Evasion and bypassing detection within C#
Overview
AV and EDR bypass techniques for C# assembly payloads.
Experiment
In this experiment we will be using the NTAPI injector as our baseline.
See also: Using NTAPI Undocumented Functions
Msfvenom payload
Injector without any shellcode
For our baseline we tested the raw injector code without any shellcode in the payload.
Raw Meterpreter payload shellcode
Running the injector with the raw, unencrypted Meterpreter shellcode.
Using AES encryption
Encrypting the shellcode using AES
See also: Aes encryptor
Run it twice and Defender is not so nice
Interestingly, when executing it a second time, Defender's behavioral analysis flagged and blocked execution.
Adding a sleep-acceleration check (a sandbox-detection technique) seems to do the trick: the payload then runs a second time without being blocked.
See also: Time accelerated checks
References
C# .Net Assembly