top of page

Student Group

Public·41 members
Oliver Walker
Oliver Walker

Evade Script



Evasive techniques used by attackers, date back to the earlier days, when base64 and other common encoding schemes were used. Today, attackers are adopting new Linux shell script tactics and techniques to disable firewalls, monitoring agents and modifying access control lists (ACLs).




Evade Script



In previous Uptycs Threat Research posts, we discussed the common utilities in Linux, which are generally used by threat actors in the attack chain. In this report, we highlight those common defense evasion techniques, which are common in malicious Linux shell scripts. And then, we outline how Uptycs spots and mitigates against them.


Most of the systems and servers deploy firewalls as a defense mechanism.In the malicious script, attackers try to disable the firewall i.e., uninterrupted firewall (ufw) as a defense evasive tactic. Along with that, attackers also remove iptables rules (iptables -F) because it is widely used for managing the firewall rules on Linux systems and servers. (see figure 2)


The malicious shell script also disables Linux security modules like SElinux, Apparmor. These modules are designed to implement mandatory access control(MAC) policies. A server administrator could simply configure these modules to provide the users restricted access to the installed or running applications in the system.


ACLs, or Access Control Lists, contain the rules by which permissions on files and utilities are granted. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed. Setfacl utility in Linux is used to modify, remove the ACL, in the script we can see the usage of setfacl which sets permissions of chmod for the user:


One of the malicious scripts (d7c4693f4c36d8c06a52d8981827245b9ab4f63283907ef8c3947499a37eedc8) also contained common utilities like wget,curl used with different names. These utilities are generally used to download files from the remote IP. Attackers use these utilities to download malicious files from C2.Some of the security solutions whose detection rules monitor the exact names of the utilities might not trigger the download event if wget,curl are used under different names.


The script is supposed to have the enemies wander until an empty child 'eyes' sees the player. Then it should start chasing the player. Think pac-man. What it's doing right now is making one loop of it's wander cycle and then stopping and not seeing the player at all.


It is a very general concept and can be used in so many different situations, for example: if the target machine does not have the capabilities to handle larger packets then the fragmentation technique is useful to evade the firewall. The parameter of this technique is -f, it just split the request into small segments of IP packets called the fragmented IP packets. You can use -f twice -ff if you want to further break the IP headers.


Nmap scripting is one the best features that Nmap has. Nmap scripts are very useful for the penetration tester because they can save so much time and effort. The Nmap scripting engine has more than 400 scripts at the time of this writing, and you can create your own script and everyone can create a script and submit it to the script engine to help the community of penetration tester.


Nmap scripts can perform so many different functions from vulnerability scanning to exploitation and from malware detection to brute forcing. In this section I will discuss some of the best Nmap scripts and their usage:


If you want to enumerate on the web server to find the directories of the website then this is the best Nmap script for this purpose. The http-enum script is also used to discover the open ports and to list softwares with their version of each port.


So many organizations are running their SMTP server on the non standard port for security reasons. Smtp-strangeport is the script to find out whether the SMTP is running on the standard port or not.


As the name suggests, this script has been created to get the PHP version from the web server. The software version is very important for a penetration tester to find the respective vulnerability, so this script is very helpful for web application penetration testing.


The Nmap scripting engine contains so many scripts that you can even find several scripts for a specific softwareor platform. For example: if you want to do penetration testing on a website which is based on WordPress then you can use Nmap scripts for this purpose.


XSS filter evasion refers to a variety of methods used by attackers to bypass Cross-Site Scripting filters. Attackers attempting to inject malicious JavaScript into web page code must not only exploit an application vulnerability, but also evade input validation and fool complex browser filters. This article looks at some common approaches to XSS filter evasion and shows what you can do to improve application security.


XSS filter evasion refers to a variety of methods used by attackers to bypass cross-site scripting (XSS) filters. There are many ways to inject malicious JavaScript into web page code executed by the client, and with modern browsers, attackers must not only exploit an application vulnerability but also evade any input validation performed by the application and server, and fool complex browser filters. This article looks at some common approaches to XSS filter evasion and shows what you can do to improve application security.


XSS filtering adds an extra level of difficulty to the work of attackers crafting XSS attacks, as any successfully injected script code also has to get past the filters. While XSS attacks generally target application vulnerabilities and misconfigurations, evasion techniques exploit weaknesses in the browser or server-side filters, down to specific products and versions.


Filter evasion techniques can attempt to exploit any aspect of web code parsing and processing, so there are no rigid categories here. The most obvious attempts to inject script tags will generally be rejected, but other HTML tags can also provide injection vectors. Event handlers are often used to trigger script loading, as they can be tied into legitimate user actions. Commonly exploited handlers include onerror, onclick, and onfocus, but the majority of supported event handlers can be used as XSS vectors.


A few days ago, we reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script that can help users affected by the ESXiArgs ransomware attack. The cybercriminals behind the attack have seemingly already countered this move, as they have reportedly developed a new variant that can no longer be decrypted with the CISA's script.


PhantomScript is an internal League of Legends script that is guaranteed to help you climb the ladder and increase your ELO! Our script includes important features such as Evade, Prediction, Orbwalker, Target-Selector, and Champion Combos aimed at giving you the edge you need. Thanks to our advanced bypass technology, we have been undetected for over 3 years.


LoL Scripting enhances your abilities through the magic of AI. PhantomScript will allow you to have perfect kiting, orbwalking, and combos all with the press of a button. The script constantly evaluates the game and makes real-time decisions based on certain parameters.


Games in a higher elo can be really exhausting. Besides all the mechanical activities, you have to keep track of everything and make the right decisions. Thanks to PhantomScript you "only" have to make the right decisions, the script does the rest.


An internal LoL script looks at all of the data from the League of Legends process/memory. When the collected data is processed, the actions in the game are automatically done by sending network packets to the server. This is a classic example of spacebar-to-win that was often seen in previous years. As an example, you can minimize the LoL window, but you will still dodge all enemy abilities in-game.


Yes, not a single user has been banned for using PhantomScript! If you use our League of Legends hack inconspicuously, then nothing will happen to you! Nevertheless, the Golden Rule is safety first. Don't script on your main.


UNC2165 has leveraged multiple Windows batch scripts during the final phases of its operations to deploy ransomware and modify systems to aid the ransomware's propagation. We have observed UN2165 use both HADES and LOCKBIT; we have not seen these threat actors use HADES since early 2021. Notably, LOCKBIT is a prominent Ransomware-as-a-Service (RaaS) affiliate program, which we track as UNC2758, that has been advertised in underground forums since early 2020 (21-00026166).


Now we can do the same thing, only this time using PowerShell instead. Generate your favorite PowerShell base64 encoded payload. Let me guess, you probably want to use PowerShell Empire ( ) which conveniently includes a base64 script as the client-side agent!


This is useful if the pattern match doesn't take into account spaces in the word javascript: -which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the javascript: keyword. The actual reality is you can have any char from 1-32 in decimal:


Based on the same idea as above, however,expanded on it, using Rnake fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:


This particular variant was submitted by Łukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag. 041b061a72


About

Welcome to the group! You can connect with other members, ge...

Members

bottom of page