rasta Mouse
668
00:23:19,919 --> 00:23:24,640
is this it no this is not cs
669
00:23:24,640 --> 00:23:29,520
but maybe you have to compile that
670
00:23:29,520 --> 00:23:31,200
yeah maybe so that's a little too much
671
00:23:31,200 --> 00:23:32,400
work i'm not getting that deep in the
672
00:23:32,400 --> 00:23:34,159
weeds i just want to be aware of it
673
00:23:34,159 --> 00:23:35,520
maybe that would be a way it would go
674
00:23:35,520 --> 00:23:37,760
down a little bit further
675
00:23:37,760 --> 00:23:39,360
in the future but i'm not going to worry
676
00:23:39,360 --> 00:23:41,200
about it right now all right what else
677
00:23:41,200 --> 00:23:43,039
do we got here
678
00:23:43,039 --> 00:23:45,520
uh that was number four oh there's a
679
00:23:45,520 --> 00:23:47,360
little more here by default PowerShell
680
00:23:47,360 --> 00:23:48,960
version is getting flagged
681
00:23:48,960 --> 00:23:50,640
the AMSITrigger could be used to
682
00:23:50,640 --> 00:23:52,000
discover strings that are flagged by the
683
00:23:52,000 --> 00:23:54,480
AMSI making calls to AmsiScanBuffer
684
00:23:54,480 --> 00:23:55,840
following lines have been identified and
685
00:23:55,840 --> 00:23:57,600
will need to be obfuscated
686
00:23:57,600 --> 00:23:58,880
so there you go don't forget to
687
00:23:58,880 --> 00:24:00,799
obfuscate that goodness
688
00:24:00,799 --> 00:24:02,559
how did they do it they just kind of
689
00:24:02,559 --> 00:24:05,279
concatenated things together
690
00:24:05,279 --> 00:24:08,400
a standard trick of the trade
691
00:24:08,400 --> 00:24:10,799
for those of you who are i don't mean to
692
00:24:10,799 --> 00:24:11,679
talk past you
693
00:24:11,679 --> 00:24:14,559
sorry concatenation is just the taking
694
00:24:14,559 --> 00:24:14,880
of
695
00:24:14,880 --> 00:24:17,760
things and smashing them together so
696
00:24:17,760 --> 00:24:19,919
instead of having uh what was the word
697
00:24:19,919 --> 00:24:20,960
here so like
698
00:24:20,960 --> 00:24:23,679
AMSITrigger is probably gonna get picked
699
00:24:23,679 --> 00:24:25,279
up and go hey that's wrong you can't do
700
00:24:25,279 --> 00:24:27,200
that you get the red text and you you
701
00:24:27,200 --> 00:24:28,559
know die inside a little
702
00:24:28,559 --> 00:24:32,159
uh what i can do is i can
703
00:24:32,240 --> 00:24:34,400
concatenate or smash the or kind of
704
00:24:34,400 --> 00:24:36,320
break apart and then
705
00:24:36,320 --> 00:24:37,679
as it runs it'll put it all back
706
00:24:37,679 --> 00:24:39,360
together so i take
707
00:24:39,360 --> 00:24:42,799
their example is to take
708
00:24:42,799 --> 00:24:46,400
Amsi plus Scan plus Buffer
709
00:24:46,400 --> 00:24:49,840
yeah yeah i guess that's not in the
710
00:24:49,840 --> 00:24:52,559
uh not in the actual name or the
711
00:24:52,559 --> 00:24:53,600
commands i'm sorry
712
00:24:53,600 --> 00:24:55,520
having trouble today my brain just ain't
713
00:24:55,520 --> 00:24:56,960
working
714
00:24:56,960 --> 00:25:01,279
um but then there's maybe that's inside
715
00:25:01,279 --> 00:25:06,640
of the actual uh ASB bypass
716
00:25:06,640 --> 00:25:08,400
all right then there's obfuscated code
717
00:25:08,400 --> 00:25:09,760
look at this
718
00:25:09,760 --> 00:25:11,200
the code contained within the powershell
719
00:25:11,200 --> 00:25:12,880
script will evade AMSI and perform memory
720
00:25:12,880 --> 00:25:14,400
patching is this
721
00:25:14,400 --> 00:25:17,919
it is this the whole thing
722
00:25:18,960 --> 00:25:22,880
um it could be
723
00:25:23,120 --> 00:25:28,640
is this AMSI bypass or ASBBypass.ps1
724
00:25:28,640 --> 00:25:33,200
i don't know guess what i'm gonna try it
725
00:25:35,840 --> 00:25:37,200
i guess it's already done what am i
726
00:25:37,200 --> 00:25:39,120
doing this is not how you do this Daniel
727
00:25:39,120 --> 00:25:39,679
go to
728
00:25:39,679 --> 00:25:43,760
here grab that
729
00:25:43,760 --> 00:25:46,880
copy and then
730
00:25:46,880 --> 00:25:49,840
go to my folder go to here and then say
731
00:25:49,840 --> 00:25:51,679
new
732
00:25:51,679 --> 00:25:55,200
text documents and call this
733
00:25:55,200 --> 00:25:58,960
what was it called a i hate when i can't
734
00:25:58,960 --> 00:26:01,440
remember
735
00:26:02,159 --> 00:26:04,400
what they call this thing i just can't
736
00:26:04,400 --> 00:26:06,559
remember this
737
00:26:06,559 --> 00:26:09,520
okay be that way get out of my way
738
00:26:09,520 --> 00:26:10,799
because i can't see
739
00:26:10,799 --> 00:26:13,679
what is going on
740
00:26:13,840 --> 00:26:17,600
ASBBypass sheesh
741
00:26:17,600 --> 00:26:21,360
i'm horrible at this a s b
742
00:26:21,360 --> 00:26:27,120
bypass and then change that to .ps1
743
00:26:28,240 --> 00:26:30,799
yes i'm sure i want to change it and
744
00:26:30,799 --> 00:26:33,039
then we will edit it
745
00:26:33,039 --> 00:26:35,840
and add all that why am i going to ISE
746
00:26:35,840 --> 00:26:37,039
that's not what i wanted
747
00:26:37,039 --> 00:26:40,720
just want to do the i guess that's the
748
00:26:40,720 --> 00:26:43,039
i'm gonna open with Notepad okay there
749
00:26:43,039 --> 00:26:44,640
we go
750
00:26:44,640 --> 00:26:46,960
now we're talking here get this out of
751
00:26:46,960 --> 00:26:49,679
the way get out of the way
752
00:26:49,679 --> 00:26:53,840
let's see here go over here
753
00:26:54,240 --> 00:26:58,640
grab this code copy
754
00:26:58,640 --> 00:27:01,760
plop a property plop based
755
00:27:01,760 --> 00:27:04,400
hopefully you didn't pick up those yes
756
00:27:04,400 --> 00:27:05,600
it did
757
00:27:05,600 --> 00:27:10,000
that's okay you can delete all that
758
00:27:10,480 --> 00:27:14,480
bam all right file
759
00:27:14,480 --> 00:27:18,399
save bam all right so now let's give it
760
00:27:18,399 --> 00:27:19,679
a shot
761
00:27:19,679 --> 00:27:22,640
see if this works
762
00:27:22,799 --> 00:27:25,039
where did my powershell go did i close
763
00:27:25,039 --> 00:27:26,720
it
764
00:27:26,720 --> 00:27:29,440
sorry oh you know what it did probably
765
00:27:29,440 --> 00:27:32,320
it probably closed on me
766
00:27:32,320 --> 00:27:35,120
it was like no sir i'm done with this
767
00:27:35,120 --> 00:27:35,520
all right
768
00:27:35,520 --> 00:27:38,960
cd into documents dir
769
00:27:38,960 --> 00:27:42,559
there we go dot slash ASBBypass.ps1
770
00:27:42,559 --> 00:27:45,120
oh it didn't like that because running
771
00:27:45,120 --> 00:27:46,480
scripts is disabled
772
00:27:46,480 --> 00:27:50,799
for more information aha
773
00:27:50,799 --> 00:27:54,000
that is true there is ways to get around
774
00:27:54,000 --> 00:27:55,520
this though
775
00:27:55,520 --> 00:27:56,960
uh yeah well you know what we're going
776
00:27:56,960 --> 00:27:58,960
to add this to our little fun time here
777
00:27:58,960 --> 00:28:01,360
and
778
00:28:01,360 --> 00:28:04,000
it's been a while since i've done this
779
00:28:04,000 --> 00:28:04,880
um
780
00:28:04,880 --> 00:28:06,000
just because i've been doing other
781
00:28:06,000 --> 00:28:09,840
things but let's see here
782
00:28:10,880 --> 00:28:14,840
so run PowerShell
783
00:28:14,840 --> 00:28:17,760
scripts or bypass
784
00:28:17,760 --> 00:28:20,960
that's what i want bypass PowerShell
785
00:28:20,960 --> 00:28:24,640
script restriction
786
00:28:25,360 --> 00:28:27,279
it's like you can do an IEX and no
787
00:28:27,279 --> 00:28:29,440
profile this that and the other
788
00:28:29,440 --> 00:28:32,080
15 ways to bypass there we go there we go
789
00:28:32,080 --> 00:28:33,440
hey we're getting a two for one sale
790
00:28:33,440 --> 00:28:34,000
today
791
00:28:34,000 --> 00:28:35,600
not only are we learning how to bypass
792
00:28:35,600 --> 00:28:37,039
AMSI but we're also learning how to
793
00:28:37,039 --> 00:28:37,840
bypass
794
00:28:37,840 --> 00:28:40,960
uh script restrictions so hey
795
00:28:40,960 --> 00:28:44,240
execution policy i guess they call on it
796
00:28:44,240 --> 00:28:45,840
yeah yeah yeah just give me give me the
797
00:28:45,840 --> 00:28:48,640
goods so yeah i bet if we do a get
798
00:28:48,640 --> 00:28:51,520
execution policy
799
00:28:51,520 --> 00:28:55,120
Get-ExecutionPolicy
800
00:28:55,120 --> 00:28:57,600
it doesn't even let me run that has not
801
00:28:57,600 --> 00:28:59,760
recognized oh
802
00:28:59,760 --> 00:29:04,000
oh that's weird why did it do that get
803
00:29:04,000 --> 00:29:06,320
execution policy oh there we go
804
00:29:06,320 --> 00:29:08,080
Restricted i added an extra character
805
00:29:08,080 --> 00:29:09,440
that was the problem
806
00:29:09,440 --> 00:29:12,480
so yeah it's restricted and
807
00:29:12,480 --> 00:29:16,240
we are going to yeah lab setup
808
00:29:16,240 --> 00:29:17,679
you fun fun fun just show me the
809
00:29:17,679 --> 00:29:19,760
bypasses
810
00:29:19,760 --> 00:29:21,600
i know the one that i normally use is
811
00:29:21,600 --> 00:29:23,279
probably in here because it's a pretty
812
00:29:23,279 --> 00:29:24,640
standard
813
00:29:24,640 --> 00:29:28,000
i just don't maybe just
814
00:29:28,000 --> 00:29:30,480
PowerShell no profile pipe it into
815
00:29:30,480 --> 00:29:31,120
PowerShell
816
00:29:31,120 --> 00:29:34,159
no profile let's see if that works
817
00:29:34,159 --> 00:29:37,360
all right so we want to run hey
818
00:29:37,360 --> 00:29:40,000
come on man type there you go pipe that
819
00:29:40,000 --> 00:29:40,799
into
820
00:29:40,799 --> 00:29:44,480
powershell.exe
821
00:29:44,480 --> 00:29:49,520
dash NoProfile didn't like that
822
00:29:49,520 --> 00:29:51,679
okay it's not really the one i was
823
00:29:51,679 --> 00:29:54,240
looking for oh yeah i forgot you gotta
824
00:29:54,240 --> 00:29:56,080
throw like a
825
00:29:56,080 --> 00:29:57,760
dash on the end of that still didn't
826
00:29:57,760 --> 00:29:59,679
like it though all right
827
00:29:59,679 --> 00:30:02,880
we we persevere
828
00:30:04,799 --> 00:30:08,240
oh yeah you could totally make it a
829
00:30:08,240 --> 00:30:12,320
web so this is like reaching out to a
830
00:30:12,320 --> 00:30:12,720
web
831
00:30:12,720 --> 00:30:15,679
assets uh download a powershell script
832
00:30:15,679 --> 00:30:16,960
from the internet and execute it without
833
00:30:16,960 --> 00:30:18,720
having to write it to disk
834
00:30:18,720 --> 00:30:21,520
uh oh yeah maybe i think that's -nop
835
00:30:21,520 --> 00:30:22,080
is that
836
00:30:22,080 --> 00:30:25,600
and then dash c IEX
837
00:30:25,679 --> 00:30:29,120
maybe that would work powershell dash
838
00:30:29,120 --> 00:30:31,520
nop dash c
839
00:30:31,520 --> 00:30:33,520
IEX well i don't know if IEX will work
840
00:30:33,520 --> 00:30:34,799
but
841
00:30:34,799 --> 00:30:37,840
use the command switch
842
00:30:38,480 --> 00:30:40,480
let's see here okay we'll try this
843
00:30:40,480 --> 00:30:43,440
pretty simple looking one
844
00:30:44,080 --> 00:30:50,039
um sorry uh how do we do that again
845
00:30:50,039 --> 00:30:52,000
powershell.exe dash command
846
00:30:52,000 --> 00:30:54,480
and then whatever you want to do
847
00:30:54,480 --> 00:30:56,399
powershell exe dash command
848
00:30:56,399 --> 00:31:01,760
all right powershell
849
00:31:01,760 --> 00:31:05,039
dot exe dash command
850
00:31:05,039 --> 00:31:09,360
and then is it ASB
851
00:31:09,360 --> 00:31:12,080
okay oh no it's still saying running
852
00:31:12,080 --> 00:31:14,399
scripts is disabled okay
853
00:31:14,399 --> 00:31:16,880
man well maybe we've got 15 of them so
854
00:31:16,880 --> 00:31:18,880
one of these have got to work
855
00:31:18,880 --> 00:31:22,159
uh short command that's okay
856
00:31:22,159 --> 00:31:25,279
use the EncodedCommand command
857
00:31:25,279 --> 00:31:27,760
equals
858
00:31:28,559 --> 00:31:31,760
Write-Host blah blah blah blah blah
859
00:31:31,760 --> 00:31:34,159
that's where your command goes
860
00:31:34,159 --> 00:31:36,559
and then
861
00:31:37,760 --> 00:31:40,960
so this is all getting put into like
862
00:31:40,960 --> 00:31:42,399
variables
863
00:31:42,399 --> 00:31:46,000
and then oh and then you encode it
864
00:31:46,000 --> 00:31:49,200
into base 64.
865
00:31:49,440 --> 00:31:52,880
that's fun okay
866
00:31:53,039 --> 00:31:56,000
i guess i can just
867
00:31:57,760 --> 00:32:01,840
i can just copy this copy
868
00:32:01,840 --> 00:32:04,799
go here pop it in you'll notice it
869
00:32:04,799 --> 00:32:06,880
freaked out
870
00:32:06,880 --> 00:32:09,600
because it gave me unexpected token bytes
871
00:32:09,600 --> 00:32:11,200
and expression i don't know what's going
872
00:32:11,200 --> 00:32:14,399
on there
873
00:32:14,399 --> 00:32:18,559
i'm okay it didn't like that
874
00:32:18,559 --> 00:32:21,600
like that at all well this is a learning
875
00:32:21,600 --> 00:32:23,039
process ladies and gentlemen that's how
876
00:32:23,039 --> 00:32:24,480
things go when you're learning the
877
00:32:24,480 --> 00:32:26,480
computer security anybody tells you hey
878
00:32:26,480 --> 00:32:28,159
you know it's easy just jump on
879
00:32:28,159 --> 00:32:31,120
in water's fine it is the water is fine
880
00:32:31,120 --> 00:32:32,720
we're glad to have you
881
00:32:32,720 --> 00:32:35,519
but it can take a hot minute to like
882
00:32:35,519 --> 00:32:36,799
figure stuff out
883
00:32:36,799 --> 00:32:38,720
this ladies and gentlemen is the real
884
00:32:38,720 --> 00:32:41,679
world you're seeing it live and in color
885
00:32:41,679 --> 00:32:44,640
right in front of you um i don't know
886
00:32:44,640 --> 00:32:46,159
why that didn't work it seems like it
887
00:32:46,159 --> 00:32:48,080
would have worked
888
00:32:48,080 --> 00:32:49,600
but maybe we need to do these things one
889
00:32:49,600 --> 00:32:51,919
at a time because that's how they did it
890
00:32:51,919 --> 00:32:54,640
so here's what we're going to do i'm
891
00:32:54,640 --> 00:32:58,159
just going to back this up a bit
892
00:32:58,159 --> 00:33:01,279
i persevere i don't give up
