AV Evasion & Obfuscation
Two broad categories: on-disk evasion and in-memory evasion. On Windows you also need to bypass AMSI.
Tools
Shellter
It is an .exe, so on Linux you need Wine:
sudo dpkg --add-architecture i386; sudo apt-get update
sudo apt-get install wine32
sudo apt-get install shellter -y
cd /usr/share/windows-resources/shellter
sudo wine shellter.exe
Simple binary in /usr/share/windows-binaries/
Payload with msfvenom and EXITTHREAD=process
Invoke-Obfuscation
pwsh
> Import-Module ./Invoke-Obfuscation.psd1
> Invoke-Obfuscation
> SET SCRIPTBLOCK <COMMAND>
ScareCrow
./ScareCrow -I <PAYLOAD> -d <www.domainToImitate.com> -encryptionmode AES
Yet to be seen
Archives with password
Storing the payload in a password-protected archive bypasses many common antivirus signatures today, because the AV cannot inspect the encrypted contents. The downside is that such files are raised as notifications in the AV alert dashboard as unscannable due to being locked with a password, so they are not invisible, just unreadable.
Download rar from the vendor, or sudo apt-get install rar.
Also try archiving it multiple times (nested archives).
Packer
Packing is the process in which the payload is compressed together with an executable program and decompression code into a single file. When executed, the decompression code reverts the backdoored executable to its original state in memory.
Examples: UPX, The Enigma Protector, MPRESS, Alternate EXE Packer, ExeStealth, Morphine, MEW, Themida.
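The flip side for a defender: packed payloads leave two cheap indicators, packer-specific section names and high-entropy (compressed or encrypted) sections. The following is an added example written for these notes, not code from any of the packers above; it parses PE section headers by hand and builds a constructed, minimal PE so it runs offline. The section-name list (UPX, MPRESS) and the 7.0 bits/byte threshold are assumptions to tune, not a signature database.

```python
import hashlib, math, struct
# Section names left behind by two packers listed above (UPX, MPRESS); assumption:
# a starting point for a check, not an exhaustive packer signature database.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0
SAMPLE_HIGH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # constructed stand-in for compressed data

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Yield (name, raw bytes) for each section of a PE image, without pefile."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[:2] != b"MZ" or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4  # COFF file header follows the PE signature
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def packer_indicators(blob: bytes) -> list:
    """Reasons the file looks packed; an empty list means no indicator fired."""
    reasons = []
    for name, data in pe_sections(blob):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} is a known packer section name")
        ent = shannon_entropy(data)
        if len(data) >= 256 and ent > HIGH_ENTROPY:
            reasons.append(f"section {name!r} entropy {ent:.2f} exceeds {HIGH_ENTROPY}")
    return reasons

def build_sample_pe(sections) -> bytes:  # constructed minimal PE (no optional header) for tests
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr, table, body = 0x40 + 24 + 40 * len(sections), b"", b""
    for name, data in sections:
        hdr = struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        table, body, ptr = table + name.encode().ljust(8, b"\0") + hdr, body + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + table + body
```

Run packer_indicators over a real PE by reading the file as bytes; a legitimately compressed resource section can also trip the entropy check, so treat the output as a triage hint rather than a verdict.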