Intro
Post exploitation = everything after the initial exploit, including lateral movement, escape and privilege escalation, and data theft.
Bypasses needed: AV, AMSI, UAC, WDAC
Evade signature detection
- EXE: Ghostwriting, Shellter, Donut
- Script: obfuscation, normalizing
Bypass AMSI
- Find something that isn't hooked: Excel 4.0 macros, PowerShell v2
- Obfuscation
- Tamper with AMSI
Bypass tools:
- Tailored obfuscation tools
- Manipulated commands
- MitM attack against amsi.dll
- Malicious (trojaned) amsi.dll