893
00:33:01,279 --> 00:33:05,039
command equals uh
894
00:33:05,039 --> 00:33:08,840
dot slash ASB
895
00:33:08,840 --> 00:33:12,559
Bypass dot ps1
896
00:33:12,559 --> 00:33:16,399
one and then bing do that
897
00:33:16,399 --> 00:33:18,559
okay didn't mind that i'm just going to
898
00:33:18,559 --> 00:33:20,559
read from the top up there
899
00:33:20,559 --> 00:33:25,200
which is going to be dollar sign bytes
900
00:33:25,200 --> 00:33:28,799
equals i guess i can just
901
00:33:28,799 --> 00:33:31,519
copy this
902
00:33:32,240 --> 00:33:35,600
um where do i need to end this at
903
00:33:35,600 --> 00:33:39,039
yeah right there
904
00:33:39,039 --> 00:33:42,720
copy that bing
905
00:33:42,720 --> 00:33:47,039
back this up just paste it in ding
906
00:33:47,039 --> 00:33:52,000
there we go then i will
907
00:33:52,000 --> 00:33:54,559
do this
908
00:33:55,679 --> 00:34:00,880
paste that in almost at the station
909
00:34:02,080 --> 00:34:06,880
copy the last part copy and paste
910
00:34:06,880 --> 00:34:08,720
oh cannot be loaded because running
911
00:34:08,720 --> 00:34:10,879
scripts is disabled on this system
912
00:34:10,879 --> 00:34:13,520
man i really thought that was gonna work
913
00:34:13,520 --> 00:34:14,720
we persevere
914
00:34:14,720 --> 00:34:17,919
moving on uh what else do we have invoke
915
00:34:17,919 --> 00:34:22,159
command right yes the Invoke-Expression
916
00:34:22,159 --> 00:34:24,320
so Get-Content i'm going to say forward
917
00:34:24,320 --> 00:34:25,599
slash Invoke-Expression
918
00:34:25,599 --> 00:34:30,960
okay let's see if that works Get-Content
919
00:34:31,520 --> 00:34:34,079
and then the ps1 file and then pipe that
920
00:34:34,079 --> 00:34:35,760
into invoke
921
00:34:35,760 --> 00:34:39,679
all right Get-Content i feel like
922
00:34:39,679 --> 00:34:43,119
i've done this one before actually
923
00:34:43,119 --> 00:34:46,839
ASB bypass pipe that into
924
00:34:46,839 --> 00:34:52,720
um yeah invoke no not Mimikatz
925
00:34:53,679 --> 00:34:56,879
it's in right go back
926
00:34:56,879 --> 00:34:58,880
i can never remember the Invoke-
927
00:34:58,880 --> 00:35:00,400
Expression
928
00:35:00,400 --> 00:35:06,079
so bad at this expression
929
00:35:06,079 --> 00:35:11,200
oh oh so we didn't get red text on that
930
00:35:11,200 --> 00:35:14,320
and it came back as true that makes me
931
00:35:14,320 --> 00:35:15,599
think that makes me feel like it
932
00:35:15,599 --> 00:35:18,000
actually ran that
933
00:35:18,000 --> 00:35:21,119
right because
934
00:35:21,119 --> 00:35:24,160
that ran let's try that let's just give
935
00:35:24,160 --> 00:35:24,720
it
936
00:35:24,720 --> 00:35:28,320
what it did so we will uh what was it
937
00:35:28,320 --> 00:35:29,040
doing
938
00:35:29,040 --> 00:35:31,680
it was like oh it had like a run me dot
939
00:35:31,680 --> 00:35:32,640
ps1
940
00:35:32,640 --> 00:35:36,079
which i guess was uh just a printing of
941
00:35:36,079 --> 00:35:37,520
yeah right host
942
00:35:37,520 --> 00:35:40,960
bing bing okay
943
00:35:40,960 --> 00:35:44,000
i think that ran uh
944
00:35:44,000 --> 00:35:48,000
i'm just saying i'm gonna go with that
945
00:35:48,000 --> 00:35:49,520
how do we verify that how do we i mean
946
00:35:49,520 --> 00:35:51,599
the true value that comes back
947
00:35:51,599 --> 00:35:54,880
makes me think this ran because there
948
00:35:54,880 --> 00:35:56,960
was no output
949
00:35:56,960 --> 00:36:00,079
it just said true i'm gonna go with that
950
00:36:00,079 --> 00:36:02,320
i think that the invoke expression
951
00:36:02,320 --> 00:36:03,839
worked
952
00:36:03,839 --> 00:36:05,680
there it is again use Invoke-Expression
953
00:36:05,680 --> 00:36:08,400
Get-Content bang Invoke-Expression
954
00:36:08,400 --> 00:36:10,400
did i see that twice or did i scroll up
955
00:36:10,400 --> 00:36:12,160
the wrong way
956
00:36:12,160 --> 00:36:14,720
bypass anyway looks like we got some
957
00:36:14,720 --> 00:36:16,160
looks like that one ran
958
00:36:16,160 --> 00:36:18,560
so if that one ran that means i got
959
00:36:18,560 --> 00:36:19,440
execution
960
00:36:19,440 --> 00:36:22,480
on my script
961
00:36:22,480 --> 00:36:25,599
and there we go okay
962
00:36:25,599 --> 00:36:28,079
back to AMSI bypasses all right so
963
00:36:28,079 --> 00:36:29,680
that's cool
964
00:36:29,680 --> 00:36:32,240
oh right yeah because it ran that code
965
00:36:32,240 --> 00:36:34,240
that was that whole
966
00:36:34,240 --> 00:36:37,680
like crazy PowerShell
967
00:36:37,680 --> 00:36:40,000
oh now that that's wrong oh yes it's
968
00:36:40,000 --> 00:36:41,119
supposed to i'm looking at the picture i
969
