How do you evade antivirus and firewall detection when performing post-exploitation?

Crafting your own payloads is the best way to hide from anything looking for known malice. It’s not just about creating a new binary, it’s about going into the code itself and obfuscating key strings that are going to stand out to an antivirus or IDS. If you have a moment, take a course or watch free content online about reverse engineering malware. We can see strings like mimikatz and kiwi from a mile away, antivirus software just automates this process for defenders.

Obfuscating payloads is a critical technique for bypassing antivirus detection. During a recent penetration test, I encountered an environment heavily fortified with endpoint protection solutions. To evade detection, I utilized MSFvenom to create an encrypted payload, carefully choosing the encryption algorithm to mask its true intent. By combining this approach with packing and polymorphic techniques, I was able to deliver my payload successfully without triggering alarms. This experience highlighted how sophisticated obfuscation can be vital in executing payloads undetected in highly secure environments.

There are some techniques that you can use to help evade defense mechanisms, for example: if you are using a vector in Powershell, obfuscate strings and replace variables and functions with random names, as well as integers to help and make it difficult for Malware scanners and EDRs detect PowerShell execution and can block it. Some tools like Vulkan, pyfuscation and Invoke-Obfuscation are useful in this case.

Obfuscating payloads involves altering their appearance while preserving functionality to evade detection. Techniques include encryption, encoding, compression, and polymorphism. Tools like Veil or MSFvenom can generate such obfuscated payloads to bypass antivirus software.

To evade antivirus and firewall detection during post-exploitation, use obfuscation tools to disguise payloads, encrypt communications to avoid traffic inspection, and leverage legitimate system tools like PowerShell to blend in with normal operations. Employ process injection to run malicious code within trusted processes, use polymorphic malware to bypass signature-based detection, and utilize network tunneling to route traffic through legitimate channels. These techniques help minimize detection while maintaining control over compromised systems.

Utilizing proxychains and VPNs is crucial for evading firewall detection. These tools mask our true IP by routing traffic through multiple servers, making our activities invisible to network-based firewalls. Proxychains string together proxies, and VPNs add layers of anonymity, creating a complex path that's difficult for firewalls to trace and block. This ensures unrestricted access to systems and networks during penetration testing.

Using proxychains and VPNs helps evade firewalls by routing your traffic through multiple servers, masking your real IP and location. Proxychains can chain several proxies, while VPNs encrypt your traffic, making it difficult for firewalls to detect and block you.

Mimicking legitimate processes can significantly enhance the stealth of your post-exploitation activities. In one engagement, I was tasked with demonstrating how easily an attacker could blend malicious actions with normal system processes. I used PsExec to inject my payload into the trusted process explorer.exe. By doing so, I ensured my activities remained hidden among legitimate operations, which effectively reduced detection risks. This method underscores the importance of understanding the target environment and leveraging legitimate processes to mask malicious intent.

Mimicking legitimate processes involves disguising malicious activities as trusted system processes to evade detection. Techniques include process hollowing, injection, and impersonation, using tools like PsExec or Metasploit. This helps the malware blend in with normal system behavior and avoid antivirus and firewall scrutiny.

As AV and EDR solutions get more sophisticated, successful attacks will need to be indistinguishable from the common noise that scanners expect and ignore in their daily routines. Modern defensive tools are not only attuned to catch the malicious shellcode an attacker injects into their network but also the loader that launches it, how these files appeared on the network, the Windows API functions they utilize and more should all be examined and consciously prepared to increase your chances of avoiding detection. After initial execution, it is important to avoid behavior that looks abnormal - which may vary considerably based on your target.

To evade antivirus and firewall detection, use alternative communication channels like DNS, ICMP, or custom protocols instead of standard ones (HTTP, HTTPS, FTP). Tools such as DNScat2 or Iodine can tunnel traffic through DNS requests, bypassing common security measures.

Excellent enumeration and recon on your target throughout the engagement will ultimately allow you to decide on the best way to exfiltrate data or communicate with your implant without creating any interesting events on the network. If you plan to use SSH and that protocol is foreign to your target, it may not be blocked but it will quickly be noticed. Many C2 solutions exist that use common protocols like HTTP and hide communication via using resources like Github, Google Docs and Pastebin to make evil requests look normal. Know your target and blend in.

To evade antivirus and firewall detection, stay current by using the latest penetration testing tools and techniques. Regularly update your methods, follow cybersecurity news, and engage with the latest resources like blogs and courses to adapt to evolving defenses.

From my experience, one of the advanced way that can be considered and frequently used by the attacker in evading the heuristic-based and behavioral analysis in antivirus is reversing or manually analyzing the antivirus emulator engine which only simulates the execution of most common Win32 APIs. Infrequently-used APIs are either incorrectly emulated or are not emulated at all. Through this way, the attacker can discover non-emulated APIs, and approach the method of terminating the execution of malicious payload if it encounters some of non-emulated APIs in sandboxed environment, to avoid the detection of the antivirus.