boh

Encrypting Strings at Compile Time

Thank you to SpecterOps for supporting this research and to Duane and Matt for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use this header file for reliable compile time string encryption without needing any additional dependencies.

Programmers of DRM software, security products, or other sensitive code bases are commonly required to minimize the amount of human readable strings in binary output files. The goal of the minimization is to hinder others from reverse engineering their proprietary technology.

Common approaches that are taken to meet this requirement often add an additional maintenance burden to the developer and are prone to error. These approaches will be presented along with t

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs

RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor

RunDll32.exe msrating.dll,RatingSetupUI

Control Panel

Learning Aid - Top Base64 Encodings Table

Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16)
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)

	# see https://httptoolkit.tech/blog/chrome-android-certificate-transparency/
	# put your Burp cacert.der in the current working directory!

	FINGERPRINT=`openssl x509 -in cacert.der -inform der -pubkey -noout \| openssl pkey -pubin -outform der \| openssl dgst -sha256 -binary \| openssl enc -base64`

	echo "chrome --ignore-certificate-errors-spki-list=$FINGERPRINT" > chrome.sh

	adb push chrome.sh /data/local/tmp/chrome.sh
	adb shell su -c cp /data/local/tmp/chrome.sh /data/local/chrome-command-line
	adb shell su -c cp /data/local/tmp/chrome.sh /data/local/android-webview-command-line

	# Source: System.Management.Automation.dll
	# This list is used to determin if a ScriptBlock contains potential suspicious content
	# If a match is found an automatic 4104 with a "warning" level is generated.
	# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
	- "Add-Type"
	- "AddSecurityPackage"
	- "AdjustTokenPrivileges"
	- "AllocHGlobal"
	- "BindingFlags"
	- "Bypass"

	#ifndef PATCHLESS_AMSI_H
	#define PATCHLESS_AMSI_H

	#include <windows.h>

	static const int AMSI_RESULT_CLEAN = 0;

	PVOID g_amsiScanBufferPtr = nullptr;

	unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {

	Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts

	([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()


	Grab Forest Trusts.

	([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()

	#List all resources
	az resource list \| convertfrom-json \| foreach-object { $_ \| Select-Object type, name, resourceGroup, id}

	#List details for all VM's
	az vm lis

	#Run PowerShell command on a VM
	az vm run-command invoke --command-id RunPowerShellScript --name MyVm --resource-group MyResourceGroup --scripts 'whoami'

	#Run PowerShell command on ALL VM's

	# Copyright 2017-2020 Jeff Foley. All rights reserved.
	# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

	# Should results only be collected passively and without DNS resolution? Not recommended.
	#mode = passive
	mode = active

	# The directory that stores the Cayley graph database and other output files
	# The default for Linux systems is: $HOME/.config/amass
	#output_directory = amass