00:36:41,119 --> 00:36:42,240
don't know if you can see this
970
00:36:42,240 --> 00:36:45,040
but when it ran AMSI bypass the return
971
00:36:45,040 --> 00:36:46,400
value was true
972
00:36:46,400 --> 00:36:50,000
now i can just run Invoke-Mimikatz
973
00:36:50,000 --> 00:36:53,599
um Invoke-Mimikatz
974
00:36:53,599 --> 00:36:55,520
dang cannot be loaded because running
975
00:36:55,520 --> 00:36:56,720
scripts is disabled
976
00:36:56,720 --> 00:36:59,839
but it didn't say it was like the devil
977
00:36:59,839 --> 00:37:03,760
you know um what if we do the same thing
978
00:37:03,760 --> 00:37:04,320
just get
979
00:37:04,320 --> 00:37:08,640
content dot
980
00:37:08,640 --> 00:37:12,560
dot slash sorry ASBBypass
981
00:37:12,560 --> 00:37:17,359
like Invoke no Expression
982
00:37:17,359 --> 00:37:20,240
and i love their their autofill leaves a
983
00:37:20,240 --> 00:37:22,079
lot to be desired
984
00:37:22,079 --> 00:37:24,720
low dash x i know you could probably do
985
00:37:24,720 --> 00:37:27,200
IEX
986
00:37:27,359 --> 00:37:31,280
just says true because i did the wrong
987
00:37:31,280 --> 00:37:31,680
one
988
00:37:31,680 --> 00:37:35,599
i'm a crazy person i want Mimikatz
989
00:37:35,599 --> 00:37:38,960
i want Invoke-Mimikatz
990
00:37:39,040 --> 00:37:44,000
there we go yeah it ran
991
00:37:44,480 --> 00:37:46,480
losing my mind hey i'm learning right
992
00:37:46,480 --> 00:37:48,320
i've never done this before
993
00:37:48,320 --> 00:37:51,599
this is my first time give myself a
994
00:37:51,599 --> 00:37:52,240
break
995
00:37:52,240 --> 00:37:54,720
right uh but that's cool so there we got
996
00:37:54,720 --> 00:37:57,440
another bypass to work
997
00:37:57,440 --> 00:38:00,400
nice a slightly different approach the
998
00:38:00,400 --> 00:38:01,839
memory patching technique is to use
999
00:38:01,839 --> 00:38:04,320
different machine language instructions
1000
00:38:04,320 --> 00:38:07,200
yeah yeah yeah that's cool alternative
1001
00:38:07,200 --> 00:38:08,960
by passwords by paul so there's like a
1002
00:38:08,960 --> 00:38:10,000
lot of this we're on
1003
00:38:10,000 --> 00:38:12,480
uh just to remind ourselves memory
1004
00:38:12,480 --> 00:38:13,839
patching
1005
00:38:13,839 --> 00:38:16,560
number four so there's a different
1006
00:38:16,560 --> 00:38:18,000
couple of different ways in which
1007
00:38:18,000 --> 00:38:20,800
we could do memory patching uh we
1008
00:38:20,800 --> 00:38:22,400
finally got one to work and that that
1009
00:38:22,400 --> 00:38:23,520
seemed to be great they gave us the
1010
00:38:23,520 --> 00:38:25,520
codes that helped
1011
00:38:25,520 --> 00:38:27,760
uh and now we're on to number five right
1012
00:38:27,760 --> 00:38:28,960
with a bullet
1013
00:38:28,960 --> 00:38:32,000
number five golden rings no forcing an
1014
00:38:32,000 --> 00:38:35,040
error forcing the amsi initialization to
1015
00:38:35,040 --> 00:38:37,440
fail amsiInitFailed we've seen that
1016
00:38:37,440 --> 00:38:38,480
before
1017
00:38:38,480 --> 00:38:40,560
uh will result that no scan will be
1018
00:38:40,560 --> 00:38:42,480
initiated for the for current process
1019
00:38:42,480 --> 00:38:44,480
originally this was disclosed by matt
1020
00:38:44,480 --> 00:38:45,599
graeber
1021
00:38:45,599 --> 00:38:47,119
and microsoft has developed signature to
1022
00:38:47,119 --> 00:38:48,960
prevent wider usage
1023
00:38:48,960 --> 00:38:52,160
avoiding to use thing avoiding
1024
00:38:52,160 --> 00:38:56,640
to use directly the strings
1025
00:38:56,960 --> 00:38:58,480
with the usage of variables that was a
1026
00:38:58,480 --> 00:39:00,400
weird sentence um
1027
00:39:00,400 --> 00:39:03,119
can evade amsi with the same method so
1028
00:39:03,119 --> 00:39:03,760
again
1029
00:39:03,760 --> 00:39:07,839
fire these off and it might work
1030
00:39:07,839 --> 00:39:11,680
sure um
1031
00:39:11,680 --> 00:39:15,280
can i just do this copy
1032
00:39:15,280 --> 00:39:18,560
slap that into here actually let me exit
1033
00:39:18,560 --> 00:39:19,920
out
1034
00:39:19,920 --> 00:39:21,599
and restart it so all that stuff goes
1035
00:39:21,599 --> 00:39:23,920
away
1036
00:39:25,440 --> 00:39:30,240
there we go come on come on come on
1037
00:39:30,240 --> 00:39:33,280
we tried to do things cd to documents
1038
00:39:33,280 --> 00:39:36,960
it is fun for us ctrl v
1039
00:39:36,960 --> 00:39:40,160
and then bam didn't like
1040
00:39:40,160 --> 00:39:42,640
something in there oh man it doesn't
1041
00:39:42,640 --> 00:39:46,000
like this like one liner business
1042
00:39:46,160 --> 00:39:49,599
that's okay that's all right we can do
1043
