AV / EDR Evasion
Common AV process names:

| Process Name | Vendor/Product |
|---|---|
| avp.exe | KIS / KES |
| cpda.exe | Check Point End Point Security |
| egui.exe | ESET GUI |
| ekrn.exe | ESET Kernel Service |
| MsMpEng.exe | Windows Defender |
| ntrtscan.exe | Trend Micro OfficeScan |
| tmlisten.exe | Trend Micro OfficeScan |

Search for active AV processes on hosts (local admin privileges required):
Identify Microsoft .NET version from inspecting assembly properties:
Identify Microsoft .NET version from querying the registry:
Windows build <-> default .NET Framework version associations:

| Windows Build | Default .NET Framework Version |
|---|---|
| 1511 | 4.6.1 |
| 1607 | 4.6.2 |
| 1703 | 4.7 |
| 1709 | 4.7.1 |
| 1803 | 4.7.2 |
| 1909+ | 4.8 |

.NET Framework version <-> CLR version associations:

| .NET Framework Version | CLR Version |
|---|---|
| 2.0, 3.0, 3.5 | 2 |
| 4, 4.5-4.8 | 4 |

Note that we don't have to target the exact .NET Framework version when compiling our tools. It's enough to match the above relationship between .NET Framework version and CLR version, i.e. all 4.x versions will execute on CLR v4. For example, Rubeus compiled to target v4.5 will run on a machine with only .NET v4.0 installed.
.NET:
Python:
Pyramid
BOFs with Python
Python RDI
Hyperion + Pescramble
Install and generate a payload:
Exec with msbuild.exe
and get a shell:
Wrap executable into PEzor:
Install LLVM 13.x obfuscator based on and :
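The registry check and the framework/CLR note above, worked through as an added Python example (not from the original notes): it reads the `Release` DWORD that Microsoft documents under `NDP\v4\Full`, maps it to a .NET 4.x version with Microsoft's published minimum thresholds, and applies the CLR-compatibility rule from the tables. Assumptions: a Windows host for the registry read (the helper returns `None` elsewhere), and the Release numbers in the self-check are constructed.

```python
"""Map an installed .NET Framework 4.x to its CLR version (added example)."""
import sys

# Minimum "Release" DWORD for each .NET Framework 4.x version (Microsoft docs).
# A 4.8.1 host (Release 533320+) still maps to "4.8", which is the same CLR.
RELEASE_TO_VERSION = [
    (528040, "4.8"), (461808, "4.7.2"), (461308, "4.7.1"), (460798, "4.7"),
    (394802, "4.6.2"), (394254, "4.6.1"), (393295, "4.6"),
    (379893, "4.5.2"), (378675, "4.5.1"), (378389, "4.5"),
]

def release_to_version(release):
    """Translate the v4\\Full 'Release' DWORD to a framework version string."""
    for minimum, version in RELEASE_TO_VERSION:
        if release >= minimum:
            return version
    return None  # below any documented 4.5+ threshold

def clr_for(framework_version):
    """Framework version -> CLR major, per the framework/CLR table in the notes."""
    major = framework_version.split(".")[0]
    return {"2": 2, "3": 2, "4": 4}.get(major)

def can_run(tool_target, host_framework):
    """A tool built for one framework loads on a host whose CLR major matches,
    e.g. a v4.5 build on a host with only v4.0 (both CLR 4)."""
    target_clr = clr_for(tool_target)
    return target_clr is not None and target_clr == clr_for(host_framework)

def installed_release():
    """Read the Release DWORD from HKLM (Windows only); None if absent."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    key_path = r"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, "Release")[0]
    except OSError:  # key or value missing: .NET 4.0 or older, or no .NET 4
        return None

if __name__ == "__main__":
    rel = installed_release()
    if rel is None:
        print("not on Windows, or no .NET 4.5+ registered")
    else:
        ver = release_to_version(rel)
        print(f"Release {rel} -> .NET Framework {ver} -> CLR v{clr_for(ver)}")
```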