Splitting and Merging Objects

  • The methodology used to split or merge objects is very similar to the one used for concatenation.

Original String

string MessageFormat = @"{{""GUID"":""{0}"",""Type"":{1},""Meta"":""{2}"",""IV"":""{3}"",""EncryptedMessage"":""{4}"",""HMAC"":""{5}""}}";

Obfuscated Method

// Requires: using System.Text; (for StringBuilder)
public static string GetMessageFormat // Declare a public static property
{
    get // Return the property value
    {
        var sb = new StringBuilder(@"{{""GUID"":""{0}"","); // Create the StringBuilder with the first substring
        sb.Append(@"""Type"":{1},"); // Append the remaining substrings onto the string
        sb.Append(@"""Meta"":""{2}"",");
        sb.Append(@"""IV"":""{3}"",");
        sb.Append(@"""EncryptedMessage"":""{4}"",");
        sb.Append(@"""HMAC"":""{5}""}}");
        return sb.ToString(); // Return the concatenated string to the caller
    }
}

string MessageFormat = GetMessageFormat; // Read the rebuilt string from the property

Entropy

  • Entropy is the randomness of the data in a file; it is used to determine whether a file contains hidden data or suspicious scripts.
  • To lower entropy, we can replace random identifiers with randomly selected English words. For example, we may change a variable from q234uf to nature.
  • Depending on the EDR employed, a “suspicious” entropy value is roughly anything greater than 6.8.
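
How a scanner arrives at that number, as an added example that is not part of the original notes: Shannon entropy in bits per byte, measured over the whole file and over sliding windows, checked against the ~6.8 figure above. The function names, window sizes and sample data are assumptions made for this illustration; the sample is constructed inline.

```python
import hashlib
import math
from collections import Counter

SUSPICIOUS = 6.8  # approximate threshold quoted in the notes above (bits per byte)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (one repeated byte) to 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())

def high_entropy_windows(data, size=1024, step=512, threshold=SUSPICIOUS):
    """Return (offset, entropy) for every window whose entropy exceeds threshold."""
    hits = []
    last_start = max(len(data) - size, 0)
    for off in range(0, last_start + 1, step):
        h = shannon_entropy(data[off:off + size])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits

# Constructed sample: source-like text wrapped around a 4 KiB pseudo-random blob
# (SHA-256 in counter mode, standing in for encrypted or packed data).
TEXT = b'sb.Append(@"""Type"":{1},"); // Append substrings onto the string\n' * 128
BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE = TEXT + BLOB + TEXT

if __name__ == "__main__":
    print(f"text only : {shannon_entropy(TEXT):.2f}")
    print(f"blob only : {shannon_entropy(BLOB):.2f}")
    print(f"whole file: {shannon_entropy(SAMPLE):.2f}")  # diluted by the text
    for off, h in high_entropy_windows(SAMPLE):
        print(f"window at offset {off}: {h}")
```

The whole-file value for the sample stays under the threshold while the windows over the blob exceed it, which is why per-section or windowed measurement is the more reliable check. Compressed resources legitimately score high as well, so a hit is a triage signal rather than a verdict.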