00:39:49,599 --> 00:39:52,000
it anyway
1044
00:39:52,000 --> 00:39:53,359
well i guess we'll have to do the old
1045
00:39:53,359 --> 00:39:56,800
copy pastes
1046
00:39:56,800 --> 00:40:00,000
bing thing and then no no
1047
00:40:00,000 --> 00:40:03,920
no no no no there we go hit that
1048
00:40:03,920 --> 00:40:08,160
and then this
1049
00:40:08,160 --> 00:40:12,960
and then that and then this
1050
00:40:13,119 --> 00:40:16,240
and then guess what yep yeah
1051
00:40:16,240 --> 00:40:19,760
hit disassembly one
1052
00:40:19,760 --> 00:40:23,599
copy paste hit it
1053
00:40:23,599 --> 00:40:27,119
hit this one with the field
1054
00:40:27,119 --> 00:40:30,800
copy paste hit it
1055
00:40:30,800 --> 00:40:34,560
and last but not least copy
1056
00:40:34,560 --> 00:40:38,960
paste edit now now what do we do
1057
00:40:38,960 --> 00:40:41,599
okay we've got all that stuff in there
1058
00:40:41,599 --> 00:40:42,720
once that's done
1059
00:40:42,720 --> 00:40:45,760
invoke mimikatz we will see
1060
00:40:45,760 --> 00:40:48,800
dot slash invoke-mimikatz no you
1061
00:40:48,800 --> 00:40:49,440
don't
1062
00:40:49,440 --> 00:40:53,119
because running script is disabled on
1063
00:40:53,119 --> 00:40:53,760
this system
1064
00:40:53,760 --> 00:40:56,560
which is funny oh you know what we can
1065
00:40:56,560 --> 00:40:57,119
try to do
1066
00:40:57,119 --> 00:41:00,880
uh type do it like i did before
1067
00:41:00,880 --> 00:41:03,520
haha see it didn't it didn't give me a
1068
00:41:03,520 --> 00:41:04,560
problem
1069
00:41:04,560 --> 00:41:06,400
and he gave me a problem right so i'm
1070
00:41:06,400 --> 00:41:08,400
gonna just prove that that
1071
00:41:08,400 --> 00:41:10,880
worked by closing powershell helping
1072
00:41:10,880 --> 00:41:13,599
this back up
1073
00:41:14,160 --> 00:41:17,440
and cd into documents and then
1074
00:41:17,440 --> 00:41:20,319
type invoke-mimikatz and you see now
1075
00:41:20,319 --> 00:41:21,200
it is blocked
1076
00:41:21,200 --> 00:41:23,520
because we didn't do the thing right
1077
00:41:23,520 --> 00:41:25,200
which was number five
1078
00:41:25,200 --> 00:41:27,520
remind me what number five was it again
1079
00:41:27,520 --> 00:41:28,240
forcing an
1080
00:41:28,240 --> 00:41:31,520
error interesting so
1081
00:41:31,520 --> 00:41:34,880
yeah great because we are initialized
1082
00:41:34,880 --> 00:41:37,200
we're forcing amsi initialization to
1083
00:41:37,200 --> 00:41:39,760
fail so it can't run
1084
00:41:39,760 --> 00:41:43,119
therefore once that happens nah you know
1085
00:41:43,119 --> 00:41:44,319
working
1086
00:41:44,319 --> 00:41:47,280
that was a good one worked pretty well
1087
00:41:47,280 --> 00:41:48,720
since there is a signature for the
1088
00:41:48,720 --> 00:41:50,000
amsiInitFailed flag adam chester
1089
00:41:50,000 --> 00:41:51,200
discovered an alternate method which is
1090
00:41:51,200 --> 00:41:52,960
attempt to force an error in order
1091
00:41:52,960 --> 00:41:54,640
flag to be set in a legitimate way and
1092
00:41:54,640 --> 00:41:56,000
not in the console
1093
00:41:56,000 --> 00:41:58,720
this bypass allocates a memory region
1094
00:41:58,720 --> 00:42:00,400
for the amsi context
1095
00:42:00,400 --> 00:42:03,440
and since the amsi session is set to null
1096
00:42:03,440 --> 00:42:06,560
will result in an error okay this
1097
00:42:06,560 --> 00:42:07,760
discovery has been
1098
00:42:07,760 --> 00:42:10,880
described in the article using this
1099
00:42:10,880 --> 00:42:12,640
evasion without any obfuscation will
1100
00:42:12,640 --> 00:42:14,960
fail as microsoft has created signatures
1101
00:42:14,960 --> 00:42:18,640
is there obfuscation here no
1102
00:42:18,640 --> 00:42:20,560
is there obfuscation here obviously
1103
00:42:20,560 --> 00:42:23,359
versus yeah
1104
00:42:24,560 --> 00:42:30,560
yeah looks like we just grabbed this
1105
00:42:30,560 --> 00:42:33,839
copy and off we go we already know that
1106
00:42:33,839 --> 00:42:34,720
it didn't work here
1107
00:42:34,720 --> 00:42:37,599
so paste that in oh i got a feeling this
1108
00:42:37,599 --> 00:42:39,040
ain't gonna work but
1109
00:42:39,040 --> 00:42:42,480
whoa yeah i didn't like that so
1110
00:42:42,480 --> 00:42:44,400
i always love it when that thing happens
1111
00:42:44,400 --> 00:42:46,160
it's like hey what are you
1112
00:42:46,160 --> 00:42:49,839
doing you need to calm the hell down
1113
00:42:49,839 --> 00:42:51,680
like right now before i get upset
1114
00:42:51,680 --> 00:42:55,040
it's like yo hey i'm just i'm just a guy
1115
00:42:55,040 --> 00:42:56,960
learning here man don't get upset with
1116
00:42:56,960 --> 00:42:57,520
me
1117
