AV Evasion

My job involves lightweight pentesting and vulnerability assessment and such is the nature that clients know what I want to accomplish and will happily white-list any script I ask them to, but what’s the fun in that? Researching methods to bypass AV and thinking of methods to just not write to disk, showed that AV catches common scripts (Inveigh in this example) even when in memory and not on disk. I came across this article  written by Black Hills Infosec that showed how easy AV evasion is and I thought that no way could this article written almost 2 years ago is still relevant.

I was wrong.

Particularly, I was trying to run Inveigh, which is the Windows version of Responder, but Windows Defender would constantly catch it. So I tried the methods in the Black Hills article.

I initially tried to just remove a line of code and rename the script, but that didn’t work.

fail

So instead, I took Inveigh.ps1 and renamed it to Inv.psm1

PSM1.PNG

Next, I made three changes to the script via ctrl+F & replace.

  1. I removed the comment section
  2. I changed the word “Spoof” to “Moof”
  3. I changed the word “Inveigh” to “Inv”

Rename.PNG

And sure enough…

Success

It turns out that AV evasion really isn’t difficult at all and even as quickly definitions of AV are updated, it takes almost no time to re-edit a script.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: