Primer on Antivirus Evasion

Cyber Fox

What is an Anti-Virus?

It is like a COVID-19 vaccine for digital systems: it protects computers from malicious software (malware) that tries to steal our data.

How does it detect a threat?

  1. Static Analysis
    1. Signature-based
      1. Compares portions of the file against a database of known malicious signatures.
    2. Heuristic-based
      1. Disassembles the file and reads the code to look for malicious patterns.
  2. Dynamic Analysis
    1. Behavior-based (+AI)
      1. Lets the sample run and monitors what it does to decide whether it is malicious.
      2. AI can be added on top to spot abnormal behavior.
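To make the static side of this concrete, here is an added example (not code from Cyber Fox's post) of a toy scanner that does both static checks: a signature match (file hash or known byte pattern) and a heuristic score over suspicious strings. The samples, the signature names (`demo-sample-1`, `demo-pattern-1`) and the heuristic weights are all constructed for the example. It also shows the defender's side of the "packers" idea: the same content compressed with zlib matches nothing until the scanner unpacks it first.

```python
import hashlib
import re
import zlib

# --- Constructed samples (made up for this example; not real malware) ---
SAMPLE_MALICIOUS = (b"MZ\x90\x00" + b"\x00" * 60 +
                    b" demo binary ... VirtualAllocEx WriteProcessMemory "
                    b"CreateRemoteThread EVIL_MARKER_0xDEADBEEF")
SAMPLE_BENIGN = (b"MZ\x90\x00" + b"\x00" * 60 +
                 b" demo binary ... prints a greeting and exits")
# zlib stands in for "a packer": same content, different bytes on disk.
SAMPLE_PACKED = zlib.compress(SAMPLE_MALICIOUS)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed signature database (hypothetical signature names) ---
HASH_SIGNATURES = {sha256(SAMPLE_MALICIOUS): "demo-sample-1"}
PATTERN_SIGNATURES = {"demo-pattern-1": b"EVIL_MARKER_0xDEADBEEF"}

# --- Heuristic rules: suspicious API names / command fragments and their weights ---
HEURISTIC_RULES = {
    rb"VirtualAllocEx": 2,
    rb"WriteProcessMemory": 3,
    rb"CreateRemoteThread": 3,
    rb"powershell(\.exe)?\s+-enc": 4,
}
HEURISTIC_THRESHOLD = 5


def signature_scan(data: bytes) -> list:
    """Signature-based check: exact file hash or a known byte pattern."""
    hits = []
    digest = sha256(data)
    if digest in HASH_SIGNATURES:
        hits.append(("hash", HASH_SIGNATURES[digest]))
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(("pattern", name))
    return hits


def heuristic_scan(data: bytes) -> tuple:
    """Heuristic check: add up the weights of suspicious strings found in the code."""
    score, matched = 0, []
    for regex, weight in HEURISTIC_RULES.items():
        if re.search(regex, data):
            score += weight
            matched.append(regex.decode())
    return score, matched


def unpack_layers(data: bytes, max_depth: int = 3) -> list:
    """Return the raw buffer plus every zlib layer nested inside it.
    Real AV engines do the same for packers and archives; a scanner that only
    looks at the raw bytes sees nothing it recognises in a packed sample."""
    layers, current = [data], data
    for _ in range(max_depth):
        try:
            current = zlib.decompress(current)
        except zlib.error:
            break
        layers.append(current)
    return layers


def scan(data: bytes, unpack: bool = True) -> dict:
    """Run both static checks over every unpacked layer and return a verdict."""
    verdict = {"signature_hits": [], "heuristic_score": 0, "heuristic_matches": []}
    for layer in (unpack_layers(data) if unpack else [data]):
        verdict["signature_hits"] += signature_scan(layer)
        score, matched = heuristic_scan(layer)
        verdict["heuristic_score"] = max(verdict["heuristic_score"], score)
        verdict["heuristic_matches"] += matched
    verdict["malicious"] = (bool(verdict["signature_hits"])
                            or verdict["heuristic_score"] >= HEURISTIC_THRESHOLD)
    return verdict


if __name__ == "__main__":
    print("benign               ", scan(SAMPLE_BENIGN))
    print("malicious            ", scan(SAMPLE_MALICIOUS))
    print("packed, raw bytes only", scan(SAMPLE_PACKED, unpack=False))
    print("packed, unpacked first", scan(SAMPLE_PACKED))
```

The hash signature is the most brittle check (any single-byte change breaks it), the byte pattern survives small edits, and the heuristic score survives reordering of the code; that ordering is why real products layer all three and also unpack before scanning.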

Bypass AV

Why do we need to evade it?

If a Red Teamer wants to simulate a real threat, then evasion is needed so that the defenses can be tested and the system hardened.

How to evade?

If we step back and think about what a virus is, we know it is just a small piece of software: zeros and ones that a machine understands.

It is more like a virtual entity, but it still takes up space on the computer, either on disk or in RAM.

  1. Evading on disk
    1. Obfuscation
      1. Change the code in a way that makes it hard to understand.
    2. Packers
      1. Compress the virus (so the bytes on disk no longer look like the original).
  2. Evading in RAM
    1. Injection
      1. DLL injection
        1. Inject a DLL into a process's memory.
      2. Memory injection
        1. Inject bad code into the memory of a benign process.
    2. Process Hollowing
      1. Swap the good code of a process with bad code.

AV vs EDR vs XDR

  • Antivirus (AV):
    • Focuses on preventing, detecting, and removing malware from individual computers.
    • Primarily uses signatures to identify known threats.
    • Effective against many common types of malware but may struggle with new or evolving threats.
  • Endpoint Detection and Response (EDR):
    • Provides advanced protection for endpoints (e.g., computers, smartphones) that connect to a network.
    • Monitors endpoint and network activities to identify suspicious behavior patterns.
    • Offers tools for investigating security alerts and automating responses to threats.
    • Designed to overcome the limitations of AV with continuous monitoring and response capabilities.
  • Extended Detection and Response (XDR):
    • Offers a holistic view of threats across an organization's entire network, including endpoints, cloud services, and email.
    • Aggregates and correlates data from various sources for more accurate threat detection.
    • Enables a coordinated response to complex, multi-vector attacks.
    • Aims to improve detection accuracy and response speed by providing comprehensive analysis.
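The behavior-based detection from the Dynamic Analysis section and the EDR/XDR distinction above are easier to see on data, so here is an added example (not part of Cyber Fox's post) that runs both over a handful of constructed telemetry events. The EDR part scores each host's process events against a small rule set (the rules and weights are hypothetical); the XDR part correlates events from email, endpoint and cloud sources for the same user inside a time window and flags the incident as multi-vector when more than one source contributed. All hosts, users, timestamps and event contents are made up.

```python
from datetime import datetime, timedelta

# Constructed telemetry from three sources (hosts, users and times are made up).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "email", "user": "alice", "host": None,
     "action": "attachment_opened", "detail": "invoice.docm"},
    {"ts": "2024-05-01T09:00:20", "source": "endpoint", "user": "alice", "host": "WS-01",
     "action": "process_start", "detail": "winword.exe -> powershell.exe"},
    {"ts": "2024-05-01T09:00:25", "source": "endpoint", "user": "alice", "host": "WS-01",
     "action": "process_inject", "detail": "powershell.exe -> explorer.exe"},
    {"ts": "2024-05-01T09:01:00", "source": "cloud", "user": "alice", "host": None,
     "action": "login", "detail": "new_country=true"},
    {"ts": "2024-05-01T10:00:00", "source": "endpoint", "user": "bob", "host": "WS-02",
     "action": "process_start", "detail": "explorer.exe -> notepad.exe"},
]

# Behavior rules (hypothetical): (action, substring required in detail) -> weight.
BEHAVIOR_RULES = {
    ("process_start", "winword.exe -> powershell.exe"): 3,  # Office app spawning a shell
    ("process_inject", "->"): 4,                            # cross-process memory injection
    ("process_start", "-> regsvr32.exe"): 2,                # unusual child process
}
ALERT_THRESHOLD = 5


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def edr_score(events: list) -> dict:
    """Behavior-based (EDR-style) detection: score each host's endpoint events
    against BEHAVIOR_RULES; hosts reaching ALERT_THRESHOLD become alerts."""
    hosts = {}
    for e in events:
        if e["source"] != "endpoint":
            continue
        for (action, needle), weight in BEHAVIOR_RULES.items():
            if e["action"] == action and needle in e["detail"]:
                entry = hosts.setdefault(e["host"], {"score": 0, "reasons": []})
                entry["score"] += weight
                entry["reasons"].append(f"{e['action']}: {e['detail']}")
    return {h: v for h, v in hosts.items() if v["score"] >= ALERT_THRESHOLD}


def xdr_correlate(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """XDR-style correlation: chain events of the same user that fall within
    `window` of each other into one incident and record how many distinct
    sources (email, endpoint, cloud) contributed."""
    by_user = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    clusters = []
    for evs in by_user.values():
        current = [evs[0]]
        for e in evs[1:]:
            if parse_ts(e["ts"]) - parse_ts(current[-1]["ts"]) <= window:
                current.append(e)
            else:
                clusters.append(current)
                current = [e]
        clusters.append(current)
    incidents = []
    for cluster in clusters:
        sources = sorted({e["source"] for e in cluster})
        incidents.append({
            "user": cluster[0]["user"],
            "start": cluster[0]["ts"],
            "sources": sources,
            "events": len(cluster),
            "multi_vector": len(sources) > 1,
        })
    return incidents


if __name__ == "__main__":
    print("EDR alerts:", edr_score(EVENTS))
    for inc in xdr_correlate(EVENTS):
        print("XDR incident:", inc)
```

Run it and the EDR stage alerts only on WS-01 (an Office app spawning a shell followed by an injection crosses the threshold), while the XDR stage ties that alert to the phishing attachment before it and the suspicious cloud login after it, which is the "holistic view" the bullets above describe; bob's lone notepad launch stays a single-source, non-incident.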

Next Step

  1. ⚔️ https://book.hacktricks.xyz/windows-hardening/av-bypass
  2. ❤️ https://www.reddit.com/r/Malware/comments/xrav8c/antivirus_evasion_techniques/
  3. 🔥 https://www.ired.team/offensive-security/defense-evasion

*I am a noob. Feel free to correct any mistakes :) (Let's learn together) ✌️