When Invoke-Obfuscation came out in late 2016, I, and I’m sure many other pentesters, rejoiced at the fact that our commands bypassed AV like it wasn’t even there. Empire payload? Easy. Privilege escalation Powershell scripts? Not a problem.
In 2016, Windows Defender was but an annoying feature in Windows that would just catch Cain & Abel. Fast forward two years and now it’s one of the best, if not the best, AV on the market. When I created ADAPE, AV didn’t do anything about it. Kaspersky, McAfee, AMP, Windows Defender, etc. were all bypassed because everything was encoded using Invoke-Obfuscation. Within two months of publishing that script, Defender now hates it. I tried encoding the commands and scripts in different ways, but it still caught it. I didn’t have a clue how to bypass this damn basic AV solution that was built into every modern PC.
Recently, on an engagement, I had Empire set up, and used CrackMapExec to execute the PowerShell payload on a target. Of course, it was blocked by Defender. No worries, CME supports Invoke-Obfuscation now and even has it built in with the --obfs switch. Surely it would work now, right?
Wrong. Defender even caught that. Game on. By default, Empire spits out a base64 encoded payload that looks like this when decoded.
So I would historically encode it via Invoke-Obfuscation.
And it would work. Until recently.
Ok, fair enough. I only encoded it once and reversed it, let’s try encoding it a bit better.
Ok, let’s try special characters.
So, it’s clear Defender has caught on and now there needs to be a new method to the madness. Luckily, I found something out: Why bypass AV when you can just turn it off? Yeah, they might have alerts set to ring when Defender is turned off, but at this point the engagement is dead if I can’t get by, so I’m willing to take that chance.
Turning off Defender is pretty easy. It’s actually one line of PS.
Set-MpPreference -DisableRealtimeMonitoring $true
However, the catch is you need to have administrative privileges.
Last year, byt3bl33d3r published a new, awesome tool called SILENTTRINITY. I wrote an article on how to use it here, but the TL;DR version is that it’s a C2 tool that utilizes IronPython and C# to execute its modules and beacon. By default, when installing the .NET framework, it installs a tool called msbuild.exe. This executable builds C# code from an XML file, so if that XML file is really just a hook for the C2 server, it’s going to build it and you have a session on the target.
So, I started using this more than Empire because you don’t have to run anything ‘malicious’ on the target since you can build the XML file via an SMB path.
Once I have a session open, I then use the ipy/shell module to run the command to disable Defender.
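The flip side of the "just turn it off" trick is that it leaves very visible traces. The following is an added example, not code from the original post, showing what a blue team would check on a host: the current real-time monitoring state, whether tamper protection (which blocks Set-MpPreference from disabling real-time monitoring even for local admins) is on, and the Defender and PowerShell operational logs for the change itself. It assumes the built-in Defender PowerShell module and script block logging are available, and the lookback window is a constructed default.

```powershell
# Added example (not from the original post): defender-side check for the
# "disable Defender with one line of PS" technique described above.
# Run as an administrator on the host being checked.

function Test-DefenderTampering {
    param([int]$LookbackHours = 24)   # constructed default window

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # 1. Current state: has real-time monitoring been switched off?
    if ($pref.DisableRealtimeMonitoring -or -not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time monitoring is currently disabled'
    }

    # 2. Hardening: with tamper protection on, Set-MpPreference
    #    -DisableRealtimeMonitoring $true does not take effect.
    if ($status.IsTamperProtected -ne $true) {
        $findings += 'Tamper protection is off; a local admin can disable real-time monitoring'
    }

    # 3. History: Defender logs event 5001 when real-time protection is disabled
    #    and 5004 when its configuration changes, whoever issued the change.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004
        StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings += ('{0} Defender event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split '\r?\n')[0])
    }

    # 4. With script block logging enabled, the cmdlet itself appears in PowerShell
    #    event 4104 in clear text, no matter how the outer command was obfuscated.
    $blocks = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Set-MpPreference.*DisableRealtimeMonitoring' }
    foreach ($b in $blocks) {
        $findings += ('{0} script block disabling real-time monitoring logged' -f $b.TimeCreated)
    }

    return $findings
}

Test-DefenderTampering | ForEach-Object { Write-Warning $_ }
```

Forwarding events 5001 and 5004 to a SIEM is the alert the author mentions "might ring"; tamper protection is what makes the one-liner fail outright.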
And now I can run ADAPE without being blocked. This really is a testament to how good Windows Defender is now and how far it has come. As adversary simulators, we hate this, but really we know this is awesome.