Evasor : A Tool To Be Used In Post Exploitation Phase For Blue

The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. It is very easy to use, quick, saves time and fully automated which generates for you a report including description, screenshots and mitigations suggestions, suites for both blue and red teams in the assessment of a post-exploitation phase.

Requirements

  • Windows OS.
  • Visual studio 2017 installed.

Usage instructions

Download the Evasor project and complie it. Verify to exclude from the project the App.config file from the reference tree.

run Evasor.exe from the bin folder. Choose your numeric option from the follwoing:

  1. Locating executable files that can be used to bypass the Application Control!
  • Retrieving the all running processes relative paths
  • Checking every process (executable file) if it vulnerable to DLL Injection by:
    1. Running “MavInject” Microsoft component from path C:\Windows\System32\mavinject.exe with default parameters.
    2. Checking the exit code of the MavInject execution, if the process exited normally it means that the process is vulnerable to DLL Injection and can be used to bypass the Application Control.
  1. Locating processes that vulnerable to DLL Hijacking!
  • Retrieving the all running processes
  • For each running Process:
    1. Retrieving the loaded process modules
    2. Checking if there is a permission to write data into the directory of the working process by creating an empty file with the name of the loaded module (DLL) or overwriting an existence module file on the working process directory.
    3. If the write operation succeeds – it seems that the process is vulnerable to DLL Hijacking.
  1. Locating for potential hijackable resource files
  • Searching for specific files on the computer by their extension.
  • Trying to replace that files to another place in order to validate that the file can be replaceable and finally, potentially vulnerable to Resource Hijacking.
  • Extensions: xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,msi,yaml,lib,inf,reg,log,htm,hta,sys,rsp
  1. Generating an automatic assessment report word document includes a description of tests and screenshots taken.

Notes

  • The original code developed and being used on CyberArk Labs: Copyright © 2020 CyberArk Software Ltd. All rights reserved. internaly, makes full automation and exploitation of the informative results.
  • The original code contains part of activation and exploitation but we removed it from here.
  • The files content under the DLLs folder are empty and not contains any exploitation code also and it’s for the Cyber Security community Red and Blue teams to be used and to be implemented according to their own needs and can be a starting point for their assessment objectives.
R K

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

20 hours ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 day ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 day ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 day ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 day ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

1 day ago