threat-hunting-evasion
Fail
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous pre-configured command-line strings for using LOLBins (Living-off-the-Land Binaries) like certutil, bitsadmin, and msbuild to bypass execution policies and download external payloads.
- [REMOTE_CODE_EXECUTION]: Includes functional C# source code for a downloader that utilizes reflective assembly loading (Assembly.Load) to execute code in memory, intentionally bypassing file-based security scanners.
- [CREDENTIALS_UNSAFE]: Provides detailed instructions and code patterns for harvesting credentials from the LSASS process while evading detection, including techniques like 'Handle Duplication' and the use of signed drivers to bypass PPL (Protected Process Light) protections.
- [COMMAND_EXECUTION]: Contains specific instructions for subverting active system defenses, including code to patch the Anti-Malware Scan Interface (AMSI) and Event Tracing for Windows (ETW) via memory manipulation to suppress the reporting of malicious activities.
- [REMOTE_CODE_EXECUTION]: Provides detailed guidance on implementing 'Direct Syscalls' and 'Indirect Syscalls' to bypass Endpoint Detection and Response (EDR) user-mode hooks.
- [EXTERNAL_DOWNLOADS]: References the SigmaHQ and Yara-Rules public GitHub repositories for the purpose of analyzing and testing bypasses against community detection rules.
Recommendations
- AI detected serious security threats
Audit Metadata