Anti-Virus / Analysis evasion
Linux
Rename a process
#include <stdio.h>
#include <sys/prctl.h>

int main(void) {
    // PR_SET_NAME rewrites the task name that ps/top print (/proc/<pid>/comm),
    // truncated to 15 characters. It does not change /proc/<pid>/exe or argv.
    if (prctl(PR_SET_NAME, "sshd", 0, 0, 0) == -1) {
        perror("prctl");
        return 1;
    }
    getchar(); // hang so the renamed process stays visible for the demo
    return 0;
}
$ ps -a
PID TTY TIME CMD
23557 pts/4 00:00:00 sshd
23982 pts/5 00:00:00 ps
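The rename above only touches /proc/<pid>/comm, the field ps reads for CMD; the kernel-maintained /proc/<pid>/exe link and the argv in /proc/<pid>/cmdline are left alone. The following checker is an added example written for this page, not code from the original notes: it flags a process whose comm cannot be explained by either its mapped executable or any argv element (the argv rule keeps "#!" scripts, whose comm is the script name while exe is the interpreter, and busybox-style multi-call binaries from being reported). The /proc layout is Linux; the ProcView samples, including the pid 23557 entry that mirrors the demo, are constructed.

```python
"""Detect prctl(PR_SET_NAME)-style task-name spoofing by checking
/proc/<pid>/comm against /proc/<pid>/exe and /proc/<pid>/cmdline.
Added example for these notes; assumes a Linux /proc. Sample data is constructed."""
import os
from dataclasses import dataclass, field
from typing import List, Optional

TASK_COMM_LEN = 16          # kernel constant: comm holds at most 15 characters


@dataclass
class ProcView:
    pid: int
    comm: str                      # contents of /proc/<pid>/comm
    exe: Optional[str]             # readlink(/proc/<pid>/exe), None if unreadable
    cmdline: List[str] = field(default_factory=list)  # argv from /proc/<pid>/cmdline


def _as_comm(name: str) -> str:
    """Return a name the way the kernel stores it in comm (15-byte limit)."""
    return name[:TASK_COMM_LEN - 1]


def is_name_spoofed(p: ProcView) -> bool:
    """True when comm matches neither the mapped executable's basename nor the
    basename of any argv element. Returns False (no verdict) when exe is
    unreadable, e.g. kernel threads or processes we lack permission to inspect."""
    if p.exe is None:
        return False
    exe_base = os.path.basename(p.exe).replace(" (deleted)", "")
    candidates = {_as_comm(exe_base)}
    candidates.update(_as_comm(os.path.basename(a)) for a in p.cmdline if a)
    return p.comm not in candidates


def scan_proc(proc_root: str = "/proc") -> List[ProcView]:
    """Walk a live /proc and return every process is_name_spoofed() flags."""
    flagged = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except (PermissionError, FileNotFoundError):
                exe = None
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue                       # process exited or is not ours to inspect
        view = ProcView(int(entry), comm, exe, argv)
        if is_name_spoofed(view):
            flagged.append(view)
    return flagged


# Constructed sample views: the prctl demo plus benign processes that look similar.
SAMPLES = [
    ProcView(23557, "sshd", "/tmp/demo", ["./demo"]),                        # the demo, renamed via prctl
    ProcView(1200, "sshd", "/usr/sbin/sshd", ["sshd: alice@pts/0"]),          # real sshd rewrites argv, not comm
    ProcView(1300, "myscript", "/usr/bin/bash", ["/bin/bash", "./myscript"]),  # '#!' script: comm is the script
    ProcView(1400, "sh", "/bin/busybox", ["sh"]),                              # multi-call binary
    ProcView(1500, "some-very-long-", "/opt/some-very-long-binary-name",
             ["/opt/some-very-long-binary-name"]),                             # 15-byte truncation of comm
]


def flagged_sample_pids() -> List[int]:
    """PIDs from SAMPLES that the check reports; only the prctl demo should appear."""
    return [p.pid for p in SAMPLES if is_name_spoofed(p)]


if __name__ == "__main__":
    print("sample hits:", flagged_sample_pids())
    for p in scan_proc():
        print(f"pid {p.pid}: comm={p.comm!r} exe={p.exe!r} argv={p.cmdline}")
```

Run it as root to get exe links for every process; unprivileged runs silently skip processes owned by other users, which is why the checker distinguishes "unreadable" from "mismatch" rather than treating the former as a hit.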
Windows
PPID Spoofing
Development
- AV Fingerprinting
- Tools: SharpEDRChecker, Seatbelt
- Social engineering
- Replicate the victim environment to test our payloads
Info
We should always disable any kind of cloud-based protection in the AV settings (potentially by outright disconnecting the VM from the internet) so that the AV doesn't upload our carefully crafted payloads to a server somewhere for analysis.
- On-Disk evasion
- In-Memory evasion