00:42:57,520 --> 00:42:59,680
i'm gonna have some fun that's all it's
1118
00:42:59,680 --> 00:43:01,680
gonna be a good time
1119
00:43:01,680 --> 00:43:03,680
uh i didn't think so right so that was
1120
00:43:03,680 --> 00:43:04,960
fun okay so i
1121
00:43:04,960 --> 00:43:07,760
definitely saw that one and did not like
1122
00:43:07,760 --> 00:43:08,079
it
1123
00:43:08,079 --> 00:43:11,040
at all uh so number six this brings us
1124
00:43:11,040 --> 00:43:13,040
to number six man there are a lot of
1125
00:43:13,040 --> 00:43:13,839
these how many
1126
00:43:13,839 --> 00:43:16,880
are there registry key modification amsi
1127
00:43:16,880 --> 00:43:18,400
providers are responsible for the
1128
00:43:18,400 --> 00:43:20,560
scanning process of the antivirus
1129
00:43:20,560 --> 00:43:24,240
just checking uh uh i'm sorry scanning
1130
00:43:24,240 --> 00:43:26,160
process by the antivirus products
1131
00:43:26,160 --> 00:43:28,160
and are registered in the local in the
1132
00:43:28,160 --> 00:43:29,359
location registry to do it for the
1133
00:43:29,359 --> 00:43:31,760
windows defender display below
1134
00:43:31,760 --> 00:43:33,680
okay removing the register key of the
1135
00:43:33,680 --> 00:43:35,359
amsi provider will disable the ability
1136
00:43:35,359 --> 00:43:36,800
of the windows defender to perform amsi
1137
00:43:36,800 --> 00:43:37,520
inspection
1138
00:43:37,520 --> 00:43:39,119
and evade the control however deleting
1139
00:43:39,119 --> 00:43:40,400
the registry is not considered a
1140
00:43:40,400 --> 00:43:41,520
stealthy approach
1141
00:43:41,520 --> 00:43:42,880
if there's sufficient monitoring placed
1142
00:43:42,880 --> 00:43:46,000
i'm not going to delete that
1143
00:43:46,000 --> 00:43:48,480
because no right because uh but it's
1144
00:43:48,480 --> 00:43:49,599
good to know that it's there
1145
00:43:49,599 --> 00:43:51,920
you could probably i would almost
1146
00:43:51,920 --> 00:43:53,359
guarantee that one works
1147
00:43:53,359 --> 00:43:54,880
i don't know why i think that just my
1148
00:43:54,880 --> 00:43:57,200
gut feeling that if it's out of the
1149
00:43:57,200 --> 00:43:58,880
registry this just doesn't work anymore
1150
00:43:58,880 --> 00:43:59,920
and then you can just do whatever you
1151
00:43:59,920 --> 00:44:00,960
feel like doing
1152
00:44:00,960 --> 00:44:02,560
so but like they said that's kind of a
1153
00:44:02,560 --> 00:44:05,200
noisy way to go about it
1154
00:44:05,200 --> 00:44:08,319
so use with caution
1155
00:44:08,319 --> 00:44:11,760
if you are red teaming engagements
1156
00:44:11,760 --> 00:44:14,000
let's see here dll hijacking dll
1157
00:44:14,000 --> 00:44:15,680
hijacking this is like an oldie but a
1158
00:44:15,680 --> 00:44:17,280
goodie just for
1159
00:44:17,280 --> 00:44:18,960
you know it's been around a while dll
1160
00:44:18,960 --> 00:44:21,119
hijacking can be used to evade amsi from
1161
00:44:21,119 --> 00:44:22,960
userland oh that's cool
1162
00:44:22,960 --> 00:44:25,599
right uh it has been described by
1163
00:44:25,599 --> 00:44:27,599
sensepost
1164
00:44:27,599 --> 00:44:30,079
uh the only requirements is to re create
1165
00:44:30,079 --> 00:44:32,720
a non-legitimate amsi.dll file and plant
1166
00:44:32,720 --> 00:44:34,240
it on the same folder as powershell
1167
00:44:34,240 --> 00:44:35,359
64-bit
1168
00:44:35,359 --> 00:44:37,520
which could be copied to a user-writable
1169
00:44:37,520 --> 00:44:39,920
directory the proof-of-concept code has
1170
00:44:39,920 --> 00:44:41,520
been released by sensepost and it's
1171
00:44:41,520 --> 00:44:42,720
demonstrated below
1172
00:44:42,720 --> 00:44:45,599
there's proof of code concept right and
1173
00:44:45,599 --> 00:44:47,760
then
1174
00:44:47,760 --> 00:44:51,839
you execute powershell
1175
00:44:51,839 --> 00:44:53,359
executing powershell outside of the
1176
00:44:53,359 --> 00:44:55,280
standard directory will load the amsi.dll
1177
00:44:55,280 --> 00:44:57,040
file which contains all necessary
1178
00:44:57,040 --> 00:44:58,000
functions to operate
1179
00:44:58,000 --> 00:45:00,720
however amsi will not be initiated so
1180
00:45:00,720 --> 00:45:01,920
you're just basically going
1181
00:45:01,920 --> 00:45:04,319
yeah do everything except that amsi
1182
00:45:04,319 --> 00:45:06,240
thing don't like that so
1183
00:45:06,240 --> 00:45:08,960
let's just let them sleep they're tired
1184
00:45:08,960 --> 00:45:10,480
you know we don't need to get them
1185
00:45:10,480 --> 00:45:11,680
involved in this
1186
00:45:11,680 --> 00:45:12,800
we're just going to have a little fun
1187
00:45:12,800 --> 00:45:14,640
