Summary
This module is for students who want to understand how attackers evade antivirus, specifically Microsoft Defender Antivirus. It is highly recommended that you have at least basic knowledge of C# before attempting this course, as we will be developing a few custom tools.
This module is divided up as follows:
-
Introduction: Introduction to the module, as well as the lab environment. -
Introduction to Antivirus Evasion: We discuss how antivirus works, and how to bypass it, the Antivirus Scan Interface and User Account Control. -
Evading Application Whitelisting: We discuss AppLocker, and various ways to bypass it, as well as the ConstrainedLanguage mode. -
Skills Assessment: Put your new-found skills to the test against a custom target.
This module aims to teach students enough about antivirus evasion so that they can be comfortable doing so independently.
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.
A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:
Introduction
Introduction to the Module
In this module, we will be discussing the basics of evading antivirus. Specifically, we will focus on evading Microsoft Defender Antivirus, which attackers most commonly encounter during engagements. That being said, all the techniques in this module may be adapted to work with other antivirus solutions.
Evading antivirus is commonly referred to as a cat-and-mouse game. This is because attackers come up with new attack vectors just as frequently as antivirus providers come up with new ways to catch them. Depending on who you ask, one or the other may be a step ahead, but there is never a clear answer. One or the other may be a step ahead, but there is never a clear answer. As of early 2024, while the attack vectors covered in this module remain effective, they are susceptible to detection sooner or later. Thus, it is crucial to prioritize grasping the underlying concepts rather than the specific examples. The techniques discussed here will likely require adaptation and altering in the future to evade detection.
Introduction to the Lab
Throughout this module, we will be working with the following two Windows VMs:
-
EVASION-DEV: A Windows server with administrative privileges access to develop/debug payloads. -
EVASION-TARGET: A Windows server with low-privileged user access. The sections' questions and the skills assessments will require to attack this machine.
One way to access the machines is with xfreerdp, using the following syntax. Since files will need to be transferred back and forth, the /drive argument allows us to map a local drive to the remote machine (note that Microsoft Defender Antivirus may periodically scan and delete files in this folder).
xfreerdp /v:[IP] /u:[USERNAME] /p:'[PASSWORD]' /dynamic-resolution /drive:linux,/tmp
EVASION-DEV
This section's question provides access to EVASION-DEV. Use it whenever developing an exploit to solve any of the sections' questions.
The credentials for the development VM are the following:
| Username | Password | Notes |
|---|---|---|
| Administrator | Eva$i0n! | Built-in administrator account |
| maria | Eva$i0n! | Administrator |
| max | Eva$i0n! | Standard user |
Most of the tools referenced in the sections reside in the 'C:\Tools' folder, and throughout the module, all custom programs developed will assume that this directory is being used.
Note: Unless you know what you are doing, please stick to using the provided VM for development, rather than using your own machine.
EVASION-TARGET
Initially, we only have access to the target VM as the following user:
| Username | Password | Notes |
|---|---|---|
| alpha | FGQxrLW2 | Standard User |
For all interactive sections, including the skills assessments, placing files in or interacting with files in the folder "C:\Alpha" is required. Each subfolder will generate its own log.txt file, which be useful in the case a payload does not work.
