Antivirus has long been considered the first line of defense when malicious actors attempt to compromise a target machine, but it is not a silver bullet for defending against cyberattacks—particularly when new vulnerabilities are discovered and exploited. Rapid7’s Metasploit team has been researching techniques to evade common antivirus products so the broader security community can boost their security defenses by better anticipating and mitigating these approaches.
Rapid7’s Metasploit team has introduced several new capabilities into Metasploit to support antivirus evasion, including a code randomization framework, novel antivirus emulation-detecting code, encoding and encrypting routines, and a new evasion module type to make it easy to add further evasion techniques into Metasploit.
These capabilities help module developers and users build solutions for penetration testers who are pushing the boundaries of customer defenses, assist researchers and developers in improving and testing defensive tools, and enable IT professionals to more effectively illustrate evolving attacker techniques.
In this whitepaper, we offer details of the engineering work that underpins Metasploit’s new evasion capabilities, as well as example code for creating an evasion module yourself.