Anti-Virus / EDR

Bypass techniques for defeating modern anti-virus solutions

If possible, avoid dropping compiled binaries onto hosts. Common EXE payloads tend to be detected.

If using an EXE payload, the following techniques can be used to avoid detection.

  • Ghostwriting: Tweaking the assembly, adding NOPs, increments, decrements, etc.

  • Shellter: Hiding shellcode in an existing EXE

  • Donut: Hiding shellcode within a .NET assembly

Use script payloads when possible; they have endless obfuscation options and can run until the antivirus times out. Some technologies are starting to detect actions after execution, which prevents some of the time-based attacks.
