The Red Team Vade Mecum
Search…
The Red Team Vade Mecum
The Red Team Vade Mecum
Techniques
Defense Evasion
Binary Properties and Code Signing
ATA/ATP
Tips and Tricks
Basics
IOCs
High Level Overview of EDR technologies
Sandbox Evasion
Obfuscating Imports
Encrypting Strings
Disabling/Patching Telemetry
Minimization
Misdirection
Hiding our Payloads
IPC For Evasion and Control
Privilege Escalation
Enumeration
Execution
Initial Access
Lateral Movement
Code Injection
Persistence
Infrastructure
SQL
Other
Windows Internals
Powered By
GitBook
IOCs
Here is a picture from "Securi-Tay 2020: Offensive Tradecraft - Defence Evasion" by - Paul Laîné which briefly sums up the technologies used by AVs to detect malware
We as attackers have to find ways to bypass and hide these detections.
I would also like to add a couple more things
Sandboxing: Trigger payload in a controlled environment to track heuristic behaviors and flag known malware behavior
Data Mining: Uses a known data set like virustotal to make algorithms to detect AV or just to build signatures to flag for
In memory scanning: periodically scans or scans executable regions for malware in real time to detect malware
Library load events
Kernel callbacks
EtwTi Kernel-mode event provider
​
​
​
Previous
Basics
Next
High Level Overview of EDR technologies
Last modified
1yr ago
Copy link