the art of av evasion - or lack thereof
TRANSCRIPT
WHOAMI
◉ Sys Admin Turned Red Teamer for Mandiant
◉ Florida State Seminole
◉ Open Source Software Developer
  ○ Veil-Framework
  ○ EyeWitness
  ○ Egress-Assess
What is this talk about?
◉ Stager Background
◉ Veil-Evasion’s AV Bypass Approach
◉ Signatured - DOH!
◉ An Experiment I Conducted
◉ Process Creation
What are stagers?
◉ Can be referred to as “stage 1”
  ○ This can be msfvenom or Veil-Evasion output
◉ The goal for these is (typically) to inject shellcode into memory
  ○ The shellcode’s task is usually to download and inject a reflective DLL
  ○ Or anything you specify
◉ This is essentially a loader for your real malware
What are stagers?
◉ Any language that has a means to access Windows functions can be used to develop stagers!
  ○ This can open up a ton of options
◉ Interacting with Windows functionality isn’t all that scary!
  ○ It’s just four function calls
Shellcode Injection Basics
◉ Allocate memory to store shellcode, and set proper memory protections
◉ Copy the shellcode that you want to run into the previously allocated memory
◉ Create a thread to execute the shellcode
◉ Have your code run until the thread has completed execution (you exit Meterpreter)
VirtualAlloc
◉ Allocates memory within the current process
  ○ How much memory should it allocate (shellcode size)?
  ○ Which permissions should be assigned to the allocated memory?
    ■ RWX?
    ■ W?
RtlMoveMemory
◉ Moves shellcode into the memory space that’s been allocated
  ○ Needs a pointer indicating where to copy the shellcode to (VirtualAlloc output)
  ○ A pointer indicating where you are copying “data” from
  ○ The length of data (shellcode) to copy
CreateThread
◉ This function creates a new thread for the copied shellcode
  ○ Needs a pointer to the start of the code (shellcode) that you want to run in a new thread
  ○ Schedule the thread to run immediately
WaitForSingleObject
◉ This function tells the program (stager main) to wait to exit until the thread completes
  ○ A handle to the thread that was just created (output from CreateThread)
  ○ A value (-1) instructing the program to wait until the thread has finished running
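The same four-call sequence is what a defender looks for in behavioural telemetry. The block below is an added example, not code from the talk or from the Veil-Framework: it runs simple detection logic over a constructed API-call trace. The trace format (one `pid=… api=… key=value` line per call) and its field names are assumptions for the example, not any real sandbox’s output. Per process it tracks VirtualAlloc calls that request PAGE_EXECUTE_READWRITE (0x40), copies into those regions, and CreateThread calls whose start address falls inside one of them.

```python
import re
from collections import defaultdict

# Win32 memory protection constant for RWX pages (documented value).
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample trace, not real sandbox output: one user-mode API call
# per line. Process 4120 performs the four-call stager sequence; process 5588
# allocates read/write memory and starts a thread at an address outside it.
SAMPLE_TRACE = """\
pid=4120 api=VirtualAlloc addr=0x0 size=0x1000 protect=0x40 ret=0x1f0000
pid=4120 api=RtlMoveMemory dst=0x1f0000 src=0x7ff6a010 len=0x2a8
pid=4120 api=CreateThread start=0x1f0000 flags=0x0 ret=0x1c4
pid=4120 api=WaitForSingleObject handle=0x1c4 timeout=0xffffffff
pid=5588 api=VirtualAlloc addr=0x0 size=0x10000 protect=0x4 ret=0x2a0000
pid=5588 api=RtlMoveMemory dst=0x2a0000 src=0x7ff6b000 len=0x8000
pid=5588 api=CreateThread start=0x7ff6c120 flags=0x0 ret=0x1d8
"""

FIELD_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\w+)")


def parse_line(line):
    """Turn one 'key=value ...' line into a dict; hex and decimal become ints."""
    record = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith("0x"):
            record[key] = int(value, 16)
        elif value.isdigit():
            record[key] = int(value)
        else:
            record[key] = value
    return record


def region_containing(regions, address):
    """Return the base of the tracked region that contains address, else None."""
    for base, size in regions:
        if base <= address < base + size:
            return base
    return None


def detect_injection_sequences(trace_text):
    """Flag threads started inside RWX memory the same process allocated.

    Returns a list of (pid, region_base, copy_seen) tuples. copy_seen records
    whether a copy into the region was observed before the thread started;
    RtlMoveMemory is often inlined or unhooked, so the allocate-then-execute
    pair is reported even when no copy was seen.
    """
    rwx_regions = defaultdict(list)   # pid -> [(base, size), ...]
    written = defaultdict(set)        # pid -> {bases that received a copy}
    alerts = []
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        pid, api = rec["pid"], rec["api"]
        if api == "VirtualAlloc" and rec.get("protect") == PAGE_EXECUTE_READWRITE:
            rwx_regions[pid].append((rec["ret"], rec["size"]))
        elif api == "RtlMoveMemory":
            base = region_containing(rwx_regions[pid], rec["dst"])
            if base is not None:
                written[pid].add(base)
        elif api == "CreateThread":
            base = region_containing(rwx_regions[pid], rec["start"])
            if base is not None:
                alerts.append((pid, base, base in written[pid]))
    return alerts


if __name__ == "__main__":
    for pid, base, copied in detect_injection_sequences(SAMPLE_TRACE):
        print(f"pid {pid}: thread started in RWX region 0x{base:x} "
              f"(copy observed: {copied})")
```

Only process 4120 is reported. The rule keys on the protection flag and on the thread start address rather than on the call names alone, because a stager written in any language still has to ask for executable memory and point a thread at it, which is why the talk’s observation that the language barely matters to a signature engine matters much less to a behavioural one.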
AV Methods of Detection
◉ Signature Based
  ○ This is what Veil-Evasion attempts to bypass
◉ Heuristics Based
◉ “Crowd Sourced”
  ○ Reputation
Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
  ○ Hyperion
◉ Custom Code
◉ Multiple different ways to approach bypassing AV
Veil-Evasion’s Approach
◉ We are combating on-disk detection through different techniques:
  ○ Obfuscated code
  ○ Encrypted code
  ○ Non-standard languages for Windows binaries
    ■ Python, Ruby, Perl, etc.
    ■ Flat payloads vs. others
Veil-Evasion’s Approach
◉ Using a language that’s not C or C# made a big difference
  ○ AV programs didn’t know or didn’t properly inspect non-standard languages
◉ Example:
  ○ C Flat vs. Python Flat
Close Enough to June V-Day
◉ It’s been a little while since our last V-Day
  ○ Sorry, life…
◉ I have a module I wrote a while ago that’s been fairly successful
◉ It’s Python based
◉ Let’s release it today!
Remember Hyperion?
◉ I briefly mentioned Hyperion before
◉ Hyperion is a cool concept
  ○ It works by completely encrypting an executable
  ○ It wraps a decoder stub around the executable
  ○ Hyperion uses a purposefully restricted keyspace for generating the encryption key
  ○ The decryption key is NOT within the executable
  ○ The executable brute forces itself at runtime and, once decrypted, runs the original executable
Remember Hyperion?
◉ This is a pretty nifty idea; it shouldn’t be hard to write in a higher level language.
◉ However, there is an issue/feature when performing decryption routines
  ○ If I don’t provide the right key, I don’t get an alert, I just get decrypted garbage
Remember Hyperion?
◉ So I can’t just try/except my way through this module for incorrect keys
◉ Let’s perform a chosen plaintext attack!
  ○ Attack where we specify the plaintext and can observe the ciphertext
◉ Small modification of this will let me make a Python based Hyperion-esque module
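The known-plaintext check described above cuts both ways: a deliberately restricted keyspace that a stub can search at runtime is one an analyst unpacking the sample can search just as quickly, and the same check tells both of them when the right key has been found. The block below is an added example, not Hyperion’s code or the talk’s module. It uses a toy keystream (SHA-256 in counter mode under a 16-bit key) as a stand-in for the real cipher; the key size, the cipher and the sample bytes are all assumptions. It shows the cost of the brute force and why the known plaintext must be long enough: with a two-byte marker, wrong keys can pass the check by coincidence, while an eight-byte marker leaves a single candidate.

```python
import hashlib
import struct

KEY_BYTES = 2                                  # toy restricted keyspace: 2**16 keys (assumption)
KNOWN_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"   # typical start of a DOS/PE header: the known plaintext


def keystream(key, length):
    """Toy keystream: SHA-256(key || counter), a stand-in for the real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(plaintext, key):
    """XOR stream cipher, so the same function also decrypts."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def candidate_keys(blob, marker_len):
    """Every key in the keyspace whose decryption of the first marker_len bytes
    equals the known plaintext. A wrong key passes with probability about
    2**-(8*marker_len), so over 2**16 keys a 2-byte marker yields roughly one
    spurious hit, while an 8-byte marker yields essentially none."""
    marker = KNOWN_PREFIX[:marker_len]
    hits = []
    for value in range(1 << (8 * KEY_BYTES)):
        key = value.to_bytes(KEY_BYTES, "little")
        if xor_bytes(blob[:marker_len], keystream(key, marker_len)) == marker:
            hits.append(key)
    return hits


def recover(blob, marker_len=len(KNOWN_PREFIX)):
    """Analyst-side recovery: brute force the keyspace, validate with the marker,
    and refuse to guess when the marker is too short to single out one key."""
    keys = candidate_keys(blob, marker_len)
    if len(keys) != 1:
        raise ValueError(f"{len(keys)} keys passed the {marker_len}-byte check; use a longer marker")
    return keys[0], encrypt(blob, keys[0])


# Constructed sample: a fake "executable" whose bytes start with the known prefix.
SAMPLE_PLAINTEXT = KNOWN_PREFIX + b"constructed payload body, not a real PE"
SAMPLE_KEY = (0xBEEF).to_bytes(KEY_BYTES, "little")
SAMPLE_BLOB = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover(SAMPLE_BLOB)
    print("recovered key:", key.hex(), "plaintext ok:", plain == SAMPLE_PLAINTEXT)
    print("keys passing a 2-byte check:", len(candidate_keys(SAMPLE_BLOB, 2)))
```

The whole 65,536-key search takes a fraction of a second, which is the point of the restricted keyspace for the packer and the reason it is no obstacle to analysis. The marker-length check is the practical lesson: a decryption routine that returns garbage rather than an error needs enough known plaintext that a coincidental match is negligible, otherwise the brute force stops early on the wrong key.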
Notification of Signature
◉ I was pretty excited to see if someone finally figured Veil-Evasion out.
◉ Previous attempts have turned out kind of humorous..
ShowMeCon Prep
◉ I originally wanted to start looking into a brand new bypass to release for ShowMeCon
◉ Started looking into it, and immediately was disappointed in one vendor.
What did I try?
◉ Generated payload - Caught
◉ Removed the shellcode - Caught
◉ Renamed CTypes library (extra length) - Caught
◉ Commented out Windows function calls
  ○ From one, to all of them
  ○ Caught
◉ Deleted ALL THE THINGS and did a “Hello World from Veil” test
What about in Windows?
◉ Test this functionality out in Windows!
  ○ This just seems odd..
◉ Build a Python-based payload, but just the source
◉ “Compile” the script in Windows
◉ See what happens
  ○ Need to figure out the “baseline signature”
What are my Thoughts?
◉ This leads me to believe Avast is developing signatures for binaries generated by Veil-Evasion, regardless of whether they are malicious.
  ○ Let’s test this by generating a Windows binary outside of Veil-Evasion, but within Kali.
What did I Learn?
◉ Avast has chosen the shotgun approach of just blacklisting Windows binaries made by PyInstaller within Linux
◉ So this leads to two observations..
  ○ They’re going to be potentially blacklisting valid programs
  ○ Just “compile” your payload in Windows :)
Experiment Outline
◉ Generate most of the payloads currently in Veil-Evasion
◉ Test against multiple vendors, ensuring the ones I see most are included
◉ Differentiate between detected binaries, suspect/reputation based detections, and clean results
◉ Record the results
Predictions?
◉ Generally - most modules will bypass AV
◉ There will be some that are caught
  ○ C or C# based payloads
  ○ Probably some of the “Flat” modules
◉ Python based modules are the original ones, and likely will be caught
◉ Newer languages like Go will bypass AV
◉ “Pure” stagers will bypass AV
◉ PowerShell wins
The ability to detect an open source virus as the single datapoint for determining which antivirus product to buy isn’t the best evidence for your decision.
Observations
◉ A lot of interesting information:
  ○ Of all the payloads generated against all the tested AVs, almost 50% are determined to be virus free
  ○ Ruby Base64 encoded payload is the least detected payload
  ○ C# Flat is the most detected payload
  ○ McAfee is the worst at detecting Veil-Evasion payloads
  ○ AVG is the best at detecting Veil-Evasion payloads
Observations
◉ Crowd-sourcing antivirus detection can be an option, but will heavily rely on:
  ○ The number of nodes submitting to the cloud
  ○ The configuration of your system
    ■ How does it respond on low, medium, high, etc. reputations?
  ○ Does it just ignore and/or not use signatures?
Wrapup
◉ Antivirus isn’t a brick wall
◉ The tiniest modifications can bypass antivirus
◉ AV vendors are human, and make human decisions when choosing how to make signatures
  ○ You can exploit this
◉ Anyone can develop new ways to bypass AV
◉ Seriously…
  ○ I’m not an expert, anyone can do this
Develop Your Process
◉ I approach AV how I approach red teaming environments I don’t know
  ○ I see stuff I have not ever touched before all the time, and I need to learn to abuse it
  ○ Develop your process for interacting with technology (or AV signatures) you’ve never encountered
A difference between an experienced professional and someone new to the field is that the pro is confident in their own methodology when encountering unknowns and being successful
Any questions?
Reach out to me!
◉ @ChrisTruncer
◉ https://www.christophertruncer.com
◉ https://www.github.com/ChrisTruncer
Thanks!