This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.

1. A Battle Against the
Industry - Beating
Antivirus for Meterpreter
and More
@ChrisTruncer

2. Whoami
■ A systems administrator turnedredteamer
■ Florida State Seminole
■ Open Source Software Developer
■ Veil-Framework
■ EyeWitness
Thanks Robin :)
■ Egress-Assess
■ Just-Metadata

3. Why am I here today?
■Share some laughs at Antivirus :)
■Give a background on stagers
■Showcase a Veil-Evasion signature bypass
■Anyone can do this..
■Talk about developing your own code
■Case studies on previously developed code

4. Stagers

5. What are stagers?
■Can be referred to as “stage 1”
■Might be msfvenom, Veil-Evasion, etc. output
■Goal is typically to inject shellcode into memory
■Shellcode usually downloads and executes a
reflectively injectable dll
■…but it can also do anything you want if you
write it :)

6. What are stagers?
■Stagers are really used as loaders for your real
malware
■They’re designed to be expendable and tiny
■Don’t give away your engineered malware by
dropping it to disk
■Load everything in memory

7. What are stagers?
■Any language that has the ability to access
windows functions can be used to write a stager!
■Pretty cool, and allows us to expand out from
traditional “Windows Langauges”
■Interacting with Windows functions can seem
daunting, but isn’t all that bad
■4 or 5 function calls

8. Function Calls

9. Stagers in a Nutshell
■ Allocate memory to store the shellcode being
injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into
the process’s memory
■ Wait for the thread to complete running before
exiting the program

10. Windows API Calls
■Most stagers utilize VirtualAlloc to allocate
memory
■This talk shows an alternate way to allocate
memory that isn’t heavily utilized
■It might be a better way to fly under the radar

11. HeapCreate
■Creates a private heap object that can be used by
the process creating the heap
■Specify the memory protections
■Requires the size of the heap that will need to be
allocated
■Shellcode length
■Max size of allocated memory
■I do twice the shellcode length

12. HeapAlloc
■ Allocates memory from the previously created
heap object
■ Receives a handle to the previously allocated
heap object
■ Specify the total amount of space that you are
allocating for shellcode

13. RtlMoveMemory
■Places the shellcode you are injecting into the
allocated heap space
■Needs a pointer to where data (shellcode) will be
copied to (heapalloc output)
■Needs a pointer to the data (shellcode)
■Needs the length of the shellcode being injected

14. CreateThread
■This function creates a new thread within the
current process to execute the data (shellcode)
that was injected
■Requires a pointer to the data (shellcode) that will
run in the new thread
■Schedule the thread to execute immediately

15. WaitForSingleObject
■This function is like a blocking call to prevent the
program from exiting immediately
■Requires a handle to the thread that was created
by the CreateThread function
■Requires a value (-1) to specify that the program
should wait to exit until the thread exists

16. Stagers in a Nutshell (Repeated)
■ Allocate memory to store the shellcode being
injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into
the process’s memory
■ Wait for the thread to complete running before
exiting the program

18. Ordinal Values

19. Ordinal Values
■ Using ordinal values to reference functions is an
old-school but effective way to bypass antivirus
detection
■Picture an array or Python list containing
functions. To reference a specific function,
you reference it by its location within the
array/list
■Same concept for bypassing AV via ordinal
values

20. Ordinal Values
■ Rather than calling HeapAlloc or RtlMoveMemory
by name, why not reference it by its ordinal
value?
■ This is still a call to the same function, but just via
a different method
■Check out this code

24. Ordinal Values
■Simply referencing function calls by their
ordinal value vs. name can bypass anti-virus
■NOTE: Ordinal values can change between both
OSs and Service Packs. You will need to target
your payload to the OS and Service Pack when
referencing via ordinal value.
■So…. how do we find these ordinal values?

26. Ordinal Values
■PEView is a free program which lets you inspect
PE files, dlls, etc.
■You can use this to load kernel32.dll, search for
the functions that you are calling, and obtain
their ordinal value
■PEView provides the base 16 value, so be sure
to convert it to its base 10 value.

