Striking from the Shadows: Applying and Analyzing Mitigation Techniques to Bypass Antivirus Payload Detection

Published: 06 Oct, 2021
Created by
Matthew O'Rouke

During red team engagements and penetration tests, understanding how the presence of antivirus software will affect exploitation can make or break the success of an individual or team. With thorough reconnaissance and enumeration, it is possible to predict which defenses reinforce the target environment. From this vantage point, an attacker has the opportunity to apply several mitigations and bypass techniques when constructing a payload, but making this determination can still be hindered by a multitude of variables or limited by the user's experience. Investigating what goes into payload detection from the perspective of an antivirus, and using that analysis to better formulate strategies for mitigating detection, can be a crucial tool for individuals and teams faced with non-permissive environments during engagements. Strictly from the attacker's perspective, it allows them to be better prepared for these eventual situations. For blue teams and security operations specialists, the same research can also reveal where some of their most critical weak spots are. Modern antivirus software now has several components that all aim to prevent exploitation and nullify payload execution. While most solutions are similar in how this is achieved, each vendor still has unique attributes, so detection may occur with one product and not another. A reliable one-size-fits-all solution would be desirable, but a similar end state can be achieved through the use of encoders, encryptors, and obfuscation techniques, properly applied to a well-analyzed attack surface.