№5. RedTeam-Tools. Defense evasion

15 May 2023 4 minutes Author: Lady Liberty

“Overcoming Defense Evasion: Understanding and Defeating Cyber Attackers’ Tactics”

Defense evasion is a set of techniques attackers use to avoid detection by security systems and tools. It involves modifying, hiding, or masking malicious activity so that defenses such as anti-virus software, firewalls and intrusion detection systems do not notice it. The goal is to extend the duration of an attack, giving the attacker more time to accomplish their objectives before being detected. Defense evasion methods include tactics such as:

1. Hiding files and directories: attackers place their malicious code or files in unexpected locations on the target system to avoid detection by security tools.
2. File and process manipulation: attackers manipulate system files and processes to hide their activity or make it difficult for security tools to detect them.
3. Code obfuscation: attackers use techniques such as code encryption to make their malicious code more difficult to detect or to reverse engineer.
4. Disabling or modifying security tools: attackers disable or modify security tools such as firewalls, anti-virus software, and intrusion detection systems to avoid detection.
5. Use of legitimate system tools: attackers use legitimate system tools, such as system utilities and administrative scripts, to perform malicious activity that is hard to distinguish from normal administration.

Defense evasion is common in Advanced Persistent Threats (APTs) and other forms of cyberattack where an attacker seeks to remain on a target system for an extended period of time. To protect against defense evasion, organizations must implement a multi-layered approach to security that combines technical and non-technical controls.

Defense Evasion toolkit

Invoke-Obfuscation

PowerShell command and script obfuscator compatible with PowerShell v2.0+. If the victim’s endpoint can execute PowerShell, then this tool is great for creating highly complex scripts.

Installation:



Using:





Veil

Veil is a tool for generating Metasploit-compatible payloads that bypass conventional antivirus solutions. It can also be used to generate obfuscated shellcode.

Installation (Kali):




Using:





SharpBlock

A method of bypassing active EDR protection DLLs by preventing their entry point from executing. Features:

1. Blocks execution of the EDR DLL entry point, preventing EDR hooks from being placed.
2. A patchless AMSI bypass that cannot be detected by scanners that look for patches to the Amsi.dll code at runtime.
3. A host process that is replaced by a PE implant, which can be loaded from disk, over HTTP, or from a named pipe (Cobalt Strike).
4. The implanted process is hidden from scanners that look for hollowed processes.
5. Command-line arguments are spoofed and written in after the process is spawned, using the hidden EDR-detection method.
6. Patchless ETW bypass.
7. Blocks calls to NtProtectVirtualMemory when the call targets the address range of the blocked DLL.

Installation:

Use Visual Studio 2019 Community Edition to compile the SharpBlock binary: open the SharpBlock .sln project, select the Release configuration and build.

Using:





Alcatraz

Alcatraz is an x64 binary obfuscator with a GUI, capable of obfuscating various PE files including .exe, .dll and .sys. Supported obfuscation features include:

1. Obfuscation of immediate moves.
2. Control flow flattening.
3. ADD mutation.
4. Entry point obfuscation.
5. LEA obfuscation.

Installation (Requirements):



Using:

Using the GUI to obfuscate a binary:

1. Load the binary via File in the upper-left corner.
2. Add functions by expanding the Functions tree (you can search by entering a name in the search bar above).
3. Click Compile (note: obfuscating many functions may take several seconds).



Mangle

Mangle is a tool that manipulates various aspects of compiled executables (.exe or DLL). Mangle can remove known strings that serve as indicators of compromise (IoCs) and replace them with random characters, inflate a file's size to avoid EDR scanning, and clone code-signing certificates from legitimate files. In this way Mangle helps loaders evade on-disk and in-memory scanners.

Installation:

The first step, as always, is to clone the repo. Before you can compile Mangle, you will need to install its dependencies.



Then build it:



Using:





AMSI.fail

AMSI.fail is a website that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. Snippets are randomly selected from a small pool of techniques and variations before being obfuscated. Each snippet is obfuscated at request time, so no two generated outputs have identical signatures.
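Because the Invoke-Obfuscation and AMSI.fail output described above is regenerated so that no two copies share a literal signature, defenders score the structure of a command line rather than its bytes. The following Python scorer is an added example written for this page, not code from either tool; the three sample lines are constructed, and the indicator weights and threshold are assumptions to be calibrated on real PowerShell logging (e.g. ScriptBlock logs).

```python
import re

# Constructed sample command lines (not real tool output): one ordinary admin
# one-liner and two written in the style of Invoke-Obfuscation / AMSI.fail output.
PLAIN = "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id"
OBF_FORMAT = ("&('{1}{0}'-f'EX','I') ('Get'+'-Pro'+'cess') ; "
              "[ref].AsSembLy.gETTyPe('System.Management.Automation.AmsiUtils')")
OBF_TICKS = '.("i`e`x") ("Ge`t-Pr`oc`ess" + [char]32 + "-Na`me")'

# Structural indicators with assumed weights. None of them matches a literal
# command name, because tokens such as IEX are only assembled at run time; the
# shape of obfuscated text stays stable even when its bytes do not.
INDICATORS = {
    "backticks":    (re.compile(r"`"), 1),                   # char-escape splitting
    "placeholders": (re.compile(r"\{\d+\}"), 2),             # '{1}{0}' -f reordering
    "concat":       (re.compile(r"['\"]\s*\+\s*['\"]"), 2),  # 'Ge'+'t-' string building
    "char_casts":   (re.compile(r"\[char\]", re.I), 2),      # [char]73 byte assembly
    "case_flips":   (re.compile(r"[a-z][A-Z]"), 1),          # rAnDoM case inside words
    "amsi_ref":     (re.compile(r"amsi", re.I), 5),          # AmsiUtils / amsiInitFailed
}
THRESHOLD = 6  # assumed; tuned only on the samples above


def obfuscation_score(line):
    """Return per-indicator hit counts, a weighted score and a verdict for one line."""
    hits = {name: len(rx.findall(line)) for name, (rx, _) in INDICATORS.items()}
    score = sum(hits[name] * weight for name, (_, weight) in INDICATORS.items())
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


def scan(lines):
    """Score several lines and return (line, score) for those over the threshold."""
    results = [(line, obfuscation_score(line)) for line in lines]
    return [(line, r["score"]) for line, r in results if r["suspicious"]]


if __name__ == "__main__":
    for sample in (PLAIN, OBF_FORMAT, OBF_TICKS):
        r = obfuscation_score(sample)
        print(f"score={r['score']:3d} suspicious={r['suspicious']!s:5} {sample[:60]}")
```

Case-mixing and string concatenation also occur in legitimate scripts, so the weighted sum is a triage aid for prioritising script-block review, not a standalone block rule.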