between friends and no one it's a
1188
00:45:14,640 --> 00:45:16,319
victimless crime right you want it you
1189
00:45:16,319 --> 00:45:17,440
won't be upset
1190
00:45:17,440 --> 00:45:22,400
uh so yeah that's cool
1191
00:45:22,400 --> 00:45:25,680
and then mitre att&ck talking about this
1192
00:45:25,680 --> 00:45:27,280
and youtube don't worthy and alright so
1193
00:45:27,280 --> 00:45:29,040
there were six
1194
00:45:29,040 --> 00:45:33,520
i'm wondering if this is possible
1195
00:45:33,520 --> 00:45:36,800
i see that they've got
1196
00:45:37,040 --> 00:45:38,720
they have their own powershell scripts
1197
00:45:38,720 --> 00:45:40,079
is that what's going on here
1198
00:45:40,079 --> 00:45:41,920
so yeah that's what they're doing okay
1199
00:45:41,920 --> 00:45:44,800
so i'm going to try this
1200
00:45:45,440 --> 00:45:47,680
all right am i or is this like is this
1201
00:45:47,680 --> 00:45:49,839
powershell oh no this is
1202
00:45:49,839 --> 00:45:50,960
i'm sorry i'm not going to be able to do
1203
00:45:50,960 --> 00:45:53,119
this i don't have a c compiler
1204
00:45:53,119 --> 00:45:56,079
this is a compiled a dog because it's a
1205
00:45:56,079 --> 00:45:57,760
dll what was i thinking
1206
00:45:57,760 --> 00:46:00,319
um i would have to compile that and then
1207
00:46:00,319 --> 00:46:01,520
see if it will work but that's a cool
1208
00:46:01,520 --> 00:46:02,880
way to go about it
1209
00:46:02,880 --> 00:46:05,520
if you got a compiler compile the code
1210
00:46:05,520 --> 00:46:06,319
copy
1211
00:46:06,319 --> 00:46:10,319
the powershell.exe executable put it in
1212
00:46:10,319 --> 00:46:14,079
a user controlled area with the dll
1213
00:46:14,079 --> 00:46:16,400
make sure they're together run it and
1214
00:46:16,400 --> 00:46:17,760
you should be good to go
1215
00:46:17,760 --> 00:46:21,280
on the amsi bypass so there we go i feel
1216
00:46:21,280 --> 00:46:21,839
good
1217
00:46:21,839 --> 00:46:25,040
right i feel like i've i've learned a
1218
00:46:25,040 --> 00:46:25,920
thing or two
1219
00:46:25,920 --> 00:46:28,640
hopefully you have as well today on
1220
00:46:28,640 --> 00:46:30,480
bypassing windows defender specifically
1221
00:46:30,480 --> 00:46:31,760
the amsi
1222
00:46:31,760 --> 00:46:35,359
dll that tries to check and pass things
1223
00:46:35,359 --> 00:46:38,400
off to windows defender for that check
1224
00:46:38,400 --> 00:46:40,480
we had quite a few of these bypass
1225
00:46:40,480 --> 00:46:42,880
methods actually work for us
1226
00:46:42,880 --> 00:46:45,359
so hey there's that there were there
1227
00:46:45,359 --> 00:46:47,119
were six of them to go from i think we
1228
00:46:47,119 --> 00:46:49,359
probably executed four of them
1229
00:46:49,359 --> 00:46:51,599
um and they worked really well right
1230
00:46:51,599 --> 00:46:52,960
maybe we got three
1231
00:46:52,960 --> 00:46:55,839
it was three or four so fifty percent if
1232
00:46:55,839 --> 00:46:56,160
i
1233
00:46:56,160 --> 00:47:01,040
targeted you know 200 500 machines
1234
00:47:01,040 --> 00:47:03,680
i and let's say 500 and i got 250 that's
1235
00:47:03,680 --> 00:47:04,400
a lot
1236
00:47:04,400 --> 00:47:06,079
right that's a pretty good day at the at
1237
00:47:06,079 --> 00:47:07,599
the office right there
1238
00:47:07,599 --> 00:47:10,240
so really cool stuff i enjoyed that now
1239
00:47:10,240 --> 00:47:11,839
i've got a little extra
1240
00:47:11,839 --> 00:47:14,720
i know a little more right i'm feeling
1241
00:47:14,720 --> 00:47:16,240
i'm feeling frisky i'm feeling good
1242
00:47:16,240 --> 00:47:17,680
so hopefully it is well if you like what
1243
00:47:17,680 --> 00:47:20,000
you saw don't forget hit the subscribe
1244
00:47:20,000 --> 00:47:20,640
button
1245
00:47:20,640 --> 00:47:23,280
smash smash smash and then of course
1246
00:47:23,280 --> 00:47:25,280
like notification bell and like i said
1247
00:47:25,280 --> 00:47:27,040
in the beginning i now have an instagram
1248
00:47:27,040 --> 00:47:27,839
page
1249
00:47:27,839 --> 00:47:29,200
i've got somebody running that for me
1250
00:47:29,200 --> 00:47:31,040
but don't worry they're taking cool
1251
00:47:31,040 --> 00:47:31,599
content
1252
00:47:31,599 --> 00:47:32,880
putting it on there starting to build
1253
00:47:32,880 --> 00:47:34,720
that up so look for
1254
00:47:34,720 --> 00:47:38,000
that to become a more of a thing as we
1255
00:47:38,000 --> 00:47:39,839
continue on down the road having a good
1256
00:47:39,839 --> 00:47:41,359
time learning about cyber security
1257
00:47:41,359 --> 00:47:43,280
thanks for watching everyone and i will
1258
00:47:43,280 --> 00:47:47,920
see you next time