☣️AV Evasion & Obfuscation

AV evasion and obfuscation techniques are used by attackers to avoid detection by antivirus (AV) software. They involve modifying or disguising malicious code so that it appears harmless or undetectable to security scanners. This can include changing file signatures, encrypting payloads, or using polymorphic techniques to generate new, unique versions of malware. By evading detection, attackers can increase the chances of successfully compromising a system and maintaining access without triggering alarms.

AV Evasion With Shellter

Defense Evasion

  • Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. – MITRE

AV Detection Methods

AV software will typically utilize signature-, heuristic- and behaviour-based detection.

  • Signature-based detection - An AV signature is a unique sequence of bytes that identifies a known piece of malware. As a result, you will have to ensure that your obfuscated exploit or payload doesn't match any known signature in the AV database.

    We can bypass signature-based detection by modifying the malware's byte sequence, therefore changing the signature.

  • Heuristic-based detection - Relies on rules or decision logic to determine whether a binary is malicious. It also looks for specific patterns within the code or in the program's calls.

  • Behavior-based detection - Relies on identifying malware by monitoring its behavior at runtime (used for newer strains of malware).

AV Evasion Techniques

On-disk Evasion Techniques:

  • Obfuscation - Obfuscation refers to the process of concealing something important, valuable, or critical. Obfuscation reorganizes code in order to make it harder to analyze or reverse engineer (RE).

  • Encoding - Encoding data is a process involving changing data into a new format using a scheme. Encoding is a reversible process; data can be encoded to a new format and decoded to its original format.

  • Packing - Generates an executable with a new binary structure and a smaller size, which gives the payload a new signature.

  • Crypters - Encrypts code or payloads and decrypts the encrypted code in memory. The decryption key/function is usually stored in a stub.
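As an added example that is not part of the original notes, here is the defender's view of the two sections above: a minimal scanner that layers the signature check from AV Detection Methods with an entropy heuristic for the packed or encrypted bodies that Packing and Crypters produce. The signature names, the 7.2-bit threshold and the three sample files are constructed placeholders, not real signatures or malware:

```python
import math
from collections import Counter

# Constructed demo signatures: byte patterns a signature engine would search
# for. Placeholders for illustration, not real AV signatures.
SIGNATURES = {
    "demo.marker.generic": b"DEMO-MALWARE-MARKER",
    "demo.cmd.recon": b"cmd.exe /c whoami",
}
WINDOW = 256          # entropy is measured per 256-byte window
HIGH_ENTROPY = 7.2    # bits per byte; encrypted/compressed data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signature_matches(data: bytes) -> list:
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)

def max_window_entropy(data: bytes) -> float:
    windows = (data[i:i + WINDOW] for i in range(0, len(data), WINDOW))
    return max((shannon_entropy(w) for w in windows), default=0.0)

def scan(data: bytes) -> dict:
    """Signature pass first, then the entropy heuristic for what signatures miss."""
    sigs = signature_matches(data)
    ent = max_window_entropy(data)
    if sigs:
        verdict = "malicious (signature)"
    elif ent >= HIGH_ENTROPY:
        # Looks packed or encrypted. Legitimate compressed resources trigger this
        # too, so treat it as a lead for sandboxing/unpacking, not as proof.
        verdict = "suspicious (high entropy, possible packer/crypter)"
    else:
        verdict = "clean"
    return {"signatures": sigs, "max_entropy": round(ent, 3), "verdict": verdict}

# Constructed samples (not real malware): a file carrying a known signature,
# a "packed" file whose body is uniform bytes, and plain text.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"cmd.exe /c whoami" + b"\x00" * 40
PACKED_SAMPLE = b"MZ\x90\x00" + b"stub" * 10 + bytes(range(256)) * 4
TEXT_SAMPLE = b"This is an ordinary readme file with nothing unusual in it.\n" * 8

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("packed", PACKED_SAMPLE), ("text", TEXT_SAMPLE)):
        print(label, scan(sample))
```

The packed sample has no signature hit at all and is caught only by the entropy window, which is why real engines combine both layers with the behavioural checks mentioned above.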

In-Memory Evasion Techniques:

  • Focuses on manipulation of memory and does not write files to disk.

  • Injects payload into a process by leveraging various Windows APIs.

  • Payload is then executed in memory in a separate thread.

Shellter Overview and Usage

  • Shellter is a versatile and dynamic shellcode injection tool commonly used for creating and embedding malicious payloads into legitimate Windows executable files. It employs advanced techniques like dynamic payload encryption and polymorphism to evade antivirus detection and enhance the success of exploitation. Security professionals also use Shellter for penetration testing and vulnerability assessments.

  • To install Shellter, execute the following command:

    sudo apt-get install shellter -y

  • Shellter is a Windows executable, so install Wine with 32-bit support. The i386 architecture has to be enabled and the package lists refreshed before wine32 can be installed:

    sudo dpkg --add-architecture i386
    sudo apt-get update
    sudo apt-get install wine32

  • To run Shellter, use the command:

    sudo wine shellter.exe

  • Select the Auto option and provide the path to the executable file you want to merge the payload into.

  • Additionally, set up a listener for the msfvenom payload so that the target system can connect back to it.

Obfuscating PowerShell Code

Obfuscation

  • Obfuscation refers to the process of concealing something important, valuable, or critical. Obfuscation reorganizes code in order to make it harder to analyze or reverse engineer (RE).

  • As a penetration tester, you will find yourself working with PowerShell code frequently. Most AV solutions will immediately flag malicious PowerShell code; as a result, you must be able to obfuscate/encode your PowerShell code and scripts in order to avoid detection.

Invoke-Obfuscation

  • Invoke-Obfuscation is a popular PowerShell obfuscation tool available on GitHub, designed to alter and disguise PowerShell scripts to evade traditional security detection mechanisms. It uses various techniques to transform the code's structure and syntax, making it challenging for antivirus software to detect and analyze malicious intent. Security researchers and red teamers utilize Invoke-Obfuscation to test the effectiveness of defenses and assess the resilience of their systems against obfuscated PowerShell attacks.

Running PowerShell commands on Linux:

  • To install PowerShell, run the following command (the package is in the Kali repositories; on other distributions, add Microsoft's package repository first):

    sudo apt-get install powershell -y

  • After installation, use the command pwsh to launch PowerShell.

Usage and some common commands (run inside pwsh, from the cloned Invoke-Obfuscation repository directory):

  • Load and launch Invoke-Obfuscation: Import-Module ./Invoke-Obfuscation.psd1; Invoke-Obfuscation

  • List the commands the module exports (the obfuscation options themselves are presented in the interactive menu): Get-Command -Module Invoke-Obfuscation

  • Apply a specific obfuscation option non-interactively (e.g., TOKEN\ALL\1) via the -Command parameter: Invoke-Obfuscation -ScriptBlock {Write-Host "Hello, World!"} -Command 'TOKEN\ALL\1' -Quiet
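As an added example that is not part of the original notes (and not Invoke-Obfuscation's own code), here is the detection side of this section: a scorer for PowerShell ScriptBlock log text that flags the token-, string- and encoding-level tricks such tools produce and recovers the plaintext of an -EncodedCommand argument. The indicator weights, the threshold and both sample scripts are assumptions constructed for the demo:

```python
import base64
import re

# Weighted indicators (assumed weights, not a vendor ruleset) applied to
# PowerShell ScriptBlock log text such as Event ID 4104 entries.
INDICATORS = {
    "backtick_escape": (re.compile(r"[A-Za-z]`[A-Za-z]"), 2),                 # Wr`ite-Host
    "format_operator": (re.compile(r"-f\s*['\"]"), 2),                       # "{1}{0}" -f 'b','a'
    "string_concat":   (re.compile(r"['\"][^'\"]{0,4}['\"]\s*\+\s*['\"]"), 1),  # 'Wr'+'ite'
    "char_cast":       (re.compile(r"\[char\]", re.I), 2),                   # [char]72
    "join_operator":   (re.compile(r"-join\b", re.I), 1),
    "indirect_invoke": (re.compile(r"[&.]\s*\(\s*['\"(]"), 2),               # &('cmd')
    "random_casing":   (re.compile(r"(?:[a-z][A-Z]){2}|(?:[A-Z][a-z]){2}[A-Z]"), 2),  # iNvOkE
    "encoded_command": (re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I), 3),
}
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_SCORE = 4  # assumed threshold; tune it against your own script baseline

def decode_encoded_command(script: str):
    """Recover the plaintext of an -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(script: str) -> dict:
    """Score one script block; each indicator contributes at most three hits."""
    hits, score = {}, 0
    for name, (pattern, weight) in INDICATORS.items():
        n = len(pattern.findall(script))
        if n:
            hits[name] = n
            score += weight * min(n, 3)
    return {"score": score, "indicators": hits, "decoded": decode_encoded_command(script),
            "suspicious": score >= SUSPICIOUS_SCORE}

# Constructed samples: a benign admin one-liner, and harmless commands rewritten
# with the concatenation, casing, format and encoding tricks obfuscators apply.
BENIGN = "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, CPU"
ENC_B64 = base64.b64encode('Write-Host "Hi"'.encode("utf-16le")).decode()
OBFUSCATED = ("&('Wr'+'ite-Ho'+'st') ([char]72+[char]105); "
              "iN`vOkE-ExPrEsSiOn (\"{1}{0}\" -f 'Date','Get-'); "
              "powershell -EncodedCommand " + ENC_B64)

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(label, analyze(script))
```

The random_casing pattern also fires on base64 text, so a decoded -EncodedCommand should be re-scored on its plaintext rather than trusting the raw hit count.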

Hacker's Mantra: A hacker does not deliberately destroy data or profit from his activities. - Kevin Mitnick