AV Evasion
Overview (Wreath THM)
When it comes to AV evasion we have two primary types available:
On-Disk evasion
On-Disk evasion is when we try to get a file (be it a tool, script, or otherwise) saved on the target, then executed. This is very common when working with executable (.exe) files.
In-Memory evasion
In-Memory evasion is when we try to import a script directly into memory and execute it there.
AV Evasion usually involves some form of obfuscation when it comes to payloads. This could be anything from moving things around in the exploit, changing variable names, to encoding aspects of the script, to outright encrypting the payload and writing a wrapper to decrypt and execute the code section-by-section.
AV Detection Methods
Two types:
Static Detection
Involves some kind of signature detection.
Never used by itself in modern antivirus products.
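As an added illustration of what "signature detection" means in practice (this is example code written for these notes, not part of the Wreath room or any AV product), the following Python scanner applies the two most common static checks to a file's bytes: a SHA-256 denylist lookup and content-pattern signatures (the same idea as a YARA string rule). The sample "files", hash entry and rule names are all constructed inline for the demo. The third scan in the usage block shows why a hash list alone is brittle: appending a single byte breaks the hash match while the content signature still fires.

```python
import hashlib
import re

# Constructed sample "files" for this demo: a few bytes with an EXE-like header
# and a marker string. They are not real malware, just stand-ins for scanned files.
SAMPLE_FLAGGED = b"MZ\x90\x00" + b"\x00" * 16 + b"DEMO_MARKER_STRING" + b"\x00" * 8
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"hello world" + b"\x00" * 8

# Hash denylist (rule name per SHA-256). A real AV ships a large database of
# these; here the one entry is computed from the constructed sample above.
HASH_DENYLIST = {hashlib.sha256(SAMPLE_FLAGGED).hexdigest(): "demo.hash.rule"}

# Content signatures: byte patterns compiled as regexes, the same idea as a
# YARA string rule. Rule names are placeholders for this demo.
CONTENT_SIGNATURES = {
    "demo.marker.rule": re.compile(rb"DEMO_MARKER_STRING"),
}


def hash_match(data: bytes):
    """Return the rule name if the file's SHA-256 is on the denylist, else None."""
    return HASH_DENYLIST.get(hashlib.sha256(data).hexdigest())


def content_matches(data: bytes):
    """Return the names of all content signatures found anywhere in the bytes."""
    return sorted(name for name, pattern in CONTENT_SIGNATURES.items()
                  if pattern.search(data))


def static_scan(data: bytes) -> dict:
    """Static scan: hash lookup plus content signatures, without executing the file."""
    hits = []
    rule = hash_match(data)
    if rule:
        hits.append(rule)
    hits.extend(content_matches(data))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "hits": hits,
        "verdict": "flagged" if hits else "clean",
    }


if __name__ == "__main__":
    for label, sample in [("flagged", SAMPLE_FLAGGED),
                          ("benign", SAMPLE_BENIGN),
                          ("flagged + 1 byte", SAMPLE_FLAGGED + b"\x00")]:
        print(label, static_scan(sample))
```

Nothing here runs the scanned bytes, which is exactly the limitation the notes point at: a static engine only sees what is literally on disk, so vendors layer the behavioural checks described in the next section on top of it.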
Dynamic / Heuristic / Behavioral Detection
Can go through the executable line by line, checking the flow of execution:
Is the program reaching out to a known bad website, or messing with values in the registry that it shouldn't be?
The suspicious software can outright be executed inside a sandbox environment under close supervision from the AV software. If the program acts maliciously then it is quarantined and flagged as malware.
This can be bypassed by having the software determine if it's in a sandbox or not - no fan? no GUI? and a classic VM service running... SANDBOX!!
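The two behaviours the notes single out (contacting a known bad host and writing to registry locations it shouldn't) are exactly what a behavioural engine scores. The following Python is an added example written for these notes, not code from the Wreath room or from any AV vendor: it parses a few constructed key=value telemetry lines, applies two behavioural rules to each process, sums a weight per rule, and flags a process once it crosses a threshold. The bad-host list, rule weights, threshold and process images are all made-up demo values; the two Run keys are the standard Windows autostart locations.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry for this demo (made-up processes, hosts and
# keys in key=value form; values with spaces are quoted). Not real data.
EVENTS = r'''
pid=1001 image="C:\Users\demo\update.exe" type=net dest=bad.example.invalid port=443
pid=1001 image="C:\Users\demo\update.exe" type=reg key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=Updater
pid=1002 image="C:\Program Files\Editor\editor.exe" type=net dest=updates.example.invalid port=443
pid=1002 image="C:\Program Files\Editor\editor.exe" type=file op=write path="C:\Users\demo\notes.txt"
'''

# Placeholder indicator list; a real deployment feeds this from threat intel.
KNOWN_BAD_HOSTS = {"bad.example.invalid"}

# Standard Windows autostart keys that ordinary software rarely needs to write.
AUTORUN_KEY_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Behaviours and the weight each adds to a process score (demo values).
RULES = {
    "contact-known-bad-host": 10,
    "autorun-registry-write": 6,
}
FLAG_THRESHOLD = 8

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def match_rules(event: dict) -> list:
    """Return the names of behavioural rules triggered by a single event."""
    hits = []
    if event.get("type") == "net" and event.get("dest") in KNOWN_BAD_HOSTS:
        hits.append("contact-known-bad-host")
    if event.get("type") == "reg" and event.get("key", "").startswith(AUTORUN_KEY_PREFIXES):
        hits.append("autorun-registry-write")
    return hits


def analyze(log_text: str) -> dict:
    """Score each process by the behaviours seen across all of its events."""
    processes = defaultdict(lambda: {"image": None, "score": 0, "reasons": []})
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        pid = int(event["pid"])
        record = processes[pid]
        record["image"] = event.get("image")
        for rule in match_rules(event):
            record["score"] += RULES[rule]
            record["reasons"].append(rule)
    for record in processes.values():
        record["flagged"] = record["score"] >= FLAG_THRESHOLD
    return dict(processes)


if __name__ == "__main__":
    for pid, record in analyze(EVENTS).items():
        print(pid, record)
```

Scoring across events rather than alerting on each one is the point of the "flow of execution" idea in the notes: a single outbound HTTPS connection looks like any updater, but the same process also adding itself to a Run key pushes it over the threshold. The editor process makes a similar connection and writes a file, and stays below it.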