AV Evasion & Obfuscation

Two families of techniques: on-disk evasion and in-memory evasion.

You need to bypass AMSI in Windows.

Sites

  • Does not divulge any submitted sample to third parties.

  • Once scanned, the platform sends our sample to every antivirus vendor that has an active membership.

Tools

  • Shellter
    It is an .exe, so on Linux you need Wine:
    sudo dpkg --add-architecture i386 && sudo apt-get update && sudo apt-get install wine32
    sudo apt-get install shellter -y
    Note that to restore the execution flow through the Stealth Mode option, custom payloads need to terminate by exiting the current thread (msfvenom payload with EXITFUNC=thread).
    A simple binary to work with can be found in /usr/share/windows-binaries/.
    cd /usr/share/windows-resources/shellter
    sudo wine shellter.exe

  • Veil
    sudo apt -y install veil
    /usr/share/veil/config/setup.sh --force --silent
    veil

  • Invoke-Obfuscation
    pwsh
    > Import-Module .\Invoke-Obfuscation.psd1
    > Invoke-Obfuscation
    > SET SCRIPTBLOCK <COMMAND>

  • ScareCrow
    ./ScareCrow -I <PAYLOAD> -d <www.domainToImitate.com> -encryptionmode AES

  • Yet to be seen

  • Packers: UPX, The Enigma Protector. Alternatives: MPRESS, EXE Packer, ExeStealth, Morphine, MEW, Themida.

On-disk

  • Packers

  • Obfuscators

  • Crypter

  • Anti-reversing & Anti-debugging

  • Virtual machine emulation detection

In-memory

Also known as PE Injection.

  • Remote Process Memory Injection

    • attempts to inject the payload into another valid PE that is not malicious.

  • Reflective DLL Injection

    • attempts to load a DLL stored by the attacker in the process memory.

  • Process Hollowing

    • attempts to launch a non-malicious process in suspended state, remove its image from memory, and replace it with a malicious executable before resuming execution.

  • Inline hooking

    • attempts to modify memory by introducing a hook into a function to redirect code execution to malicious code, then return to the modified function to resume normal execution.


Other

Archives with password

Storing the file in a password-protected archive bypasses many common antivirus signatures today. The downside is that such archives are raised as notifications in the AV alert dashboard as unscannable, because they are locked with a password.

Download rar from the vendor, or install it with sudo apt-get install rar.

Also try to archive it multiple times.
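From the defender's side, this is what the "unscannable" notification rests on: an engine can see that an archive member is password-protected (bit 0 of the entry's flag bits) but cannot open it. The following triage script is an added example, not part of these notes; it walks a zip, recurses into nested zips (the "archived multiple times" case), and reports encrypted members and nesting depth. All function names and the sample input are my own constructions.

```python
"""Defender-side triage: walk a (possibly nested) zip archive and report the
members an AV engine cannot inspect (password-protected entries) plus how
many archive layers deep the content sits."""
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the zip entry header


def entry_is_encrypted(info: zipfile.ZipInfo) -> bool:
    """True when the member is password-protected (bit 0 of flag_bits set)."""
    return bool(info.flag_bits & ENCRYPTED_FLAG)


def triage_zip(data: bytes, prefix: str = "", max_depth: int = 8,
               _depth: int = 0) -> dict:
    """Return {'max_depth', 'encrypted', 'unreadable'} for the archive bytes.
    Nested .zip members are opened recursively (up to max_depth) so a file
    that was archived several times over is still surfaced."""
    result = {"max_depth": _depth, "encrypted": [], "unreadable": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["unreadable"].append(prefix or "<root>")
        return result
    with zf:
        for info in zf.infolist():
            name = prefix + info.filename
            if entry_is_encrypted(info):
                # No content without the password: this is what an AV console
                # reports as "unscannable" rather than "clean".
                result["encrypted"].append(name)
                continue
            if info.filename.lower().endswith(".zip") and _depth < max_depth:
                inner = triage_zip(zf.read(info), name + "!", max_depth, _depth + 1)
                result["max_depth"] = max(result["max_depth"], inner["max_depth"])
                result["encrypted"] += inner["encrypted"]
                result["unreadable"] += inner["unreadable"]
    return result


def build_nested_sample(levels: int) -> bytes:
    """Constructed sample input: a harmless text file wrapped in `levels` zip
    layers, standing in for a file that was archived multiple times."""
    blob, name = b"hello", "note.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"layer{i}.zip"
    return blob
```

Run `triage_zip(build_nested_sample(3))` to see a depth-2 nesting reported; on a real sample, a non-empty `encrypted` list is the condition that produces the dashboard notification described above.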
