Evasion P1 – How Do Antiviruses Work?

Hi everyone, welcome back. I couldn't write any blog posts for a while because of some extra projects and my OSEP journey. In this post series, we will talk about evasion techniques and bypassing security solutions. But first we must understand the basics of these technologies. Before we start, stop reading and think about how an anomaly can be detected. How?

As pentesters or red teamers we face lots of security solutions. The most common one is the antivirus. We also run into EDR, XDR, IDS/IPS, WAF, etc. In this post, we will talk about antiviruses.

In incident response you can detect an anomaly in lots of ways, but an antivirus relies on several engines to detect malware or anomalous behaviour. Basically:

Engine Explanations

Static Engine: Scans the file without running it and searches for known content: string literals, executable names, process names, imported API names, section names, etc. For example, if we write;

void *payload = malloc(meterpreter_size);

The static engine will find the "payload" and "meterpreter" strings in the code, and the antivirus shows the "I found a virus" pop-up 🙂. One caveat: variable names like these only survive in source code or in debug symbols; in a stripped, compiled binary the engine sees string literals, import names and raw byte patterns instead. The static engine also matches file-level signatures such as MD5 (or SHA-256) hashes of the whole file.
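A minimal static engine, as an added example (not code from the original post): it matches a whole-file MD5 hash, signature strings and a suspicious import combination against a constructed byte blob that stands in for a compiled binary. The sample bytes, the signature names and the signature database are all assumptions made for the example.

```python
import hashlib
import re

# Constructed sample: stands in for a compiled binary (not real malware). Real compiled
# code does not carry local variable names, but string literals, import names and
# embedded tool names do survive, which is what a static engine keys on.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"KERNEL32.dll\x00VirtualAlloc\x00CreateRemoteThread\x00"
    + b"meterpreter\x00" + b"\x41" * 32
)

# Hypothetical signature database: whole-file hashes plus byte/string patterns.
HASH_SIGNATURES = {
    hashlib.md5(SAMPLE).hexdigest(): "Trojan.Constructed.Sample",
}
STRING_SIGNATURES = {
    b"meterpreter": "HackTool.Meterpreter.Strings",
    b"mimikatz": "HackTool.Mimikatz.Strings",
}
# An import combination often used as a weak static indicator of process injection.
IMPORT_SIGNATURES = {
    (b"VirtualAlloc", b"CreateRemoteThread"): "Suspicious.RemoteThreadImports",
}


def static_scan(data: bytes) -> list:
    """Return the names of every static signature that matches `data`."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in STRING_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    for imports, name in IMPORT_SIGNATURES.items():
        if all(imp in data for imp in imports):
            hits.append(name)
    return hits


def strings(data: bytes, min_len: int = 6) -> list:
    """Extract printable ASCII runs, the same view the `strings` tool gives an analyst."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    print("strings:", strings(SAMPLE))
    print("hits   :", static_scan(SAMPLE))
    # One flipped padding byte defeats the hash signature but not the string or
    # import signatures, which is why hash-only detection is so brittle.
    variant = SAMPLE[:-1] + b"\x42"
    print("variant:", static_scan(variant))
```

Run it and compare the two hit lists: the hash signature disappears after a single-byte change, the string and import signatures do not. That asymmetry is the whole reason later posts spend time on string obfuscation rather than on hash changes.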

Dynamic Engine: This engine looks at what the executable does while it runs: the functions it calls, the processes and threads it creates, and so on. How does the executable start? Does it try to reach places it should not? For example, if you know mimikatz: mimikatz reads the memory of lsass.exe, and security solutions protect that memory because it contains password hashes and other credentials (confidential for us). When a process opens LSASS and tries to read its memory, the antivirus blocks the access and flags an anomaly; other applications do not need that memory (the few that do can be whitelisted). API hooking is one of the techniques used for this analysis: the engine places hooks on the Windows APIs that reach into other processes (for example NtOpenProcess and NtReadVirtualMemory in ntdll) and inspects the arguments before letting the call through.

Behavioral Engine (Heuristic Engine): This engine looks at the control flow of the application, its network activity, what information it collects and sends (for example, capturing keystrokes and sending them somewhere -> keylogger), etc. The antivirus searches for a malicious pattern, as in the keylogger example. Other examples are capturing a screenshot on every mouse click, or trying to close the security solution itself.
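The dynamic and behavioural rules described in the two paragraphs above, as one added example (not code from the original post). It runs a handful of rules over a constructed, ordered API-call trace of the kind a hooking layer would record: the LSASS open-then-read rule with an allowlist (dynamic engine), and the keystroke-polls-then-network-send, firewall-off and kill-the-security-product rules (behavioural engine). The process names, the allowlist, the 203.0.113.10 address and the threshold of 20 polls are all assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ApiEvent:
    """One call seen by the hook layer: calling process, API name, key arguments."""
    process: str
    api: str
    args: dict = field(default_factory=dict)


# Hypothetical allowlist of processes that may legitimately read LSASS memory.
LSASS_READ_ALLOWLIST = {"MsMpEng.exe"}
# Hypothetical set of security-product processes the behavioural rule protects.
PROTECTED_PROCESSES = {"MsMpEng.exe"}
KEYLOG_THRESHOLD = 20                       # keystroke polls before a later send is suspicious
NETWORK_SEND_APIS = {"send", "WSASend", "HttpSendRequestA"}


def analyze(trace) -> list:
    """Run the dynamic and behavioural rules over an ordered API trace; return findings."""
    findings = []
    lsass_handles = set()      # (process, handle) pairs obtained from OpenProcess on lsass.exe
    key_polls = {}             # process -> number of GetAsyncKeyState calls seen so far
    for ev in trace:
        p, a = ev.process, ev.args
        # Dynamic rule: OpenProcess on lsass.exe followed by ReadProcessMemory on that handle.
        if ev.api == "OpenProcess" and a.get("target") == "lsass.exe":
            if p not in LSASS_READ_ALLOWLIST:
                lsass_handles.add((p, a.get("handle")))
        elif ev.api == "ReadProcessMemory" and (p, a.get("handle")) in lsass_handles:
            findings.append(f"{p}: reads LSASS memory through an OpenProcess handle (credential dumping)")
            lsass_handles.discard((p, a.get("handle")))
        # Behavioural rule: many keystroke polls, then data leaves over the network -> keylogger.
        elif ev.api == "GetAsyncKeyState":
            key_polls[p] = key_polls.get(p, 0) + 1
        elif ev.api in NETWORK_SEND_APIS and key_polls.get(p, 0) >= KEYLOG_THRESHOLD:
            findings.append(f"{p}: {key_polls[p]} keystroke polls then a network send to {a.get('dst')} (keylogger)")
            key_polls[p] = 0
        # Behavioural rule: tampering with the firewall or with the security product itself.
        elif ev.api == "CreateProcessA" and "netsh advfirewall" in a.get("cmdline", "") \
                and "state off" in a.get("cmdline", ""):
            findings.append(f"{p}: disables the Windows Firewall via netsh")
        elif ev.api == "TerminateProcess" and a.get("target") in PROTECTED_PROCESSES:
            findings.append(f"{p}: tries to terminate security product {a['target']}")
    return findings


# Constructed trace: a benign editor, an allowlisted AV engine, and three bad actors.
TRACE = (
    [ApiEvent("notepad.exe", "CreateFileW", {"path": "C:\\Users\\bob\\notes.txt"}),
     ApiEvent("notepad.exe", "WriteFile", {"bytes": 42}),
     ApiEvent("MsMpEng.exe", "OpenProcess", {"target": "lsass.exe", "handle": 0x10}),
     ApiEvent("MsMpEng.exe", "ReadProcessMemory", {"handle": 0x10}),
     ApiEvent("evil.exe", "OpenProcess", {"target": "lsass.exe", "handle": 0x1c}),
     ApiEvent("evil.exe", "ReadProcessMemory", {"handle": 0x1c})]
    + [ApiEvent("logger.exe", "GetAsyncKeyState", {"vkey": 0x41 + (i % 26)}) for i in range(40)]
    + [ApiEvent("logger.exe", "send", {"dst": "203.0.113.10:443", "bytes": 40}),
       ApiEvent("dropper.exe", "CreateProcessA", {"cmdline": "netsh advfirewall set allprofiles state off"}),
       ApiEvent("dropper.exe", "TerminateProcess", {"target": "MsMpEng.exe"})]
)

if __name__ == "__main__":
    for finding in analyze(TRACE):
        print(finding)
```

Note what the rules key on: not a single API, but a sequence per process (open then read, poll then send). A real engine also looks at the arguments at hook time, which is why the later evasion posts care about how the sensitive call is reached, not only whether it is made.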

The three types we talked about are the engines generally used. Besides these there is an unpacking engine. We will explain packing and unpacking in detail in the next posts. I think you have heard of UPX, the Ultimate Packer for eXecutables. Briefly, you can imagine packing like zipping or compressing a file: the original code is compressed (or encrypted) and wrapped in a small stub that decompresses it in memory at run time, so the strings and signatures a static engine looks for are not visible in the file on disk. The unpacking engine's main responsibility is to undo this, by recognising known packers or by emulating the stub until the original code appears, and then scanning that. Simple 🙂
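The packing idea above, as an added example (not code from the original post, and not UPX's real format): a toy packer compresses a constructed payload behind a stub header, a naive string scan of the packed bytes finds nothing, and a toy unpacking engine recognises the header, inflates the body and scans the result. Shannon entropy is included because a file that is mostly compressed or encrypted data sits close to 8 bits per byte, a well-known heuristic for "this is probably packed". The payload, the signature list and the "TOYPACK1" header are assumptions made for the example.

```python
import math
import zlib
from collections import Counter
from typing import Optional

# Constructed payload standing in for a compiled binary (not real malware): a header,
# padding, a tool string a static engine would match, and some high-entropy bytes.
PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"meterpreter\x00CreateRemoteThread\x00"
    + b"\xcc" * 200 + bytes(range(256))
)
SIGNATURES = [b"meterpreter", b"mimikatz"]   # tiny stand-in for a string-signature database
MAGIC = b"TOYPACK1"                          # hypothetical stub header; not UPX's real layout


def static_hits(data: bytes) -> list:
    """What a naive static engine sees: which signature strings occur verbatim in the bytes."""
    return [s.decode() for s in SIGNATURES if s in data]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pack(payload: bytes) -> bytes:
    """Toy packer: stub header + original length + zlib-compressed body. A real packer
    also ships the code that inflates this body into memory at run time."""
    return MAGIC + len(payload).to_bytes(4, "little") + zlib.compress(payload, 9)


def unpack(blob: bytes) -> Optional[bytes]:
    """Toy unpacking engine: recognise the stub and inflate. Returns None if not packed."""
    if len(blob) < 12 or not blob.startswith(MAGIC):
        return None
    size = int.from_bytes(blob[8:12], "little")
    try:
        body = zlib.decompress(blob[12:])
    except zlib.error:
        return None
    return body if len(body) == size else None


def scan(blob: bytes) -> dict:
    """Scan the bytes as they are on disk, then let the unpacking engine run and scan again."""
    inner = unpack(blob)
    return {
        "packed": inner is not None,
        "entropy": round(entropy(blob), 2),
        "hits_before_unpack": static_hits(blob),
        "hits_after_unpack": static_hits(inner) if inner is not None else static_hits(blob),
    }


if __name__ == "__main__":
    print("plain :", scan(PAYLOAD))
    print("packed:", scan(pack(PAYLOAD)))
```

The packed blob has no signature hits and a noticeably higher entropy than the plain payload; only after the unpacking engine has done its work does the "meterpreter" string come back. Real engines cannot rely on a known header for every packer, which is why emulation and memory scanning matter.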

Next-generation solutions use these engines together. You can also find articles about ML- and AI-based engines. Some researchers detect malware from pictures: the bytes of an executable are rendered as a grayscale image, and a classifier or a similarity search is run over those images. If you are interested in image processing, you can create a dataset of malware pictures and find similarities between a sample's picture and the target's picture. We will talk about bypassing all these engines and techniques in detail in the other parts.
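The picture-based idea above, as an added example (not code from the original post), deliberately simplified: the "image" is the file laid out one byte per pixel and shrunk to an 8x8 grayscale thumbnail, and the "model" is a cosine-similarity threshold against one known sample rather than a trained classifier. The three samples, the 32-pixel row width and the 0.95 threshold are assumptions made for the example.

```python
import math


def byte_image(data: bytes, width: int = 32) -> list:
    """Render a file as a grayscale image: one byte per pixel, `width` pixels per row."""
    if not data:
        raise ValueError("empty file")
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if len(rows[-1]) < width:
        rows[-1] += [0] * (width - len(rows[-1]))       # pad the last row with black
    return rows


def thumbnail(image: list, size: int = 8) -> list:
    """Shrink the image to size x size by averaging blocks; the result is a fixed-length
    feature vector that is robust to small byte-level changes."""
    h, w = len(image), len(image[0])
    vec = []
    for by in range(size):
        y0, y1 = by * h // size, max((by + 1) * h // size, by * h // size + 1)
        for bx in range(size):
            x0, x1 = bx * w // size, max((bx + 1) * w // size, bx * w // size + 1)
            block = [image[y][x] for y in range(y0, min(y1, h)) for x in range(x0, min(x1, w))]
            vec.append(sum(block) / len(block))
    return vec


def cosine(a: list, b: list) -> float:
    """Cosine similarity between two feature vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def fingerprint(data: bytes) -> list:
    return thumbnail(byte_image(data))


def patch(data: bytes, offset: int, new: bytes) -> bytes:
    """Return a copy of `data` with `new` written at `offset` (simulates a rebuilt variant)."""
    buf = bytearray(data)
    buf[offset:offset + len(new)] = new
    return bytes(buf)


# Constructed samples (not real malware): a "known" sample, a variant with a few
# patched bytes, and an unrelated file with a completely different layout.
KNOWN = b"MZ" + b"\x00" * 254 + bytes([0x55, 0x8b, 0xec, 0x83, 0xec, 0x10]) * 40 + b"meterpreter\x00" * 8
VARIANT = patch(KNOWN, 300, b"\x90" * 5)
BENIGN = b"MZ" + bytes(range(256)) * 2 + b"\xff" * 300


def classify(sample: bytes, known: bytes = KNOWN, threshold: float = 0.95) -> bool:
    """True when the sample's picture is close enough to the known sample's picture."""
    return cosine(fingerprint(sample), fingerprint(known)) >= threshold


if __name__ == "__main__":
    for name, sample in (("variant", VARIANT), ("benign", BENIGN)):
        print(name, round(cosine(fingerprint(sample), fingerprint(KNOWN)), 3), classify(sample))
```

The patched variant still scores very close to 1.0 because five changed bytes barely move an averaged thumbnail, while the unrelated file lands well below the threshold. That robustness to small edits is the attraction of the image approach, and a published pipeline replaces this single-sample comparison with a classifier trained on thousands of such pictures.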

Example Engine Findings

Now here you can see a picture of an example malicious code flow:

Absolutely, Not Malware!…

Which engine can detect which anomalies?

Static Engine: the "CMD", "NTSH" and "NETSH" strings, and if the vendor already has the MD5 of this sample, the MD5 signature will match.

Dynamic Engine: the backdoor-creation functions may be caught. If the executable uses a well-known injection or hooking technique, dynamic engines can detect those calls.

Heuristic Engine (Behavioral Engine): closing the firewall, executing commands through CMD, and the backdoor-creation sequence, depending on the situation.

Next Stations

Our roadmap is here:

Thanks for your time and interest. See you next time in this post series with bypass techniques; I will also record a YouTube video with additional information.

For additional information check out my channel, and you can look at these links:

  • https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection
  • https://www.infosecurity-magazine.com/opinions/malware-detection-signatures/
  • https://www.amazon.com/Antivirus-Bypass-Techniques-practical-techniques/dp/1801079749
  • https://www.socinvestigation.com/most-common-antivirus-evasion-and-bypass-techniques/
  • https://www.lmgsecurity.com/common-antivirus-bypass-techniques/
  • https://www.hivepro.com/antivirus-evasion-techniques/
  • https://blog.sevagas.com

Berk KIRAS