
Tips for an Information Security Analyst/Pentester career - Ep. 43: AV Evasion (pt.1)

In this post we'll analyze how to make our payloads less detectable through antivirus evasion.

For this purpose, we're going to use a tool called Veil (formerly Veil-Evasion), which is mainly written in Python and follows the Metasploit structure (though the current version doesn't look as Metasploit-ish as it used to).


Prep

Veil contains several exploits.

In this case, we choose the number 29 (python/shellcode_inject/aes_encrypt.py), which encrypts its own payload with AES cryptography.


You'll notice in the above screenshot that we used a reverse shell payload, based on the IP address of our Kali VM, listening on port 5600.

The command generates an executable that we copy to the Web server directory.

At that point, we only need to set up a handler (multi/handler) to pick up the reverse connection from the victim machine and open up a shell.

Exploitation

We move to our Windows 10 target machine in order to download the malicious executable.

A warning message pops up, but it's not a blocking warning and, additionally, the file isn't flagged as malware, unlike what happened when I tried downloading files generated by other tools.

We can simply dismiss the warning by X'ing out of it.


Most users would keep going regardless if they thought the file was legitimate or helpful, and they can also be convinced to do so through social engineering techniques.

In fact, we're able to run the executable normally and to open up a Meterpreter session.


Privilege escalation

We're in as a local user who belongs to the Administrators group, and this circumstance allows for a successful privilege escalation.

For this purpose, we're going to use another exploit (exploit/windows/local/bypassuac_fodhelper).

For more information and the settings related to this specific exploit, check the embedded video.

We're successful and another session is created for us.


This time around, our escalation with getsystem works.

We can also dump the password hashes by migrating into a process that runs with higher privileges.

I chose Windows Defender for this (who'd go and look for something there, right?) and this time around the operation was successful.

At this point, we add another user, called hacker, to the system.

We can get more granular control of the system by running a Windows shell with the shell command, and this way we add hacker to the Administrators local group.

Wrap-up

Antivirus software is very important and helpful, but not flawless, as it's mostly based on virus signatures, i.e. hashes.

If a file doesn't contain those patterns, or it's been created through methods that disguise the malicious code, it can easily slip through undetected.
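As an added illustration (not code from this post or from Veil), the Python script below shows on constructed sample bytes why a hash or byte-pattern signature misses a wrapped payload, and one cheap heuristic, byte entropy, that a defender can layer on top. The seeded XOR keystream is only a stand-in for Veil's AES step; any keyed transformation has the same effect on static matching.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed stand-in for a byte pattern an AV signature would look for.
KNOWN_BAD = b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00"

# Constructed "plain" executable body: low-entropy padding around that pattern.
PLAIN = b"MZ" + b"\x90" * 1500 + KNOWN_BAD + b"This program cannot be run in DOS mode." * 60

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def wrap_payload(data: bytes, seed: int) -> bytes:
    """Stand-in for the AES wrapping (assumption, not real AES): XOR with a
    seeded pseudo-random keystream. The hash changes and the known pattern
    no longer appears anywhere in the file."""
    stream = random.Random(seed)
    return bytes(b ^ stream.getrandbits(8) for b in data)

def signature_match(sample: bytes, bad_hashes: set, patterns: list) -> bool:
    """What a purely signature-based engine does: hash blocklist + substrings."""
    return sha256_hex(sample) in bad_hashes or any(p in sample for p in patterns)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text lands around 3-6, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(sample: bytes, bad_hashes: set, patterns: list, entropy_limit: float = 7.2) -> str:
    """Signature first; if that misses, flag high-entropy blobs for a closer look."""
    if signature_match(sample, bad_hashes, patterns):
        return "signature-hit"
    if shannon_entropy(sample) > entropy_limit:
        return "suspicious-entropy"
    return "no-static-finding"

BAD_HASHES = {sha256_hex(PLAIN)}          # the "known sample" a vendor has already seen
WRAPPED = wrap_payload(PLAIN, seed=2024)  # the same payload after wrapping

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("wrapped", WRAPPED)):
        print(f"{label:8} sha256={sha256_hex(sample)[:16]}... "
              f"entropy={shannon_entropy(sample):.2f} "
              f"verdict={triage(sample, BAD_HASHES, [KNOWN_BAD])}")
```

Entropy alone produces false positives on packed or compressed legitimate files, so it is a triage signal to pair with behavioural checks, not a verdict on its own.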

The specific AV software used can make a big difference, but, first and foremost, your own paranoia is your best defense.

Make sure to install ALL security updates, whenever they pop up.

Don't be lazy about it, because updates close specific vulnerabilities an attacker can leverage to hack you.

My victim machine was an unactivated Windows 10 VM, so I couldn't install any Windows updates.

I'm working on resizing a genuine Windows 10 VirtualBox VM so I can update it and test this attack against it; I therefore reserve the right to update this post.

Home users are forced to go through automatic updates and there's not much they can do about it, but corporate customers have more say in the matter.

However, regardless of the updating process, a healthy distrust is the best option for you to stay safe.

Don't run anything you're not 100% sure of and, even when you're 100% sure, linger a second and think about it once more.

A click can't be undone, but a missed click can save your day and maybe your business, your career or, sometimes, your very life.
