AV Evasion & Obfuscation
AV evasion and obfuscation techniques are used by attackers to avoid detection by antivirus (AV) software. They involve modifying or disguising malicious code so that it appears harmless or undetectable to security scanners. This can include changing file signatures, encrypting payloads, or using polymorphic techniques to generate new, unique versions of malware. By evading detection, attackers can increase the chances of successfully compromising a system and maintaining access without triggering alarms.
AV Evasion With Shellter
Defense Evasion
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. – MITRE
AV Detection Methods
AV software will typically utilize signature-, heuristic- and behaviour-based detection.
Signature-based detection - An AV signature is a unique sequence of bytes that identifies a piece of malware. As a result, you will have to ensure that your obfuscated exploit or payload doesn't match any known signature in the AV database.
We can bypass signature-based detection by modifying the malware's byte sequence, therefore changing the signature.
Heuristic-based detection - Relies on rules or decisions to determine whether a binary is malicious. It also looks for specific patterns within the code or program calls.
Behavior-based detection - Relies on identifying malware by monitoring its behavior. (Used for newer strains of malware)
AV Evasion Techniques
On-disk Evasion Techniques:
Obfuscation - Obfuscation refers to the process of concealing something important, valuable, or critical. Obfuscation reorganizes code in order to make it harder to analyze or reverse engineer (RE).
Encoding - Encoding data is a process involving changing data into a new format using a scheme. Encoding is a reversible process; data can be encoded to a new format and decoded back to its original format.
Packing - Generates an executable with a new binary structure and a smaller size, which therefore gives the payload a new signature.
Crypters - Encrypt code or payloads and decrypt the encrypted code in memory. The decryption key/function is usually stored in a stub.
In-Memory Evasion Techniques:
Focuses on manipulation of memory and does not write files to disk.
Injects the payload into a process by leveraging various Windows APIs.
The payload is then executed in memory in a separate thread.
Shellter Overview and Usage
Shellter is a versatile and dynamic shellcode injection tool commonly used for creating and embedding malicious payloads into legitimate Windows executable files. It employs advanced techniques like dynamic payload encryption and polymorphism to evade antivirus detection and enhance the success of exploitation. Security professionals also use Shellter for penetration testing and vulnerability assessments.
To install Shellter, execute the following command:
To install Wine, perform the following steps:
To run Shellter, use the command:
Select the Auto option and provide the path to the executable file you want to merge the payload into.
Additionally, create a listener using msfvenom so that the target system can connect to it.
Obfuscating PowerShell Code
Obfuscation
Obfuscation refers to the process of concealing something important, valuable, or critical. Obfuscation reorganizes code in order to make it harder to analyze or RE.
As a penetration tester, you will find yourself working with PowerShell code frequently. Most AV solutions will immediately flag malicious PowerShell code; as a result, you must be able to obfuscate/encode your PowerShell code and scripts in order to avoid detection.
Invoke-Obfuscation
Invoke-Obfuscation is a popular PowerShell obfuscation tool available on GitHub, designed to alter and disguise PowerShell scripts to evade traditional security detection mechanisms. It uses various techniques to transform the code's structure and syntax, making it challenging for antivirus software to detect and analyze malicious intent. Security researchers and red teamers utilize Invoke-Obfuscation to test the effectiveness of defenses and assess the resilience of their systems against obfuscated PowerShell attacks.
For Running PowerShell Commands in Linux:
To install the PowerShell repository, run the following command:
After installation, use the command pwsh to launch PowerShell.
Usage and some common commands:
Launch Invoke-Obfuscation (from the cloned repository, import the module and then call it):
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation
List the commands exported by the module:
Get-Command -Module Invoke-Obfuscation
Choose a specific obfuscation option non-interactively by passing its menu path to -Command (e.g., TOKEN\ALL\1):
Invoke-Obfuscation -ScriptBlock {Write-Host "Hello, World!"} -Command 'TOKEN\ALL\1' -Quiet
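The detection side of this, as an added example that is not part of the original page nor of Invoke-Obfuscation: a Python scorer run over constructed PowerShell script-block log lines that flags the token tricks, string reassembly and -EncodedCommand launchers described above, and decodes the encoded form so the real script is judged rather than the launcher. The indicator list, weights and threshold are assumptions to be tuned against your own baseline.

```python
import base64
import re

# Weighted indicators of the PowerShell obfuscation styles Invoke-Obfuscation emits
# (token tricks, string reassembly, launchers). Weights are assumptions for this demo.
INDICATORS = [
    # backtick inside a word (Wr`ite-Ho`st); common escapes such as `n `t are skipped
    ("backtick-split token", 2, re.compile(r"[A-Za-z]`(?![ntrab0])[A-Za-z]")),
    ("format-operator reassembly", 2, re.compile(r"\{\d+\}.*-f\s", re.I)),
    ("char-code construction", 2, re.compile(r"\[char\]\s*\d", re.I)),
    ("join/reverse of pieces", 2, re.compile(r"-join\b|\[-1\.\.", re.I)),
    ("Invoke-Expression", 1, re.compile(r"\biex\b|invoke-expression", re.I)),
    ("encoded command launcher", 3,
     re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
]
SUSPICIOUS_SCORE = 2  # assumed threshold; tune against your own baseline


def decode_encoded_command(line):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", line, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line):
    """Score one script-block / command-line log entry; the decoded form is scanned too."""
    hits = {name: w for name, w, rx in INDICATORS if rx.search(line)}
    decoded = decode_encoded_command(line)
    if decoded:  # the launcher hides the real script, so judge that as well
        hits.update({f"decoded:{n}": w for n, w, rx in INDICATORS if rx.search(decoded)})
    symbols = sum(1 for c in line if not c.isalnum() and not c.isspace())
    ratio = symbols / max(len(line), 1)
    if ratio > 0.35:  # plain cmdlet invocations sit well below this
        hits["high symbol ratio"] = 1
    score = sum(hits.values())
    return {"score": score, "suspicious": score >= SUSPICIOUS_SCORE,
            "hits": sorted(hits), "decoded": decoded}


# Constructed sample log lines (not real telemetry): plain, backtick, -f reassembly, encoded.
SAMPLE_LINES = [
    'Write-Host "Hello, World!"',
    "Wr`ite-Ho`st \"Hello, World!\"",
    "&(\"{1}{0}\" -f 'e-Host','Writ') (\"{0}{1}\" -f 'Hello, ','World!')",
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode('Write-Host "Hello, World!"'.encode("utf-16-le")).decode(),
]
```

Running analyze over SAMPLE_LINES leaves the plain line at score 0 and flags the other three, with the encoded launcher reported alongside its decoded script.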
Hacker's Mantra:
A hacker does not deliberately destroy data or profit from his activities. - Kevin Mitnick