In this module we will learn how to evade the artifacts that the antivirus may detect from the previous technique.
As we saw in the previous technique, Add-Type was used to run C# code and call Win32 APIs from PowerShell.
Now let's discuss why this is bad.

Now, as we see, we compiled the code from the previous section. Let's investigate it using procmon.exe.

Aha, as we see there is a temporary file creation on the disk for the .cs and the .dll, which may be flagged by the antivirus.
[appdomain]::CurrentDomain.GetAssemblies() | Sort-Object -Property fullname | Format-Table fullname

As we see, the GetAssemblies method shows that the process created a DLL file which was loaded while the script executed.
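As an added example (this is not code from the original post), the listing above can be narrowed down to the assemblies that look like Add-Type artefacts: a real file compiled under the temp directory, an assembly loaded from a byte array with no Location, or a dynamic assembly. It assumes it is run in the same PowerShell session that called Add-Type.

```powershell
# Added example, not from the original post.
# Assumption: run in the same PowerShell session that executed Add-Type.
$tempRoot = [System.IO.Path]::GetTempPath()

$loaded = [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
    $location = $null
    # Assembly.Location throws for dynamic assemblies, so read it defensively
    try { if (-not $_.IsDynamic) { $location = $_.Location } } catch { }

    $fromTemp = (-not [string]::IsNullOrEmpty($location)) -and
                $location.StartsWith($tempRoot, [System.StringComparison]::OrdinalIgnoreCase)
    # Empty Location on a non-dynamic assembly means it was loaded from bytes, not from a file
    $fromBytes = (-not $_.IsDynamic) -and [string]::IsNullOrEmpty($location)

    [PSCustomObject]@{
        Name       = $_.GetName().Name
        IsDynamic  = $_.IsDynamic
        FromTemp   = $fromTemp
        FromBytes  = $fromBytes
        Location   = $location
    }
}

# Only the entries an analyst would want to look at
$loaded |
    Where-Object { $_.IsDynamic -or $_.FromTemp -or $_.FromBytes } |
    Sort-Object Name |
    Format-Table Name, IsDynamic, FromTemp, FromBytes, Location -AutoSize
```

On Windows PowerShell 5.1 an Add-Type compiled assembly shows up with FromTemp set, which is the on-disk artefact procmon revealed; an assembly that shows up with FromBytes set left no file behind and can only be seen from inside the process, so file-based antivirus scanning will not catch it and in-memory or script-logging based detection is needed instead.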
In the next part we will learn how to bypass this and execute the script fully in memory.
In this technique we hope to execute the code in memory and avoid any write to the hard drive.
To perform this technique we will use 2 Win32 APIs.