1
00:00:00,830 --> 00:00:08,150
One of the biggest challenges that a penetration tester can face is antivirus evasion.

2
00:00:09,840 --> 00:00:15,330
The payloads that you generated in the previous section are for learning purposes, right?

3
00:00:15,350 --> 00:00:19,140
So I don't care about you being caught by antivirus software.

4
00:00:19,140 --> 00:00:21,250
In fact, that might even mean you did it right.

5
00:00:22,290 --> 00:00:28,620
However, in a real penetration test, if your payload is detected, then it is going to be useless

6
00:00:28,980 --> 00:00:33,110
and sometimes it's embarrassing, and it makes it look like you have no idea what you're doing.

7
00:00:34,640 --> 00:00:43,800
So in this section, I'm going to explain some concepts and some solutions that will remove antiviruses

8
00:00:43,800 --> 00:00:45,650
from ever being an issue.

9
00:00:46,610 --> 00:00:49,720
Now, this is very cool.

10
00:00:51,240 --> 00:00:59,700
So most antivirus software uses signature-based detection engines to verify if a file on disk is malicious

11
00:00:59,700 --> 00:01:00,090
or not.

12
00:01:01,850 --> 00:01:09,920
So basically, AV software scans the storage and compares a signature of a suspicious file with its

13
00:01:09,950 --> 00:01:11,000
signature database.

14
00:01:12,030 --> 00:01:19,590
And of course, if a match is found, then the AV alerts and marks that object to take certain steps against.

15
00:01:21,480 --> 00:01:24,630
And basically, that's how antivirus software works.

16
00:01:25,970 --> 00:01:28,100
But the system doesn't fit.

17
00:01:28,980 --> 00:01:35,250
It has scaling problems, and if there's no match for a signature, a malicious program won't encounter

18
00:01:35,250 --> 00:01:36,570
any protection mechanism.

19
00:01:37,840 --> 00:01:42,100
As you might imagine, this method is not good enough to trust 100 percent.

20
00:01:43,140 --> 00:01:50,940
Antivirus companies also think that, so they'll invest in many new methods, create new products, use

21
00:01:50,940 --> 00:01:54,240
AI, machine learning, everything they can throw at it.

22
00:01:55,280 --> 00:01:58,670
However, most of them still work this way.

23
00:01:59,930 --> 00:02:03,680
Now, do you remember what we were saying earlier about Metasploit payloads?

24
00:02:04,460 --> 00:02:09,980
They're basically designed to run in memory, so they never write data to the disk.

25
00:02:11,300 --> 00:02:17,330
So when you send a payload using an exploit, most antivirus programs won't even detect that it has been

26
00:02:17,330 --> 00:02:18,290
run on the target.

27
00:02:19,390 --> 00:02:27,250
However, during a compromise, you're often going to perform certain actions that will modify, add

28
00:02:27,250 --> 00:02:34,720
or delete files on the target's file system, so that already implies that your actions can be traced

29
00:02:35,080 --> 00:02:37,450
and detected by antivirus software.

30
00:02:38,320 --> 00:02:46,330
So you're just going to need to be a little stealthier by playing in a different way to beat those antiviruses.