This guide provides a validated summary and outline for Evasion Engineering, a practical resource for security professionals transitioning from penetration testing to advanced red team operations.
Purchase at NoStarch here: https://nostarch.com/evasion-engineering
ISBN-13: 9781718505049 ISBN-10: 1718505043
As defensive capabilities evolve to include advanced behavioral and heuristic detection, traditional payload modification is no longer sufficient. This book teaches the development of custom tools from the ground up to maintain an advantage over modern detection systems.
- Beyond Indicator Obfuscation: Move past simple signature evasion to mastering behavioral-level bypasses.
- The Three Rs: Learn to develop code that follows the principles of Robustness, Reusability, and Reliability for long-term operational effectiveness.
- Custom Tooling Over LOLBins: Reduce the risk of immediate detection by replacing commonly monitored Living-off-the-Land Binaries (LOLBins) with custom Go-based implementations.
- Target Learners: Penetration testers seeking to become skilled red team operators.
- Technical Requirements: Experience with web, cloud (AWS/GCP), Linux, and networking is required.
- Core Language: The book makes extensive use of the Go programming language for its labs.
- Note: This is not a beginner's book; it does not cover foundational topics like code interpretation or operating system backend concepts.
The book is organized into three distinct parts, moving from core design principles to hands-on tool development and final validation.
- Chapter 1: Principles of Application Design and Development: Introduces the "Three Rs" through practical techniques like requirement matrices, modular functions with exception handling, and building multistage payloads.
- Chapter 2: Evasion Strategies: Explores techniques to delay forensic analysis, including timing randomization, custom low-entropy encryption, and syscall-based enumeration to avoid spawning shell processes.
- Chapter 3: Enumerating with Traffic Redirection: Covers automating cloud-based scanning using AWS CloudFormation, Lambda scanners, and Tailscale-enabled EC2 proxies with IP rotation scripts.
- Chapter 4: Developing Command-and-Control Implants: Details a custom Go C2 implant using GCP Firestore for command queuing and decimal encoding for credential protection.
- Chapter 5: Creating Lateral Exploits with Worms: Guides the development of an SSH worm equipped with honeypot detection, mutex files to prevent reinfection, and exponential backoff for credential spraying.
- Chapter 6: Enumerating Locally Without LOLBins: Teaches how to replace common tools like whoami and hostname with five Go-based tools that avoid shell execution via runtime libraries and LDAP queries.
- Chapter 7: Bypassing Detection with Hybrid Packing: Demonstrates a three-stage workflow converting executables to shellcode, compressing them, and disguising the payload as a list of benign IPv4 addresses for in-memory execution.
- Chapter 8: Staging and Exfiltrating Data Covertly: Details a pipeline for bypassing DLP by staging data in CAB files and exfiltrating it as hex-encoded GCP Cloud Logging entries.
- Chapter 9: Building Detection Tools: Features a Go binary analyzer to identify suspicious packages and a Python network detector that uses statistical analysis to find beaconing and scanning patterns.
- Chapter 10: Executing Controlled Reveals: Uses CloudFormation templates to simulate ransomware TTPs and suspicious IAM operations to validate detection pipelines via CloudTrail and CloudWatch.
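The LOLBin-free enumeration idea from Chapter 6 (and the "no shell process" point from Chapter 2) is easy to show in a few lines of Go. The example below is added here as an illustration and is not code from the book or its author; the `HostInfo` type and `Enumerate` function are names chosen for this page. The security point is that `whoami`, `hostname` and `ifconfig` each become a process-creation event in EDR telemetry, whereas reading the same facts through Go's standard library issues only the underlying syscalls (uname, getuid, netlink) from the already-running binary.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"os/user"
	"runtime"
	"strconv"
)

// HostInfo is the result of LOLBin-free local enumeration. Every field is
// filled through Go's runtime and standard library rather than by spawning
// whoami, hostname, id or ifconfig as child processes.
type HostInfo struct {
	Hostname string
	Username string
	UID      int
	OS       string
	Arch     string
	IPv4     []string
	Warnings []string // non-fatal lookup failures, kept so partial results stay usable
}

// Enumerate gathers host identity without exec'ing any external binary.
func Enumerate() HostInfo {
	info := HostInfo{OS: runtime.GOOS, Arch: runtime.GOARCH, UID: os.Getuid()}

	// Replacement for `hostname`: os.Hostname reads the kernel value directly.
	if h, err := os.Hostname(); err == nil {
		info.Hostname = h
	} else {
		info.Hostname = "unknown"
		info.Warnings = append(info.Warnings, "hostname: "+err.Error())
	}

	// Replacement for `whoami`: user.Current resolves the current uid via the
	// passwd database. If the uid has no passwd entry (common in minimal
	// containers) fall back to the numeric id instead of failing outright.
	if u, err := user.Current(); err == nil {
		info.Username = u.Username
	} else {
		info.Username = strconv.Itoa(info.UID)
		info.Warnings = append(info.Warnings, "user: "+err.Error())
	}

	// Replacement for `ip addr` / `ifconfig`: interface addresses via netlink.
	ifaces, err := net.Interfaces()
	if err != nil {
		info.Warnings = append(info.Warnings, "interfaces: "+err.Error())
		return info
	}
	for _, iface := range ifaces {
		addrs, err := iface.Addrs()
		if err != nil {
			continue
		}
		for _, a := range addrs {
			if ipn, ok := a.(*net.IPNet); ok && ipn.IP.To4() != nil {
				info.IPv4 = append(info.IPv4, iface.Name+"="+ipn.IP.String())
			}
		}
	}
	return info
}

func main() {
	fmt.Printf("%+v\n", Enumerate())
}
```

Failures are recorded in `Warnings` rather than aborting, because an operator usually prefers partial enumeration to no result. The LDAP-backed tools the chapter also mentions are not shown here.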
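The "compress, then disguise as IPv4 addresses" stage of the Chapter 7 hybrid-packing workflow can be demonstrated on its own. The following is an added example written for this page, not the book's implementation: `PackToIPv4` gzips a byte slice and emits it as dotted-quad strings (four payload bytes per address behind a 4-byte length prefix), and `UnpackFromIPv4` reverses it. The `SamplePayload` is constructed filler standing in for converter output; the in-memory execution step the chapter describes is intentionally not included.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/binary"
	"fmt"
	"io"
	"net/netip"
)

// PackToIPv4 compresses payload bytes and re-expresses the result as a list of
// dotted-quad strings, four bytes per "address". A 4-byte big-endian length
// prefix lets the decoder strip the zero padding added to reach a multiple of
// four, so the stored blob looks like configuration data rather than code.
func PackToIPv4(payload []byte) ([]string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(payload); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	compressed := buf.Bytes()

	// Frame layout: [uint32 len(compressed)][compressed][zero pad to len%4==0]
	frame := make([]byte, 4, 4+len(compressed)+3)
	binary.BigEndian.PutUint32(frame, uint32(len(compressed)))
	frame = append(frame, compressed...)
	for len(frame)%4 != 0 {
		frame = append(frame, 0)
	}

	addrs := make([]string, 0, len(frame)/4)
	for i := 0; i < len(frame); i += 4 {
		var quad [4]byte
		copy(quad[:], frame[i:i+4])
		addrs = append(addrs, netip.AddrFrom4(quad).String())
	}
	return addrs, nil
}

// UnpackFromIPv4 reverses PackToIPv4: parse each address back into four bytes,
// read the length prefix, drop the padding, and gunzip. In the Chapter 7
// workflow the returned bytes would be shellcode handed to an in-memory
// loader; that step is deliberately not part of this example.
func UnpackFromIPv4(addrs []string) ([]byte, error) {
	frame := make([]byte, 0, len(addrs)*4)
	for _, s := range addrs {
		a, err := netip.ParseAddr(s)
		if err != nil || !a.Is4() {
			return nil, fmt.Errorf("not an IPv4 literal: %q", s)
		}
		quad := a.As4()
		frame = append(frame, quad[:]...)
	}
	if len(frame) < 4 {
		return nil, fmt.Errorf("frame too short")
	}
	n := binary.BigEndian.Uint32(frame[:4])
	if int(n) > len(frame)-4 {
		return nil, fmt.Errorf("length prefix %d exceeds frame size", n)
	}
	zr, err := gzip.NewReader(bytes.NewReader(frame[4 : 4+n]))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// SamplePayload is constructed filler standing in for the output of an
// executable-to-shellcode converter; it is not a real payload.
var SamplePayload = bytes.Repeat([]byte("constructed-sample-payload-bytes-"), 8)

func main() {
	addrs, err := PackToIPv4(SamplePayload)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d addresses, first: %s\n", len(addrs), addrs[0])
	out, err := UnpackFromIPv4(addrs)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(out, SamplePayload))
}
```

One caveat a defender will notice: octets produced from gzip output are close to uniformly distributed, so a long list with many 0.x, 255.x or otherwise unroutable "addresses" is itself a detectable anomaly. That is exactly the kind of feature the binary analyzer in Chapter 9 can key on.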
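Chapter 9's statistical detector for beaconing and scanning is the defensive mirror of the timing randomization in Chapter 2, and the core test is small enough to show. The example below is added for this page (in Go, to keep one language across the page; the book's network detector is described as Python) and is not the book's code. `DetectBeacons` flags source/destination pairs whose connection gaps have a low coefficient of variation (stddev/mean), `DetectScanners` flags sources touching many distinct ports on one host, and `SampleFlows` is constructed data standing in for Zeek or NetFlow records.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Flow is one connection record: epoch seconds, source host, destination host
// and destination port. A real detector would read these from Zeek conn.log,
// NetFlow or firewall logs; here they are constructed inline.
type Flow struct {
	T     int64
	Src   string
	Dst   string
	DPort int
}

// DetectBeacons returns src->dst pairs whose inter-arrival times are
// suspiciously regular. Regularity is the coefficient of variation
// (stddev/mean) of the gaps between consecutive connections: an implant that
// checks in every 60s with slight jitter gives a CV near 0, while human
// browsing gives a CV well above 1. Pairs with fewer than minEvents flows are
// skipped so a handful of coincidental connections is not judged.
func DetectBeacons(flows []Flow, minEvents int, maxCV float64) map[string]float64 {
	byPair := map[string][]int64{}
	for _, f := range flows {
		key := f.Src + "->" + f.Dst
		byPair[key] = append(byPair[key], f.T)
	}
	hits := map[string]float64{}
	for key, ts := range byPair {
		if len(ts) < minEvents {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
		gaps := make([]float64, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, float64(ts[i]-ts[i-1]))
		}
		if cv := coefficientOfVariation(gaps); cv <= maxCV {
			hits[key] = cv
		}
	}
	return hits
}

// coefficientOfVariation is population stddev divided by mean.
func coefficientOfVariation(xs []float64) float64 {
	var sum float64
	for _, x := range xs {
		sum += x
	}
	mean := sum / float64(len(xs))
	if mean == 0 {
		return math.Inf(1)
	}
	var ss float64
	for _, x := range xs {
		ss += (x - mean) * (x - mean)
	}
	return math.Sqrt(ss/float64(len(xs))) / mean
}

// DetectScanners returns src->dst pairs where the source touched at least
// minPorts distinct destination ports: the vertical-scan signature a worm or
// enumeration tool leaves even when each individual probe looks benign.
func DetectScanners(flows []Flow, minPorts int) map[string]int {
	ports := map[string]map[int]bool{}
	for _, f := range flows {
		key := f.Src + "->" + f.Dst
		if ports[key] == nil {
			ports[key] = map[int]bool{}
		}
		ports[key][f.DPort] = true
	}
	hits := map[string]int{}
	for key, set := range ports {
		if len(set) >= minPorts {
			hits[key] = len(set)
		}
	}
	return hits
}

// SampleFlows is constructed data: a 60s beacon with 1-2s jitter, a host with
// irregular web traffic, and a host sweeping 25 ports on one target at
// pseudo-random offsets.
func SampleFlows() []Flow {
	const base = int64(1700000000)
	var flows []Flow
	for _, off := range []int64{0, 60, 119, 181, 240, 299, 361, 420} {
		flows = append(flows, Flow{base + off, "10.0.0.5", "203.0.113.7", 443})
	}
	for _, off := range []int64{0, 3, 45, 47, 200, 260, 261, 900} {
		flows = append(flows, Flow{base + off, "10.0.0.6", "198.51.100.20", 443})
	}
	for p := 1; p <= 25; p++ {
		flows = append(flows, Flow{base + int64((p*37)%101), "10.0.0.9", "10.0.0.20", p})
	}
	return flows
}

func main() {
	flows := SampleFlows()
	fmt.Println("beacons:", DetectBeacons(flows, 5, 0.2))
	fmt.Println("scanners:", DetectScanners(flows, 10))
}
```

The threshold is the whole game: the jitter an implant adds (Chapter 2) raises the CV, and a defender who loosens `maxCV` to catch it pays in false positives from legitimately periodic traffic such as NTP or update checks, which is why real deployments add an allowlist on top of this test.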
