AV Evasion

Overview (Wreath THM)

When it comes to AV evasion there are two primary types:

  • On-Disk evasion

    • On-Disk evasion is when we try to get a file (be it a tool, script, or otherwise) saved on the target, then executed. This is very common when working with executable (.exe) files.

  • In-Memory evasion

    • In-Memory evasion is when we try to import a script directly into memory and execute it there, so nothing is written to disk for the AV to scan.

AV evasion usually involves some form of obfuscation of the payload. This could be anything from reordering parts of the exploit or renaming variables, to encoding parts of the script, to outright encrypting the payload and writing a wrapper that decrypts and executes the code section by section.

AV Detection Methods

Two types:

  • Static Detection

    • Involves some kind of signature detection.

    • Never used by itself in modern antivirus products, since trivial changes to the file defeat a byte-pattern match.

  • Dynamic / Heuristic / Behavioral Detection

    • Can step through the executable line by line, checking the flow of execution.

      • Is the program reaching out to a known bad website, or messing with values in the registry that it shouldn't be?

    • The suspicious software can be executed outright inside a sandbox environment under close supervision from the AV software. If the program acts maliciously, it is quarantined and flagged as malware.

Sandbox analysis can be bypassed by having the software first determine whether it is running in a sandbox: no fan? no GUI? a classic VM service running... SANDBOX!!
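To make the static-versus-behavioral distinction above concrete, here is a toy two-layer scanner (added example, not part of the THM material): a byte-signature check over file contents next to a behavioral rule check over a constructed sandbox event trace. The signature strings, the "known bad" domain and the trace format are all constructed placeholders.

```python
import base64

# Layer 1: static signatures, i.e. byte patterns matched against the file on disk.
# Constructed placeholders, not real AV signatures.
STATIC_SIGNATURES = [b"Invoke-ConstructedBadThing", b"constructed -enc marker"]

# Layer 2: behavioral indicators observed while the sample runs in a sandbox.
KNOWN_BAD_DOMAINS = {"bad.example"}  # constructed placeholder, not a real IoC
# Run keys are a classic persistence location, so writes there are suspicious.
SENSITIVE_REGISTRY_PREFIXES = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


def static_scan(file_bytes: bytes) -> list[str]:
    """Return the static signatures found in the raw file contents."""
    return [sig.decode() for sig in STATIC_SIGNATURES if sig in file_bytes]


def behavioral_scan(events: list[dict]) -> list[str]:
    """Return findings from a sandbox trace; each event is a dict with a 'type'
    plus type-specific fields (constructed format for this example)."""
    findings = []
    for ev in events:
        if ev["type"] == "dns" and ev["name"] in KNOWN_BAD_DOMAINS:
            findings.append(f"contacted known-bad domain {ev['name']}")
        elif ev["type"] == "registry_write" and ev["key"].startswith(SENSITIVE_REGISTRY_PREFIXES):
            findings.append(f"persistence registry write to {ev['key']}")
    return findings


def verdict(file_bytes: bytes, events: list[dict]) -> str:
    """Combine both layers: either layer firing is enough to flag the sample."""
    return "malicious" if static_scan(file_bytes) or behavioral_scan(events) else "clean"


# Constructed sample: the plain script contains both signature strings.
PLAIN_SCRIPT = b"constructed -enc marker ; Invoke-ConstructedBadThing"
# The same bytes base64-encoded: identical behavior, but no signature matches.
ENCODED_SCRIPT = base64.b64encode(PLAIN_SCRIPT)

# Constructed sandbox trace shared by both variants, since they do the same thing when run.
SANDBOX_TRACE = [
    {"type": "dns", "name": "bad.example"},
    {"type": "registry_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"type": "file_read", "path": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    print("plain  :", static_scan(PLAIN_SCRIPT), verdict(PLAIN_SCRIPT, SANDBOX_TRACE))
    print("encoded:", static_scan(ENCODED_SCRIPT), verdict(ENCODED_SCRIPT, SANDBOX_TRACE))
```

The encoded variant yields no static hits, yet the verdict is unchanged because the behavioral layer sees the same DNS lookup and Run-key write; that is the reason signatures are never used on their own.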