The Art of AV Evasion - Or Lack Thereof
@ChrisTruncer

This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.

Slide 1. The Art of AV Evasion - Or Lack Thereof
◉ @ChrisTruncer

Slide 2. WHOAMI
◉ Sys Admin Turned Red Teamer for Mandiant
◉ Florida State Seminole
◉ Open Source Software Developer
  ○ Veil-Framework
  ○ EyeWitness
  ○ Egress-Assess

Slide 3. What is this talk about?
◉ Stager Background
◉ Veil-Evasion’s AV Bypass Approach
◉ Signatured - DOH!
◉ An Experiment I Conducted
◉ Process Creation

Slide 4. Stagers

Slide 5. What are stagers?
◉ Can be referred to as “stage 1”
  ○ This can be msfvenom or Veil-Evasion output
◉ The goal of these is (typically) to inject shellcode into memory
  ○ The shellcode’s task is usually to download and inject a reflective DLL
  ○ Or anything you specify
◉ This is essentially a loader for your real malware

Slide 6. What are stagers?
◉ Any language that has a means to access Windows functions can be used to develop stagers!
  ○ This can open up a ton of options
◉ Interacting with Windows functionality isn’t all that scary!
  ○ It’s just four function calls

Slide 7. Shellcode Injection Basics
◉ Allocate memory to store shellcode, and set proper memory protections
◉ Copy the shellcode that you want to run into the previously allocated memory
◉ Create a thread to execute the shellcode
◉ Have your code run until the thread has completed execution (you exit Meterpreter)

Slide 8. VirtualAlloc
◉ Allocates memory within the current process
  ○ How much memory should it allocate (shellcode size)?
  ○ Which permissions should be assigned to the allocated memory?
    ■ RWX?
    ■ W?

Slide 9. RtlMoveMemory
◉ Moves shellcode into the memory space that’s been allocated
  ○ Needs a pointer indicating where to copy the shellcode to (VirtualAlloc output)
  ○ A pointer indicating where you are copying “data” from
  ○ The length of data (shellcode) to copy

Slide 10. CreateThread
◉ This function creates a new thread for the copied shellcode
  ○ Needs a pointer to the start of the code (shellcode) that you want to run in a new thread
  ○ Schedule the thread to run immediately

Slide 11. WaitForSingleObject
◉ This function tells the program (stager main) to wait to exit until the thread completes
  ○ A handle to the thread that was just created (output from CreateThread)
  ○ A value (-1) instructing the program to wait until the thread has finished running
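The four calls on slides 7 to 11 are exactly the sequence a defender looks for on the detection side: an allocation that is (or becomes) executable, a copy into it, and a thread started at that address. The following added example, which is not from the talk or from Veil-Evasion, walks a constructed API-call trace and flags that sequence. The trace line format (`Function(arg=value, ...) -> return`) is a hypothetical one chosen for this example, not the output of any real sandbox or hooking tool; the page-protection constants are the real Win32 values. It goes slightly beyond the slides by also tracking VirtualProtect, so the "allocate writable, then flip to executable" variant the "RWX? W?" question on slide 8 hints at is caught as well.

```python
"""Flag the allocate -> copy -> CreateThread injection pattern in an API trace.

Added example, not code from the talk. The trace format below is a
constructed assumption for this example; the protection constants are the
real Win32 values from winnt.h.
"""
import re
from dataclasses import dataclass

# Win32 page-protection constants (real values)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* flag lives in the high nibble

# Hypothetical trace line:  Function(arg=value, ...) -> returnvalue
CALL_RE = re.compile(
    r"^(?P<fn>\w+)\((?P<args>[^)]*)\)(?:\s*->\s*(?P<ret>0x[0-9a-fA-F]+))?\s*$"
)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\d+)")


@dataclass
class Region:
    base: int
    size: int
    alloc_protect: int      # protection requested at VirtualAlloc time
    protect: int            # current protection (VirtualProtect may change it)
    written: bool = False   # has data been copied into the region?

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def parse_call(line: str):
    """Return (function, {arg: int}, return value or None), or None if unparseable."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {k: int(v, 0) for k, v in ARG_RE.findall(m.group("args"))}
    ret = int(m.group("ret"), 0) if m.group("ret") else None
    return m.group("fn"), args, ret


def find_injections(trace_lines):
    """Return one finding per thread started inside a written, executable allocation."""
    regions, findings = [], []

    def region_at(addr):
        return next((r for r in regions if r.contains(addr)), None)

    for line in trace_lines:
        parsed = parse_call(line)
        if parsed is None:
            continue
        fn, args, ret = parsed
        if fn == "VirtualAlloc" and ret:
            prot = args.get("flProtect", 0)
            regions.append(Region(ret, args.get("dwSize", 0), prot, prot))
        elif fn == "VirtualProtect":
            r = region_at(args.get("lpAddress", -1))
            if r:
                r.protect = args.get("flNewProtect", r.protect)
        elif fn == "RtlMoveMemory":
            r = region_at(args.get("Destination", -1))
            if r:
                r.written = True
        elif fn == "CreateThread":
            r = region_at(args.get("lpStartAddress", -1))
            if r and r.written and (r.protect & EXECUTE_MASK):
                findings.append({
                    "base": r.base,
                    "alloc_protect": r.alloc_protect,
                    "protect": r.protect,
                    "note": ("allocated executable" if r.alloc_protect & EXECUTE_MASK
                             else "made executable after write"),
                })
    return findings


# Constructed sample traces (values invented for this example).
INJECTION_TRACE = [
    "VirtualAlloc(lpAddress=0x0, dwSize=0x1c0, flAllocationType=0x3000, flProtect=0x40) -> 0x1f0000",
    "RtlMoveMemory(Destination=0x1f0000, Source=0x4a2000, Length=0x1c0)",
    "CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f0000, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0) -> 0x58",
    "WaitForSingleObject(hHandle=0x58, dwMilliseconds=0xffffffff)",
]
PROTECT_CHANGE_TRACE = [
    "VirtualAlloc(lpAddress=0x0, dwSize=0x1c0, flAllocationType=0x3000, flProtect=0x04) -> 0x3b0000",
    "RtlMoveMemory(Destination=0x3b0000, Source=0x4a2000, Length=0x1c0)",
    "VirtualProtect(lpAddress=0x3b0000, dwSize=0x1c0, flNewProtect=0x20, lpflOldProtect=0x12ff40) -> 0x1",
    "CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x3b0000, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0) -> 0x5c",
    "WaitForSingleObject(hHandle=0x5c, dwMilliseconds=0xffffffff)",
]
BENIGN_TRACE = [  # a worker thread that only reads a writable buffer
    "VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x04) -> 0x2a0000",
    "RtlMoveMemory(Destination=0x2a0000, Source=0x4a3000, Length=0x200)",
    "CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401200, lpParameter=0x2a0000, dwCreationFlags=0x0, lpThreadId=0x0) -> 0x60",
    "WaitForSingleObject(hHandle=0x60, dwMilliseconds=0xffffffff)",
]

if __name__ == "__main__":
    for name, trace in [("injection", INJECTION_TRACE), ("protect-change", PROTECT_CHANGE_TRACE), ("benign", BENIGN_TRACE)]:
        print(name, find_injections(trace))
```

The benign trace shows why the check keys on the thread start address rather than on the mere presence of the four imports: a worker thread that is handed a buffer as its parameter uses the same calls and is not flagged. The WaitForSingleObject call is parsed but plays no part in the decision; the slides list it only because the stager needs it to stay alive.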
Slide 12. AV’s Approach to Catching Malware

Slide 13. AV Methods of Detection
◉ Signature Based
  ○ This is what Veil-Evasion attempts to bypass
◉ Heuristics Based
◉ “Crowd Sourced”
  ○ Reputation

Slide 14. Veil-Evasion’s Approach to Bypass AV

Slide 15. Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
  ○ Hyperion
◉ Custom Code
◉ Multiple different ways to approach bypassing AV

Slide 16. Veil-Evasion’s Approach
◉ We are combating on-disk detection through different techniques:
  ○ Obfuscated code
  ○ Encrypted code
  ○ Non-standard languages for Windows binaries
    ■ Python, Ruby, Perl, etc.
    ■ Flat Payloads vs. others

Slide 17. Veil-Evasion’s Approach
◉ Languages within Veil-Evasion
  ○ Python
  ○ Perl
  ○ PowerShell
  ○ C#
  ○ C
  ○ Go
  ○ Ruby

Slide 18. Veil-Evasion’s Approach
◉ Using a language that’s not C or C# made a big difference
  ○ AV programs didn’t know or didn’t properly inspect non-standard languages
◉ Example:
  ○ C Flat vs. Python Flat

Slide 19. Simply changing the language the code is written in completely bypassed all signatures.
Slide 20. Time for a New Module

Slide 21. Close Enough to June V-Day
◉ It’s been a little while since our last V-Day
  ○ Sorry, life…
◉ I have a module I wrote a while ago that’s been fairly successful
◉ It’s Python based
◉ Let’s release it today!

Slide 22. Remember Hyperion?
◉ I briefly mentioned Hyperion before
◉ Hyperion is a cool concept
  ○ It works by completely encrypting an executable
  ○ It wraps a decoder stub around the executable
  ○ Hyperion uses a purposefully restricted keyspace for generating the encryption key
  ○ The decryption key is NOT within the executable
  ○ The executable brute forces itself at runtime and, once decrypted, runs the original executable

Slide 23. Remember Hyperion?
◉ This is a pretty nifty idea; it shouldn’t be hard to write in a higher level language.
◉ However, there is an issue/feature when performing decryption routines
  ○ If I don’t provide the right key, I don’t get an alert, I just get decrypted garbage

Slide 24. Remember Hyperion?
◉ So I can’t just try/except my way through this module for incorrect keys
◉ Let’s perform a chosen plaintext attack!
  ○ Attack where we specify the plaintext and can observe the ciphertext
◉ A small modification of this will let me make a Python based Hyperion-esque module

Slide 25. Notification of Signature
◉ Finally, after approximately 1 year, we had our first signature

Slide 26. Notification of Signature
◉ I was pretty excited to see if someone finally figured Veil-Evasion out.
◉ Previous attempts have turned out kind of humorous..
Slide 27. Preparation

Slide 28. ShowMeCon Prep
◉ I originally wanted to start looking into a brand new bypass to release for ShowMeCon
◉ Started looking into it, and immediately was disappointed in one vendor.

Slide 29. What did I try?
◉ Generated Payload - Caught
◉ Removed the Shellcode - Caught
◉ Renamed CTypes library (extra length) - Caught
◉ Commented Windows Function Calls
  ○ From one, to all of them
  ○ Caught
◉ Deleted ALL THE THINGS and did a “Hello World from Veil” test

Slide 30. Hello World!

Slide 31. What about in Windows?
◉ Test this functionality out in Windows!
  ○ This just seems odd..
◉ Build a Python-based payload, but just the source
◉ “Compile” the script in Windows
◉ See what happens
  ○ Need to figure out the “baseline signature”

Slide 32. What are my Thoughts?
◉ This leads me to believe Avast is developing signatures for binaries generated by Veil-Evasion, regardless of whether they are malicious.
  ○ Let’s test this by generating a Windows binary outside of Veil-Evasion, but within Kali.

Slide 33. What did I Learn?
◉ Avast has chosen the shotgun approach of just blacklisting Windows binaries made by PyInstaller within Linux
◉ So this leads to two observations..
  ○ They’re going to be potentially blacklisting valid programs
  ○ Just “compile” your payload in Windows :)
Slide 34. Let’s Experiment with AV

Slide 35. Experiment Outline
◉ Generate most of the payloads currently in Veil-Evasion
◉ Test against multiple vendors, ensuring the ones I see most are included
◉ Differentiate between detected binaries, suspect/reputation based detections, and clean results
◉ Record the results

Slide 36. Who am I testing?
◉ Symantec
◉ McAfee
◉ Avast
◉ Microsoft Security Essentials
◉ Avira
◉ AVG
◉ ESET

Slide 37. Predictions?
◉ Generally - Most modules will bypass AV
◉ There will be some that are caught
  ○ C or C# based payloads
  ○ Probably some of the “Flat” modules
◉ Python based modules are the original ones, and likely will be caught
◉ Newer languages like Go will bypass AV
◉ “Pure” stagers will bypass AV
◉ PowerShell wins

Slide 38. The ability to detect an open source virus as the single datapoint for determining which antivirus product to buy isn’t the best evidence for your decision.

Slide 39. But it’s not a bad supplement :)

Slide 40. Observations
◉ A lot of interesting information:
  ○ Of all the payloads generated against all the tested AVs, almost 50% are determined to be virus free
  ○ Ruby Base64 Encoded payload is the least detected payload
  ○ C# Flat is the most detected payload
  ○ McAfee is the worst at detecting Veil-Evasion payloads
  ○ AVG is the best at detecting Veil-Evasion payloads

Slide 41. Observations
◉ Crowd-sourcing antivirus detection can be an option, but will heavily rely on:
  ○ The number of nodes submitting to the cloud
  ○ The configuration of your system
    ■ How does it respond on low, medium, high, etc. reputations?
  ○ Does it just ignore and/or not use signatures?
Slide 42. Wrapup

Slide 43. Wrapup
◉ Antivirus isn’t a brick wall
◉ The tiniest modifications can bypass antivirus
◉ AV vendors are human, and make human decisions when choosing how to make signatures
  ○ You can exploit this
◉ Anyone can develop new ways to bypass AV
◉ Seriously…
  ○ I’m not an expert, anyone can do this

Slide 44. Develop Your Process

Slide 45. Develop Your Process
◉ I approach AV how I approach red teaming environments I don’t know
  ○ I see stuff I have not ever touched before all the time, and I need to learn to abuse it
  ○ Develop your process for interacting with technology (or AV signatures) you’ve never encountered

Slide 46. A difference between an experienced professional and someone new to the field is that the pro is confident in their own methodology when encountering unknowns and being successful

Slide 47. Any questions? Reach out to me!
◉ @ChrisTruncer
◉ https://www.christophertruncer.com
◉ https://www.github.com/ChrisTruncer
Thanks!