The Red Team Vade Mecum
  • The Red Team Vade Mecum
  • Techniques
    • Defense Evasion
      • Binary Properties and Code Signing
      • ATA/ATP
        • Important Note
        • Intro
        • Lateral Movement
        • Domain Dominance
        • Identification
        • Recon
        • Blocking/Disabling Telemetry
          • Trusted Installer
      • Tips and Tricks
      • Basics
        • IOCs
          • High Level Overview of EDR technologies
        • Sandbox Evasion
        • Obfuscating Imports
          • Bootstrapping
        • Encrypting Strings
      • Disabling/Patching Telemetry
        • ETW Bypasses
        • AMSI Bypasses
      • Minimization
        • Commands to Avoid
        • Pivoting
        • Benefits of Using APIs
        • Thread-less Payload Execution
        • DLL Hollowing
      • Misdirection
        • Command Line Argument Spoofing
        • PPID Spoofing via CreateProcess
        • Switching Parents
          • Dechaining via WMI
      • Hiding our Payloads
        • Event Logs
        • File metadata
        • Registry Keys
        • ADS
      • IPC For Evasion and Control
    • Privilege Escalation
      • Hunting For Passwords
      • To System
        • New Service
        • Named Pipe Impersonation
        • Local Exploits
        • AlwaysInstallElevated
      • Hijacking Execution
        • Environment Variable interception
        • DLL Hijacking
      • Insecure Permissions
        • Missing Services and Tasks
        • Misconfigured Registry Hives
        • Insecure Binary Path
        • Unquoted Service Paths
    • Enumeration
      • Situational Awareness
      • Recon Commands
        • .NET AD Enum commands
        • WMIC commands
          • WMI queries from c++
    • Execution
      • Cool ways of Calling a Process
      • One Liners
    • Initial Access
      • Tips and Tricks
      • Tools
      • Staging/Stagers
      • MS Office
        • Macros
          • Evasion
            • VBA Stomping
            • Revert To Legacy Warning in Excel
            • Sandbox Evasion
          • Info Extraction
          • Inline Shapes
          • .MAM Files
          • PowerPoint
          • ACCDE
          • Shellcode Execution
          • Info Extraction
          • Dechaining Macros
        • Field Abuse
        • DDE
      • Payload Delivery
      • File Formats
        • MSG
        • RTF
        • REG
        • BAT
        • MSI Files
        • IQY
        • CHM
        • LNK
          • Using LNK to Automatically Download Payloads
        • HTA
    • Lateral Movement
      • Linux
        • SSH Hijacking
        • RDP
        • Impacket
      • No Admin?
      • Checking for access
      • Poison Handler
      • WinRM
      • AT
      • PsExec
      • WMI
      • Service Control
      • DCOM
      • RDP
      • SCShell
    • Code Injection
      • Hooking
        • Detours
      • CreateRemoteThread
      • DLL Injection
      • APC Queue Code Injection
      • Early Bird Injection
    • Persistence
      • Scheduled Tasks
        • AT
      • MS Office
      • SQL
      • Admin Level
        • SSP
        • Services
        • Default File Extension
        • AppCert DLLs
        • Time Provider
        • Waitfor
        • WinLogon
        • Netsh Dlls
        • RDP Backdoors
        • AppInit Dlls
        • Port Monitor
        • WMI Event Subscriptions
      • User Level
        • LNK
        • Startup Folder
        • Junction folders
        • Registry Keys
        • Logon Scripts
        • Powershell Profiles
        • Screen Savers
  • Infrastructure
    • SQL
      • MS SQL
        • Basics
        • Finding Sql Servers
        • Privilege Escalation
        • Post Exploitation
  • Other
    • Vulnerability Discovery
      • Web Vulnerabilities
        • Code Grepping
          • PHP Cheatsheet
    • Windows Internals
      • Unorganized Notes
Powered by GitBook
On this page
  • Payload Control
  • Evasion
  • Conclusion

Was this helpful?

  1. Techniques
  2. Defense Evasion

IPC For Evasion and Control

IPC(inter-process communication) is used to provide communications and data sharing between applications. IPC is an umbrella term that fits all of these definitions.

In this case, we won't be using IPC to communicate with other processes and such, but we will be using it as a shared object that indicates a certain function depending on our goal.

Payload Control

One scenario you might encounter is that your payload may have multiple instances and it might become too hectic. This can arise from DLL hijacking or COM hijacking where multiple programs might load your payload. Although having multiple running instances of your payload on a machine may be a good thing for stability and such, it may create a lot of noise due to the number of artifacts being created to your system.

To solve this, we can create an IPC object and say, "if this object already exists, stop execution, but if this object does not exist, create it and execute your payload". This logic ensures that only one instance of your payload is running at a time.

One example of an IPC object we can use is named pipes.

NamedPipeCheck = CreateNamedPipe("\\\\.\\pipe\\EvilCheck", PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); 

if (GetLastError() == ERROR_ALREADY_EXISTS) {
   CloseHandle(NamedPipeCheck);
   return 0;
}

In the above function, we will try to create a named pipe called "\\\\.\\pipe\\EvilCheck", if it already exists, we will stop execution and return 0.

As you can see, this is a very simple method to keep your payloads in control. Note that your pipe name can be a IOC.

Evasion

The same idea can be used for sandbox evasion, except that we will only start execution if a certain IPC object exists. This method was documented in the vault7 leaks here, which used mutexes:

As stated in the document, this method calls itself. This works because "The AV will only trigger the code if it has been called in a certain way"

We can implement this with:

NamedPipeCheck = CreateNamedPipe("\\\\.\\pipe\\EvilCheck", PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); 

if (GetLastError() == ERROR_ALREADY_EXISTS) {
   decryptCodeSection();
   startShellCode();

}
else {
   startExe("test.exe"); // name of implant
   Sleep(100);
}

return 0;

Conclusion

There are plenty of ways to implement these types of checks. You can use Mutexes, Semaphores etc. You don't even have to use IPC objects, a simply registry key or file will suffice.

PreviousADSNextPrivilege Escalation

Last updated 3 years ago

Was this helpful?

https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf