Inceptor – Template-Driven AV/EDR Evasion Framework
Modern penetration testing and red teaming often require bypassing common AV/EDR products in order to execute code on a target. Over time, defenses have become more complex and inherently harder to bypass consistently.
Inceptor is a tool that helps automate a large part of this process, ideally requiring no further manual effort.
Installation
Inceptor has been designed to work on Windows. The update-config.py utility can locate the required Microsoft binaries and update the configuration accordingly. Installing Microsoft Build Tools, the Windows SDK and Visual Studio may be required; update-config.py will guide the user through installing the required dependencies.
git clone --recursive https://github.com/klezVirus/inceptor.git
cd inceptor
virtualenv venv
venv\Scripts\activate.bat
pip install -r requirements.txt
cd inceptor
python update-config.py
Useful Notes
Default Loaders
The current version of Inceptor locates a specific template using a simple naming convention (do not rename the templates) and the set of arguments given by the user. Among the arguments is the loader (-t). If it is not specified, the loader is picked as a function of the file to pack, following this schema:
$ python inceptor.py -hh
[*] Default Loaders
   Input File Extension  SpecialCondition  Guessed Filetype   Default Loader  Default Template
0  .raw                  NaN               Shellcode          Simple Loader   Classic
1  .exe                  .NET              Dotnet Executable  Donut           Classic
2  .exe                  NaN               Native Executable  Pe2Shellcode    PE Load
3  .dll                  NaN               Native Library     sRDI            Classic
Template name convention
It is also very important to understand the template naming convention, to avoid misinterpreting an artifact's behaviour.
- Classic: a classic template usually uses the VirtualAlloc/VirtualAllocEx and CreateThread/CreateRemoteThread APIs to allocate and execute arbitrary code
- Dinvoke: if a template name contains only dinvoke (e.g. classic-dinvoke.cs), it uses the dynamic function resolution feature of DInvoke
- dinvoke-subtechnique: a template name containing dinvoke followed by another keyword uses a particular DInvoke feature, such as manual_mapping, overload_mapping or syscalls
- Syscalls: as the name suggests, this template uses syscalls
- PE Load: this template tries to map a full PE into memory without transforming it
- Assembly Load: this template tries to execute a .NET assembly using reflection
Usage
usage: inceptor.py [-h] [-hh] [-Z] {native,dotnet,powershell} ...

inceptor: A Windows-based PE Packing framework designed to help
Red Team Operators to bypass common AV and EDR solutions

positional arguments:
  {native,dotnet,powershell}
    native              Native Binaries Generator
    dotnet              .NET Binaries Generator
    powershell          PowerShell Wrapper Scripts Generator

optional arguments:
  -h, --help            show this help message and exit
  -hh                   Show functional table
  -Z, --check           Check file against ThreatCheck
Next Developments
- New Template Engine
- New Templates
- New Encoders
- C# Code-Based obfuscation
Resources
- Inceptor – Bypass AV-EDR solutions combining well known techniques
- A tale of EDR bypass methods