12

What are some good anti-virus evasion techniques when using ps_exec? As a pentester I often encounter situations where you can't, for one, exploit a machine as they are running anti-virus software on their machines. I'm mostly talking about binaries which get saved on the victim's machine before being executed.

What are some good techniques to, for instance, generate a meterpreter payload dynamically so that you can evade AV software?

Lucas Kauffman
  • Check out TheLightCosine's DerbyCon 2013 talk: http://www.irongeek.com/i.php?page=videos/derbycon3/3202-antivirus-evasion-lessons-learned-thelightcosine – Oct 23 '13 at 21:30
  • Here's a slightly outdated blog post about most of the theory you might want to know: https://blogs.cisco.com/security/a_brief_history_of_malware_obfuscation_part_1_of_2 – toster-cx Jul 22 '19 at 18:47

5 Answers

16

There are strategies to improve the chances of evading a target's AV. The overall strategy is to try to develop a backdoor that is as unique as possible. Writing your own backdoor from scratch will be the most successful.

A protected, or "encrypted", envelope around malware is a common strategy. However, AVs will sometimes flag the envelope and assume the contents are malware, which sometimes happens with UPX. As of 2015, Veil-Evasion has become my preferred envelope used to evade signature anti-virus software.

rook
11

In order to evade the antivirus solution, first you need to understand how the antivirus flags your particular backdoor. The first method the AV engine uses is its vast set of malicious file signatures to search for particular patterns and signatures in an executable. In the case of Metasploit, the AV solutions have signatures for the default exe template (data/template/template_x86_windows.exe), and any executable you generate using this default template will be flagged by the AV regardless of the actual shellcode in it. An easy way to overcome this problem will be to generate your shellcode separately and then create a custom exe and embed the shellcode in it. Bypassing the shellcode is easy using the shikata_ga_nai encoder since it is a polymorphic encoder that generates different shellcode each time.

The next technique the AV engine uses is the sandbox, where your backdoor will be executed for a very short period of time and its behaviour will be analysed at runtime. It will look for signs such as allocating an RWX memory block or establishing a reverse connection. An easy way to bypass this is to use a dummy loop or code blocks that execute till the sandbox timer expires without performing any malicious task.

Finally, modern AV engines have multiple components, such as separate modules for network traffic, web, email etc. Since meterpreter is a staged payload where the first stager downloads the second-stage meterpreter DLL file, if the connection through which the DLL is transferred is not encrypted, the second-stage DLL will be detected regardless of whether you have bypassed the AV in the first stage or not. You can use the reverse or bind HTTPS meterpreter to bypass this restriction.

I have used Veil on a few occasions and it is an easy way to bypass AV. The only limitation is the increase in size due to the full Python interpreter that needs to be embedded with the EXE. Veil can do its work using native EXEs as well, without requiring the Python interpreter, but the code size is still increased due to the encryption and decryption routine. If size is not a problem, you can use Veil. However, in certain environments (such as embedded devices or IDS file size signatures) where size is really a big constraint, you have to craft a custom backdoor from scratch yourself.

void_in
5

One interesting framework I came to like is Veil. It's a framework which assists in generating payloads and binaries specifically designed to evade anti-virus software. It's available in the Kali repository.

SilverlightFox
0

Some of the best methods that work are:

  1. Code your own executable or generate a meterpreter backdoor using shellcode and then embed it in your program; use XOR or any equivalent encoding scheme and decrypt at runtime. Make use of loops and IO operations for delaying execution for some time. Generally, executables consuming 100% CPU are skipped by some AV vendors. So, say, if your executable starts by consuming 100% CPU for the next 2 minutes, it will eventually bypass some controls like 15-sec sandbox analysis, etc.

  2. For persistence, use the task scheduler rather than registry entries.

  3. Self-sign the executable; this bypasses many AVs out there. A recent example is the Petya ransomware.

  4. Scramble function names and implement anti-VM protection.

Nipun Jaswal
0

Most AV seems to detect the exe/pe "template" rather than the encrypted payload. Try to create your own basic C program which executes shellcode at some point. You can write useless code all around the actual payload call to generate unique programs each time. Try combining a couple of rounds of shikata_ga_nai (msfencode) with your custom exe template.

Sebastian B.
  • Encoding does not aid AV evasion; it merely takes away non-working bytes. – Lucas Kauffman Oct 23 '13 at 20:45
  • I would disagree. I think it's not hard for AV to detect payload patterns in executables. Encoding payloads randomly does hide these patterns from pattern detection. – Sebastian B. Oct 24 '13 at 17:30