WDAC Policy Removal + SSRF domains

2024-04-26 03:25:09 +02:00 · 2023-05-31 14:18:25 +02:00 · 2023-05-31 14:18:25 +02:00 · b8c803717a
parent f85f2cb4c6
commit b8c803717a
4 changed files with 17 additions and 10 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -4414,3 +4414,4 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
 * [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
 * [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
+* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -307,7 +307,10 @@ Also known as `WDAC/UMCI/Device Guard`.
    DeviceGuardCodeIntegrityPolicyEnforcementStatus         : EnforcementMode
    DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode
    ```
-
+* Remove WDAC policies using CiTool.exe (Windows 11 2022 Update)
+    ```ps1
+    $ CiTool.exe -rp "{PolicyId GUID}" -json
+    ```
 * Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip`
 * Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\`
 * WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
@ -383,4 +386,5 @@ You can check if it is done decrypting using this command: `manage-bde -status`
 * [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)
 * [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
 * [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
-* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
+* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
+* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)
--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -110,11 +110,13 @@ http://0000::1:3128/ Squid

 ### Bypass localhost with a domain redirection

-
-* `spoofed.[BURP_COLLABORATOR]` such as `spoofed.redacted.oastify.com`
-* `localtest.me` redirect to `::1`
-* `company.127.0.0.1.nip.io` redirect to `127.0.0.1`
-* `bugbounty.dod.network` redirect to `127.0.0.2`
+| Domain                       | Redirect to |
+|------------------------------|-------------|
+| localtest.me                 | `::1`       |
+| localh.st                    | `127.0.0.1` |
+| spoofed.[BURP_COLLABORATOR]  | `127.0.0.1` |
+| spoofed.redacted.oastify.com | `127.0.0.1` |
+| company.127.0.0.1.nip.io     | `127.0.0.1` |

 The service nip.io is awesome for that, it will convert any ip address as a dns.

@ -138,7 +140,7 @@ http://127.0.0.0
 http://2130706433/ = http://127.0.0.1
 http://3232235521/ = http://192.168.0.1
 http://3232235777/ = http://192.168.1.1
-http://2852039166/  = http://169.254.169.254
+http://2852039166/ = http://169.254.169.254
 ```

 ### Bypass using octal IP
--- a/Injection/README.md
+++ b/Injection/README.md
@ -62,7 +62,7 @@
    - [Bypass "<" and ">" using ＜ and ＞](#bypass--and--using--and-)
    - [Bypass ";" using another character](#bypass--using-another-character)
    - [Bypass using HTML encoding](#bypass-using-html-encoding)
-    - [Bypass using Katana](#bypass-using-katana)
+    - [Bypass using Katakana](#bypass-using-katakana)
    - [Bypass using Cuneiform](#bypass-using-cuneiform)
    - [Bypass using Lontara](#bypass-using-lontara)
    - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
@ -967,7 +967,7 @@ Unicode Character U+FF1C and U+FF1E
 ></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
 ```

-### Bypass using Katana
+### Bypass using Katakana

 Using the [Katakana](https://github.com/aemkei/katakana.js) library.