New Job-Role Training Path: Active Directory Penetration Tester! Learn More

Introduction to Windows Evasion Techniques

In this module we will cover the basics of evading antivirus solutions (Windows Defender specifically) from an attackers point-of-view.

4.54

Created by bmdyy

Hard Offensive

Summary

This module is for students who want to understand how attackers evade antivirus, specifically Microsoft Defender Antivirus. It is highly recommended that you have at least basic knowledge of C# before attempting this course, as we will be developing a few custom tools.

This module is divided up as follows:

  • Introduction: Introduction to the module, as well as the lab environment.
  • Introduction to Antivirus Evasion: We discuss how antivirus works, and how to bypass it, the Antivirus Scan Interface and User Account Control.
  • Evading Application Whitelisting: We discuss AppLocker, and various ways to bypass it, as well as the ConstrainedLanguage mode.
  • Skills Assessment: Put your new-found skills to the test against a custom target.

This module aims to teach students enough about antivirus evasion so that they can be comfortable doing so independently.

This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.

A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

Introduction

Introduction to the Module

In this module, we will be discussing the basics of evading antivirus. Specifically, we will focus on evading Microsoft Defender Antivirus, which attackers most commonly encounter during engagements. That being said, all the techniques in this module may be adapted to work with other antivirus solutions.

Evading antivirus is commonly referred to as a cat-and-mouse game. This is because attackers come up with new attack vectors just as frequently as antivirus providers come up with new ways to catch them. Depending on who you ask, one or the other may be a step ahead, but there is never a clear answer. One or the other may be a step ahead, but there is never a clear answer. As of early 2024, while the attack vectors covered in this module remain effective, they are susceptible to detection sooner or later. Thus, it is crucial to prioritize grasping the underlying concepts rather than the specific examples. The techniques discussed here will likely require adaptation and altering in the future to evade detection.

Introduction to the Lab

Throughout this module, we will be working with the following two Windows VMs:

  • EVASION-DEV: A Windows server with administrative privileges access to develop/debug payloads.
  • EVASION-TARGET: A Windows server with low-privileged user access. The sections' questions and the skills assessments will require to attack this machine.

One way to access the machines is with xfreerdp, using the following syntax. Since files will need to be transferred back and forth, the /drive argument allows us to map a local drive to the remote machine (note that Microsoft Defender Antivirus may periodically scan and delete files in this folder).

xfreerdp /v:[IP] /u:[USERNAME] /p:'[PASSWORD]' /dynamic-resolution /drive:linux,/tmp

EVASION-DEV

This section's question provides access to EVASION-DEV. Use it whenever developing an exploit to solve any of the sections' questions.

The credentials for the development VM are the following:

Username Password Notes
Administrator Eva$i0n! Built-in administrator account
maria Eva$i0n! Administrator
max Eva$i0n! Standard user

Most of the tools referenced in the sections reside in the 'C:\Tools' folder, and throughout the module, all custom programs developed will assume that this directory is being used.

image

Note: Unless you know what you are doing, please stick to using the provided VM for development, rather than using your own machine.

EVASION-TARGET

Initially, we only have access to the target VM as the following user:

Username Password Notes
alpha FGQxrLW2 Standard User

For all interactive sections, including the skills assessments, placing files in or interacting with files in the folder "C:\Alpha" is required. Each subfolder will generate its own log.txt file, which be useful in the case a payload does not work.

image

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Relevant Paths

This module progresses you towards the following Paths

Active Directory Penetration Tester

The Active Directory Penetration Tester Job Role Path is designed for individuals who aim to develop skills in pentesting large Active Directory (AD) networks and the components commonly found in such environments. This path equips students with the skills needed to evaluate the security of AD environments, navigate complex Windows networks, and identify elusive attack paths. This path includes advanced hands-on labs where participants will practice techniques such as Kerberos attacks, NTLM relay attacks, and the abuse of services like AD Certificate Services (ADCS), Exchange, WSUS, and MSSQL. Students will also learn how to exploit misconfigurations in Active Directory DACLs and Domain Trusts, perform evasion tactics in Windows environments, and leverage Command and Control (C2) frameworks for post-exploitation activities. By combining theoretical foundations with practical exercises and a structured methodology for identifying AD vulnerabilities, this path enables students to conduct professional security assessments on complex AD infrastructures and effectively report security weaknesses discovered by chaining multiple vulnerabilities.

