windows-av-evasion
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for executing commands that intentionally bypass security controls, such as downgrading to the PowerShell version 2 engine (which predates AMSI, so nothing it runs is scanned) and using the 'donut' utility to convert .NET assemblies into position-independent shellcode.
- [REMOTE_CODE_EXECUTION]: Includes functional C# and PowerShell code patterns for patching process memory (e.g., overwriting the start of 'AmsiScanBuffer' in 'amsi.dll' so that every scan returns a clean result) to disable runtime security scanning in the current process.
- [REMOTE_CODE_EXECUTION]: Provides detailed templates for process injection techniques such as 'Early Bird APC Injection' and 'Process Hollowing', which run attacker code inside, and under the name of, a legitimate Windows process.
- [REMOTE_CODE_EXECUTION]: Describes methods to bypass the user-mode API hooks placed by security products by issuing direct and indirect system calls, using 'SysWhispers'-style generated stubs and the 'HellsGate' technique for resolving syscall numbers at runtime.
- [REMOTE_CODE_EXECUTION]: Outlines strategies for loading assemblies in memory without touching disk and for using Win32 API callbacks (e.g., 'EnumWindows') to start shellcode without calling 'CreateThread', evading common heuristic detections.
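A practitioner reading the first finding will want to know whether the PowerShell v2 downgrade path is open on their hosts and whether it has already been used. The script below is an added example written for this page; it is not code from the audited skill or from the Trust Hub. It assumes an elevated Windows PowerShell 5.x session with the DISM module available; the optional-feature names and the 'Windows PowerShell' log's Event ID 400 are the standard ones, and the function name Test-PowerShellV2Downgrade is ours.

```powershell
# Added example, not part of the audit or of the audited skill. Assumes an elevated
# Windows PowerShell 5.x session on Windows 10/11 with the DISM module; the feature
# names and the Event ID 400 / 'Windows PowerShell' log are standard, the rest is ours.

function Test-PowerShellV2Downgrade {
    [CmdletBinding()]
    param(
        # Remove the v2 engine after reporting; off by default so the check is read-only.
        [switch]$Remediate
    )

    # 1. Exposure: is the v2 engine still installed? If it is, `powershell.exe -Version 2`
    #    runs with no AMSI and no script-block logging, which is the downgrade the skill uses.
    $v2Features = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' }
    foreach ($f in $v2Features) {
        Write-Host ("{0,-40} {1}" -f $f.FeatureName, $f.State)
    }

    # 2. Evidence: Event ID 400 in the classic 'Windows PowerShell' log is written each time an
    #    engine starts and carries EngineVersion; 2.x on a host that ships 5.x is a downgrade.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
                           -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        ForEach-Object {
            [pscustomobject]@{
                Time            = $_.TimeCreated
                HostApplication = [regex]::Match($_.Message, 'HostApplication=(.*)').Groups[1].Value.Trim()
            }
        }
    if ($events) {
        Write-Warning ("{0} PowerShell v2 engine start(s) found; review HostApplication below." -f @($events).Count)
        $events | Format-Table -AutoSize
    }

    # 3. Remediation: uninstall the optional feature so the downgrade path no longer exists.
    #    Both MicrosoftWindowsPowerShellV2 and MicrosoftWindowsPowerShellV2Root are covered
    #    by the wildcard above.
    if ($Remediate -and $v2Features) {
        foreach ($f in ($v2Features | Where-Object State -eq 'Enabled')) {
            Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -NoRestart | Out-Null
            Write-Host "Disabled $($f.FeatureName)"
        }
    }
}

# Read-only run; add -Remediate to remove the engine.
Test-PowerShellV2Downgrade
```

The Event ID 400 check only sees engine starts that were logged on this host, so it is evidence of past use, not proof of absence; disabling the optional feature is what actually closes the path. PowerShell 7 (pwsh) has no `-Version 2` switch, so the downgrade concerns Windows PowerShell only.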
Audit Metadata