AV Evasion
...
The first command should be enough to disable Windows Defender:
PS> Set-MpPreference -DisableRealtimeMonitoring $true
PS> Set-MpPreference -MAPSReporting 0
PS> Add-MpPreference -ExclusionPath C:\
Code Obfuscation
Code obfuscation is an automated process that makes code less readable for humans. A simple example is replacing variable names with less readable names such as _0x565.
Code obfuscation doesn't impact the program functionality, but it may impact its performance: obfuscated code is usually slower.
UPX-packed Malware
Ultimate Packer for eXecutables (UPX) is a popular packer, also widely used to pack malware. Unpack a UPX-packed binary with:
$ upx -d -o unpacked_xxx.exe xxx.exe
PHP Obfuscation
You can un-obfuscate PHP code with unphp.
Javascript Obfuscation
A few obfuscators for JavaScript:
You may try unpacker to unpack packed code, while relative.im or deobfuscate.io/obf-io can undo simple obfuscation.
Working on the code directly or going through an abstract syntax tree are also possible. You can turn an AST back into code with escodegen:
const { generate } = require('escodegen');
const ast = {}; // add the JSON AST here
const generatedCode = generate(ast);
console.log(generatedCode);
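The unpackers mentioned above deal with JavaScript wrapped in the eval(function(p,a,c,k,e,d){...}) layout (Dean Edwards' p.a.c.k.e.r), where every word token of the payload is a base-radix index into a word list. The following decoder for that layout is an added example, not code from this page or from those tools; it assumes single-quoted arguments, a radix of at most 62, and runs on a constructed, harmless packed sample:

```javascript
// Constructed sample: a harmless script packed in the eval(function(p,a,c,k,e,d){...}) layout.
// Arguments: payload p, radix a = 36, word count c = 5, word list k split on '|'.
const PACKED =
  String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String))` +
  String.raw`{while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};` +
  String.raw`while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}` +
  String.raw`('0 1=2("3=");4(1)',36,5,'var|x|atob|aGk|alert'.split('|'),0,{}))`;

// Pulls the trailing call's arguments: '<payload>',<radix>,<count>,'<words>'.split('|') (assumes single quotes).
const ARGS_RE = /\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)/;

// Resolves the escape sequences a JS string literal may carry (\' \\ \n ...).
function unescapeJs(s) {
  const map = { n: '\n', r: '\r', t: '\t' };
  return s.replace(/\\(.)/g, (_, ch) => (map[ch] !== undefined ? map[ch] : ch));
}

// Converts one payload token back to its word-list index. The packer writes indices with
// digits 0-9, a-z, A-Z (radix up to 62); anything else (e.g. '_') is not a packer token.
function decodeIndex(token, radix) {
  let value = 0;
  for (const ch of token) {
    let digit;
    if (ch >= '0' && ch <= '9') digit = ch.charCodeAt(0) - 48;
    else if (ch >= 'a' && ch <= 'z') digit = ch.charCodeAt(0) - 87; // 'a' -> 10
    else if (ch >= 'A' && ch <= 'Z') digit = ch.charCodeAt(0) - 29; // 'A' -> 36
    else return -1;
    if (digit >= radix) return -1;
    value = value * radix + digit;
  }
  return value;
}

// Rebuilds the original source: every \w+ token in the payload that decodes to a non-empty
// word is replaced by that word; an empty word means the token already was the original text.
function unpack(packed) {
  const m = ARGS_RE.exec(packed);
  if (!m) throw new Error('no p.a.c.k.e.r argument list found');
  const payload = unescapeJs(m[1]);
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = unescapeJs(m[4]).split('|');
  if (words.length !== count) throw new Error(`word list has ${words.length} entries, expected ${count}`);
  return payload.replace(/\b\w+\b/g, (tok) => {
    const idx = decodeIndex(tok, radix);
    return idx >= 0 && idx < count && words[idx] ? words[idx] : tok;
  });
}

console.log(unpack(PACKED)); // var x=atob("aGk=");alert(x)
```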
To-do
Stuff that I found, but never read/used yet.
Invoke-DOSfuscation> SET COMMAND type <path>
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1
$ bashfuscator -c 'cat /etc/passwd'
$ bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1
- net1 instead of net; would creating a copy do the job too?
- High level of traffic from one account (LogOn events etc.)
- Signature Detection
- Python obfuscation is in the cheatsheet
- smbexec.py: creates a BAT file with each command, often blocked by Windows Defender