Summary:
This article provides an overview of different evasion techniques used to bypass security measures in software or tools.

Introduction

Signature-based Detection relies on a database of signatures for known malicious binaries, so bypassing it is a comparatively simple way to attempt to evade antivirus and endpoint security software. Behaviour-based Detection is more reliable at catching malicious behaviour, but it too can be bypassed with a private Packer.

Behaviour-based Detection can lead to an AV/EDR action or to a Memory Scan at runtime, triggered by specific behaviours such as writing to memory, loading specific libraries in a specific order or time-frame, creating registry entries, or making initial HTTP requests. Various bypass techniques exist for Defender, depending on which behaviour was detected. One example of a behaviour that leads to an AV action is the Fodhelper UAC bypass.

Meterpreter can be detected by Defender if it is launched with a stageless payload or if it uses reflective DLL injection. However, this detection can be disabled by passing a command to msfconsole.

Cobalt Strike is another popular C2 framework whose behaviour is heavily analyzed by security tools. To avoid detection by Memory Scans, it is necessary to modify the source code, bypass Memory Scans with autostdapi-Loading, or encrypt the C2-server’s memory.

Fingerprinting and Detection can be avoided by encrypting and obfuscating the C2-server’s memory, using direct or indirect Syscalls, and using environmental keying.

If you want to use the Arsenal Kit, you need to be familiar with C/C++ and heavily customize the template code to get rid of detections. It is also suggested to use raw-Shellcode output together with your own private custom Loader/Packer to implement the measures mentioned above. Even if you meet all of these requirements, your implant can still be detected in mature environments; depending on which EDR is used in the target environment, this may not be enough, and some problems remain.

Evasion techniques are used to bypass security measures in software or tools. The article gives an overview of different evasion techniques and ends with the question of whether all this effort is really necessary.

Behaviour-based Detection

Behaviour-based Detection is a method used by Anti-Virus (AV) and Endpoint Detection and Response (EDR) systems to detect malicious activity on a system. It is more reliable than Signature-based Detection, which relies on a signature database of known malicious binaries. Behaviour-based Detection can lead to an AV/EDR action or to a Memory Scan at runtime, depending on the behaviours that are detected. Examples of behaviours that can trigger an AV/EDR action or a Memory Scan include writing to memory, loading specific libraries in a specific order or time-frame, creating registry entries, and making initial HTTP requests.

There are various bypass techniques available for Defender, depending on the behaviour that was detected. For example, the Fodhelper UAC bypass is a behaviour that leads to an AV action. The text also gives an overview of how behaviour-based detection of Meterpreter works: Meterpreter can be detected by Defender if it is launched with a stageless payload or if it uses reflective DLL injection, and this detection can be disabled by passing a command to msfconsole.
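As an added example that is not part of the original article, the following routine shows how a defender can turn the Fodhelper UAC bypass named above into a detection over Sysmon-style events: a write to the per-user ms-settings protocol handler followed shortly by a fodhelper.exe launch for the same user. The event records, field names, SID and user names are constructed assumptions of this example, not values from the page.

```python
"""Detect the Fodhelper UAC-bypass behaviour chain in Sysmon-style events.

Added example, not code from the original article. The event records are
constructed samples; field names loosely follow Sysmon's RegistryEvent (ID 13)
and ProcessCreate (ID 1) schema, and the SID, user and host values are invented.
"""
from datetime import datetime, timedelta

# fodhelper.exe auto-elevates and consults the per-user ms-settings handler,
# so a write to that key by a medium-integrity process shortly before a
# fodhelper.exe launch by the same user is the behaviour worth alerting on.
HIJACK_KEY = r"\software\classes\ms-settings\shell\open\command"
WINDOW = timedelta(seconds=60)

# Constructed sample events, in arrival order.
SAMPLE_EVENTS = [
    {"id": 13, "time": "2024-05-01T10:00:01", "user": "LAB\\alice", "integrity": "Medium",
     "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\shell\open\command\(Default)"},
    {"id": 1, "time": "2024-05-01T10:00:03", "user": "LAB\\alice", "integrity": "High",
     "image": r"C:\Windows\System32\fodhelper.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "time": "2024-05-01T10:00:04", "user": "LAB\\alice", "integrity": "High",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\fodhelper.exe"},
    # Benign: fodhelper.exe started from the shell with no preceding handler write.
    {"id": 1, "time": "2024-05-01T11:30:00", "user": "LAB\\bob", "integrity": "High",
     "image": r"C:\Windows\System32\fodhelper.exe", "parent": r"C:\Windows\explorer.exe"},
]

def detect_fodhelper_chain(events, window=WINDOW):
    """Return one alert per fodhelper.exe launch that follows, within `window`
    and for the same user, a write under the ms-settings command key."""
    last_write = {}  # user -> (time of hijack write, image that wrote it)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 13 and HIJACK_KEY in ev["target"].lower():
            last_write[ev["user"]] = (t, ev["image"])
        elif ev["id"] == 1 and ev["image"].lower().endswith(r"\fodhelper.exe"):
            hit = last_write.get(ev["user"])
            if hit and t - hit[0] <= window:
                alerts.append({"user": ev["user"], "writer": hit[1],
                               "launched_at": ev["time"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_fodhelper_chain(SAMPLE_EVENTS):
        print("Fodhelper UAC-bypass pattern:", alert)
```

The benign launch by the second user produces no alert because no handler write preceded it, which is the false-positive case a rule like this has to handle.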

Cobalt Strike is another popular C2 framework whose behaviour is heavily analyzed by security tools. There are three ways to avoid detection by Memory Scans: modification of the source code, bypassing Memory Scans with autostdapi-Loading, or encryption of the C2-server’s memory. To avoid fingerprinting and detection after the first connection, it is necessary to encrypt and obfuscate the C2-server’s memory, use direct or indirect Syscalls, and use environmental keying.

The author suggests that if you want to use the Arsenal Kit, you need to be familiar with C/C++ and heavily customize the template code to get rid of detections. He also suggests using raw-Shellcode output and your own private custom Loader/Packer to implement the measures mentioned above. Even if you apply all of these requirements, your implant can still be detected in mature environments; depending on which EDR is used in your target environment, it is simply not enough, and some problems remain.

Evasion techniques are another way to bypass security measures in software or tools. This article discusses how they can be used to do so, provides an overview of different evasion techniques, and ends with the question of whether all this effort is really necessary. As the overview shows, there are many ways to bypass security measures, but the effectiveness of every one of these techniques depends on the environment and the tools being used.

Meterpreter

Meterpreter is a powerful and versatile tool that is often used for penetration testing and for malicious activity. It can be used for purposes such as privilege escalation, data exfiltration, and command execution. It is also popular among attackers because it is designed to bypass security measures, which makes it difficult to detect. As a result, it is important to understand how behaviour-based detection of Meterpreter works and how it can be detected.

Meterpreter can be detected by Defender if it is launched with a stageless payload or if it uses reflective DLL injection. When Meterpreter is launched, an initial payload is loaded into memory, and once it is in memory it can be detected by AV/EDR solutions such as Windows Defender. However, the attacker can bypass this by passing a command to msfconsole, which disables Meterpreter’s detection and allows it to run undetected.

Cobalt Strike is another popular C2 framework whose behaviour is heavily analyzed by security tools. It is designed to let attackers quickly create a custom malware payload and deliver it to a target computer. Cobalt Strike is able to bypass security measures by using evasion techniques such as encryption, obfuscation, and environmental keying.

When it comes to Memory Scans, there are three ways to avoid detection: modifying the source code, bypassing Memory Scans with autostdapi-Loading, and encrypting the C2-server’s memory.

To avoid fingerprinting and detection after the first connection, it is necessary to encrypt and obfuscate the C2-server’s memory, use direct or indirect Syscalls, and use environmental keying. Additionally, if you want to use the Arsenal Kit, you need to be familiar with C/C++ and heavily customize the template code to get rid of detections. It is also a good idea to use raw-Shellcode output and your own private custom Loader/Packer to implement the measures mentioned above. Even if you apply all of these requirements, your implant can still be detected in mature environments.

Finally, this article discussed how different evasion techniques can be used to bypass security measures in software or tools. It provided an overview of those techniques and ended with the question of whether all this effort is really necessary. Evasion techniques can help attackers bypass security measures, but they can also leave a trail of evidence that can be tracked. As a result, it is important to be aware of the techniques used to bypass security measures and to use them responsibly.

Cobalt Strike

Cobalt Strike is a popular C2-framework whose behavior is often analyzed by security tools. It is used to facilitate stealthy, persistent access to compromised systems and to perform post-exploitation activities. This framework is used by red teams and attackers in order to bypass security measures and achieve their objectives.

Cobalt Strike is composed of multiple components such as the Beacon, the Malleable C2, the Armitage GUI, and the Aggressor Script. The Beacon is the payload that is typically used to gain a foothold within a target environment. It is responsible for gathering information about the target environment, executing commands and scripts, downloading and executing files, and much more. The Malleable C2 is a tool that allows the attacker to modify the behavior of the Beacon in order to evade detection. The Armitage GUI is a graphical user interface that provides visualizations and assists the attacker with their tasks. Finally, the Aggressor Script is a scripting language that allows the attacker to automate tasks and customize their attacks.

One of the main ways that Cobalt Strike can be detected is through behavior-based detection. This type of detection is more reliable than signature-based detection and can detect malicious activities performed by the Beacon. Examples of behaviors that can trigger an AV/EDR action or memory scan include writing to memory, loading specific libraries in a specific order or time-frame, creating registry entries, and making initial HTTP requests. To avoid detection, the attacker must use evasion techniques such as obfuscation, encryption, and environmental keying. Additionally, the attacker can use a private Packer to further reduce the chances of detection.

The Arsenal Kit is another tool that can be used to bypass security measures. It is a template codebase that can be used to create implants that are undetectable by security tools. To use the Arsenal Kit, the attacker must have a good understanding of C/C++ and heavily customize the template code to get rid of detections. Additionally, the attacker must use raw-Shellcode output and their own private custom Loader/Packer to get the most out of their implant. Even with all of these measures in place, the implant can still be detected in mature environments.

Memory Scans

Signature-based Detection relies on a signature database of known malicious binaries, and bypassing it is relatively simple. Behavior-based Detection is more reliable, but can be bypassed with a private Packer. Behaviour-based Detection can lead to an AV/EDR action or to a Memory Scan at runtime. Some examples of behaviours that can trigger an AV/EDR action or a Memory Scan are writing to memory, loading specific libraries in a specific order or time-frame, creating registry entries, and making initial HTTP requests.

Meterpreter can be detected by Defender if it is launched with a stageless payload or if it uses reflective DLL injection, but a command can be passed to msfconsole to disable its detection. Cobalt Strike is a popular C2 framework whose behaviour is often analyzed by security tools. There are three ways to avoid detection by Memory Scans: modification of the source code, bypassing Memory Scans with autostdapi-Loading, or encryption of the C2-server’s memory. To avoid fingerprinting and detection after the first connection, it is necessary to encrypt and obfuscate the C2-server’s memory, use direct or indirect Syscalls, and use environmental keying.

The author suggests that if you want to use the Arsenal Kit, you need to be familiar with C/C++ and heavily customize the template code to get rid of detections. He also suggests using raw-Shellcode output and your own private custom Loader/Packer to implement the measures mentioned above. Evasion techniques can be used to bypass security measures in software or tools, and this article provides an overview of different evasion techniques. However, even if all the precautions are taken, there is still a chance of detection in mature environments, so it is important to be aware of the risks.

Fingerprinting and Detection

Fingerprinting and detection are two key techniques used by organizations to detect and prevent malicious activity. Fingerprinting is used to detect the presence of known malware, while detection is used to identify unknown malicious activity. Several techniques can be used to avoid being caught by either. Encrypting and obfuscating the C2-server’s memory helps avoid fingerprinting and detection after the first connection. Direct and indirect Syscalls can also be used to make it difficult for defenders to detect the malicious activity. Additionally, environmental keying can be used to further complicate the task of detection.

The Arsenal Kit can be used in order to bypass detection, but it requires a lot of know-how. The user must be familiar with C/C++ and must customize the template code extensively in order to avoid detection. Additionally, raw-Shellcode output and a private custom Loader/Packer should be used in order to fully avoid detection. Even if all of these requirements are met, the implant may still be detected in mature environments because of the advanced security tools used there.

Finally, various evasion techniques can be used in order to bypass security measures in software or tools. These techniques involve manipulating the code in order to hide the malicious activity or to make it difficult to detect. It is important to note, however, that while these techniques can bypass detection in some instances, they may not be effective in all cases. As such, it is important to consider the overall security measures in place and whether the effort is worth the risk.