Anti-AV - Repository of defense evasion tools and resources
Invoke-EDRChecker - Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services, the registry and running drivers for the presence of known defensive products such as AVs, EDRs and logging tools.
SandboxDefender - C# code to Sandbox Defender (and most probably other AV/EDRs).
AVET - AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques, as well as other methods used by malicious software.
Backstab - Backstab is a tool capable of killing antimalware-protected processes by leveraging Sysinternals' Process Explorer (ProcExp) driver, which is signed by Microsoft.
TimeStomp - A wonderfully frustrating tool in the Metasploit kit (Meterpreter) that rewrites a file's MACE timestamps (modified, accessed, created, MFT entry modified) to disrupt timeline analysis and forensics.
PEcloak.py - A simple multi-pass PE encoder/decoder that inserts instructions which spend cycles, in an effort to outlast an AV scanner's heuristic sandbox, and that can place its decoder stub in code caves.
DefenderCheck - Takes a binary as input and splits it until it pinpoints the exact bytes that Microsoft Defender will flag on, and then prints those offending bytes to the screen. This can be helpful when trying to identify the specific bad pieces of code in your tool/payload.
SysWhispers3 - SysWhispers on Steroids - AV/EDR evasion via direct system calls.
Cerbersec/metatwin/tree/cerbersec-patch-1 - The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another. Note: Signatures are copied, but no longer valid.
StopDefender - Stops Windows Defender programmatically by creating a new token using the TrustedInstaller and WinDefend service accounts.
Injector - Complete arsenal of memory injection and other techniques for red teaming in Windows.
SharpEDRChecker - Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools.
EDRSandblast - A tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and the ETW TI provider) and LSASS protections.
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for end users and their data, applications, and workloads.
AMSI hands script content to the registered antimalware provider for scanning, including content that is only decoded or generated at runtime, so script functions and patterns the engine knows as 'malicious' can be detected even when the script never touches disk.
AMSI is integrated into the following components of Windows:
User Account Control (UAC) – elevation of EXE, COM, MSI, or ActiveX installation
PowerShell – scripts, interactive use, and dynamic code evaluation
Windows Script Host – wscript.exe and cscript.exe
JavaScript and VBScript
Office VBA macros
Bypass techniques
Where the .NET Framework 2.0/3.5 runtime and the Windows PowerShell 2.0 engine are still installed, powershell.exe -Version 2 starts the 2.0 engine. That engine predates AMSI (and script block logging), so nothing it runs is ever handed to AMSI.
After dropping to PowerShell version 2, you can then use the 'fileless malware' techniques.
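The following is an added example, not code from the original page or from any of the tools listed above. It checks, from an elevated Windows PowerShell 5.1 prompt, whether the 2.0 engine can still be reached on a host (registry registration, .NET 3.5 state, the optional feature, and an actual probe), and then pulls the log artefact a downgrade leaves behind: every engine start writes Event ID 400 to the classic "Windows PowerShell" log with an EngineVersion= field, and 2.0 there is the indicator. The function names are my own.

```powershell
# Added example (not from the original page): can PowerShell 2.0 still be reached
# here, and what does a downgrade look like in the logs? Needs an elevated
# Windows PowerShell 5.1 prompt because the optional-feature query requires admin.

function Test-PowerShellV2Engine {
    # The 2.0 engine registers under PowerShell\1; 3.0 and later register under PowerShell\3.
    # This key is only a registration hint; Invoke-PowerShellV2Probe below is authoritative.
    $engine  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine' -ErrorAction SilentlyContinue
    # The 2.0 engine needs the CLR 2.0 runtime, which ships with the .NET Framework 3.5 feature.
    $netfx35 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    # Optional-feature state, i.e. what an administrator would disable to remove the engine.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue

    [pscustomobject]@{
        V2EngineRegistered = ($engine.PowerShellVersion -eq '2.0')
        NetFx35Installed   = ($netfx35.Install -eq 1)
        V2FeatureState     = if ($feature) { [string]$feature.State } else { 'Unknown (run elevated)' }
    }
}

function Invoke-PowerShellV2Probe {
    # Ask the 2.0 engine for its own major version. When the engine or CLR 2.0 is
    # missing, powershell.exe fails with "Version v2.0.50727 of the .NET Framework
    # is not installed and it is required to run version 2 of Windows PowerShell."
    $out = & powershell.exe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>&1
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        Output   = ($out | Out-String).Trim()
    }
}

function Get-PowerShellV2EngineStarts {
    # Event 400 ("Engine state is changed from None to Available") carries
    # EngineVersion= and HostApplication= in its Details block. The 5.1 engine
    # logs EngineVersion=5.1.x for the same event, so 2.0 isolates downgrades.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated, @{
            Name       = 'HostApplication'
            Expression = { ($_.Message -split '\r?\n' | Where-Object { $_ -match '^\s*HostApplication=' }) -replace '^\s*HostApplication=', '' }
        }
}

Test-PowerShellV2Engine
Invoke-PowerShellV2Probe
Get-PowerShellV2EngineStarts | Format-Table -AutoSize

# Remediation on hosts that have no business running the 2.0 engine:
# Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
```

Run the three calls in order: if the probe returns exit code 0 and prints 2, the downgrade path is open on that host regardless of what the registry says. Because the 2.0 engine has no script block logging, Event 400 (and its companion 403 on engine stop) is often the only trace of what was started, which is why the HostApplication command line is pulled out rather than the message as a whole.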
The seven execution policies that can be set for PowerShell by a machine administrator (or by Group Policy):
All Signed – All scripts and configuration files must be signed by a trusted publisher.
Bypass – Nothing is blocked and there are no warnings or prompts.
RemoteSigned – All scripts and configuration files downloaded from the Internet must be signed by a trusted publisher; scripts written on the local computer run without a signature.
Restricted – Doesn't load configuration files or run scripts; individual commands typed at the prompt still run.
Default – Sets the default execution policy. Restricted for Windows clients or RemoteSigned for Windows servers.
Undefined – No execution policy is set for the scope. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted.
Unrestricted – Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you're prompted for permission before it runs.
In most cases, administrators will harden machines and set the execution policy to Restricted. Note that Microsoft documents the execution policy as a safety feature that prevents the accidental execution of scripts, not as a security boundary, which is why the bypasses below exist; of the scopes, only MachinePolicy and UserPolicy (set through Group Policy) cannot be overridden from the command line.
When running the command Get-ExecutionPolicy -List, we are presented with the execution policies for all scopes.
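As an added example (not part of the original page), the function below resolves the effective execution policy from the per-scope list the way PowerShell does, so the scope that actually wins is visible. Precedence is fixed: MachinePolicy and UserPolicy (Group Policy) beat Process (-ExecutionPolicy on the command line), which beats CurrentUser and LocalMachine (Set-ExecutionPolicy). If every scope is Undefined the effective policy is Restricted on clients. The constructed scenarios show why the Bypass flag described below defeats a locally hardened machine but not a Group Policy setting. The function name and the sample policy lists are my own.

```powershell
# Added example (not from the original page): walk the scopes in PowerShell's own
# precedence order and return the first one that is not Undefined.
function Resolve-EffectiveExecutionPolicy {
    param(
        # Output of Get-ExecutionPolicy -List, or a constructed list of objects
        # with Scope and ExecutionPolicy properties.
        [Parameter(Mandatory)][object[]]$PolicyList
    )
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    foreach ($scope in $order) {
        $entry = $PolicyList | Where-Object { [string]$_.Scope -eq $scope } | Select-Object -First 1
        if ($entry -and [string]$entry.ExecutionPolicy -ne 'Undefined') {
            return [pscustomobject]@{ WinningScope = $scope; ExecutionPolicy = [string]$entry.ExecutionPolicy }
        }
    }
    # Nothing set anywhere: Restricted on Windows clients (RemoteSigned on Windows Server).
    [pscustomobject]@{ WinningScope = 'None'; ExecutionPolicy = 'Restricted' }
}

# Live view of this host; Get-ExecutionPolicy (without -List) should agree.
Resolve-EffectiveExecutionPolicy -PolicyList (Get-ExecutionPolicy -List)

# Constructed scenario 1: an admin set Restricted at LocalMachine, then an
# operator launched powershell.exe -ExecutionPolicy Bypass. Process outranks
# LocalMachine, so the session runs under Bypass.
$localHardening = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Bypass' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'Restricted' }
)
Resolve-EffectiveExecutionPolicy -PolicyList $localHardening

# Constructed scenario 2: the same command line on a host where Group Policy
# sets AllSigned. MachinePolicy outranks Process, so the flag changes nothing;
# powershell.exe warns that the setting is overridden by a more specific scope.
$groupPolicy = $localHardening | ForEach-Object { $_.PSObject.Copy() }
($groupPolicy | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy = 'AllSigned'
Resolve-EffectiveExecutionPolicy -PolicyList $groupPolicy
```

The second scenario is the one to keep in mind when reading the bypass list that follows: the -ExecutionPolicy Bypass flag only helps against CurrentUser and LocalMachine settings, while the type-and-pipe, copy-and-paste and -EncodedCommand techniques never load a script file at all and so are not subject to the policy in any scope.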
Ways to bypass the restricted policy
‘Bypass’ execution policy flag. This technique involves spawning a new PowerShell process, setting the execution policy to Bypass for that scope and passing the script as an argument. The command looks like this: PS > powershell.exe -ExecutionPolicy Bypass -File .\script.ps1
Type and pipe. Although scripts are disabled, single commands still work, so another technique is to simply read the script and pipe it into the PowerShell executable. PS > type .\script.ps1 | powershell.exe -noprofile -
The copy and the paste (only in interactive mode). This generally works best for small scripts. As above, this technique works because commands are pasted straight into the console instead of being run from the script itself.
The base64 encoded parameter. PowerShell offers the ability to run commands encoded as base64. To do this, you must encode the contents of the file and pass the resulting string to the -EncodedCommand switch of PowerShell.
PS > $commands = Get-Content script.ps1 -Raw
PS > $bytes = [System.Text.Encoding]::Unicode.GetBytes($commands)
PS > $encodedCommand = [Convert]::ToBase64String($bytes)
PS > powershell.exe -EncodedCommand $encodedCommand
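The encoding shown above is exactly what a responder has to undo when an -EncodedCommand launch turns up in a process-creation event (Sysmon Event ID 1, Security 4688). The following is an added example and not code from the original page: a decoder that recovers the script from a captured command line. powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), and also accepts / as the switch character, so the parser tests the switch as a prefix instead of matching one fixed spelling. The function name and the sample command lines are constructed for this example.

```powershell
# Added example (not from the original page): recover the script behind
# -EncodedCommand from a process command line, as seen in Sysmon 1 / 4688 events.
function ConvertFrom-EncodedCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        $tokens = $CommandLine -split '\s+'
        for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
            # Switches start with - or /; anything else is an argument or the binary path.
            if ($tokens[$i] -notmatch '^[-/](\w+)$') { continue }
            $switch = $Matches[1]
            # powershell.exe matches switches by prefix: -e, -ec, -enc, -encoded ... all mean
            # -EncodedCommand. -ex/-ep (ExecutionPolicy) and -nop, -w etc. fail this test.
            if (-not 'encodedcommand'.StartsWith($switch, [StringComparison]::OrdinalIgnoreCase)) { continue }
            $candidate = $tokens[$i + 1].Trim('"', "'")
            try {
                $bytes = [Convert]::FromBase64String($candidate)
            } catch {
                Write-Verbose "Argument after $($tokens[$i]) is not valid base64; skipping"
                continue
            }
            # -EncodedCommand is always UTF-16LE ("Unicode" in .NET terms), never UTF-8.
            return [Text.Encoding]::Unicode.GetString($bytes)
        }
        # No encoded command on this line.
        return $null
    }
}

# Constructed samples: encode a script the same way the bypass above does, then
# embed it in command lines of the kind found in process-creation telemetry.
$script  = "Write-Host 'hello from an encoded command'"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))

$samples = @(
    "powershell.exe -nop -w hidden -enc $encoded"                                    # constructed
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e $encoded"          # constructed
    "powershell.exe -ExecutionPolicy Bypass -File .\script.ps1"                      # constructed, no encoded command
)
foreach ($line in $samples) {
    [pscustomobject]@{
        CommandLine = $line
        Decoded     = ConvertFrom-EncodedCommand -CommandLine $line
    }
}
```

The first two samples decode back to the original Write-Host line; the third returns nothing, since -ExecutionPolicy is not a prefix of encodedcommand. On 5.x engines with script block logging enabled, Event ID 4104 in Microsoft-Windows-PowerShell/Operational already records the decoded script, so the decoder matters most for hosts without that logging and for the PowerShell 2.0 downgrade described earlier, which logs no script blocks at all.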
Authorisation Manager → NULL. The following technique replaces the session's authorisation manager, the component that enforces the execution policy, with a base System.Management.Automation.AuthorizationManager whose default ShouldRun approves everything (some versions of this trick set the field to null instead). Thus, the execution policy effectively becomes Unrestricted for the remainder of the session. This does not affect any global configuration; the configured policy itself is unchanged.
PS > function Disable-ExecutionPolicy {
    ($ctx = $ExecutionContext.GetType().GetField("_context", "nonpublic,instance").GetValue($ExecutionContext)).GetType().GetField("_authorizationManager", "nonpublic,instance").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
PS > Disable-ExecutionPolicy