Slide 1
The Art of AV Evasion - Or Lack Thereof
@ChrisTruncer
Slide 2: WHOAMI
◉ Sys Admin Turned Red Teamer for Mandiant
◉ Florida State Seminole
◉ Open Source Software Developer
  ○ Veil-Framework
  ○ EyeWitness
  ○ Egress-Assess
Slide 3: What is this talk about?
◉ Stager Background
◉ Veil-Evasion’s AV Bypass Approach
◉ Signatured - DOH!
◉ An Experiment I Conducted
◉ Process Creation
Slide 4: Stagers
Slide 5: What are stagers?
◉ Can be referred to as “stage 1”
  ○ This can be msfvenom or Veil-Evasion output
◉ The goal of these is (typically) to inject shellcode into memory
  ○ The shellcode’s task is usually to download and inject a reflective DLL
  ○ Or anything you specify
◉ This is essentially a loader for your real malware
Slide 6: What are stagers?
◉ Any language that has a means to access Windows functions can be used to develop stagers!
  ○ This can open up a ton of options
◉ Interacting with Windows functionality isn’t all that scary!
  ○ It’s just four function calls
Slide 7: Shellcode Injection Basics
◉ Allocate memory to store shellcode, and set proper memory protections
◉ Copy the shellcode that you want to run into the previously allocated memory
◉ Create a thread to execute the shellcode
◉ Have your code run until the thread has completed execution (you exit Meterpreter)
Slide 8: VirtualAlloc
◉ Allocates memory within the current process
  ○ How much memory should it allocate (shellcode size)?
  ○ Which permissions should be assigned to the allocated memory?
    ■ RWX?
    ■ W?
Slide 9: RtlMoveMemory
◉ Moves shellcode into the memory space that’s been allocated
  ○ Needs a pointer indicating where to copy the shellcode to (VirtualAlloc output)
  ○ A pointer indicating where you are copying “data” from
  ○ The length of data (shellcode) to copy
Slide 10: CreateThread
◉ This function creates a new thread for the copied shellcode
  ○ Needs a pointer to the start of the code (shellcode) that you want to run in a new thread
  ○ Schedule the thread to run immediately
Slide 11: WaitForSingleObject
◉ This function tells the program (stager main) to wait to exit until the thread completes
  ○ A handle to the thread that was just created (output from CreateThread)
  ○ A timeout value of -1 (the INFINITE constant) instructing the program to wait until the thread has finished running
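Slides 7 through 11 describe the four calls a stager makes; the artifact they leave behind is a committed, private memory region that is both writable and executable (the "RWX?" question on slide 8), and that is what a defender can look for. The block below is an added example, not code from the talk or from the Veil-Evasion project: it walks a process's address space with VirtualQueryEx (the Win32 constants and the MEMORY_BASIC_INFORMATION layout are the documented ones) and reports private RWX and private executable regions. The triage rule lives in its own function, `classify_region`, so it can be exercised without Windows; `scan_process` and the labels `private-rwx` / `private-exec` are names chosen for this example. JIT runtimes (.NET, browsers, Java) legitimately create such regions, so a hit is a triage signal to pair with the start address of the process's threads, not a verdict on its own.

```python
"""Flag committed private memory that is writable and executable.

Added example (not the talk's or Veil-Evasion's code). Constants and the
structure layout follow the documented Win32 definitions; the walk itself
needs Windows, the classification rule runs anywhere.
"""
import ctypes
import sys

# Win32 constants (documented values)
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # ctypes inserts the same alignment padding the SDK header relies on,
    # so sizeof() is 48 on x64 and 28 on x86.
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


def classify_region(state, protect, mem_type):
    """Triage label for one region, or None if it is unremarkable.

    Only committed, private (VirtualAlloc-backed, not image/mapped) memory
    is interesting; PAGE_GUARD / cache modifier bits are stripped first.
    """
    if state != MEM_COMMIT or mem_type != MEM_PRIVATE:
        return None
    base_protect = protect & 0xFF
    if base_protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
        return "private-rwx"          # strongest signal: shellcode staging
    if base_protect in (PAGE_EXECUTE, PAGE_EXECUTE_READ):
        return "private-exec"         # weaker: may be JIT, may be RW->RX flip
    return None


def scan_process(pid):
    """Return [(label, base_address, size)] for suspicious regions of pid."""
    if sys.platform != "win32":
        raise RuntimeError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    findings = []
    mbi = MEMORY_BASIC_INFORMATION()
    address = 0
    try:
        # VirtualQueryEx returns 0 once we step past the user address space.
        while k32.VirtualQueryEx(handle, address, ctypes.byref(mbi),
                                 ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            label = classify_region(mbi.State, mbi.Protect, mbi.Type)
            if label:
                findings.append((label, base, mbi.RegionSize))
            address = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return findings


if __name__ == "__main__":
    for label, base, size in scan_process(int(sys.argv[1])):
        print(f"{label:12s} base=0x{base:016x} size=0x{size:x}")
```

Run it as `python scan.py <pid>` from an elevated prompt on Windows; expect hits in any process hosting a JIT, and treat an RWX region in a process that has no business compiling code at runtime as the thing to pull a memory dump of.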
Slide 12 (image only)
Slide 13: AV’s Approach to Catching Malware
Slide 14: AV Methods of Detection
◉ Signature Based
  ○ This is what Veil-Evasion attempts to bypass
◉ Heuristics Based
◉ “Crowd Sourced”
  ○ Reputation
Slide 15: Veil-Evasion’s Approach to Bypass AV
Slide 16: Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
  ○ Hyperion
◉ Custom Code
◉ Multiple different ways to approach bypassing AV
Slide 17: Veil-Evasion’s Approach
◉ We are combating on-disk detection through different techniques:
  ○ Obfuscated code
  ○ Encrypted code
  ○ Non-standard languages for Windows binaries
    ■ Python, Ruby, Perl, etc.
    ■ Flat payloads vs. others
Slide 18: Veil-Evasion’s Approach
◉ Languages within Veil-Evasion
  ○ Python
  ○ Perl
  ○ PowerShell
  ○ C#
  ○ C
  ○ Go
  ○ Ruby
Slide 19: Veil-Evasion’s Approach
◉ Using a language that’s not C or C# made a big difference
  ○ AV programs didn’t know or didn’t properly inspect non-standard languages
◉ Example:
  ○ C Flat vs. Python Flat
Slides 20-21 (image only)
Slide 22
Simply changing the language the code is written in completely bypassed all signatures.
Slide 23: Time for a New Module
Slide 24: Close Enough to June V-Day
◉ It’s been a little while since our last V-Day
  ○ Sorry, life…
◉ I have a module I wrote a while ago that’s been fairly successful
◉ It’s Python based
◉ Let’s release it today!
Slide 25: Remember Hyperion?
◉ I briefly mentioned Hyperion before
◉ Hyperion is a cool concept
  ○ It works by completely encrypting an executable
  ○ It wraps a decoder stub around the executable
  ○ Hyperion uses a purposefully restricted keyspace for generating the encryption key
  ○ The decryption key is NOT within the executable
  ○ The executable brute forces itself at runtime and, once decrypted, runs the original executable
Slide 26: Remember Hyperion?
◉ This is a pretty nifty idea; it shouldn’t be hard to write in a higher level language.
◉ However, there is an issue/feature when performing decryption routines
  ○ If I don’t provide the right key, I don’t get an alert, I just get decrypted garbage
Slides 27-28 (image only)
Slide 29: Remember Hyperion?
◉ So I can’t just try/except my way through this module for incorrect keys
◉ Let’s perform a chosen plaintext attack!
  ○ Attack where we specify the plaintext and can observe the ciphertext
◉ Small modification of this will let me make a Python based Hyperion-esque module
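Slides 25 through 29 describe the mechanics: a payload encrypted under a key drawn from a deliberately small keyspace, the key left out of the file, a decoder stub that brute-forces the key at runtime, and, to solve the "wrong key just gives garbage" problem, a known plaintext encrypted alongside the payload so the stub can recognise the right key. The block below is an added example, not Hyperion's or the Veil-Evasion module's code. It assumes a stand-in stream cipher built from SHA-256 (the real tools use other ciphers), a constructed benign payload, and the function names `pack`, `recover` and `demo`, which are this example's own. It is written from the analyst's side: because the keyspace is small by design, exactly the same brute force that the stub runs lets an analyst, a sandbox or an emulating engine recover the payload in well under a second, so the scheme defeats static matching on the encrypted bytes and nothing more.

```python
"""Known-plaintext brute force of a Hyperion-style self-decrypting blob.

Added example; not Hyperion's or Veil-Evasion's code. The cipher is a
SHA-256 keystream stand-in; the restricted keyspace, the absent key and
the check block are the ideas the slides describe.
"""
import hashlib
import itertools

# Deliberately tiny keyspace: 3 characters from 8 symbols = 512 keys.
KEY_ALPHABET = b"abcdefgh"
KEY_LENGTH = 3
# Known plaintext stored (encrypted) next to the payload so the decryptor
# can tell the right key from garbage. Constructed for this example.
CHECK_PLAINTEXT = b"VEIL-CHECK-BLOCK"


def keystream(key, length):
    """Stand-in stream cipher: SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data, key):
    """Encrypt and decrypt are the same operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def pack(payload, key):
    """Produce what gets embedded: encrypted check block + encrypted payload.
    The key itself is deliberately NOT part of the output."""
    return xor_crypt(CHECK_PLAINTEXT, key), xor_crypt(payload, key)


def all_keys():
    for combo in itertools.product(KEY_ALPHABET, repeat=KEY_LENGTH):
        yield bytes(combo)


def recover(check_ct, payload_ct):
    """What the decoder stub, and equally an analyst, does at runtime:
    try every key, keep the one that turns the check block back into
    CHECK_PLAINTEXT, then decrypt the payload with it.
    Returns (key, payload, number_of_keys_tried)."""
    tried = 0
    for key in all_keys():
        tried += 1
        if xor_crypt(check_ct, key) == CHECK_PLAINTEXT:
            return key, xor_crypt(payload_ct, key), tried
    raise ValueError("no key in the keyspace matched the check block")


def demo():
    payload = b"print('hello world from example')"  # benign constructed stand-in
    key = b"fad"
    check_ct, payload_ct = pack(payload, key)

    # The failure mode from slide 26: a wrong key raises nothing, it just
    # yields bytes that are not the payload.
    garbage = xor_crypt(payload_ct, b"aaa")
    assert garbage != payload

    # Without the check block there is no way to pick the right key out of
    # the 512 candidates; with it, the search is mechanical.
    return recover(check_ct, payload_ct)


if __name__ == "__main__":
    found_key, recovered, tried = demo()
    print(f"key {found_key!r} found after {tried} attempts -> {recovered!r}")
```

The check block is the chosen plaintext the slide refers to: the packer chooses it, encrypts it under the same key as the payload, and ships both ciphertexts. Anything that can run the stub, or simply re-implement this loop, gets the key for free, which is why this class of packer buys time against signature scanning but nothing against emulation or a sandbox.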
Slides 30-32 (image only)
Slide 33: Notification of Signature
◉ Finally, after approximately 1 year, we had our first signature
Slide 34: Notification of Signature
◉ I was pretty excited to see if someone finally figured Veil-Evasion out.
◉ Previous attempts have turned out kind of humorous…
Slides 35-43 (image only)
Slide 44: Preparation
Slide 45: ShowMeCon Prep
◉ I originally wanted to start looking into a brand new bypass to release for ShowMeCon
◉ Started looking into it, and immediately was disappointed in one vendor.
Slide 46: What did I try?
◉ Generated Payload - Caught
◉ Removed the Shellcode - Caught
◉ Renamed CTypes library (extra length) - Caught
◉ Commented Windows Function Calls
  ○ From one, to all of them
  ○ Caught
◉ Deleted ALL THE THINGS and did a “Hello World from Veil” test
Slide 47: Hello World!
Slide 48: What about in Windows?
◉ Test this functionality out in Windows!
  ○ This just seems odd…
◉ Build a Python-based payload, but just the source
◉ “Compile” the script in Windows
◉ See what happens
  ○ Need to figure out the “baseline signature”
Slide 49 (image only)
Slide 50: What are my Thoughts?
◉ This leads me to believe Avast is developing signatures for binaries generated by Veil-Evasion, regardless of whether they are malicious.
  ○ Let’s test this by generating a Windows binary outside of Veil-Evasion, but within Kali.
Slide 51 (image only)
Slide 52: What did I Learn?
◉ Avast has chosen the shotgun approach of just blacklisting Windows binaries made by PyInstaller within Linux
◉ So this leads to two observations…
  ○ They’re going to be potentially blacklisting valid programs
  ○ Just “compile” your payload in Windows :)
Slide 53: Let’s Experiment with AV
Slide 54: Experiment Outline
◉ Generate most of the payloads currently in Veil-Evasion
◉ Test against multiple vendors, ensuring the ones I see most are included
◉ Differentiate between detected binaries, suspect/reputation based detections, and clean results
◉ Record the results
Slide 55: Who am I testing?
◉ Symantec
◉ McAfee
◉ Avast
◉ Microsoft Security Essentials
◉ Avira
◉ AVG
◉ ESET
Slide 56: Predictions?
◉ Generally - Most modules will bypass AV
◉ There will be some that are caught
  ○ C or C# based payloads
  ○ Probably some of the “Flat” modules
◉ Python based modules are the original ones, and likely will be caught
◉ Newer languages like Go will bypass AV
◉ “Pure” stagers will bypass AV
◉ PowerShell wins
Slide 57
The ability to detect an open source virus as the single datapoint for determining which antivirus product to buy isn’t the best evidence for your decision.
Slide 58
But it’s not a bad supplement :)
Slides 59-62 (image only)
Slide 63: Observations
◉ A lot of interesting information:
  ○ Of all the payloads generated against all the tested AVs, almost 50% are determined to be virus free
  ○ Ruby Base64 Encoded payload is the least detected payload
  ○ C# Flat is the most detected payload
  ○ McAfee is the worst at detecting Veil-Evasion payloads
  ○ AVG is the best at detecting Veil-Evasion payloads
Slide 64: Observations
◉ Crowd-sourcing antivirus detection can be an option, but will heavily rely on:
  ○ The number of nodes submitting to the cloud
  ○ The configuration of your system
    ■ How does it respond on low, medium, high, etc. reputations?
  ○ Does it just ignore and/or not use signatures?
Slide 65: Wrapup
Slide 66: Wrapup
◉ Antivirus isn’t a brick wall
◉ The tiniest modifications can bypass antivirus
◉ AV Vendors are human, and make human decisions when choosing how to make signatures
  ○ You can exploit this
◉ Anyone can develop new ways to bypass AV
◉ Seriously…
  ○ I’m not an expert, anyone can do this
Slide 67: Develop Your Process
Slide 68: Develop Your Process
◉ I approach AV how I approach red teaming environments I don’t know
  ○ I see stuff I have not ever touched before all the time, and I need to learn to abuse it
  ○ Develop your process for interacting with technology (or AV signatures) you’ve never encountered
Slide 69
A difference between an experienced professional and someone new to the field is that the pro is confident in their own methodology for encountering unknowns and being successful.
Slide 70: Any questions?
Reach out to me!
◉ @ChrisTruncer
◉ https://www.christophertruncer.com
◉ https://www.github.com/ChrisTruncer
Thanks!