
BOAZ, Yet Another Layered Evasion Tool: Evasion Tool Evaluations and AV Testing

Macfarlane, Rich; Xuan Meng, Thomas

Authors

Thomas Xuan Meng
Abstract

In the rapidly evolving landscape of cybersecurity, evasion techniques are increasingly deployed in organizational vulnerability assessments and increasingly found during the post-discovery investigation of security incidents, a trend driven by more sophisticated defense mechanisms. However, there is no consensus on how antivirus (AV) performance against evasion methods and techniques can be methodically evaluated.

Antivirus (AV) solutions, serving as the last line of defense on users' endpoint devices, have evolved into highly complex entities, often operated as 'black boxes' from the user's perspective due to proprietary and security reasons. This dynamic places researchers and attackers in similar positions. While malware authors can fingerprint AV detection mechanisms through various evasion techniques, researchers can employ similar methods to identify improvement opportunities in security products.

Our study aims to bridge the gap in empirical research on the performance of up-to-date antivirus solutions against evasion frameworks and methods in the latest Windows environment with all defense features enabled. As a by-product of this study, I developed a custom evasion framework named BOAZ, which served as an additional and flexible AV evaluation tool. This framework is complemented by a comprehensive suite of 17 evasion tools, evaluated against 71 online AV engines and 14 carefully selected desktop AV solutions. The experimental results revealed significant insights: contemporary AVs can be successfully compromised by understanding the building blocks of evasion detection and strategically combining existing evasion methods, without requiring advanced programming skills or zero-day exploits. Moreover, the study revealed the iterative relationship between signature-based and behavioural detections across detection phases.

Citation

Macfarlane, R., & Xuan Meng, T. (2024, August). BOAZ, Yet Another Layered Evasion Tool: Evasion Tool Evaluations and AV Testing. Presented at blackhat USA 2024, Las Vegas, US

Presentation Conference Type: Presentation / Talk
Conference Name: blackhat USA 2024
Start Date: Aug 3, 2024
End Date: Aug 8, 2024
Deposit Date: Sep 23, 2024
Peer Reviewed: Not Peer Reviewed
Keywords: Offensive Security, Malware, Evasion, Exploitation