CSP-CERT® Resources:
Anti-Virus Evasion for Penetration Testing Engagements

by Nathu Nandwani
posted August 2018

Anti-virus software, in the basic sense, helps defend a machine against unwanted software applications that might slip onto it. This is why it is very common to find anti-virus systems installed during a penetration testing engagement with a client; however, this also becomes a challenge for penetration testers. Right after getting a command-line shell, the next steps are usually running exploits for privilege escalation or for post-exploitation, but if an anti-virus system is installed, it may prevent those tools from being executed. Evading anti-virus therefore becomes necessary during a penetration testing engagement.

Anti-virus evasion is a broad topic, but it can be split into two specific scenarios. The first is the case where a tool must evade anti-virus detection while it is at rest as a file. The second is the case where the tool must evade anti-virus detection during execution of its instructions, whether it tries to replace a library of a privileged application for escalation or to recover hashes for post-exploitation.

The techniques involved in the two scenarios are quite different. When the file is at rest on a storage device, an anti-virus may calculate its hash and check whether that hash is known to belong to a popular penetration testing tool that can also be used for malicious purposes. The anti-virus may also scan the strings contained in the tool, which can lead it to detect the tool as well. In the second scenario, the anti-virus evaluates the tool's actions at run-time and then decides whether it should be quarantined or not.
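To make the file-at-rest detection described above concrete from the defender's side, here is an added example (not code from the original article) of a minimal static scanner that applies the two checks in order: a known-hash lookup, then a string-signature scan. The sample "file", the hash list and the signature strings are all constructed for the demo; they do not correspond to any real tool or engine. The demo also shows why hash matching alone is brittle: changing a single byte of the sample defeats the hash check, while the string signatures still catch it, which is why engines layer both.

```python
import hashlib
import re

# Constructed stand-in for a tool sitting on disk. The "MZ" prefix only mimics
# a PE header; the body is filler plus two strings the signatures will look for.
SAMPLE_TOOL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"constructed-tool v1.0\x00SAM hash dump\x00"
    + b"\x00" * 8
)


def sha256_hex(data: bytes) -> str:
    """Hash the whole file content, as a hash-based signature check would."""
    return hashlib.sha256(data).hexdigest()


# Known-hash list (constructed): built from the sample so the demo is self-contained.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_TOOL): "constructed-hashdump-tool"}

# String signatures (constructed): byte patterns an engine might associate
# with a tool family, matched anywhere in the file content.
STRING_SIGNATURES = {
    "constructed-hashdump-tool": [rb"constructed-tool v1\.0", rb"SAM hash dump"],
}


def scan_static(data: bytes) -> dict:
    """Verdict for a file at rest: hash lookup first, then string signatures."""
    digest = sha256_hex(data)
    if digest in KNOWN_BAD_HASHES:
        return {"verdict": "detected", "method": "hash",
                "name": KNOWN_BAD_HASHES[digest]}
    for name, patterns in STRING_SIGNATURES.items():
        hits = [p.decode() for p in patterns if re.search(p, data)]
        if hits:
            return {"verdict": "detected", "method": "strings",
                    "name": name, "matched": hits}
    return {"verdict": "clean", "method": None}


def scan_path(path: str) -> dict:
    """Convenience wrapper: scan a real file on disk with the same logic."""
    with open(path, "rb") as fh:
        return scan_static(fh.read())


def demo() -> dict:
    """Run the scanner over three constructed inputs and return the verdicts."""
    results = {}
    # 1. Byte-for-byte the listed sample: caught by the hash lookup.
    results["original"] = scan_static(SAMPLE_TOOL)
    # 2. Same sample with its last (padding) byte flipped: the hash no longer
    #    matches, but the string signatures still fire.
    mutated = SAMPLE_TOOL[:-1] + bytes([SAMPLE_TOOL[-1] ^ 0x01])
    results["one_byte_changed"] = scan_static(mutated)
    # 3. Unrelated content with no listed hash and no signature strings.
    results["clean"] = scan_static(b"MZ\x90\x00 harmless utility that prints hello")
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The ordering matters for a defender: the hash check is cheap and exact but breaks on any modification, so the string scan is the fallback that survives trivial changes. A layered engine would add further checks (imports, section entropy, emulation) on top of these two.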

A discussion of anti-virus evasion techniques for the case where the file is still at rest in storage can be found here: https://www.alienvault.com/blogs/security-essentials/antivirus-evasion-for-penetration-testing-engagements. The techniques presented there assume that the penetration testing tool's source code is available. If the source code is not available, the binary can be encrypted using an algorithm and later decrypted using another tool. A separate discussion of evasion techniques at run-time may be written up for another reading soon.