Bypassing Anti Virus using badUSB

hello everyone uh and welcome to to this presentation uh now we are going to to speak about uh bypassing antiviruses using bed USB uh this presentation will be mostly Technical and we will tackle the the Windows Defender um and basically I know that this was a very very very long day for everyone so I'll try to not bore you some um some very technical topics so two words about myself U I'm a penetration tester founder of a cyber security company part of the certified ethical hacker committee and I'm also a speaker and trainer for multiple organizations all over the world and in time I also speak to to some conferences like those and write some articles on me and the agenda for today would be how we can uh bypass the MCI which is the the protocol used for one second which is the protocol used for Windows Defender um to to check the SCS to check the malicious files that we Tred to run uh next we'll check how can we bypass the exec policy in order to to run those scripts um to to build a payload runner in which through which we will insert our payload directly into the memory and how can we put everything together on a little bed USB and demo also included running on a Windows Defender upto-date version and the scenario is the following uh Bob uh went in the parking lot he found an USB next to uh to his car took that USB uh to his computer introduced it he was just curious and now an attacker is connected to to Bob computer uh how would that be possible because Bob had and is having antivirus running more specifically Windows Defender um and Bob is a low privilege user within the the organization so how that happened uh and before moving forward I want to to ask you how many of you still rely on Windows Defender hands up okay okay how many of you do you think it's it's a good Choice okay that's fine uh expected as expected so uh also we have a policy in place for our organization that this allows USBS to be in into into um computers more specifically removable media storage what happened we'll see during this this presentation uh the the sequence of attacks that has been performed on the on the Bob computer are the following firstly attacker evaded AMC in order to run the the script uh then execution policy bypass payload Runner is being inserted directly into the memory so we have a Fess uh payload there and post exploitation he migrated to to another leged process in order to not be caught firstly we will go into details regarding Ami bypass methods what is Ami uh this this technology works as a main in the- Middle uh interface between our antivirus and the Powershell scripts or other scripts that we are running on our computers and if we find a way to disable it of course with low privileged accounts if we find a way to disable it we can run any malicious scripts that we we want on the on the computers uh and it is usually used with third part party antiviruses in order to provide a scanning interface between the scripts and the engine and technically speaking uh it uses the m SC buffer function from the library .dl so if we find a way to manipulate the returning results of this function we may find a way to totally disable or to temper with it in order to return a result that every time it scans for a file it will return that file is legit that file is valid and is not flagged as malicious how can we do that firstly we will do a PO shell script and we will Define multiple API functions within the the Powershell script uh why we need this sequence here is that because uh Powershell do does not know uh C and what we are doing here is basically uh C so we are defining finding those functions in C and then translating them to to Powershell using the add type method and then we will load the uh mcdl library in memory in order to to manipulate with the functions within it as you can see we Define get Pro address loader library and virtual protect those uh functions we'll use to manipulate the amyan buffer function and the first one that we are using here to load the library uh is actually the the load Library functions uh Windows API function next we have dm. DL we need to extract the function from dm. DL we will uh use the getro get Pro address function in order to to retrieve the am kind buffer method and then we need to make it writable we need to make it writable in order to temper with the return address of the of the function for that case we'll use Virtual protect in order to to change the permissions to uh to allow us to temper with the with the function and after that we need to create the value that will be replaced every every time the function is being called against a file or against a script this value here uh is 0 x 8 007 0057 it doesn't make any sense for now but we'll see why it's uh it's a very important uh return value during the next slide uh next using Marshall copy we are doing uh a replacement of the of the result and why this value should be should be replaced for the amyan buffer result Let's Take a Look Over the official documentation for Amy scan buffer function and we can see that it takes uh an Amy result as the output if this output uh succeed if the function itself succeeds scanning the file it will return sore okay if the function does not succeed it will return an age result error code why is the why is this a problem in Windows the problem is that by default if we think securely if the Amy scan buffer function would crash would return an error the file should not permitted to run but by default in Windows the file is being run when the am scan buffer function return an error code so we'll make the the function to return an error code our error code is this one 80070057 we'll see also the documentation for this code so that's that's also flow within windows by itself and the value of the of the error code it says that one or more arguments are invalid we can take any error code that we we want but this one is pretty pretty effective so there is the uh the age res documentation on on Microsoft official page we can take any value uh this one seemed to to work without any uh additional manual interventions so while if we make the function sorry if we make the function return this this error code uh we may have the file running we may have bypassed the the antivirus and this is our final uh um bypass payload let me ask you something what do you think it is missing here this one is being being caught by most of the antivirus Solutions so we need to do an extra step for it oh okay we'll apply ofation we can apply this fation using um using the invoke ofation payload from from Powershell it can be found also on on GitHub it's a it's a function that applies layers of ofation over our powers shell scripts and this is the first part of our exploit the am bypass we successfully bypassed the um the main in the middle between our antivir and the scripts that we are running next execution policy bypass what is this execution policy bypass by default Windows does not permit users low privileged users to run Powershell scripts that are unsigned by an official provider such as Microsoft but uh unfortunately windows allow us as low privilege user to disable the execution policy for our user only so attackers may just disable the execution policy using this on line command for the user that they are targeting we cannot disable it for the uh for the machine itself but we can disable it for the user that we are running the the script within the context to which in our case is Bob so the attacker uh disabled the execution policy for for Bob and the third step within our uh within our payload development would be the runner what is this Runner uh the runner allows us