
...but it's working. Thank you, thank you very much for joining this presentation. I'm Cristian Cornea, and we are going to discuss how we can bypass antivirus solutions using BadUSB. For those who don't know, a BadUSB is a small device. I forgot to take it out, one second.
So it looks like this, a small device. You can do nasty things with it, and I will show you today how you can use it to trigger a reverse shell even if an antivirus is running on the target computer.
Okay, so a few words about myself. I'm certified with some of the Offensive Security certifications. I'm the founder of Zerotak Security, which is a cyber security service provider, and founder of the National Cyber Security Training Center in Romania. I'm a trainer for different companies and entities, including the Pentagon, the Slovenian National Bureau of Investigation, the Polish CERT and so on, a speaker at multiple conferences, and part of the EC-Council CEH scheme committee, which means that I'm part of the group that writes the syllabus and the exam questions for that exam. As a side note, I'm not responsible for the nmap questions, if you know what I'm talking about. Yeah, so
The agenda for today is pretty simple. We'll see how AMSI can be bypassed, with an introduction to AMSI; what the execution policy is and how we can evade it; and how we can develop every bypass that we'll discuss into a runner, in order to make our payload fileless. What is a fileless payload? It means that we don't download anything, we don't pull anything from a remote location to the victim computer, so all the payloads run directly in memory. Then we put everything together on this little device, which is the BadUSB, then some post-exploitation and persistence, a live demo with Windows Defender up and running, and some prevention tips. All of those will be done against a lab computer that has Windows Defender up to date and that is also running a low-privileged user. How we'll do it, we'll see during the presentation.
But first, what is the scenario of our attack, or what are the common scenarios that we can meet in real life? We have met them multiple times. Bob is a normal employee. He goes smoking in the parking lot, and Bob finds this little device near his car, and yes, he takes the device. It's not theoretical, it's a real-life scenario, so that's even worse. So he takes the little device, goes up and plugs it into the corporate computer. What happens next is that a program was run on Bob's computer. It was lightning fast; Bob never noticed any difference on his computer, so the computer returned to its normal state of work after one millisecond, and basically an attacker is now connected to Bob's computer. But how did it happen? Because Bob has Windows Defender enabled and up to date, the user that Bob is running under is a low-privileged user, and they have an organization-wide policy to disallow removable media storage. So how was it possible? We'll see during our presentation.
Okay, so the sequence of attacks is the following. This is what we'll do on our little BadUSB. Basically we'll have an AMSI bypass, in order to trigger an evasion of the antivirus, and an execution policy bypass. How many of you have run into issues with the execution policy, or how many of you have heard about the execution policy on Windows? Okay, perfect. So, as a summary, the execution policy on Windows is the policy that allows or disallows PowerShell scripts to be run under a low-privileged user, or under some users, and we'll see how we can bypass that one. Then we need a method to inject our payload, all of the payload, into memory in order to be fileless, so we are moving stealthily and we are playing only with the processes. Then some post-exploitation tips and techniques.
Before moving into the technical details, before moving into the actual exploitation process, let me ask you a question here. How many of you still rely on an antivirus to protect your organization or your personal computers? Okay. How many of you rely on an EDR solution to do that? Okay, perfect. How many of you are confident in having just Windows Defender? [Laughter] Okay, that was not expected. So I will give you a reason now to not be confident in that decision, because you'll see how bad it can act.
So let's go directly into the techniques. The AMSI bypass technique. Basically, what is AMSI, for those who don't know? AMSI is like a middleman between your computer and the antivirus engine. Whenever a third-party antivirus provider wants to implement an antivirus within your Windows machine, they basically disable Windows Defender and enforce only that antivirus; it is because of AMSI. So you cannot have two, three, four, five or more antivirus solutions; you can have just one, because that one is using AMSI. Basically AMSI is a library, amsi.dll, that uses the AmsiScanBuffer function. That function is used to push the PowerShell scripts that we are running on the computer for analysis. Basically, what we'll do in our technique is manipulate this AmsiScanBuffer, so we'll play with this function and we'll make it return, basically, true every time it runs. Not true, but we'll make it return a specific value, and that value will be like a bypass for the analysis engine within Windows Defender.
Okay, so this is the first step in building our payload. As you can see here, this is not PowerShell code. Basically we can use C-style code in PowerShell with Add-Type. So we can use Add-Type within PowerShell; it's a function that allows us to translate C-type code into PowerShell, and here we define three native functions within Windows. So we define GetProcAddress, LoadLibrary and VirtualProtect. You may assume that we will use those functions within our AMSI bypass. How we'll use them: basically GetProcAddress is used to pull the exact memory address of a specific function within memory. How can we search for a specific function within memory if we don't know the library that defines that function? So we have the LoadLibrary function, which basically loads the library that holds the memory address of a specific function, and then VirtualProtect will be used to edit the function itself. This process is also called patching, so we are patching memory addresses and return addresses within memory, and for that one we'll use VirtualProtect.
Okay, the third step will be to search for the AmsiScanBuffer. As you've seen here, we loaded amsi.dll using the LoadLibrary that we defined previously, so now we are searching for the AmsiScanBuffer function that we discussed. We need to patch it; we need to replace its return address, and here we have the return address that we will patch the AmsiScanBuffer function with. Why this value, I will explain during the next two slides, because it's basically not random. So it's not a random value, it's taken from the documentation, and here, using Marshal.Copy, we can patch the address.
So why this value? Basically, if we take a look at the AmsiScanBuffer function in the official Microsoft documentation, it says the following, quoting Microsoft: "If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code." And here we close the quotes, but it's not complete. This explanation is not complete. Why? Microsoft didn't tell us that if the function returns an HRESULT error code, then the script is actually executed. Microsoft never told us about it. So if we do not provide the arguments, if we do not provide the correct values for it to run, it will pass the script, the PowerShell script, directly to execution, which is a very, very big mistake, and they never documented this issue, and it is still not documented. So our goal here, our mission here, is to make AmsiScanBuffer return an HRESULT every time it runs, and the HRESULT will be this value. Why this value? Basically, if we take the HRESULT values within the official Microsoft documentation, we can take anything from there, any value from the table of HRESULT values, and I took here the first value, which says "one or more arguments are invalid". Basically it can be any value that you take from the HRESULT values, and let me show you on Google right now, because it's on Google, that's what Microsoft... okay, it's loading. So as you can see, we can take any value from here. Let me make it a little bit bigger. Perfect, so you can take any value from here; the table is pretty big.
So those are the possible values for the HRESULT, so you can take anything from there, but be aware of the characters, because some operating systems would crash on bad characters. So, about the value that you take, before that: how many of you have buffer overflow experience? Okay. As you may know, in buffer overflows you test for bad characters, because some characters are interpreted wrongly by the computer. The same here: the value that you take must be interpreted correctly; some of the characters can be considered bad characters. So this value, for example, was tested and it is interpreted okay in more than 10 versions of Windows that I have tested within the lab.
So here we have the AMSI payload. Let me ask you a question here now: this is detectable. How can we make it undetectable, or less detectable?
Yes, yes, yes, basically you are very close: it's obfuscation. So it's obfuscation. You can add any layers, any types of obfuscation. Here we obfuscated the code using normalized function names and hexadecimal characters, so everything is basically obfuscated. But be very cautious on this one: this code cannot be obfuscated too much, because it's in another language, it's in C, so when you use the Add-Type function it will not translate the code correctly into PowerShell. So what code can we obfuscate? The one that is PowerShell only. Okay, so we have the AMSI bypass technique.
Let's see the execution policy bypass. I think many of you have run into this error. So this error tells you that you have no rights to run PowerShell, but do you basically have the rights? Because you can use something like Set-ExecutionPolicy Unrestricted -Scope CurrentUser, which will allow you to bypass the execution policy within the scope of your current user, which means that if we are Bob, and we type this command, it will make the execution policy allow PowerShell scripts for our account, but for our account only. So it's pretty standard. We were discussing it with Microsoft, and Microsoft's answer was: it's a feature. So yes, it's a feature. It's a feature for service administrators or system administrators, but also for attackers. So it's a feature, a good feature, thank you Microsoft. Okay, so that was it, though you expected something fancy and complex. But no, it was just like that.
So how can we develop the payload runner? Basically the payload runner will help us inject everything into the runtime, into memory. Here we start our payload with the LookupFunc function. This function is used to search some assembly references within memory; because the time is pretty tight, we won't get into too many details for this function. But the GetDelegateType function is a function that is used to tell PowerShell, okay... you don't know about pointers, right? Pointers are not defined in PowerShell, but we need them to pass as arguments to some native Windows API functions, so the GetDelegateType function is used to set those argument types: pointers, Int32, things of that nature, all of them can be set with the GetDelegateType function. Okay, next we need to allocate the required memory for our payload. As you can see here, the payload, the shellcode, is over 2000 bytes, and here is the allocated space. Basically we need to be very cautious to allocate space close to the size of the shellcode that we generate. Do not allocate less space, because obviously the shellcode will not run. And here, for the purpose of this demonstration, we will use windows/x64/meterpreter/reverse_tcp, so pretty easy to catch by any antivirus, pretty detectable by any solution, and it's also plain text, so behavior detection should catch it very easily. Next, using the same Marshal.Copy that we used to patch the address, we will use it to copy the shellcode directly into the pre-allocated buffer, and then just execute it, as you can see here, with the CreateThread function from kernel32. And here we used GetDelegateType basically to set the IntPtr, Int32 and other argument types for the Invoke function. Okay, so that's it regarding the bypass and the shellcode execution. Everything is good so far.
But now let's see how we can put everything together on this little device. So how, basically, was the attacker able to run the BadUSB on Bob's computer, because there was a removable media storage policy in place? Basically the attacker was not using removable media storage; he was using a BadUSB, and a BadUSB is not removable media storage, it's a mouse and a keyboard. Yes, it simulates a mouse and a keyboard, so it can type and move the mouse pointer as you want. And how can we develop payloads on this BadUSB? How can we easily develop payloads? Because developing payloads on a BadUSB can sometimes be pretty hard, so how can we work smart and develop good payloads on this BadUSB? Basically, if we try the hard way, if you have advanced knowledge of C++, you can use the native Arduino programming, basically with the compiler and with some functions and libraries. But if we work smart, we can use Ducky Script. How many of you have heard about Rubber Duckies? Okay, perfect. So for the Rubber Ducky there is a specific language to develop payloads for it, which is Ducky Script, and Ducky Script can be converted to Arduino scripts using Duckuino on GitHub. So you can insert your Ducky Script and convert it to Arduino, so you can basically develop the same payloads that you would develop on a Rubber Ducky on the BadUSB, and then just insert it into the Arduino compiler, and that's basically it.
Now let's see some syntax tips for the Duckuino scripts. Basically those apply to the Rubber Ducky, but as we discussed previously, we can use Duckuino to convert them to Arduino. So we have STRING: anything that we type after the STRING command is basically typed by our BadUSB into the victim computer. We have delays: we can use DELAY if our target is slow, because a BadUSB can sometimes be faster than the victim computer, so we can use DELAY to slow down the typing of our BadUSB. Then REM for comments. REPEAT works as a loop to repeat the last command. The special keys, like ENTER, CONTROL, TAB, SHIFT, things of that nature, should be written within the script as they are written on the keyboard, and GUI is the Windows key. And we can control the mouse with MOUSE_MOVE, and LMOUSE, RMOUSE and MMOUSE stand for left mouse, right mouse and middle mouse, the buttons of the mouse.
And some tips when you acquire such a BadUSB. Basically, those BadUSBs were acquired from China in my example, and when I plugged them into a sandbox, because it is recommended to have a sandbox, yes, it's recommended to have a sandbox before actually developing on them, they had a reverse shell on them. So they were trying to spawn a reverse shell to some IP addresses, and obviously those IP addresses were not Microsoft addresses, so I searched for them on AbuseIPDB and they had a very, very high abuse confidence score. So yeah, that's it: just run it on a sandbox before starting to develop on it. Okay, and a tip when you do the post-exploitation: basically, for the thread, for the process, to not close instantly, you could migrate it to another process, because we are doing it through Metasploit, so we are actually generating a Meterpreter reverse shell.
So you can use the migrate command to migrate the process to something like explorer.exe or chrome.exe or something like this. Okay, so now the demo. I think this is the most awaited part of the presentation, so let me set things up right now. Here we will use a command and control within AWS. Right now, I hope I was not... okay, yes, the timeout within AWS, just one second.
Okay, let me show you that Windows Defender is actually running. Okay, so real-time protection is on, it's running, and let's connect to the command and control.
Basically this is just a Kali Linux hosted in the cloud. Okay.
And for the purpose of this presentation we'll use Metasploit, because it should be detectable by any antivirus solution, so it should be an easy-to-catch payload, but we will see. So it's loading. The classic use exploit/multi/handler. The payload that we set as a listener will be the same payload that we set during the generation of our shellcode, so set payload windows/x64/meterpreter/reverse_tcp. Okay, set the listening host, LHOST, we'll put something like 0.0.0.0, so catch anything. Set LPORT: if you observed during the slides, we set the listening port to 443, so a common port. And now we just click run. Okay, we start the listener, and now is the time to insert the BadUSB. As you can see, here is the BadUSB. Okay, yeah, I didn't do anything. So we will insert the BadUSB as Bob did, and we wait.
Okay, so... oh, okay, so it's starting to do things. Now it's doing the GetDelegateType function, now it's creating the payload, so it's placing the payload into memory using Marshal.Copy. It copied the payload into memory, and here we have a shell, a Meterpreter shell, and we can type any commands on it, so it's an actual shell. For example, load mimikatz. Okay. And here we have Mimikatz as well. So with Windows Defender running, as you can see here Windows Defender is running, we loaded Mimikatz, we have everything: a reverse shell, a Meterpreter reverse shell.
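Every step of the chain shown in the demo (the execution policy change for the current user, Add-Type with native imports, the amsi.dll / AmsiScanBuffer lookup, Marshal.Copy into an allocated buffer, CreateThread) is visible as plain script text when PowerShell script block logging is enabled, and that is where a defender can catch it even though no file touches disk. As an added example, not the speaker's code and not part of the talk, the following Python scores constructed script block entries against those indicators and correlates them per user, so the chain is flagged as a whole instead of each cmdlet on its own. The indicator names, weights, the threshold and the sample events are this example's own choices.

```python
"""Added example (not the speaker's code): flag the PowerShell chain described in the
talk from script block log text. Sample events below are constructed, not real logs."""
import re
from collections import defaultdict

# Each indicator: (name, pattern, weight). Names and weights are this example's own
# choices; the API and cmdlet names are the ones the talk describes.
INDICATORS = [
    ("execution_policy_relaxed", re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I), 2),
    ("add_type_native_import", re.compile(r"Add-Type.*DllImport|DllImport.*Add-Type", re.I | re.S), 3),
    ("memory_api", re.compile(r"\b(VirtualProtect|VirtualAlloc|CreateThread|GetProcAddress|LoadLibrary)\b", re.I), 2),
    ("amsi_reference", re.compile(r"amsi\.dll|AmsiScanBuffer", re.I), 5),
    ("marshal_copy", re.compile(r"Marshal\]::Copy", re.I), 2),
    ("inline_byte_array", re.compile(r"(0x[0-9a-f]{2}\s*,\s*){6,}", re.I), 2),
]

# Constructed sample script block events (Event ID 4104 style): id, user, script text.
# The fragments only carry the indicators; they are not runnable payload code.
SAMPLE_EVENTS = [
    {"id": 1, "user": "bob", "script": r"Get-ChildItem C:\Users\bob\Documents | Measure-Object"},
    {"id": 2, "user": "bob", "script": "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"},
    {"id": 3, "user": "bob", "script": "$src = '[DllImport(\"kernel32\")] public static extern IntPtr "
                                       "GetProcAddress(IntPtr h, string n);'; Add-Type -TypeDefinition $src"},
    {"id": 4, "user": "bob", "script": "$h = [Win32]::LoadLibrary('amsi.dll'); "
                                       "$a = [Win32]::GetProcAddress($h, 'AmsiScanBuffer')"},
    {"id": 5, "user": "bob", "script": "$bytes = [Byte[]](0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41); "
                                       "[System.Runtime.InteropServices.Marshal]::Copy($bytes, 0, $buf, $bytes.Length); "
                                       "[Win32]::CreateThread(0, 0, $buf, 0, 0, 0)"},
    {"id": 6, "user": "alice", "script": "Import-Module ActiveDirectory; Get-ADUser -Filter *"},
    {"id": 7, "user": "alice", "script": "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"},
]


def score_event(script):
    """Return (score, [indicator names]) for one script block; each indicator counts once."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(script):
            score += weight
            hits.append(name)
    return score, hits


def correlate_by_user(events, threshold=6):
    """Sum indicator scores per user across events. A reference to AMSI internals is
    enough on its own; anything else has to accumulate to the threshold, so a lone
    execution-policy change (alice) does not page anyone."""
    totals = defaultdict(lambda: {"score": 0, "indicators": set(), "events": []})
    for ev in events:
        score, hits = score_event(ev["script"])
        if hits:
            entry = totals[ev["user"]]
            entry["score"] += score
            entry["indicators"].update(hits)
            entry["events"].append(ev["id"])
    alerts = {}
    for user, entry in totals.items():
        if entry["score"] >= threshold or "amsi_reference" in entry["indicators"]:
            alerts[user] = {"score": entry["score"],
                            "indicators": sorted(entry["indicators"]),
                            "events": entry["events"]}
    return alerts


if __name__ == "__main__":
    for user, alert in correlate_by_user(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: score={alert['score']} events={alert['events']} "
              f"indicators={alert['indicators']}")
```

Per-user correlation is the point: the talk's own demo shows the AMSI patch and the runner arriving as separate script blocks, and the speaker notes that the PowerShell-only parts get obfuscated, so the `inline_byte_array` pattern and the native API names (which the Add-Type C code cannot hide, as the talk explains) are the parts worth weighting. Tune the threshold against your own baseline before alerting on it.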
And yeah, one second.
Okay, so.
So, some prevention mechanisms for this type of attack. Basically, disallowing PowerShell through the execution policy is not enough; we should cut PowerShell entirely, so don't rely on the execution policy. Access control lists on the physical USB ports of the corporate devices. Switch from an antivirus perspective to advanced endpoint protection, such as an EDR. And also security awareness for users: don't pick up USBs from the parking lot and insert them into your computers, or if you find a USB in a backpack, don't plug it into your computer, things of that nature.
And some research and statistics. Basically, the same payload was executed against 20 antivirus vendors besides Microsoft. 7 out of 20 spawned a Meterpreter reverse shell and allowed Mimikatz to be loaded directly into memory; 9 out of 20 just a reverse shell, so those nine antivirus vendors caught the Mimikatz load but allowed the reverse shell; and 4 out of 20 blocked the attempt when we tried to use Add-Type within PowerShell. So that's basically it. Some questions? Yes, please.
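One prevention point above deserves a concrete check: the talk notes that a BadUSB types faster than the victim computer can keep up with unless the script inserts a DELAY, and that the whole injection finishes in milliseconds. A keystroke-emulating device therefore looks nothing like a person at the keyboard, and an endpoint agent that sees raw key events can use that. As an added example, not the speaker's code and not part of the talk, the following Python applies a sliding-window median on inter-key intervals; the timestamps are constructed, and the window size and threshold are this example's own assumptions to be tuned per environment.

```python
"""Added example (not the speaker's code): a keystroke-timing heuristic for spotting a
keyboard-emulating device that types far faster than a person. The timestamps below are
constructed, not captured from a real device."""
from statistics import median

# Constructed key-event timestamps in milliseconds.
HUMAN_TYPING = [0, 180, 320, 510, 640, 900, 1040, 1250, 1390, 1600, 1750, 1980]
INJECTED_TYPING = [5 * i for i in range(12)]   # a device typing with no DELAY between keys


def inter_key_intervals(timestamps_ms):
    """Milliseconds between consecutive key events."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def first_injection_index(timestamps_ms, window=10, max_median_ms=40):
    """Index of the interval that starts the first run of `window` consecutive
    intervals whose median is below `max_median_ms`, or None if there is none.
    The median (not the minimum) is compared so a short human burst is tolerated,
    and fewer than `window` intervals is treated as not enough evidence."""
    intervals = inter_key_intervals(timestamps_ms)
    for start in range(len(intervals) - window + 1):
        if median(intervals[start:start + window]) < max_median_ms:
            return start
    return None


def looks_injected(timestamps_ms, window=10, max_median_ms=40):
    """True when the stream contains a machine-speed run of keystrokes."""
    return first_injection_index(timestamps_ms, window, max_median_ms) is not None


if __name__ == "__main__":
    for label, stream in (("human", HUMAN_TYPING), ("injected", INJECTED_TYPING)):
        print(f"{label}: injected={looks_injected(stream)} "
              f"first_window={first_injection_index(stream)}")
```

The index returned by `first_injection_index` is what you would correlate with the foreground window and the text typed at that moment (for example a Run dialog followed by a PowerShell command line). This is a heuristic, not a control: a script that adds a DELAY between every key drops under the threshold, so pair it with the USB port access control lists the talk recommends, and with device allow-listing that refuses a new keyboard appearing while one is already present.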
So this is Defender for a personal computer, not Enterprise. So this one is not Enterprise, it's just Defender. The question was if this was Defender for Enterprise or Defender for personal, but this is Defender for personal. It might work also in Enterprise, it might work, yes.
Yes, so those types of attacks might not work against EDRs. The question was if they might work against EDRs. Personally, I think they might not work against EDRs, because most of them are actually blocking Add-Type or C functions in PowerShell, or things of that nature, or really VirtualProtect, so things of that nature will not work. But this is just a personal opinion; I didn't test it. So, yes please.
Yes, so the purpose... basically, yeah, you can download it, so you can download the payload directly, but the problem is that if you download the payload it will be a file, right? You will have an artifact on the compromised computer. We don't want to have artifacts, we don't want to leave traces, we don't want to download things, because static analysis will probably catch us. So we want to move fileless; moving fileless is more stealthy and more efficient than having files. And the problem that you've seen, that it took some while to execute: I wanted it to take some while, because I wanted to show you that, okay, here it is doing the payload, here it is putting the buffer. But you can remove the sleep, so you can remove the sleep and it will be lightning fast, so it can be something in milliseconds. But I wanted to show you that the same payload that we are discussing is the same payload that is being run by the BadUSB. Okay, are there any other questions? Yes, please.
Yes and no. So if you want to trigger it behind a locked Windows session: if the user has a lock password, then it's nearly impossible; if the user has a locked session but just the sign-in button, it's possible, because you can control the mouse movement and you can point directly at the coordinates where the sign-in button is placed on the Windows screen. Okay, are there any other questions? Then thank you very much. [Applause]