| using System; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.Linq; | |
| using System.Text; | |
| namespace XORBruteForce | |
| { | |
| class Program | |
| { |
| # Ensure System.Security assembly is loaded. | |
| Add-Type -AssemblyName System.Security | |
| function ConvertTo-CIPolicy { | |
| <# | |
| .SYNOPSIS | |
| Converts a binary file that contains a Code Integrity policy into XML format. | |
| Author: Matthew Graeber (@mattifestation) |
| $s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible") | |
| $s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID } | |
| $d = $s2.DeviceObject + "\" | |
| cmd /c mklink /d C:\scpy "$d" | |
| New-CIPolicy -Level RootCertificate -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs | |
| $s2.Delete() | |
| Remove-Item -Path C:\scpy -Force | |
| Set-RuleOption –option 3 –FilePath C:\BasePolicy.xml | |
| ConvertFrom-CIPolicy C:\BasePolicy.xml C:\BasePolicy.bin | |
| Move-Item C:\BasePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b -force |
| # Enable Required Windows Features | |
| Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName:Microsoft-Hyper-V-Hypervisor -All | |
| Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName: Microsoft-Hyper-V-Tools-All, Microsoft-Hyper-V-Services | |
| Get-WindowsOptionalFeature -Online -FeatureName "IsolatedUserMode" | Enable-WindowsOptionalFeature -Online -NoRestart | |
| # Enable DeviceGuard Security Flags | |
| #reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f | |
| New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -PropertyType "DWORD" -Value 1 -Force | |
| # Info Source: https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security#use-registry-keys-to-enable-vbs-and-device-guard |
| ; A minimal Mach-o x64 executable for OS X (also see below Mountain Lion version) | |
| ; | |
| ; $ nasm -f bin -o tiny_hello tiny_hello.s | |
| ; $ chmod +x tiny_hello | |
| ; $ ./tiny_hello | |
| ; Hello World! | |
| ; $ | |
| ; c.f. | |
| ; http://osxbook.com/blog/2009/03/15/crafting-a-tiny-mach-o-executable/ ( the original tiny mach-o executable ) |
| #include <Windows.h> | |
| #include <ImageHlp.h> | |
| #include <strsafe.h> | |
| #include "loaded_psp_drivers.h" | |
| #include <set> | |
| #include <string> | |
| #include <algorithm> | |
| #pragma comment(lib, "crypt32.lib") |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
| // | |
| // main.m | |
| // EndpointSecurityDemo | |
| // | |
| // Created by Omar Ikram on 17/06/2019 - Catalina 10.15 Beta 1 (19A471t) | |
| // Updated by Omar Ikram on 15/08/2019 - Catalina 10.15 Beta 5 (19A526h) | |
| // Updated by Omar Ikram on 01/12/2019 - Catalina 10.15 (19A583) | |
| // | |
| #import <Foundation/Foundation.h> |
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace InjectionTest | |
| { | |
| public class DELEGATES | |
| { |