to insert the uh the Shell Code the payload directly into the memory without having any additional files firstly we will Define a lookup Funk uh in order to search for uh assembly references later within our payload uh we don't have enough time but this this function as a summary these functions uh check the the system check the uh system for any assembly references that we'll take later into into our payload and use them get delegate type uh this function should be should be defined within Powershell because Powershell does not know uh some argument types that are used commonly in C for example pointer paral does not know about the C pointer so we need a function that defines all those types then we have the actual payload Runner which injects our our final shell code to the into the memory we take uh an writable memory we allocate it withinin the machine using uh using virtual aloc that we just defined previously then we generate a payload for example using msv Venom a simple met pretor payload that is that is caught by by any virus Solutions today like it's very very basic and then inject that using Marshall copy into our previously allocated memory space and uh we can we can invoke it later and here we are using the get delegate type to um to provide Arguments for the invoke function argument types that are not known Powershell but they are uh they are defined in C like uh pointers and uh integers so we we take that and we uh provide them as Arguments for our invoke function and now uh we should put everything on on a small device and let me bring the the small device real quick so we have this small device right here which looks like a normal USB like real normal USB and we can put everything that we seen previously on this device so uh firstly you remember that the the P Lo was successfully run but the organization had policies to restrict removable media storage so why why did it actually this is not a removable media storage it's a simulation of a mouse and a keyboard here we have an Arduino Arduino board within the USB that takes the keyboard. hush and mouse. hush functions to libraries sorry those libraries and takes the functions from those to simulate of inserting some keystrokes or to move the mouse of the compromised of the compromised user how can we how can we develop scripts uh actually we have two options we can use the digispark scripts which are Arduino uh script and they are they are scripted in C++ or we can duy scripts those duy scripts are mainly used for rubber ducky payloads which are similar to to those bed USBS but they are more expensive than a bed USB because a bed USB can be bought for like $1 or maximum $2 while rubber duckies can be bought for 20 30 depending on where you are located in the world so those are much uh much cheaper but they came from China so you need to investigate a little bit before before play with them for example mine had a command and control reverse callback to addresses so I had to test it within a a local send box and uh going back to to our discussion we'll use the the duy script will code our final payload in dakis script and we'll transform it to digispark and using this uh doino which is an open source project can be found U through GitHub and you just insert the docky script and then uh it will compile into Arduino code bed USB uh and du what is the the Syntax for developing payloads using ducki scripts have the the string variable which what we type after the string will be typed by our USB we have also delays we have the the repeat Loop which allows us to uh to run the last command multiple times we we must insert our special keys that we see on the keyboard like enter tab shift control as they are typed on our keyboard we insert them into into our payload uh without the string without the string variable and the Windows key will be um must be inserted as uh guy um command and in order to to temper with the with the mouse locations we'll use Mouse uncore move uh and the coordinates of the of the mouse and L Mouse R Mouse and M Mouse are corresponding to the mouse buttons and some tips regarding post exploitation that we can do after this attack succeeds uh we can migrate our reverse shell to to a process such explorer.exe why explorer.exe because it's a very very common uh process and it is usually uh left running uh nonstop on the on the target computer and Metasploit can help us using the the migrate command and let's let's move forward with the demo just one second to prepare everything okay so uh to explain you a bit we have here a command and control endpoint that will be that we will use for uh our as our listener and we have the the compromis machine which is a local Windows 10 machine with uh realtime protection on from Windows Defender and firstly we'll use the uh Metasploit framework to to start a listener in the upcoming seconds and we'll insert the the bed USB to see how how it works with the Windows Defender up and running e and now we are inserting the bed USB and we wait for it to to load bed USB inserted I'm not doing anything this is a proof of concept that's uh it is slow just to show you the the payload and we are waiting a bit and there we got a shell a met PR reverse shell Windows Defender fully fully running and that's that's basically the the purpose of this exploitation uh what we can do next we can migrate to another process in order to not be caught or just uh insert another another payload so and as you can see it's it's also uh met pretor so it should be it should be caught by by most of the antivirus Solutions but the the payload was successfully running we disabled uh the Ami and here here we are and you can drop those uh bed USBS like in the parking lots or at the mall at a very crowded uh station and things of the nature and you know what the the dangerous part about it that uh I have researched and it's working it is working with office m macros also and like when I say working it's actually working with most of the antivirus Solutions and one second to switch to the presentation okay so what is the prevention for those attacks firstly Microsoft should update their solution or the anti virus products should update their Solutions uh but for us as administrators or security Engineers we should disable uh Powershell for end users we should have uh Access Control lists on Mach based specific uh White listing for the for the USB ports um and we should move our we should shift our perspective from from running antiviruses for our endpoints to a more advanced solution like an endpoint protection or ADR xdr and things of the nature and security awareness training for for the end users some research and statistics about this uh exploitation because we cannot name it really a vulnerability we can call it an exploitation thing um was reported to Microsoft they said that uh it's basically not a not an issue uh because requires a lot of user interaction like what user interaction do do you expect like there was a USB on the uh on the floor and the user picked it up and then there was a reverse shell like two user interactions pick the USB or insert the USB you don't want to pick up the USB good just deliver it directly to the user then you have one user interaction needed um the the payLo was tested on 20 antivirus vendors uh seven on of them uh allowed us to to spawn a reverse shell met pror reverse shell then to load mimicet directly into the into the memory uh nine sorry nine of them allowed Us only for a normal reverse shell but that's good also so that's good uh and four of them blocked the entire attempt of exploitation the the attempt was caught during the Amy bypass through Behavior Analysis and thank you very much