Webinar Series Update: Evading Anti-Virus

In the webinar I gave last week based on “How attackers break in“, there were several questions at the end that focused on password management and then also evading anti-virus. During the webinar, I had created a malicious file, which I then executed on a client workstation, which then spawned a console on the hacker workstation, allowing me to then execute extra commands and potentially elevate privileges. In the second webinar I gave today in the series, I went through this process again but using the details I will talk about below.

As you know when building presentations, often the demo’s that you see, are created to illustrate the principle and may or may not work in the real world as easily. However, for the malicious file to execute on the Windows 10 client that is running Windows Defender I needed to either disable that which can be done using PowerShell, Group Policy, Registry change or the Settings App or make it, so it allowed the executable to run and ignore what it is.

Now Windows Defender is clever like most Anti-virus platforms as it checks many different elements of files, not just the name or the location you have it stored. Adding a folder location that is set as an exclusion, can often work for this, but often the real-time scan engine picks it up anyway if it tries to execute something malicious.

As an example, for the Windows 10 Fall Creators update, you can use these registry values saved as a “.reg” file which will do the job.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
“DisableAntiSpyware”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
“DisableBehaviorMonitoring”=dword:00000001
“DisableOnAccessProtection”=dword:00000001
“DisableScanOnRealtimeEnable”=dword:00000001

Though that works great for a self-contained demonstration environment, in the real world there is no way that this would be allowed. So, how do we get around the anti-virus protections when you want someone to open a malicious file?

This comes down to using other tools to make the executable look like something else that is trusted. One tool, that can be used is called “Shellter“. This can run on Linux, but requires “i386” and “Wine” to be installed, which can be done using the following commands:

dpkg –add-architecture i386
apt update && apt install wine32

Once it is installed, you can then simply run “shelter” from the console.

What is “Shellter” and what does it do?
Now before you do this, you need to understand what this tool will let you do. “Shellter” is a dynamic shellcode injection tool referred to as a “Dynamic PE Infector“. It can be used to inject shellcode into native Windows applications. “Shellter” takes advantage of the original structure of the PE (Portable Executable) file and doesn’t apply any modifications to the file. “Shellter” is not just an EPO (Entry-Point Obscuring) infector that tries to find a location to insert an instruction to redirect execution to the payload. Unlike any other infector, Shellter’s advanced infection engine never transfers the execution flow to a code cave or to an added section in the infected PE (Portable Executable) file. Shellter uses a unique dynamic approach which is based on the execution flow of the target application. This means that no static/predefined locations are used for shellcode injection. Shellter will launch and trace the target, while at the same time will log the execution flow of the application.

For this to work, you can basically use any 32-bit standalone native Windows application. Of course, since the main goal is to bypass anti-virus, you should generally use legitimate looking applications that have not been flagged by any anti-virus vendors.

How to start?
Within a Kali Linux environment, the first task is to download an executable that you wish to use. It could be any 32-bit legitimate application. For this example, let’s use the installer for “Notepad++“, which can be found here:

https://notepad-plus-plus.org/download/v7.5.6.html

Once this is downloaded, you will use this as the executable. To use the downloaded file, launch a console application then change to the directory you downloaded the file into.

Now you can simply type “shellter” from that directory. This will launch a separate console for “shellter“.

For the first option, select “A“, then when prompted, type the exact name of the downloaded file.

This command will then create a backup of the original file, then using “DisARM.dll” will then traverse the executable to see what it does, looking at how it flows as an application.

Once this has completed, you must select whether to enable “Stealth” mode, for this example press “Y“.

Using “Shellter“, you can either use a custom payload or have the tool create one itself, that can then be used by tools such as Metasploit within a Meterpreter session. For this example, type “L“, to allow you to select from the list displayed. Then type option “1“, which we will combine with a Meterpreter session.

This configuration is then the same as using an exploit within Metasploit, so set the LHOST, this is the “Listening” machine i.e. the Hacking device, and then the LPOR, which is the port you wish the communication to be made on.

Now the process will iterate the file, inject the payload and ensure the executable works as expected. Press “Enter” to continue, which will close the “Shellter” window and return you back to the parent console window.

The newly created file will then need to be copied to the victim workstation or device, ready to be executed.

On the Linux machine, you now need to launch “Metasploit“, ready to set up the listener, using the details we added to the “Notepad++” installer.

Once “Metasploit” has loaded, you need to set the exploit to be used as the following:

Now everything has been configured, you can now type “exploit” to execute the listener.

The hacker device will then simply sit there waiting for a connection to come back to it and then create the tunnel between the two. Switching to the Windows 10 device, you can now launch the “Notepad++” installer we created. Once the installer has been initialized, the console back on the Kali Linux device should then receive a connection.

To check that this is the correct device we can execute the following commands:

This will tell the Meterpreter session to launch a “CMD.EXE” process on the remote workstation, keep it hidden and retrieve any user tokens with it.

Once this completes, you should be a command prompt, to the directory that the executable (Notepad++) ran from.

Now you can type any “Windows” commands that “CMD.EXE” accepts, such as “whoami” to tell us who we logged in as then of course “hostname” to the name.

Switching out of the command prompt you could also run “sysinfo” at the Meterpreter prompt to get some further details.

As you can see this process of using “Shellter” to inject shellcode and make a process hidden to anti-virus is very powerful. Combine this with existing tools such as Metasploit means that you then have the power to use all those tools plus many others to either traverse the device further or even pivot from that device to others sitting within the networks that you as the Hacker could not see.

Liam Cleary

Liam began his career as a Trainer of all things computer related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. Liam also serves as the Product Owner for Security at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks, within SharePoint and Office 365 customizations. His core focus will is to identify, control and protect whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a twelve-time Microsoft MVP focusing on Architecture but also crosses the boundary into Development. His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, raspberry PI programming, hacking the planet or building Lego robots.

You may also like...