Evasion

00:00

Hello and welcome to another penetration. Testing execution Standard discussion.

00:06

Today we're going to be looking at evasion within the exploitation phase of pee test.

00:12

Now it's a quick disclaimer. We will discuss some tools and techniques that could be used for system hacking. Any tools discussed or used during our demonstrations should be researched and understood by the user.

00:24

Please research your laws and regulations regarding use of such tools in your given area to ensure that you do not violate any applicable laws or regulations.

00:33

We don't want you getting into any trouble with the police. So

00:38

what are the objectives of today's discussion? Well, we're going to at a high level describe what evasion is.

00:46

We're going to look at some common techniques for evasion and what the overall goal of evasion is

00:53

so jumping right in What is evasion? Well, evasion is the technique or techniques used in order to escape detection during a penetration test, so this should be circumventing a camera system, eyes not to be seen by guard or off. You scared in your payloads to evade intrusion detection systems

01:11

or prevention systems. And so in some cases this can overlap a little bit with bypassing countermeasures.

01:18

But what were ultimately trying to do is to go undetected. Where is where we're when we're, you know, circumventing countermeasures. We're trying to get execution of something on a system or into a system

01:30

with evasion. We're trying not to be detected or have something alert on us. So overall, the need to identify a low risk scenario for evading a technology or person should be formulated prior to the exploit.

01:42

So remember, if we're doing physical testing and we're trying to avoid cameras, you know, we need to understand Are we allowed to tilt cameras up? Are we allowed to do feedback loops if we have that level of sophistication or technology at our disposal? All of those things need to be considered

02:00

isn't part of the rules of engagement, and the overall scope of work that you'll be conducting for client clients is, well, business owners. Just remember, you know, there are different ways that evasion ca n't take place, and so that's a good starting point for us to get into some of the common techniques.

02:16

And so one of the ones that I want to point out before we read through everything is really for, like intrusion detection of prevention systems. There is a manner in which you could do a denial of service against the systems to overload them, but we need to have explicit permission in order to perform that. The problem is, is that some of these systems,

02:36

especially when managed by 1/3 party

02:38

I could have caps on ingestion rates, you know, could have, um,

02:46

you know, a billing methodology that increases the amount that the client would pay if you were to do it denial of service and push hundreds of thousands or millions of logs into the idea. Yes,

02:59

how is that going to financially impact the system? And if legitimate attacks were performed against the client system by a threat actor and those logs, for some reason, roll off Based on how the system is set up

03:14

and that information has lost, you could have put the organization at risk so explicitly taking care of this particular section is going to be key in your scope of work as well as rules of engagement.

03:24

Now, common invasion evasion techniques also include running scans on paranoid levels. This means trying to be super sneaky and doing packet fragmentation and things of that nature. To try and avoid detection, we can use encoding and encryption on payloads, as we had discussed.

03:39

Using well known payloads is likely to be picked up by an A virus,

03:45

and you could use something like virus total or databases that kind of let you know whether or not a signature would be picked up by virus scanning tools. But in most of those cases that gets passed along to the provider, and then they update their tools, and then it will get blocked at a later date. And so

04:00

your best bet would be to have some of the comment and viruses on virtual machines and then run those payloads against those systems to see if the antivirus version detects the particular payload

04:13

again when working against intrusion detection and prevention systems detection, meaning it'll alert on it prevention, meaning it'll take some action to stop it.

04:23

We can do some packet office cation to prevent the system from detecting the attack or seeing that

04:29

we can do fragmentation, which again breaks up the attack in the multiple packets and so we don't hit everything head on full force And then again, denial of service is something you're definitely going to want to discuss with the client

04:43

prior to engaging any denial of service attack, you know, could cause damage to a system could cause unexpected costs,

04:49

downtime, et cetera.

04:50

So we always want to be explicit and what those methods look like and what that could mean for the client.

04:58

So what is the overall goal of evasion? Well, really, for us, anything that we do is, Ah, the tester is to mimic the efforts of a threat actor, and so we want to remain undetected. We want Thio not provide the defending party with any indicators of compromise,

05:14

and we want to test the capabilities of the client security system. Now remember,

05:18

clearing logs and deleting logs and modifying Long's is really not something that we want to do within the scope of testing. Unless again, it's explicitly indicated is OK by the client because we could delete legitimate long information

05:33

and then if they have any compliance requirements that requires them to keep 30 days worth of Long's actively available or something of that nature, then we wipe those out and they're not backed up for some reason there now, no longer in compliance with whatever requirement,

05:48

maybe present. And so

05:50

we want to take those things into consideration when we want to act like a threat actor. We also want to ensure that we do no harm to the client in that process. So let's do a quick check on learning. True or false evasion is when the organization in question attempts to evade the testers attack

06:08

or attacks.

06:11

All right, so if you need additional time to think about the question, please pause the video. So evasion is win the organization okay in question attempts to evade the testers attacks. And so in this case, evasion is when we, the attest the tester attempt

06:29

to evade the organization's detection methods.

06:32

And so this is a false statement with respect to the context of the discussion that we just had.

06:40

So let's go ahead and skip over to the summary for today's discussion.

06:43

So we started by describing what evasion is and again evasion is just us trying to act as a threat actor. That's also one of the primary goals

06:55

and essentially avoid detection on the system or the ability for the client to see that we are on the system and attacking the system.

07:03

And then we describe some common evasion techniques such as packet fragmentation, super paranoid type scans that are very slow and again taking our time, not trying to go in with a hell Mary and attack every system at once. Being methodical, being slow in the process

07:20

is going to help us in those evasion techniques and in those manners and other things like encryption, tunneling, doing things of that. Nature can also throw off ideas and I ps systems in the process.