When Invoke-Obfuscation came out in late 2016, I, and I’m sure many other pentesters, rejoiced at the fact that our commands bypassed AV like it wasn’t even there. Empire payload? Easy. Privilege escalation Powershell scripts? Not a problem.
In 2016, Windows Defender was but an annoying feature in Windows that would just catch Cain & Abel. Fast forward two years and the introduction of Window’s Anti-Malware Scan Interface (AMSI) and suddenly it’s one of the best, if not the best AV on the market. When I created ADAPE, AV didn’t do anything about it. Kaspersky, McAfee, AMP, Windows Defender, etc. were all bypassed because everything was encoded using Invoke-Obfuscation. Within two months of publishing that script, Defender now hates it. I tried encoding the commands and scripts in different ways, but it still caught it. I didn’t have a clue on how to bypass this damn basic AV solution that was built into every modern PC.
Recently, on an engagement, I had Empire set up, and used CrackMapExec to execute the Powershell payload on a target. Of course, it was blocked by Defender. No worries, CME supports Invoke-Obfuscation now and even has it built in with the –obfs switch. Surely it would work now, right?
Wrong. Defender even caught that. Game on. By default, Empire spits out a base64 encoded payload that looks like this when decoded.
So I would historically encode it via Invoke-Obfuscation.
And it would work. Until recently.
Ok, fair enough. I only encoded it once and reversed it, let’s try encoding it a bit better.
Ok, let’s try special characters.
So, it’s clear Defender has caught on and now there needs to be a new method to the madness. Luckily, I found something out: Why bypass AV when you can just turn it off? Yeah, they might have alerts set to ring when Defender is turned off, but at this point the engagement is dead if I can’t get by, so I’m willing to take that chance.
Turning off Defender is pretty easy. It’s actually one line of PS.
Set-MpPreference -DisableRealtimeMonitoring $true
However, the catch is you need to have administrative privileges.
Last year, byt3bl33d3r published a new, awesome, C2 framework called SILENTTRINITY. ST utilizes IronPython and C# to execute it’s modules and beacon. By default, when installing the .NET framework, it installs a tool called msbuild.exe. This executable builds C# code from an XML file, so if that XML file contains a payload, it’s going to build it and you have a session on the target. It also can build over SMB paths, meaning you don’t have to drop anything to disk (technically it does drop to disk temporarily).
Utilizing it CME:
Once I have a session open, I then use the ipy/shell module to run the command to disable Defender
This really is a testament to how good Windows Defender & AMSI are now and how far build in AV has come. Of course this is a bit noisy, so for red team engagements this might not be the best solution as much as it is a last resort. In addition, instead of turning it all the way off, it’s possible to just exclude a folder from AMSI which you’d then work out of.