I don’t have a huge amount of experience in AV evasion so I decided to set up a few VMs and get some hands-on. I’m certain this is not anything at all like how a professional Red Team would approach getting around AV. But for now- it’s a learning experience.
No introduction or explaining needed here. Everybody knows Avast. I’m using the regular old free version.
Again. No introductions needed- Sophos is a well-known AV company. For these tests I was able to get my hands on a copy of Sophos Endpoint Advanced. With Sophos Intercept X also thrown into the mix.
This is a new one on me. Panda performs really well in independent tests (Link) so I figured why not give it a go. This particular version I’m using is the free solution aimed at home users.
- I have 3 VMs running Windows 7 (I already had the VM’s created and ready to roll from another project… but I could have just as easily ran this with Win10)
- I’ve made sure each of these machines is vulnerable to EternalBlue. And before anyone even says it, this is an exercise in AV evasiveness (and not a test of Windows) so doesn’t really matter if it’s an old exploit.
(As matter of fact, using an extremely well known exploit, that’s over a year old is probably putting me at a disadvantage and leaving the AVs with the upper hand.)
The machines have the following addresses:
Kali = 192.168.80.132
Avast = 192.168.80.151 (+ also .152)
Sophos = 192.168.80.156
Panda = 192.168.80.147
Round 1: Remote Exploits
The first thing I’m going to test is exploiting these machines remotely. As I mentioned already I’m going to exploit them via EternalBlue.
Launching the attack from my Kali machine.
Meanwhile, over on Windows, Avast is killing me dead in my tracks.
I run the same exploit and Panda is all over this.
Launching the exploit from Kali:
And very surprisingly… I got in. The devil is in the detail though. Notice that I’ve actually got system level access right now on this box. In other words. Game over.
What is Sophos doing?
Not even an alert/popup to tell me something is after happening with a remote connection and the system account.
Yeh. Maybe I would have liked to have known about that one Sophos.
Let’s launch Sophos to see if its reporting anything on its dashboard.
“Your computer is protected……” its telling the user, whilst in the background, somebody has a remote connection to the machine and is silently noseying around the file system.
Lets upgrade this from a cmd and throw a meterpreter shell into the mix.
From here I start the keylogger and start recording all the users key strokes. If this was a real machine I was attacking (and not a VM) I would start listening in on the machines microphone and see what’s going on in the room.
I think it’s safe to say that this machine is hopelessly compromised at this point.
Round 2: Localised Exploits
With one machine down and only two more to go, I’m going to ramp things up a notch and see how well the AV’s handle dealing with a malicious payload dropped right into the system.
If this was in the real world you would need to get creative. Maybe send the user a phishing email with a download link, give them a phone call and social engineer them into visiting your website, or copy the payload onto a USB key and drop it outside the front door of the company etc etc
Lucky for me, I don’t have that headache to deal with. I’m just going to setup a shared folder on each of the C drives and drop the payload right in.
I could go straight for the gold here. But after seeing what happened with the Sophos machine, Im going to take my time and try some basic attacks.
Lets start at the very basics. I took a meterpreter shell and passed it through 12 iterations of Shikata Ga Nai. Its called backdoor.exe Lets see how we get on.
Instantly picked up on this.
Not only was I able to drop the payload onto the system I also ran a scan on it which came back clean.
This is not looking good for Panda.
However though. Its one thing to have your encoded/encrypted/binded/packed malware fly under the nose of an AV product. The real test is can you launch that malware without the AV detecting and killing it at run time.
Lets see how Panda deals with this. I trying launching the backdoor.exe file and……
……. It worked!
As you can see I have a full access to the system. Another machine down. Its just me and you now Avast.
Im not going to call this round 3 because Im sticking with the same attack vector, only this time I’m going to up the levels…..slightly.
This time, instead of using a meterpreter shell Im going to generate my own reverse tcp shell from veil and encode it with single byte Xor then compile it into an exe. I called it backdoor2.1.exe
And it was picked up instantly.
At this point I started throwing everything I have at this machine.
Im taking so many losses on this. I’m taking losses back to back. I’ve sank countless hours on this. I’m testing everything I know about antivirus evasion. Im trying shell code injections. Powershell droppers. Ive got generic shells. Custom shells. Im using Phantom. Im using Veil. Im using Chaos. Im using MSFVenom. My options eventually wore thin and with great pain I had to stand down to Avast.
It might not be a complete loss though. I did have a mini victory especially if you take a very strict interpretation of when I said ‘test to evade AV‘.
Let me cover real quick the payload.
I took a reverse tcp shell and xor encoded it. Then I compiled it into an exe that would inject straight into the RAM heap (think back to your buffer overflow lessons). For good measure I also included some dummy processes. The plan is that it will spawn the first few processes and they will just execute a load of random nonsense and hopefully catch the AV off guard and get out of any sandboxing efforts. Then on top of this I triple key Xor it again and strip out any symbols. Apparently this last bit, stripping out symbols, makes it harder to reverse engineer. And thus harder for an AV to pick up on anything malicious. Who am I to argue?
With this new backdoor in hand I drop it onto the machine. And Avast does pick up that something is not right.
But it actually let me away with it.
This is excellent news. Can I launch the application without tripping Avast?
Yes. I can.
Does it make a secure connection back to my machine?
Goddamn it. So close but still no cigar. I tried a few a variations of this payload and while they can all get around Avast none of them can actually make the connection back. It keeps crashing on me.
To rule out any issues with my payload I tested on the Sophos + Panda machines and it works fine on those. And to rule out the possibility of some niggly windows/VM issue I built a new VM. Installed Avast and it’s the same thing. It seems as though that something Avast is doing is [unintentionally?] breaking my payload.
Avast.Well done. Excellent job on keeping your users safe.
Panda.To be honest I quite liked Panda and was secretly hoping it would come out on top. It’s a very intuitive solution and is easy to use. It’s not a resource hog either which is a huge plus in my books. It didn’t hold up as well I had hoped- but I am using the free version. I’d like to think that maybe if I’d had the premium product we’d be looking at different results.
Sophos. Going into these tests I expected Sophos to come out on top. I was quite surprised with the results. It obviously didn’t do so well this time. But theres no reason if I run a similar experiment in a few months that there will be totally different results.