How to get around NGAV & EDR - 2/3

How to get around EDR, XDR and all the other Buzzwords and establish a reverse shell. Part 2/3

Intro

After a crash course (Part 1) in API-Hooks and 2 ways of getting around those, I want to figure out how to get around a fully patched W10 with Windows Defender enabled with just a few lines of code.

Windows De-Defender

First of all, let’s see what happens if we run a simple reverse shell on a fully patched W10 with Defender enabled.

I started off with something that should be easily spotted. A simple executable connecting back to the attacker, created with msfvenom.

After copying it to /var/www/html on my attacker machine and trying to download the file via Microsoft Edge, I immediately get blocked by Windows Defender... as expected.

PowerShell

The next thing to try is PowerShell. We can try to download the file to disk and run it. In this case I am simply downloading it to appdata as test.exe and running it from there... or at least I tried. As you can see, we also get blocked by Defender right away.

We could now go ahead and try a few more things, such as run-from-memory, lolbins, process injection and probably a few more, and fail at each step. However, each technique alone will not be enough to get around even Defender. That is why we skip ahead and I will show one possible way to defeat Windows Defender.

All in one

To fool Windows Defender I am combining a few different techniques. The first thing to do is create an msfvenom payload in C# (or any other language).

Take this code, encode it again with your own key (PowerShell) and then take that payload and save it somewhere. Now we will use P/Invoke to copy and paste code into our project so that we can use Windows APIs. These will be used not only to create a thread and inject our payload into it but also to distract AVs by fooling heuristics.

With VirtualAllocExNuma and the Sleep function we can potentially fool heuristics. The idea behind it: allocate memory; if that works, simply continue; if not, wait for 5 seconds and then end the program.

The rest of the code (Source: purpl3f0x) consists of allocating memory, copying the shellcode into the memory region and executing it. Compiling it all should leave you with a DLL that you can then load and execute from memory via PowerShell. The whole thing will be done through 2 PowerShell scripts.
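Seen from the defender's side, the combination of imports described above is itself a signal, even though each API alone is unremarkable. The following is an added example (not from the original post or from purpl3f0x's code) that triages the bytes of a recovered .NET assembly for that combination; every API name other than VirtualAllocExNuma and Sleep, the role grouping, the verdict labels and the sample byte strings are assumptions constructed for illustration.

```python
import re

# VirtualAllocExNuma and Sleep are named in the article; the remaining API
# names and the grouping into roles are assumptions made for this example.
ROLES = {
    "sandbox_probe": {"VirtualAllocExNuma", "Sleep"},
    "allocate": {"VirtualAlloc", "VirtualAllocEx", "VirtualAllocExNuma"},
    "execute": {"CreateThread", "CreateRemoteThread"},
}

def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Collect printable ASCII and UTF-16LE runs (P/Invoke names sit in the
    UTF-8 #Strings heap, string literals in the UTF-16 #US heap)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return {s.decode("ascii") for s in narrow} | {s.decode("utf-16-le") for s in wide}

def triage(data: bytes) -> dict:
    """Score an assembly by which roles its imported API names cover."""
    strings = extract_strings(data)
    hits = {role: sorted(names & strings) for role, names in ROLES.items()}
    # One API is weak evidence; the full probe plus allocate-and-execute is not.
    probe = len(hits["sandbox_probe"]) == len(ROLES["sandbox_probe"])
    runner = bool(hits["allocate"]) and bool(hits["execute"])
    if probe and runner:
        verdict = "suspicious"
    elif probe or runner:
        verdict = "review"
    else:
        verdict = "no_match"
    return {"verdict": verdict, "hits": hits}

# Constructed byte strings imitating NUL-separated metadata names.
SAMPLE_RUNNER = b"\x00".join([b"kernel32.dll", b"VirtualAllocExNuma", b"Sleep",
                              b"VirtualAlloc", b"CreateThread", b"Main"])
SAMPLE_TIMER = b"\x00".join([b"kernel32.dll", b"Sleep", b"GetTickCount", b"Main"])
SAMPLE_ALLOC = b"\x00".join([b"kernel32.dll", b"VirtualAlloc", b"CreateThread"])

if __name__ == "__main__":
    for name, blob in [("runner", SAMPLE_RUNNER), ("timer", SAMPLE_TIMER),
                       ("alloc", SAMPLE_ALLOC)]:
        print(name, triage(blob))
```

Because the DLL in this chain is loaded from memory, a check like this applies to a sample recovered during response or to content submitted for scanning, not to a file-on-disk sweep.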

OK, but a normal shell alone is kind of boring, and meterpreter would be much cooler. Simply change the payload and try again…

Conclusion

It is still pretty simple to get around Windows Defender as long as you know how malicious code is getting passed around on the system. With only a few lines of code we were able to get a meterpreter shell on a fully patched W10 without even touching on the initial subject of API unhooking. While this works for Windows Defender, you have to put in a bit more effort for most EDR solutions. In the next post I will introduce API unhooking and show how to get around a typical EDR with only a few additional lines of code.

Continued in part 3…