Time
5 minutes
Difficulty
Intermediate

Video Transcription

00:00
Hey, everyone is Canada Hill Master instructor. It's I bury in this video. We're gonna talk about evasion.
00:06
So when we talk about invasion, we can do many things right. Some of the techniques we can use, like encryption, is probably a very popular one that we can use that we can basically encrypt our our shell are shell code on that way? Hopefully, the anti virus does not detect it. Another way to try to circumvent anti virus is what's called separation
00:26
eso. In that example, we could separate like the loader from, like the actual payload and put them in different process spaces. So maybe that will fool the antivirus to say, Oh, yeah, it's not really an executed. All right, this is perfectly fine. So that's another technique that we can use.
00:42
Power shell is a technique that's That's
00:46
Ben, commonly used in the past and still in use in the Wild 11 thing with that is as we kind of his more organizations moving to like the machine learning aspect with the anti virus. A lot of those air really good about detecting
01:03
anything that you're doing is a power shoot power shell actually curable eventually flagging it as a That doesn't look right. So just keep that in mind. If you're gonna be trying to use power, she'll attacks that. It may be flagged by different anti viruses.
01:15
Ghost writing is another technique we can potentially do.
01:21
What? And you Really? Actually, if you're gonna do ghost writing, you need assembly experience. You need to understand assembly. By the way, there is an assembly course that will be coming on the site. I'm filming this course in 2019 so there is gonna be an assembly course coming on websites. If you don't know assembly, it's definitely a cool course you check out by Matt Miller.
01:41
That's in the works. Right now. It's It's just about finished up at the timing of this video,
01:45
but it should be out depending on when you're looking at this video. So definitely keep an eye out for that course if you want to learn assembly. But you definitely need to know assembly to do the ghost writing. So what? What we essentially do there is you know what happens is if we write ah, payload in medicine point as an example,
02:01
a lot of anti virus is by design, will say,
02:06
Hey, this was written in medicine, Lloyd. It's automatically malicious, right? I'm automatically gonna flag. It's malicious because I can see what it was written in.
02:15
So what we want to do is essentially that we wantto
02:20
we wantto create a package that created binary that we can then take in reverse, engineer on, disassemble it and then from there,
02:29
uh, we want to modify our code to bypass these anti virus is right. So we wantto put, you know,
02:38
we could potentially put, like, a couple of lines of code at, like, the top. I'll stay off the bat. I'm not I'm not an expert in assembly by any means, but we could potentially put, you know, a few lines, Dakota at the starting point through where
02:52
you know, the antivirus is saying Okay, well, that's not believe is right. We could just add some generalized stuff
02:58
and then later on in our code, we could turn it into an actual execute herbal. So that way it can potentially bypass some anti virus. It's not, You know, Emily, reduce it a little bit. The whole goal here, with all of the ghost writing, is to keep uploaded to a virus total
03:15
and see if it's flagging stuff. So, you know, you may get a reduction by making a few modifications in your code,
03:20
and then you have to go back and kind of go back to the drawing board, so to speak. And so, you know, if we could identify as an example, if you don't know what Zord is, definitely check out the assembly course. It's way outside the scope of this correspondent way. But, um,
03:36
there we could, you know, uh, identify, like, the edit register in our code. Uh, you know, that's being Zord, you know, with itself on then. So we get then from there, you know, and enter what's, you know, like we could enter like a push in a pop command of whatever they're basically, you know, kind of going back and forth there.
03:54
So basically it pushes. It
03:57
pushes the value of the e r register, you know, onto the stack, and then it pops it off the stack right back into the edit register. So basically, there's, like, zero changes and functionality. But now there's a slightly different signature with our code. So maybe the anti virus doesn't recognize that signature or whatever. Like I said, we're not gonna deep dive into that. We're not gonna deep diving assembly in this
04:16
up to a particular video. But
04:18
if you want to really get good at this stuff, if you want to get good a ghost writing, you definitely need to know assembly definitely to know it in depth on you. And you need to understand ways you can manipulate it to bypass anti virus.
04:31
We've also got some different tools out there, like Val veal and Magic corn as well that could be used for evasion. There's just a quick screenshot I've also linked
04:43
to Go get the the the these tools if you want to download it and play with them at all.
04:48
So again, Magic Unicorn is Well, um,
04:51
so in this video, we just kind of took a high level overview of evasion techniques in general. So we'll jump into our post assessment question here. What's the purpose of ghost writing?
05:02
And as I mentioned, you know, another Sancho, that four year old quick. The whole purpose of ghost writing is to try to evade the anti virus or the anti Mel, where solution again with ghost writing, we're gonna have to have a good knowledge of assembly. So it's not a technique that, like a beginner, would use to evade. You know, encryption is probably a technique that, like a
05:20
no script kiddie or somebody like that would use to invade anti virus.

Evasion for Incident Handlers

In Evasion for Incident Handlers, Ken Underhill gives a high-level overview of the various evasion techniques around circumventing antivirus or anti-malware software. Techniques like encryption, separation, and ghostwriting are discussed along with other related tools that are needed for this skill.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor