Evasor : A Tool To Be Used In Post Exploitation Phase For Blue

The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. It is very easy to use, quick, saves time and fully automated which generates for you a report including description, screenshots and mitigations suggestions, suites for both blue and red teams in the assessment of a post-exploitation phase.

Requirements

  • Windows OS.
  • Visual studio 2017 installed.

Usage instructions

Download the Evasor project and complie it. Verify to exclude from the project the App.config file from the reference tree.

run Evasor.exe from the bin folder. Choose your numeric option from the follwoing:

  1. Locating executable files that can be used to bypass the Application Control!
  • Retrieving the all running processes relative paths
  • Checking every process (executable file) if it vulnerable to DLL Injection by:
    1. Running “MavInject” Microsoft component from path C:\Windows\System32\mavinject.exe with default parameters.
    2. Checking the exit code of the MavInject execution, if the process exited normally it means that the process is vulnerable to DLL Injection and can be used to bypass the Application Control.
  1. Locating processes that vulnerable to DLL Hijacking!
  • Retrieving the all running processes
  • For each running Process:
    1. Retrieving the loaded process modules
    2. Checking if there is a permission to write data into the directory of the working process by creating an empty file with the name of the loaded module (DLL) or overwriting an existence module file on the working process directory.
    3. If the write operation succeeds – it seems that the process is vulnerable to DLL Hijacking.
  1. Locating for potential hijackable resource files
  • Searching for specific files on the computer by their extension.
  • Trying to replace that files to another place in order to validate that the file can be replaceable and finally, potentially vulnerable to Resource Hijacking.
  • Extensions: xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,msi,yaml,lib,inf,reg,log,htm,hta,sys,rsp
  1. Generating an automatic assessment report word document includes a description of tests and screenshots taken.

Notes

  • The original code developed and being used on CyberArk Labs: Copyright © 2020 CyberArk Software Ltd. All rights reserved. internaly, makes full automation and exploitation of the informative results.
  • The original code contains part of activation and exploitation but we removed it from here.
  • The files content under the DLLs folder are empty and not contains any exploitation code also and it’s for the Cyber Security community Red and Blue teams to be used and to be implemented according to their own needs and can be a starting point for their assessment objectives.
R K

Recent Posts

Install OpenCV on Ubuntu 18.04: Step-by-Step Setup Guide

Computer vision technology powers many modern applications, from image editors to facial scanners. OpenCV (Open Source Computer…

4 minutes ago

Install VNC on Ubuntu 18.04: Step-by-Step TigerVNC Setup

A remote desktop interface makes it easy to manage a remote computer. VNC (Virtual Network Computing) is…

22 minutes ago

Install Gitea on Ubuntu 18.04: Self-Hosted Git Service Guide

Hosting your own code repositories is a great way to keep your projects private. Gitea is a…

35 minutes ago

Install Java on Ubuntu 18.04: OpenJDK 11 and OpenJDK 8

Many modern programs require Java to run. From development tools like Eclipse to search systems…

44 minutes ago

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

23 hours ago

Install Xrdp on Ubuntu 18.04: Remote Desktop Setup Guide

Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…

24 hours ago