Hard Path Sections 253 Sections
Required: 7100
Reward: +1420
Path Modules
Medium
Path Sections 36 Sections
Reward: +20
Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we must understand AD architectures and how to secure our enterprise environments. As Penetration testers, having a firm grasp of what tools, techniques, and procedures are available to us for enumerating and attacking AD environments and commonly seen AD misconfigurations is a must.
Medium
Path Sections 12 Sections
Reward: +100
This module provides an overview of Active Directory (AD), introduces core AD enumeration concepts, and covers enumeration with built-in tools.
Medium
Path Sections 9 Sections
Reward: +100
This module covers AD enumeration focusing on the PowerView and SharpView tools. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.
Medium
Path Sections 14 Sections
Reward: +100
This module covers AD enumeration focusing on the BloodHound tool. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.
Medium
Path Sections 14 Sections
Reward: +100
Windows lateral movement involves techniques to navigate and control remote systems within a network, primarily after gaining initial access. It is crucial in offensive and defensive cybersecurity strategies, allowing attackers to escalate privileges, access sensitive data, and expand their network presence while helping defenders understand, identify, and mitigate such movements. This module delves into various lateral movement techniques on Windows systems, providing a comprehensive understanding and practical examples of executing and defending against these methods.
Medium
Path Sections 27 Sections
Reward: +100
Active Directory presents a vast attack surface and often requires us to use many different tools during an assessment. The CrackMapExec tool, known as a "Swiss Army Knife" for testing networks, facilitates enumeration, attacks, and post-exploitation that can be leveraged against most any domain using multiple network protocols. It is a versatile and highly customizable tool that should be in any penetration tester's toolbox.
Hard
Path Sections 23 Sections
Reward: +100
Kerberos is an authentication protocol that allows users to authenticate and access services on a potentially insecure network. Due to its prevalence throughout an Active Directory environment, it presents us with a significant attack surface when assessing internal networks. This module will explain how Kerberos works thoroughly and examines several scenarios to practice the most common attacks against it from multiple perspectives.
DACL Attacks I
mini module tag Mini-Module
Hard
Path Sections 7 Sections
Reward: +100
Discretionary Access Control Lists (DACLs), found within security descriptors, are a fundamental component of the security model of Windows and Active Directory, defining and enforcing access to the various system resources. This mini-module will cover enumerating and attacking common DACL misconfigurations, allowing us to escalate our privileges horizontally and vertically and move laterally across an Active Directory network.
DACL Attacks II
mini module tag Mini-Module
Hard
Path Sections 9 Sections
Reward: +100
In this second module on Discretionary Access Control Lists (DACLs), we delve into sophisticated attack techniques and strategies within Windows Active Directory environments. Building on the foundation laid in DACL Attacks I, this module explores other DACL misconfigurations and their exploitation. We also introduce methods for detecting and mitigating these DACL-based attacks, equipping learners with both offensive and defensive skills crucial for safeguarding and compromising Active Directory networks.
Hard
Path Sections 10 Sections
Reward: +100
The NTLM authentication protocol is commonly used within Windows-based networks to facilitate authentication between clients and servers. However, NTLM's inherent weaknesses make it susceptible to Adversary-in-the-Middle attacks, providing a significant attack vector. This module focuses on the various NTLM relay attacks that attackers use to compromise Active Directory networks.
Hard
Path Sections 19 Sections
Reward: +100
This module focuses on privilege escalation attacks by abusing misconfigurations in Active Directory Certificate Services.
Hard
Path Sections 21 Sections
Reward: +100
Active Directory (AD) is the leading solution for organizations to provide identity and access management, centralized domain administration, authentication, and many other tasks. It is possible to connect Active Directory domains and forests via a feature called "trusts". Domain trusts can be set up for a variety of reasons such as resource sharing, centralized management, cross-forest collaboration, migration, enhanced security. With the introduction of trusts into any environment, they bring with them many inherent risks. As skilled AD pentesters we must understand how to enumerate and attack both intra-forest and cross-forest and be able to confidently explain the hardening considerations a customer needs to take into an account to mitigate some of the risk of introducing trusts into their operation environment.
Hard
Path Sections 19 Sections
Reward: +100
Active Directory is present in over 90% of corporate environments and it is the prime target for attacks. This module covers the attack chain from getting the initial foothold within a corporate environment to compromising the whole forest with Sliver C2 and other open-source tools.
Hard
Path Sections 14 Sections
Reward: +100
In this module we will cover the basics of evading antivirus solutions (Windows Defender specifically) from an attackers point-of-view.
Hard
Path Sections 19 Sections
Reward: +100
This module covers attacks targeting tightly incorporated technologies in Active Directory environments such as MSSQL, Exchange, and SCCM, and how to identify them.