Bypassing AV solutions is essential for initial access, lateral movement and full domain compromise. Over the last couple of years, we’ve seen a myriad of various techniques, PE packers and other AV bypass solutions for pentesters to get past defenses.绕过 AV 解决方案对于初始访问、横向移动和全域妥协至关重要。在过去的几年里,我们看到了无数的各种技术、PE封隔器和其他AV旁路解决方案,供渗透测试仪通过防御。
## ScareCrow稻草人
ScareCrow is a popular payload development framework. If you haven’t heard of it, ScareCrow can do a lot of things. It can enable sandbox evasion, sign a DLL or EXE with a fake cert from a legit company, and all from just a .bin file.
ScareCrow 是一种流行的有效负载开发框架。如果你还没有听说过,ScareCrow可以做很多事情。它可以启用沙盒规避,使用来自合法公司的假证书对DLL或EXE进行签名,而所有这些都来自.bin文件。
ScareCrow has even been implemented as a Cobalt Strike plugin. This was enough to get past Windows Defender and a lot of AV last year. Since then, Microsoft has released a lot of AMSI/Defender updates. So, does it work against Windows 11?ScareCrow 甚至被实现为 Cobalt Strike 插件。这足以超越去年的Windows Defender和许多AV。从那时起,Microsoft发布了许多AMSI / Defender更新。那么,它适用于 Windows 11 吗?
Let’s give it a shot with a generic Metasploit payload.让我们用通用的 Metasploit 有效载荷试一试。
We can then use our raw shellcode with ScareCrow to create a DLL.然后,我们可以将原始 shellcode 与 ScareCrow 一起使用来创建 DLL。
For the final test, I’ll host the DLL and try to download it to my Windows 11 VM.对于最终测试,我将托管 DLL 并尝试将其下载到我的 Windows 11 VM。
Defender blocked our DLL! What about an EXE?后卫阻止了我们的DLL!EXE呢?
Defender blocked our EXE also! As you can see, looks like ScareCrow is out.Defender也阻止了我们的EXE!正如你所看到的,看起来 ScareCrow 已经出局了。
## PEzor
Moving on to PEzor, we have a few more options. PEzor offers a lot of ways to bypass Defender and other AV engines through raw syscalls, user-land unhooking, and storing shellcode in the .text section of he PE.转到 PEzor,我们还有更多选择。PEzor 提供了很多方法,通过原始系统调用、用户空间解钩和将 shellcode 存储在 PE 的 .text 部分来绕过 Defender 和其他 AV 引擎。
We’ll use the same generic Metasploit shellcode and try a few different methods.我们将使用相同的通用 Metasploit shellcode 并尝试几种不同的方法。
Here’s our first payload.这是我们的第一个有效载荷。
As you can see from the screenshot below, our payload was detected.从下面的屏幕截图中可以看出,检测到了我们的有效载荷。
Every iteration that I used with PEzor resulted in Windows Defender catching my payload. Looks like this one is done also.我与 PEzor 一起使用的每次迭代都会导致 Windows Defender 捕获我的有效负载。看起来这个也完成了。
## Charlotte *夏 洛特*
Charlotte is a pretty cool packer, but instead of creating EXEs it creates DLLs. The tool utilizes methods from Sektor 7’s malware development essentials course. It automates XOR encrypted payloads and provides a key to run on the target system.Charlotte 是一个非常酷的打包程序,但它不是创建 EXE,而是创建 DLL。该工具利用了 Sektor 7 的恶意软件开发基础课程中的方法。它自动执行 XOR 加密的有效负载,并提供在目标系统上运行的密钥。
Let’s use the same Metasploit payload and see if we can get past Defender.让我们使用相同的 Metasploit 有效载荷,看看我们是否能通过 Defender。
Looks like Charlotte has been signatured by Defender also.看起来夏洛特也被后卫签下了。
## Sh3llter
Let’s go back in time and see if we can use the original PE packer, Sh3llter.让我们回到过去,看看我们是否可以使用原始的 PE 打包器 Sh3llter。
Sh3llter is pretty cool because it takes a 32 bit executable and loads your shellcode into it automatically.Sh3llter 非常酷,因为它需要一个 32 位可执行文件并自动将您的 shellcode 加载到其中。
We can download the 32 bit version of Putty and insert our shellcode.我们可以下载 Putty 的 32 位版本并插入我们的 shellcode。
Okay, this one was a long shot, but I was hopeful.好吧,这是一个很长的镜头,但我充满希望。
## FourEye
FourEye is a PE packer that offers a few different methods of encrypting payloads into an EXE file. The GitHub says that it was released February of 2021, so let’s see if this can get past Windows 11 defenses.FourEye 是一个 PE 打包程序,它提供了几种不同的方法将有效负载加密到 EXE 文件中。GitHub 表示它是在 2021 年 2 月发布的,所以让我们看看这是否能通过 Windows 11 的防御。
We’ll start out with the EXE function of the packer. Let’s create our Metasploit EXE file. Notice from the screenshot below, we are using the zutto_dekiru encryption provided by Metasploit.我们将从打包程序的 EXE 函数开始。让我们创建我们的 Metasploit EXE 文件。请注意,从下面的屏幕截图中,我们使用的是 Metasploit 提供的zutto_dekiru加密。
