Random AV Bypass Techniques

This is my presentation about bypassing AntiVirus solutions at B33F H4CK1NG in April 2024, which is the book club under B33F 50μP CTF team.

Disclaimer

Just my personal notes. I’m still learning. Much of the content is hearsay or something I “dreamed about”, so it’s just for reference only.

This article is for educational purposes only. I’m not responsible for any damage caused by the misuse of this information.

Before we start

We only discuss User-level (Ring-3) attack and defense, no Kernel(Ring-0).

This writeup is based on many previous works.

Why?

Bypassing AV is crucial nowadays because of windows defender and other AV solutions when we are pefroming red teaming or pentesting.

If you cannot bypass AV, maybe you can have only a plain reverse shell, which is not enough for a red team operation.

What is C2?

• Command and Control
• Backdoor
• Famous C2 frameworks:
  • Cobalt Strike https://wbglil.gitbook.io/cobalt-strike
  • Metasploit

What does Anti Virus do?

Static Analysis

• Checks signature for many common tools like metasploit and cobalt strike.
• “Regex matching”: Yara Rules
  • https://github.com/Yara-Rules/rules
  • https://github.com/elastic/protections-artifacts/
• Memory scanning
  • https://github.com/CCob/BeaconEye

• Open source projects’ signature are highly recognized, especially the hash of official release.

Dynamic Detection

• Run in sandbox
• Hook dangerous winapi functions in ntdll.dll
  • Scan VirtualAlloc/VirtualProtect’s rwx memory
  • WriteProcessMemory
  • CreateRemoteThread
  • Look for api sequence
• Monitor suspicious internet traffic

Some bypass methods

Static Analysis Bypass

• Obfuscate function names and strings.

• Modify the tools and try to remove signatures.
  • https://www.cobaltstrike.com/blog/cobalt-strike-and-yara-can-i-have-your-signature
  • https://pingmaoer.github.io/2020/06/24/CobaltStrike%E4%BA%8C%E6%AC%A1%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87/
  • However, Cobalt Strike is highly recognized by all AV vendors, so it’s better to avoid using it.
  • There are many good open source C2
    • Havoc
    • Sliver
    • Empire
    • etc

• FYI C2Matrix

• If you don’t want to modify the framework itself, you can change the payload generated by the C2.
  • Encrypt shellcode/DLL + Custom Shellcode Loader / DLL Sideloading / Injection
  • DLL Hijacking
  • Reflective PE loader
  • Load shellcode from remote so there’s no payload file on disk
• Add Signature and icon to executable file (AV is very alert to unsigned programs)
• Pack the program with VMProtect or other packing solutions.
• Obfuscate the code like ollvm
• Avoid memory scanner https://www.youtube.com/watch?v=edIMUcxCueA
  • However memory scanning is really hard to bypass…

Dynamic Detection Bypass

• Unhooking your hook
• SysWhispers3
• Encrypt your C2 traffic
  • Use mTLS or HTTPS!
• Or consider using DNS tunneling
• Make C2 server look like normal websitehttps://github.com/BC-SECURITY/Malleable-C2-Profiles
• Interactive sessions are dangerous!
  • Interactive session
  • Short Haul: Callback every 1 to 24 hours.
  • Long Haul: Callback time could up to days.
• Indirect syscall and callstack spoofing https://github.com/HavocFramework/Havoc/tree/main/payloads/Demon/src/asm
• Detect sandbox https://evasions.checkpoint.com/
  • Ram
  • CPU
  • IsDebuggerPresent
  • Check registry
• Sleep before executing
  • Since AV is very sensitive when the program just starts, you can sleep for a while before executing the payload.
  • https://github.com/janoglezcampos/DeathSleep

Some other weird(?) bypass methods

• Use BYOVD attack to kill antivirus.
• Guess the excluded path of antivirus.

Random Victim

Our victim today:

AMSI

• AMSI is an interface on which applications or services (third-party included) are able to scan a script’s content for malicious usage. If a signature in the script is registered by the AMSI antimalware service provider (Windows Defender by default), it will be blocked.
• amsi.dll
• Bypassing AMSI is easy
  • https://amsi.fail/
  • https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch

DWORD offset = 0x83;
FARPROC ptrAmsiScanBuffer = GetProcAddress(LoadLibrary("amsi.dll"), "AmsiScanBuffer");
VirtualProtect(ptrAmsiScanBuffer + offset, 1, PAGE_EXECUTE_READWRITE, &dwOld);
memcpy(ptrAmsiScanBuffer + offset, "\x74", 1);
VirtualProtect(ptrAmsiScanBuffer + offset, 1, dwOld, &dwOld);

• Obfuscating works well
  • https://github.com/danielbohannon/Invoke-Obfuscation
  • OceanLotus loves this.

• Demo Reverse Shell with latest Defender enabled: https://youtu.be/itW_OLkhVeQ

• Obfuscated result
• 
  • minimal reverse shell
  • Still far from C2 implants,

Conclusion

• Bypassing AV is a cat and mouse game.
• Only bypass the AV on target machine
  • https://github.com/r00tSe7en/get_AV
• 
• Develop you own tools by maintaining a private fork of open source projects.
  • Write your own rat https://www.youtube.com/watch?v=w0bh7s7bVXI
• From 紅隊該如何打造自己的利器 by Inndy @ DEVCORE Conference 2024
• Don’t upload your latest AV Bypass samples to Virustotal
  • Use ThreatCheck
  • Disable auto sample submission of Windows Defender!!!
• Weaponize your tools!
• Golang is great!
• Use dll for payload delivery
• https://github.com/TideSec/BypassAntiVirus
• https://github.com/vxunderground/MalwareSourceCode
• C2 Reference: Empire, Sliver, Cobalt Strike, Covenant, Havoc, Merlin, Villian, viper, SILENTTRINITY, Mythic, PoshC2
• Reference: https://conf.devco.re/2024/keynote/DEVCORE-CONFERENCE-2024-Inndy-The-Art-of-Cyber-Craftsman-How-to-build-your-own-redteam-tools.pdf
• I thought Cobalt Strike has export control, how come every APT Group is using it?