1. Introduction

#AVEvasion #Golang #maldev #malwaredevelopment

Antivirus (AV) is software installed on a host to stop malicious executables from running.

Whether an executable is malicious is decided either from "static" signatures or from the executable's behaviour (in a sandbox or at runtime).

  • Static analysis usually looks at the hash of the executable, known byte patterns, the Import Address Table, etc. at the moment the executable hits the disk. The same signatures are also applied to process memory (memory scanning), not only to files.

  • Behavioural detection looks for certain patterns at runtime. For example, in a meterpreter session, when the migrate command is used, MS Defender kills the session immediately even though the payload itself ran successfully, because Defender detected the process injection sequence.

  • Sandbox analysis: the AV may first run the executable in an isolated environment (a sandbox or emulator) to check for malicious behaviour before actually letting it run on the host. Malware that wants to survive this step has to detect or outlast the sandbox, which is what "sandbox evasion" refers to.
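To make the static-versus-memory point from the first bullet concrete, here is a toy static engine in Go. It is an added example written for this page, not code from the series or from any AV product: it combines a SHA-256 blocklist with byte-pattern signatures and runs them over a constructed sample blob. The one real signature is the well-known prologue of msfvenom's windows/x64 stagers (`FC 48 83 E4 F0 E8 C0 00 00 00`); the blocklist entry is just the hash of the constructed sample, and the XOR key 0x5A is an arbitrary choice. The sample is filler and is never executed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// msfX64Prologue is the first ten bytes of msfvenom's windows/x64 stagers
// (cld; and rsp,-0x10; call ...). It is a real, widely signatured pattern.
var msfX64Prologue = []byte{0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00}

type signature struct {
	name    string
	pattern []byte
}

// signatures is the toy engine's byte-pattern rule set.
var signatures = []signature{
	{"msf_x64_prologue", msfX64Prologue},
}

// samplePayload is a constructed stand-in for a staged shellcode blob: the
// real prologue followed by NOP filler. It is inert and only ever scanned.
var samplePayload = append(append([]byte{}, msfX64Prologue...), bytes.Repeat([]byte{0x90}, 22)...)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ScanStatic returns the name of every rule that fires on buf: a hash hit
// against the blocklist first, then any byte pattern found in the buffer.
func ScanStatic(buf []byte, hashBlocklist map[string]bool) []string {
	var hits []string
	if hashBlocklist[sha256Hex(buf)] {
		hits = append(hits, "hash_blocklist")
	}
	for _, sig := range signatures {
		if bytes.Contains(buf, sig.pattern) {
			hits = append(hits, sig.name)
		}
	}
	return hits
}

// XorBytes encodes buf with a single-byte key; applying it again decodes.
func XorBytes(buf []byte, key byte) []byte {
	out := make([]byte, len(buf))
	for i, b := range buf {
		out[i] = b ^ key
	}
	return out
}

func main() {
	// Blocklist seeded with the hash of the plain sample (constructed, not a real AV entry).
	blocklist := map[string]bool{sha256Hex(samplePayload): true}

	fmt.Println("on disk, plain:    ", ScanStatic(samplePayload, blocklist))

	// The same blob stored XOR-encoded: the hash changes and the prologue is gone.
	encoded := XorBytes(samplePayload, 0x5A)
	fmt.Println("on disk, encoded:  ", ScanStatic(encoded, blocklist))

	// What a loader materialises in memory before running it: the original bytes,
	// so a memory scan with the same rules matches again.
	inMemory := XorBytes(encoded, 0x5A)
	fmt.Println("in memory, decoded:", ScanStatic(inMemory, blocklist))
}
```

The plain blob trips both rules, the encoded copy trips neither, and the decoded copy trips both again. That is exactly why "static" checks are not only run when a file lands on disk: an encoded payload that is clean on disk looks like the original the moment the loader decodes it in memory.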

Defender has gotten pretty good at detecting the 'classic shellcode injection' technique (allocate executable memory, copy the shellcode in, start a thread on it). I will start by modifying that code to get it to run on a fully patched Windows host.

Note: this will not work against most modern EDRs. That is something I will cover in more detail later in the series.
