Defense Evasion
Here are the articles in this section:

AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
    EDR / AV Evasion
Windows API Hashing in Malware
    Evasion
Detecting Hooked Syscalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
Retrieving ntdll Syscall Stubs from Disk at Run-time
Full DLL Unhooking with C++
    EDR evasion
Enumerating RWX Protected Memory Regions for Code Injection
    Code Injection, Defense Evasion
Disabling Windows Event Logs by Suspending EventLog Service Threads
Obfuscated Powershell Invocations
    Defense Evasion
Masquerading Processes in Userland via _PEB
    Understanding how malicious binaries can masquerade as any other legitimate Windows binary from the userland.
Commandline Obfuscation
    Commandline obfuscation
File Smuggling with HTML and JavaScript
Timestomping
    Defense Evasion
Alternate Data Streams
Hidden Files
    Defense Evasion, Persistence
Encode/Decode Data with Certutil
    Defense Evasion
Downloading Files with Certutil
    Downloading additional files to the victim system using a native OS binary.
Packed Binaries
    Defense Evasion, Code Obfuscation
Unloading Sysmon Driver
    Unload the Sysmon driver, which causes the system to stop recording Sysmon event logs.
Bypassing IDS Signatures with Simple Reverse Shells
Preventing 3rd Party DLLs from Injecting into your Malware
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Parent Process ID (PPID) Spoofing
Executing C# Assemblies from Jscript and wscript with DotNetToJscript