The Art of AV Evasion - Or Lack Thereof
@ChrisTruncer
◉ Sys Admin Turned Red Teamer
for Mandiant
◉ Florida State Seminole
◉ Open Source Software
Developer
○ Veil-Framework
○ EyeWitness
○ Egress-Assess
WHOAMI
What is this talk about?
◉ Stager Background
◉ Veil-Evasion’s AV Bypass Approach
◉ Signatured - DOH!
◉ An Experiment I Conducted
◉ Process Creation
Stagers
What are stagers?
◉ Can be referred to as “stage 1”
○ This can be msfvenom or Veil-Evasion output
◉ The goal of these is (typically) to inject
shellcode into memory
○ The shellcode’s task is usually to download and
inject a reflective dll
○ Or anything you specify
◉ This is essentially a loader for your real
malware
What are stagers?
◉ Any language that has a means to access
Windows functions can be used to develop
stagers!
○ This can open up a ton of options
◉ Interacting with Windows functionality isn’t all
that scary!
○ It’s just four function calls
Shellcode Injection Basics
◉ Allocate memory to store shellcode, and set
proper memory protections
◉ Copy the shellcode that you want to run into
the previously allocated memory
◉ Create a thread to execute the shellcode
◉ Have your code run until the thread has
completed execution (you exit Meterpreter)
VirtualAlloc
◉ Allocates memory within the current process
○ How much memory should it allocate (shellcode
size)?
○ Which permissions should be assigned to the
allocated memory?
■ RWX?
■ W?
RtlMoveMemory
◉ Moves shellcode into the memory space that’s
been allocated
○ Needs a pointer indicating where to copy the
shellcode (VirtualAlloc output)
○ A pointer indicating where you are copying “data”
from
○ The length of data (shellcode) to copy
CreateThread
◉ This function creates a new thread for the
copied shellcode
○ Needs a pointer to the start of the code (shellcode)
that you want to run in a new thread
○ Schedule the thread to run immediately
WaitForSingleObject
◉ This function tells the program (stager main) to
wait to exit until the thread completes
○ A handle to the thread that was just created (output
from CreateThread)
○ A value (-1) instructing the program to wait until the
thread has finished running
AV’s Approach to Catching Malware
AV Methods of Detection
◉ Signature Based
○ This is what Veil-Evasion attempts to bypass
◉ Heuristics Based
◉ “Crowd Sourced”
○ Reputation
Veil-Evasion’s Approach to Bypass AV
Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
○ Hyperion
◉ Custom Code
◉ Multiple different ways to approach bypassing
AV
Veil-Evasion’s Approach
◉ We are combating on-disk detection through
different techniques:
○ Obfuscated code
○ Encrypted code
○ Non-standard languages for Windows binaries
■ Python, Ruby, Perl, etc.
■ Flat Payloads vs. others
Veil-Evasion’s Approach
◉ Languages within Veil-Evasion
○ Python
○ Perl
○ PowerShell
○ C#
○ C
○ Go
○ Ruby
Veil-Evasion’s Approach
◉ Using a language that’s not C or C# made a big
difference
○ AV Programs didn’t know or didn’t properly inspect
non-standard languages
◉ Example:
○ C Flat vs. Python Flat
Simply changing
the language the
code is written in
completely bypassed
all signatures.
Time for a New Module
Close Enough to June V-Day
◉ It’s been a little while since our last V-Day
○ Sorry, life…
◉ I have a module I wrote a while ago that’s
been fairly successful
◉ It’s Python based
◉ Let’s release it today!
Remember Hyperion?
◉ I briefly mentioned Hyperion before
◉ Hyperion is a cool concept
○ It works by completely encrypting an executable
○ It wraps a decoder stub around the executable
○ Hyperion uses a purposefully restricted keyspace
for generating the encryption key
○ The decryption key is NOT within the executable
○ The executable brute forces itself at runtime and
once decrypted, runs the original executable
Remember Hyperion?
◉ This is a pretty nifty idea; it shouldn’t be hard
to write in a higher-level language.
◉ However, there is an issue/feature when
performing decryption routines
○ If I don’t provide the right key, I don’t get an alert, I
just get decrypted garbage
Remember Hyperion?
◉ So I can’t just try/except my way through this
module for incorrect keys
◉ Let’s perform a chosen plaintext attack!
○ Attack where we specify the plaintext and can
observe the ciphertext
◉ Small modification of this will let me make a
python based Hyperion-esque module
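As an added example (not from the talk, not Hyperion and not the module described here), a defender-side heuristic in Python for the file layout this design produces: a short low-entropy decoder stub followed by nothing but near-random data to the end of the file. The samples are constructed; the 1 KiB window, the 7.5 bits/byte threshold and the shuffled-uniform stand-in for ciphertext are assumptions of this example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 at most)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, window=1024):
    """Entropy of each consecutive window; a trailing partial window is dropped.
    1 KiB windows keep the estimator's small-sample bias low enough for a
    7.5 bits/byte threshold to be meaningful."""
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data) - window + 1, window)]


def looks_like_encrypted_wrapper(data, window=1024, threshold=7.5, min_fraction=0.75):
    """Heuristic for the layout a fully encrypted executable with a decoder
    stub produces: a short low-entropy prefix (the stub) and then nothing but
    near-random windows to the end of the file. Returns (verdict, details).

    A normal binary mixes code, strings and tables, so its high-entropy
    windows are interleaved with lower ones and the tail condition fails.
    """
    profile = entropy_profile(data, window)
    if not profile:
        return False, {"windows": 0}
    high = [e >= threshold for e in profile]
    stub_windows = next((i for i, h in enumerate(high) if h), len(high))
    tail = high[stub_windows:]
    details = {
        "windows": len(profile),
        "stub_windows": stub_windows,
        "fraction_high": sum(high) / len(high),
        "mean_entropy": round(sum(profile) / len(profile), 3),
    }
    verdict = bool(tail) and all(tail) and details["fraction_high"] >= min_fraction
    return verdict, details


def _uniform_block(seed, size=1024):
    """Constructed stand-in for ciphertext: every byte value appears size/256
    times in seeded-random order, so the block scores exactly 8.0 bits/byte
    and, unlike os.urandom output, the sample is reproducible."""
    block = bytearray(bytes(range(256)) * (size // 256))
    random.Random(seed).shuffle(block)
    return bytes(block)


def _text_block(size=1024):
    """Constructed stand-in for code and strings: repetitive ASCII, low entropy."""
    line = b"decoder stub: next key, decrypt, compare marker, loop\n"
    return (line * (size // len(line) + 1))[:size]


# Constructed sample 1: a 2 KiB stub followed by 8 KiB of "ciphertext".
WRAPPED = _text_block() * 2 + b"".join(_uniform_block(i) for i in range(8))

# Constructed sample 2: a normal-looking layout where one random-looking
# region (a compressed resource, say) sits between code and strings.
MIXED = _text_block() * 4 + _uniform_block(99) + _text_block() * 2
```

`looks_like_encrypted_wrapper(WRAPPED)` flags the stub-plus-ciphertext layout (two low windows, then eight at 8.0 bits/byte), while MIXED is not flagged because low-entropy windows follow its one random region.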
Notification of Signature
◉ Finally, after approximately 1 year, we had our
first signature
Notification of Signature
◉ I was pretty excited to see if someone finally
figured Veil-Evasion out.
◉ Previous attempts have turned out kind of
humorous.
Preparation
ShowMeCon Prep
◉ I originally wanted to start looking into a brand
new bypass to release for ShowMeCon
◉ Started looking into it, and was immediately
disappointed in one vendor.
What did I try?
◉ Generated Payload - Caught
◉ Removed the Shellcode - Caught
◉ Renamed CTypes library (extra length) -
Caught
◉ Commented Windows Function Calls
○ From one, to all of them
○ Caught
◉ Deleted ALL THE THINGS and did a “Hello
World from Veil” test
Hello World!
What about in Windows?
◉ Test this functionality out in Windows!
○ This just seems odd.
◉ Build a Python-based payload, but just the
source
◉ “Compile” the script in Windows
◉ See what happens
○ Need to figure out the “baseline signature”
What are my Thoughts?
◉ This leads me to believe Avast is developing
signatures for binaries generated by Veil-Evasion,
regardless of whether they are malicious.
○ Let’s test this by generating a Windows binary
outside of Veil-Evasion, but within Kali.
What did I Learn?
◉ Avast has chosen the shotgun approach of simply
blacklisting Windows binaries made by PyInstaller
on Linux
◉ So this leads to two observations:
○ They are potentially going to blacklist valid
programs
○ Just “compile” your payload in Windows :)
Let’s Experiment with AV
Experiment Outline
◉ Generate most of the payloads currently in
Veil-Evasion
◉ Test against multiple vendors, ensuring the
ones I see most are included
◉ Differentiate between detected binaries,
suspect/reputation based detections, and
clean results
◉ Record the results
Who am I testing?
◉ Symantec
◉ McAfee
◉ Avast
◉ Microsoft Security Essentials
◉ Avira
◉ AVG
◉ ESET
Predictions?
◉ Generally - Most modules will bypass AV
◉ There will be some that are caught
○ C or C# based payloads
○ Probably some of the “Flat” modules
◉ Python based modules are the original ones,
and likely will be caught
◉ Newer languages like Go will bypass AV
◉ “Pure” stagers will bypass AV
◉ PowerShell wins
The ability to detect an open source
virus as the single datapoint for
determining which antivirus
product to buy isn’t the best
evidence for your decision.
But it’s not a bad supplement
:)
Observations
◉ A lot of interesting information:
○ Of all the payloads generated against all the tested
AVs, almost 50% are determined to be virus free
○ Ruby Base64 Encoded payload is the least detected
payload
○ C# Flat is the most detected payload
○ McAfee is the worst at detecting Veil-Evasion
payloads
○ AVG is the best at detecting Veil-Evasion payloads
Observations
◉ Crowd-sourcing antivirus detection can be an
option, but will heavily rely on:
○ The number of nodes submitting to the cloud
○ The configuration of your system
■ How does it respond on low, medium, high, etc.
reputations?
○ Does it just ignore and/or not use signatures?
Wrapup
Wrapup
◉ Antivirus isn’t a brick wall
◉ The tiniest modifications can bypass antivirus
◉ AV Vendors are human, and make human
decisions when choosing how to make
signatures
○ You can exploit this
◉ Anyone can develop new ways to bypass AV
◉ Seriously…
○ I’m not an expert, anyone can do this
Develop Your Process
Develop Your Process
◉ I approach AV how I approach red teaming
environments I don’t know
○ I see things I have never touched before all the
time, and I need to learn to abuse them
○ Develop your process for interacting with
technology (or AV signatures) you’ve never
encountered
A difference between an experienced
professional and someone new to the
field is that the pro is confident in their
own methodology for encountering
unknowns and succeeding
Any questions ?
Reach out to me!
◉ @ChrisTruncer
◉ https://www.christophertruncer.com
◉ https://www.github.com/ChrisTruncer
Thanks!

Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 

The Art of AV Evasion - Or Lack Thereof

  • 1. The Art of AV Evasion - Or Lack Thereof @ChrisTruncer
  • 2. ◉ Sys Admin Turned Red Teamer for Mandiant ◉ Florida State Seminole ◉ Open Source Software Developer ○ Veil-Framework ○ EyeWitness ○ Egress-Assess WHOAMI
  • 3. What is this talk about? ◉ Stager Background ◉ Veil-Evasion’s AV Bypass Approach ◉ Signatured - DOH! ◉ An Experiment I Conducted ◉ Process Creation
  • 5. What are stagers? ◉ Can be referred to as “stage 1” ○ This can be msfvenom or Veil-Evasion output ◉ The goal of these is (typically) to inject shellcode into memory ○ The shellcode’s task is usually to download and inject a reflective DLL ○ Or anything you specify ◉ This is essentially a loader for your real malware
  • 6. What are stagers? ◉ Any language that has a means to access Windows functions can be used to develop stagers! ○ This can open up a ton of options ◉ Interacting with Windows functionality isn’t all that scary! ○ It’s just four function calls
  • 7. Shellcode Injection Basics ◉ Allocate memory to store shellcode, and set proper memory protections ◉ Copy the shellcode that you want to run into the previously allocated memory ◉ Create a thread to execute the shellcode ◉ Have your code run until the thread has completed execution (you exit Meterpreter)
  • 8. VirtualAlloc ◉ Allocates memory within the current process ○ How much memory should it allocate (shellcode size)? ○ Which permissions should be assigned to the allocated memory? ■ RWX? ■ W?
  • 9. RtlMoveMemory ◉ Moves shellcode into the memory space that’s been allocated ○ Needs a pointer indicating where to copy the shellcode (VirtualAlloc output) ○ A pointer indicating where you are copying “data” from ○ The length of data (shellcode) to copy
  • 10. CreateThread ◉ This function creates a new thread for the copied shellcode ○ Needs a pointer to the start of the code (shellcode) that you want to run in a new thread ○ Schedule the thread to run immediately
  • 11. WaitForSingleObject ◉ This function tells the program (stager main) to wait to exit until the thread completes ○ A handle to the thread that was just created (output from CreateThread) ○ A value (-1) instructing the program to wait until the thread has finished running
  • 12.
  • 14. AV Methods of Detection ◉ Signature Based ○ This is what Veil-Evasion attempts to bypass ◉ Heuristics Based ◉ “Crowd Sourced” ○ Reputation
  • 16. Approaches to Bypassing AV ◉ Ghost code / net no-operation code ◉ Encrypted binaries ○ Hyperion ◉ Custom Code ◉ Multiple different ways to approach bypassing AV
  • 17. Veil-Evasion’s Approach ◉ We are combating on-disk detection through different techniques: ○ Obfuscated code ○ Encrypted code ○ Non-standard languages for Windows binaries ■ Python, Ruby, Perl, etc. ■ Flat Payloads vs. others
  • 18. Veil-Evasion’s Approach ◉ Languages within Veil-Evasion ○ Python ○ Perl ○ PowerShell ○ C# ○ C ○ Go ○ Ruby
  • 19. Veil-Evasion’s Approach ◉ Using a language that’s not C or C# made a big difference ○ AV Programs didn’t know or didn’t properly inspect non-standard languages ◉ Example: ○ C Flat vs. Python Flat
  • 20.
  • 21.
  • 22. Simply changing the language the code is written in completely bypassed all signatures.
  • 23. Time for a New Module
  • 24. Close Enough to June V-Day ◉ It’s been a little while since our last V-Day ○ Sorry, life… ◉ I have a module I wrote a while ago that’s been fairly successful ◉ It’s Python based ◉ Let’s release it today!
  • 25. Remember Hyperion? ◉ I briefly mentioned Hyperion before ◉ Hyperion is a cool concept ○ It works by completely encrypting an executable ○ It wraps a decoder stub around the executable ○ Hyperion uses a purposefully restricted keyspace for generating the encryption key ○ The decryption key is NOT within the executable ○ The executable brute forces itself at runtime and once decrypted, runs the original executable
  • 26. Remember Hyperion? ◉ This is a pretty nifty idea; it shouldn’t be hard to write in a higher-level language. ◉ However, there is an issue/feature when performing decryption routines ○ If I don’t provide the right key, I don’t get an alert, I just get decrypted garbage
  • 27.
  • 28.
  • 29. Remember Hyperion? ◉ So I can’t just try/except my way through this module for incorrect keys ◉ Let’s perform a chosen plaintext attack! ○ Attack where we specify the plaintext and can observe the ciphertext ◉ Small modification of this will let me make a python based Hyperion-esque module
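Slides 25 to 29 describe a crypter whose key is absent from the file and has to be found by brute force at runtime, plus the marker check the talk calls a chosen plaintext attack. The following Python is an added example, not code from the talk, from Veil-Evasion or from Hyperion, and it does not reproduce Hyperion's AES construction: it uses a toy SHA-256 keystream cipher from the standard library so the mechanics run offline. The two-byte key length and the marker string are assumptions chosen for the demo. It shows the two things the slides point out: without a marker, a wrong key silently yields garbage rather than an error, and with one the key falls out of a bounded search. That same bounded search is available to any analyst or sandbox holding the file, which is the defender's caveat here: a restricted keyspace is obfuscation, not confidentiality.

```python
import hashlib
import itertools
from typing import Optional, Tuple

KEY_LEN = 2                          # assumption: a deliberately tiny keyspace (65,536 keys)
MARKER = b"KNOWN-PLAINTEXT-MARKER"   # constructed marker prepended before encryption


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter). Not Hyperion's AES;
    chosen only so the example needs no third-party library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Raw XOR with the keystream. Symmetric, and it never fails: any key
    'decrypts' to something, which is the problem slide 26 describes."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Prepend the known marker so a decryptor can tell a good key from garbage."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    return xor_stream(key, MARKER + plaintext)


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext if the marker checks out, None for a wrong key."""
    data = xor_stream(key, blob)
    if not data.startswith(MARKER):
        return None
    return data[len(MARKER):]


def recover_key(blob: bytes) -> Tuple[bytes, int]:
    """Walk the entire restricted keyspace until the marker appears. Returns
    the key and how many candidates were tried. An analyst holding the blob
    can run exactly this loop, so the key is hidden only from a cursory look."""
    for attempts, candidate in enumerate(
        itertools.product(range(256), repeat=KEY_LEN), start=1
    ):
        key = bytes(candidate)
        if decrypt(key, blob) is not None:
            return key, attempts
    raise ValueError("no key in the restricted keyspace matches the marker")


def demo() -> dict:
    """Constructed walk-through: encrypt, show silent garbage, recover the key."""
    real_key = b"\x01\x02"
    plaintext = b"constructed sample payload bytes"
    blob = encrypt(real_key, plaintext)
    garbage = xor_stream(b"\x00\x00", blob)   # wrong key: no exception, just noise
    key, attempts = recover_key(blob)
    return {
        "wrong_key_output_is_plaintext": garbage == MARKER + plaintext,
        "recovered_key": key,
        "attempts": attempts,
        "recovered_plaintext": decrypt(key, blob),
    }


if __name__ == "__main__":
    print(demo())
```

Two design notes. The marker is what makes try/except unnecessary: the decision is a byte comparison, not an exception. And because the marker and the keyspace bound are both inside the file, `recover_key` runs just as well on an analyst's workstation as on the victim's, with the full search here taking at most 65,536 hash-and-compare steps.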
  • 30.
  • 31.
  • 32.
  • 33. Notification of Signature ◉ Finally, after approximately 1 year, we had our first signature
  • 34. Notification of Signature ◉ I was pretty excited to see if someone finally figured Veil-Evasion out. ◉ Previous attempts have turned out kind of humorous.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 45. ShowMeCon Prep ◉ I wanted to originally start looking into a brand new bypass to release for ShowMeCon ◉ Started looking into it, and immediately was disappointed in one vendor.
  • 46. What did I try? ◉ Generated Payload - Caught ◉ Removed the Shellcode - Caught ◉ Renamed CTypes library (extra length) - Caught ◉ Commented Windows Function Calls ○ From one, to all of them ○ Caught ◉ Deleted ALL THE THINGS and did a “Hello World from Veil” test
  • 48. What about in Windows? ◉ Test this functionality out in Windows! ○ This just seems odd. ◉ Build a Python-based payload, but just the source ◉ “Compile” the script in Windows ◉ See what happens ○ Need to figure out the “baseline signature”
  • 49.
  • 50. What are my Thoughts? ◉ This leads me to believe Avast is developing signatures for binaries generated by Veil-Evasion, regardless of whether they are malicious. ○ Let’s test this by generating a Windows binary outside of Veil-Evasion, but within Kali.
  • 51.
  • 52. What did I Learn? ◉ Avast has chosen the shotgun approach to just blacklisting Windows binaries made by PyInstaller within Linux ◉ So this leads to two observations. ○ They’re going to be potentially blacklisting valid programs ○ Just “compile” your payload in Windows :)
  • 54. Experiment Outline ◉ Generate most of the payloads currently in Veil-Evasion ◉ Test against multiple vendors, ensuring the ones I see most are included ◉ Differentiate between detected binaries, suspect/reputation based detections, and clean results ◉ Record the results
  • 55. Who am I testing? ◉ Symantec ◉ McAfee ◉ Avast ◉ Microsoft Security Essentials ◉ Avira ◉ AVG ◉ ESET
  • 56. Predictions? ◉ Generally - Most modules will bypass AV ◉ There will be some that are caught ○ C or C# based payloads ○ Probably some of the “Flat” modules ◉ Python based modules are the original ones, and likely will be caught ◉ Newer languages like Go will bypass AV ◉ “Pure” stagers will bypass AV ◉ PowerShell wins
  • 57. The ability to detect an open source virus as the single datapoint for determining which antivirus product to buy isn’t the best evidence for your decision.
  • 58. But it’s not a bad supplement :)
  • 59.
  • 60.
  • 61.
  • 62.
  • 63. Observations ◉ A lot of interesting information: ○ Of all the payloads generated against all the tested AVs, almost 50% are determined to be virus free ○ Ruby Base64 Encoded payload is the least detected payload ○ C# Flat is the most detected payload ○ McAfee is the worst at detecting Veil-Evasion payloads ○ AVG is the best at detecting Veil-Evasion payloads
  • 64. Observations ◉ Crowd-sourcing antivirus detection can be an option, but will heavily rely on: ○ The number of nodes submitting to the cloud ○ The configuration of your system ■ How does it respond on low, medium, high, etc. reputations? ○ Does it just ignore and/or not use signatures?
  • 66. Wrapup ◉ Antivirus isn’t a brick wall ◉ The tiniest modifications can bypass antivirus ◉ AV Vendors are human, and make human decisions when choosing how to make signatures ○ You can exploit this ◉ Anyone can develop new ways to bypass AV ◉ Seriously… ○ I’m not an expert, anyone can do this
  • 68. Develop Your Process ◉ I approach AV how I approach red teaming environments I don’t know ○ I see stuff I have not ever touched before all the time, and I need to learn to abuse it ○ Develop your process for interacting with technology (or AV signatures) you’ve never encountered
  • 69. A difference between an experienced professional and someone new to the field is that the pro is confident in their own methodology when encountering unknowns and being successful
  • 70. Any questions? Reach out to me! ◉ @ChrisTruncer ◉ https://www.christophertruncer.com ◉ https://www.github.com/ChrisTruncer Thanks!