I have been researching ways to bypass AVs. One of the concepts is detecting whether the malware is being emulated on a host, debugged, or run on a sandbox machine. The issue is I am not sure how to test this.
If I put Mimikatz on a VM with Kaspersky, it gets flagged. This is most likely due to static analysis. Now, if I create a small crypter, I can encrypt Mimikatz and add it to my stub. The stub is then very simple: it just gets the encrypted Mimikatz, decrypts it (hard-coded keys) and then executes it.
If this is placed on a VM with Kaspersky, it is still not detected, even though if it were run in an emulator or sandbox it would be obvious that it is Mimikatz.
My question is: how can I test this process? How can I force the AV to run it in an emulator or sandbox to determine whether it is malicious or not?
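The crypter/stub split described in the question, as an added example that is not part of the original post. It is constructed for illustration: `STUB_KEY` is a made-up hard-coded key, `PAYLOAD` is a harmless marker string standing in for Mimikatz, and the function names are my own. "Execution" here means handing the decrypted bytes back to the caller; no loader or executable memory mapping is performed. What it adds beyond the question is a static-leak self-check, which is the first thing to confirm before concluding that a detection (or the lack of one) is down to emulation rather than signatures.

```python
"""Added example: minimal crypter/stub split with a static-leak self-check.
Constructed for illustration; the payload is a harmless marker string, not
Mimikatz, and 'execution' only means returning the decrypted bytes."""

from typing import Optional

# Hard-coded key, as in the stub described in the question (constructed value).
STUB_KEY = b"hard-coded-stub-key-0001"

# Constructed stand-in for the real payload. For a detection test you would
# substitute a deterministic detection oracle such as the EICAR test string.
PAYLOAD = b"MARKER: this is the payload the AV should recognise once decrypted\n" * 4


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Symmetric: the same call encrypts and decrypts.
    Chosen because it is tiny and byte-oriented, which is why crypter stubs
    favour it; it offers no meaningful confidentiality guarantee."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crypter_build(key: bytes, payload: bytes) -> bytes:
    """Crypter side: produce the blob that gets embedded in the stub."""
    return rc4(key, payload)


def stub_run(key: bytes, blob: bytes) -> bytes:
    """Stub side: decrypt with the hard-coded key and 'execute'.
    A real stub would next map the bytes into executable memory; here the
    decrypted bytes are simply returned so the caller can inspect them."""
    return rc4(key, blob)


def plaintext_leaks(blob: bytes, payload: bytes, window: int = 8) -> Optional[int]:
    """Static-leak self-check: does any `window`-byte run of the plaintext
    appear verbatim in the blob? Returns the first leaking payload offset, or
    None. A signature scanner only needs one such run, so confirm this before
    attributing a detection to dynamic analysis."""
    for off in range(0, max(1, len(payload) - window + 1)):
        if payload[off:off + window] in blob:
            return off
    return None


if __name__ == "__main__":
    blob = crypter_build(STUB_KEY, PAYLOAD)
    print("blob bytes:", len(blob), "plaintext leak at:", plaintext_leaks(blob, PAYLOAD))
    print("round trip ok:", stub_run(STUB_KEY, blob) == PAYLOAD)
```

To turn this into the test the question asks for, swap the marker for the EICAR test string: if the encrypted blob is flagged at scan time, the AV's emulator reached the decrypt; if it is flagged only once the stub actually runs, the catch came from runtime memory or behaviour scanning; if it is never flagged, neither stage saw the plaintext. Which of those a given vendor does cannot be forced from the outside, only observed.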