This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.
5. What are stagers?
◉ Can be referred to as “stage 1”
○ This can be msfvenom or Veil-Evasion output
◉ The goal for these is (typically) to inject shellcode into memory
○ The shellcode’s task is usually to download and inject a reflective DLL
○ Or anything you specify
◉ This is essentially a loader for your real malware
6. What are stagers?
◉ Any language that has a means to access Windows functions can be used to develop stagers!
○ This can open up a ton of options
◉ Interacting with Windows functionality isn’t all that scary!
○ It’s just four function calls
7. Shellcode Injection Basics
◉ Allocate memory to store shellcode, and set proper memory protections
◉ Copy the shellcode that you want to run into the previously allocated memory
◉ Create a thread to execute the shellcode
◉ Have your code run until the thread has completed execution (you exit Meterpreter)
8. VirtualAlloc
◉ Allocates memory within the current process
○ How much memory should it allocate (shellcode size)?
○ Which permissions should be assigned to the allocated memory?
■ RWX?
■ W?
9. RtlMoveMemory
◉ Moves shellcode into the memory space that’s been allocated
○ Needs a pointer indicating where to copy the shellcode to (VirtualAlloc output)
○ A pointer indicating where you are copying “data” from
○ The length of data (shellcode) to copy
10. CreateThread
◉ This function creates a new thread for the copied shellcode
○ Needs a pointer to the start of the code (shellcode) that you want to run in a new thread
○ Schedule the thread to run immediately
11. WaitForSingleObject
◉ This function tells the program (stager main) to wait to exit until the thread completes
○ A handle to the thread that was just created (output from CreateThread)
○ A value (-1) instructing the program to wait until the thread has finished running
16. Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
○ Hyperion
◉ Custom code
◉ Multiple different ways to approach bypassing AV
17. Veil-Evasion’s Approach
◉ We are combating on-disk detection through different techniques:
○ Obfuscated code
○ Encrypted code
○ Non-standard languages for Windows binaries
■ Python, Ruby, Perl, etc.
■ Flat payloads vs. others
19. Veil-Evasion’s Approach
◉ Using a language that’s not C or C# made a big difference
○ AV programs didn’t know or didn’t properly inspect non-standard languages
◉ Example:
○ C Flat vs. Python Flat
24. Close Enough to June V-Day
◉ It’s been a little while since our last V-Day
○ Sorry, life…
◉ I have a module I wrote a while ago that’s been fairly successful
◉ It’s Python-based
◉ Let’s release it today!
25. Remember Hyperion?
◉ I briefly mentioned Hyperion before
◉ Hyperion is a cool concept
○ It works by completely encrypting an executable
○ It wraps a decoder stub around the executable
○ Hyperion uses a purposefully restricted keyspace for generating the encryption key
○ The decryption key is NOT within the executable
○ The executable brute forces itself at runtime and, once decrypted, runs the original executable
26. Remember Hyperion?
◉ This is a pretty nifty idea; it shouldn’t be hard to write in a higher-level language.
◉ However, there is an issue/feature when performing decryption routines
○ If I don’t provide the right key, I don’t get an alert, I just get decrypted garbage
29. Remember Hyperion?
◉ So I can’t just try/except my way through this module for incorrect keys
◉ Let’s perform a chosen plaintext attack!
○ Attack where we specify the plaintext and can observe the ciphertext
◉ A small modification of this will let me make a Python-based Hyperion-esque module
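The property slides 26 and 29 turn on is a general one about unauthenticated encryption, so here is an added illustration (not Hyperion’s or Veil-Evasion’s code) in a constructed toy: a SHA-256-based XOR stream cipher standing in for Hyperion’s AES, with a deliberately 16-bit keyspace and a chosen marker sealed in front of the payload. It shows the failure mode (a wrong key raises nothing and just yields garbage), why checking the marker is what makes the key search decidable, and, seen from the analyst’s side, why a restricted keyspace gives no secrecy: the same search recovers the key in at most 65,536 short decryptions, so an unpacking script can reproduce what the stub does and get the original bytes. The cipher, marker and key size are all constructed for the example.

```python
import hashlib

KEY_BITS = 16                  # constructed: a deliberately tiny keyspace, in the spirit of Hyperion
MARKER = b"VEIL-EVASION-OK"    # constructed chosen plaintext sealed in front of the payload


def keystream(key, length):
    """Toy stream cipher keystream: SHA-256 over key||counter (constructed; Hyperion uses AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


encrypt = xor_bytes
decrypt = xor_bytes   # same operation; crucially, a wrong key raises nothing at all


def seal(key, payload):
    """Encrypt MARKER || payload under a key drawn from the restricted keyspace."""
    if not 0 <= key < (1 << KEY_BITS):
        raise ValueError("key outside the restricted keyspace")
    return encrypt(key, MARKER + payload)


def wrong_key_is_silent(blob, wrong_key):
    """The failure mode from slide 26: a wrong key yields garbage, not an error."""
    garbage = decrypt(wrong_key, blob)
    return garbage[:len(MARKER)] != MARKER


def recover_key(blob):
    """Chosen-plaintext search: the first key that turns the prefix back into MARKER is the key.
    Only the prefix is decrypted per candidate, so each attempt costs one short keystream."""
    prefix = blob[:len(MARKER)]
    for candidate in range(1 << KEY_BITS):
        if decrypt(candidate, prefix) == MARKER:
            return candidate, candidate + 1          # (key, attempts used)
    return None, 1 << KEY_BITS


def unseal(blob):
    """Analyst's view: recover the key, then the payload; None if no key in the keyspace fits."""
    key, _ = recover_key(blob)
    if key is None:
        return None
    return decrypt(key, blob)[len(MARKER):]


if __name__ == "__main__":
    blob = seal(0xBEEF, b"constructed payload bytes")
    print("wrong key is silent:", wrong_key_is_silent(blob, 0xBEEF + 1))
    print("recovered (key, attempts):", recover_key(blob))
    print("payload:", unseal(blob))
```

The marker check is doing the job an authentication tag would do in a real protocol; the difference is that here the wrong-key case is expected to happen tens of thousands of times, which is also why a sandbox or unpacker that simply runs the same loop gets the plaintext back with the same effort.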
34. Notification of Signature
◉ I was pretty excited to see if someone finally figured Veil-Evasion out.
◉ Previous attempts have turned out kind of humorous…
45. ShowMeCon Prep
◉ I originally wanted to start looking into a brand new bypass to release for ShowMeCon
◉ Started looking into it, and immediately was disappointed in one vendor.
46. What did I try?
◉ Generated payload - Caught
◉ Removed the shellcode - Caught
◉ Renamed CTypes library (extra length) - Caught
◉ Commented out Windows function calls
○ From one, to all of them
○ Caught
◉ Deleted ALL THE THINGS and did a “Hello World from Veil” test
48. What about in Windows?
◉ Test this functionality out in Windows!
○ This just seems odd…
◉ Build a Python-based payload, but just the source
◉ “Compile” the script in Windows
◉ See what happens
○ Need to figure out the “baseline signature”
50. What are my Thoughts?
◉ This leads me to believe Avast is developing signatures for binaries generated by Veil-Evasion, regardless of whether they are malicious.
○ Let’s test this by generating a Windows binary outside of Veil-Evasion, but within Kali.
52. What did I Learn?
◉ Avast has chosen the shotgun approach of just blacklisting Windows binaries made by PyInstaller within Linux
◉ So this leads to two observations…
○ They’re going to be potentially blacklisting valid programs
○ Just “compile” your payload in Windows :)
54. Experiment Outline
◉ Generate most of the payloads currently in Veil-Evasion
◉ Test against multiple vendors, ensuring the ones I see most are included
◉ Differentiate between detected binaries, suspect/reputation-based detections, and clean results
◉ Record the results
55. Who am I testing?
◉ Symantec
◉ McAfee
◉ Avast
◉ Microsoft Security Essentials
◉ Avira
◉ AVG
◉ ESET
56. Predictions?
◉ Generally - Most modules will bypass AV
◉ There will be some that are caught
○ C or C# based payloads
○ Probably some of the “Flat” modules
◉ Python-based modules are the original ones, and likely will be caught
◉ Newer languages like Go will bypass AV
◉ “Pure” stagers will bypass AV
◉ PowerShell wins
57. The ability to detect an open source virus as the single datapoint for determining which antivirus product to buy isn’t the best evidence for your decision.
63. Observations
◉ A lot of interesting information:
○ Of all the payloads generated against all the tested AVs, almost 50% are determined to be virus free
○ The Ruby Base64-encoded payload is the least detected payload
○ C# Flat is the most detected payload
○ McAfee is the worst at detecting Veil-Evasion payloads
○ AVG is the best at detecting Veil-Evasion payloads
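The experiment outline on slide 54 and the observations on slide 63 are a record-and-tally exercise, so here is an added example (not the talk’s own tooling or data) of the bookkeeping behind it: a payload-by-vendor matrix with the three verdict classes the outline distinguishes, and the aggregates the observations quote (overall clean fraction, least and most detected payload, best and worst vendor). The matrix below is constructed to mirror the shape of the experiment; the payload names, three stand-in vendors and verdicts are made up and are not the measured results, which the talk presents separately.

```python
from collections import Counter

DETECTED, SUSPECT, CLEAN = "detected", "suspect", "clean"

# Constructed sample matrix, payload -> vendor -> verdict. NOT the talk's measured data;
# three vendors stand in for the seven that were actually tested.
RESULTS = {
    "c/flat":             {"AVG": DETECTED, "McAfee": DETECTED, "Avast": DETECTED},
    "ruby/base64":        {"AVG": CLEAN,    "McAfee": CLEAN,    "Avast": CLEAN},
    "python/aes":         {"AVG": DETECTED, "McAfee": CLEAN,    "Avast": SUSPECT},
    "powershell/virtual": {"AVG": SUSPECT,  "McAfee": CLEAN,    "Avast": CLEAN},
}


def verdict_counts(results):
    """Overall tally of detected / suspect / clean cells."""
    return Counter(v for row in results.values() for v in row.values())


def clean_fraction(results):
    counts = verdict_counts(results)
    return counts[CLEAN] / sum(counts.values())


def flagged(verdict, count_suspect):
    """A cell counts as a detection if it is a signature hit, or a reputation hit when asked."""
    return verdict == DETECTED or (count_suspect and verdict == SUSPECT)


def payload_rates(results, count_suspect=True):
    """Fraction of vendors that flagged each payload."""
    return {payload: sum(flagged(v, count_suspect) for v in row.values()) / len(row)
            for payload, row in results.items()}


def vendor_rates(results, count_suspect=True):
    """Fraction of payloads each vendor flagged (vendors missing from a row are skipped)."""
    rates = {}
    vendors = {vendor for row in results.values() for vendor in row}
    for vendor in vendors:
        seen = [row[vendor] for row in results.values() if vendor in row]
        rates[vendor] = sum(flagged(v, count_suspect) for v in seen) / len(seen)
    return rates


def summarize(results, count_suspect=True):
    """The headline numbers of slide 63, computed from whatever matrix is passed in."""
    p = payload_rates(results, count_suspect)
    v = vendor_rates(results, count_suspect)
    return {
        "clean_fraction": clean_fraction(results),
        "least_detected_payload": min(p, key=p.get),
        "most_detected_payload": max(p, key=p.get),
        "worst_vendor": min(v, key=v.get),
        "best_vendor": max(v, key=v.get),
    }


if __name__ == "__main__":
    print("counting reputation hits:", summarize(RESULTS))
    print("signature hits only:     ", summarize(RESULTS, count_suspect=False))
```

The `count_suspect` switch is the point of separating the three classes: a reputation-only verdict depends on the cloud conditions slide 64 lists, so the ranking of vendors and payloads can move depending on whether those hits are counted.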
64. Observations
◉ Crowd-sourcing antivirus detection can be an option, but will heavily rely on:
○ The number of nodes submitting to the cloud
○ The configuration of your system
■ How does it respond on low, medium, high, etc. reputations?
○ Does it just ignore and/or not use signatures?
66. Wrapup
◉ Antivirus isn’t a brick wall
◉ The tiniest modifications can bypass antivirus
◉ AV vendors are human, and make human decisions when choosing how to make signatures
○ You can exploit this
◉ Anyone can develop new ways to bypass AV
◉ Seriously…
○ I’m not an expert, anyone can do this
68. Develop Your Process
◉ I approach AV how I approach red teaming environments I don’t know
○ I see stuff I have not ever touched before all the time, and I need to learn to abuse it
○ Develop your process for interacting with technology (or AV signatures) you’ve never encountered
69. A difference between an experienced professional and someone new to the field is that the pro is confident in their own methodology when encountering unknowns and being successful
70. Any questions?
Reach out to me!
◉ @ChrisTruncer
◉ https://www.christophertruncer.com
◉ https://www.github.com/ChrisTruncer
Thanks!