27. Veil’s Approach

28. How Veil-Evasion Bypasses AV
■ Completely open sourced
■ Can query VT’s API
■ Veil-Evasion attempts to bypass AV through a
few different techniques
■Obfuscated Code
■Encrypted Code
■Non-standard languages for binaries
Flat vs. encrypted code

29. How Veil-Evasion Bypasses AV
■ Languages that Veil-Evasion supports
■Python
■Perl
■PowerShell
■C#
■C
■Go
■Ruby

30. How Veil-Evasion Bypasses AV
■Using a non-standard language (read not C, C++,
or C#) resulted in payloads that immediately
bypassed antivirus
■AV just didn’t understand how to properly
inspect these executables
■Example:
■C Flat vs. Python Flat

33. Ordinal Values
■ Simply changing the
language the payload
was written in
completely bypassed
all AV signatures.

34. Antivirus Signature

35. Veil-Evasion
■After about 1 year, Veil-Evasion finally had its
first signature!
■I was informed about this on IRC and wanted to
check it out.

43. Custom Code

44. Browser Check Scenario
■Instead of sending just some random executable
when phishing, what if you promise to secure
their system?
■Developed by Hunter Hardman (@t3ntman)
■Written in C#
■Custom code, so it bypasses every single AV out
there (at least before Hunter made it public :))

46. Browser Check Scenario
■This works great for phishing scenarios
■We target individuals impersonating their IT
Security, or just IT staff
■Warn them about the dangers of
misconfigured/old browsers
■Give them a solution!

47. Browser Check Scenario
■Once the program starts, it spawns PowerShell
and executes any code you give it
■Meterpreter or Beacon!
■It’s fully functional, once user tells it to start,
they see a progress bar go to completion.
■Once complete, it lets them know their system is
secure!

48. Browser Check Scenario
■Delivery is dependent upon the situation
■We’ve created websites hosting it over HTTPS
to make users think it is secure
■Created fake “secure file transfer” websites
■Rarely, we’ve sent just the executable
■For our initial access, this has been pretty
successful, and the lack of AV detection helps the
user trust the program

49. Browser Check Scenario
■Currently available for review at -
https://github.com/t3ntman/BrowserCheck

50. Enumerator

51. Enumerator
■Customer didn’t want actual shellcode injection
of infection of their endpoints
■Wanted intel collection to act as proof of
“compromise”
■I developed a script that would gather host
information and would POST the data out over
HTTPS to our server.

52. Enumerator
■Information gathered
■System hostname
■IP address(es)
■System drives and drive space
■Current user
■Tasklist

55. Github
■https://github.com/ChrisTruncer/PenTestScript
s/blob/master/enumeration.py
■https://github.com/ChrisTruncer/PenTestScript
s/blob/master/enum_server.py

56. WMIOps

57. WMIOps
■Why waste engineering time, developing a RAT,
hoping it never gets burnt. Just leverage built in
functionality!
■Anything useful for system administration is
just as easily repurposed for illegitimate use :)
■Just live off the land!

58. WMIOps
■Used WMI much?
■WMI is installed and running by default on
Windows systems since Windows 2000
■It does require local admin privileges on the
targeted system
But this can make it great for post-
exploitation

59. WMIOps
■ WMIOps - A PowerShell based tool which uses
WMI to carry out various actions on targeted
systems.
■ Developed in PowerShell - we can load it in
memory and execute a variety of different tasks

60. WMIOps
■ Want to see which users have active processes on
a system?
■Might be good to know where you can snag
creds!
■Rather than needing to compromise the
machine, just run a simple WMI query with
WMIOps!

62. WMIOps
■Now that we know who is on the system, want to
run Mimikatz to capture user credentials?
■Traditionally we’d have to compromise it, and
load up Mimikatz.
■Why not leverage WMI to do everything in
memory without needing the use of a RAT?

63. WMIOps
■ Invoke-RemoteScriptWithOutput
■Spawn PowerShell on the remote system
■Download the PowerShell script in memory
■Runs the user specified function
■Saves output
■Performs a POST over HTTPS to a user
specified IP address

66. WMIOps
■ WMIOps can do other tasks as well
■Run commands
■Kill processes
■Search for files
■Transfer files
■Etc.
Available here -
https://github.com/ChrisTruncer/WMIOps

67. Thanks!
Any questions?
Reach out to me!
■ @ChrisTruncer
■ Chris@Christophertruncer.com
■ https://www.christophertruncer.com
■ https://www.github.com/ChrisTruncer