
Intro

Post exploitation = everything after the first exploit, including lateral movement, escape, escalation, and theft.


Bypasses needed: AV, AMSI, UAC, WDAC


Evade signature detection

EXE: ghostwriting, Shellter, Donut

Scripts: obfuscation, normalizing


Bypass AMSI

  1. Find something that isn't hooked by AMSI: Excel 4.0 macros, PowerShell v2
  2. Obfuscation
  3. Tamper with AMSI

Bypass Tools:

  1. Tailored obfuscation tools
  2. Manipulated commands
  3. MITM attack against amsi.dll
  4. Trojanized amsi.dll