Now we can run this through FourEye’s XOR encryption scheme. This will give use a double encrypted EXE.现在我们可以通过 FourEye 的 XOR 加密方案来运行它。这将使用双重加密的 EXE。
Okay, with our new Metasploit EXE encrypted, we can try it on our Windows 11 instance.好的,加密了我们新的 Metasploit EXE,我们可以在我们的 Windows 11 实例上试用。
Bummer. Okay, so it’s signatured our EXE file, but what about shellcode? Let’s recreate the same payload, but in raw format.无赖。好的,所以它对我们的EXE文件进行了签名,但是shellcode呢?让我们重新创建相同的有效负载,但采用原始格式。
We can run this payload through FourEye and we’ll use the second bypass option, QueueUserAPC.我们可以通过 FourEye 运行此有效负载,我们将使用第二个旁路选项 QueueUserAPC。
Looks like the shellcode.exe file downloaded properly on Windows 11. We’re off to a great start.看起来像 shellcode.exe 文件在 Windows 11 上正确下载。我们有一个良好的开端。
Let’s see if we can run the EXE.让我们看看是否可以运行 EXE。
The meterpreter session opened! We successfully bypassed Windows Defender! But when we drop into a shell session, our payload is caught.meterpreter 会议开始了!我们成功绕过了 Windows Defender!但是当我们进入 shell 会话时,我们的有效载荷就会被捕获。
Looks like we have a packer that bypasses Windows 11 defenses.看起来我们有一个绕过 Windows 11 防御的打包程序。
## Inceptor
Inceptor is a Windows based packer that offers a lot of different features. It’s python based and offers several modules for AV bypasses. The github offers very little in the realm of syntax examples so you might run into problems getting some of the modules to work.Inceptor 是一个基于 Windows 的打包器,提供了许多不同的功能。它基于 python,并提供了多个用于 AV 旁路的模块。github 在语法示例领域提供的很少,因此您可能会遇到让某些模块正常工作的问题。
Let’s use our Metasploit payload to see if we can get past Defender.让我们使用我们的 Metasploit 有效载荷来看看我们是否能通过 Defender。
This command will compile an XOR encrypted EXE that has been “signed” by Microsoft.此命令将编译已由 Microsoft “签名”的 XOR 加密 EXE。
The compiled EXE downloads without detection. Let’s see if we can get a meterpreter session.编译后的 EXE 下载时不会检测到。让我们看看我们是否可以获得一个 meterpreter 会话。
All right! A meterpreter session opened! But on our Windows box we see this prompt. Not exactly OPSEC safe.好吧!一个meterpreter会议开始了!但是在我们的Windows盒子上,我们看到了这个提示。不完全是OPSEC安全。
Also, if we drop into a shell, our payload is caught.此外,如果我们掉入炮弹中,我们的有效载荷就会被捕获。
But from the screenshot you can see, as long as we don’t drop into a shell, we can still run commands and enumerate the system undetected. The only caveat is that command prompt.但是从屏幕截图中您可以看到,只要我们不掉入 shell,我们仍然可以运行命令并枚举系统而不被检测到。唯一需要注意的是命令提示符。
So far, we have two PE packers that will get past Windows 11’s defenses.到目前为止,我们有两个 PE 打包器可以绕过 Windows 11 的防御。
## NimCrypt2
Let’s check out Nimcrypt v2. This is a rebuild of the original Nimcrypt loader. This packer allows you to unhook ntdll.dll, evade sandbox detection and use syscalls.让我们来看看 Nimcrypt v2。这是对原始 Nimcrypt 加载程序的重建。此打包程序允许您取消钩ntdll.dll、逃避沙盒检测和使用系统调用。
Using this command, I was able to get a functional executable, but it was caught by defender.使用此命令,我能够获得一个功能可执行文件,但它被 defender 捕获。
I started playing around with the flags to see if I could get the payload through, but for some reason, I couldn’t get the metasploit payload to trigger a reverse shell. So, I switched over to Covenant.我开始玩弄标志,看看我是否能通过有效载荷,但由于某种原因,我无法让 metasploit 有效载荷触发反向 shell。于是,我切换到了圣约。
I recompiled the payload with my Covenant shellcode and was able to bypass Defender and perform process injection with this command.我使用我的 Covenant shellcode 重新编译了有效负载,并能够绕过 Defender 并使用此命令执行进程注入。
On Covenant, we see that our beacon has been injected into svchost.在 Covenant 上,我们看到我们的信标已被注入 svchost.
I was also able to bypass AMSI and spawn notepad without detection.我还能够绕过 AMSI 并在不被发现的情况下生成记事本。
As you can see, Windows 11 has ramped up their defenses. Although we got caught by a lot of the PE packers out there, we were still able to get through Defender with a few.如您所见,Windows 11 已经加强了防御。虽然我们被很多 PE 包装工抓住了,但我们仍然能够通过一些 Defender。
原文始发于微信公众号(赛博社工):在Windows 11 上红队使用 PE进行AV 规避
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论