SlideShare ist ein Scribd-Unternehmen logo

DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbox evasion

Felipe Prado
Felipe Prado

DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbox evasion

Technologie
1 von 103
Downloaden Sie, um offline zu lesen
ANTHONY ROSE JACOB KRASNOV VINCENT ROSE 1 @bcsecurity1
2 Legal Stuff…So we don’t go to jail Training is for informational and research purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The information provided by us is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis.
ANTHONY ROSE C01И ◦ Co-founder, BC Security ◦ Lead Researcher, Merculite Security ◦ MS in Electrical Engineering ◦ Lockpicking Hobbyist ◦ Bluetooth & Wireless Security Enthusiast 3 whoami JACOB KRASNOV HUBBLE ◦ Co-founder, BC Security ◦ BS in Astronautical Engineering, MBA ◦ Red Team Lead ◦ Currently focused on embedded system security VINCENT ROSE HALCYON ◦ Security Researcher, BC Security ◦ BS in Computer Science ◦ Software Engineer Introduction
◦ How to mask your malware to avoid AMSI and Sandboxes 4 Why are we here? Introduction
◦ Antimalware Scan Interface (AMSI) ◦ Malware Triggering ◦ Empire ◦ Obfuscation Techniques ◦ Invoke-Obfuscation ◦ AMSI Bypasses ◦ Sandbox Evasion ◦ Put it all together 5 Overview
◦ Introduce Microsoft’s Antimalware Scan Interface (AMSI) and explain its importance ◦ Learn to analyze malware scripts before and after execution ◦ Understand how obfuscate code to avoid AMSI and Windows Defender ◦ Detect and avoid sandbox environments 6 Goals Introduction
We will teach you to… ◦ operate Empire ◦ obfuscate Powershell ◦ avoid AMSI and Sandboxes We are not going to teach you… ◦ how to be a “leet hacker” 7 Expectations Introduction
-h What is Malware? 8
◦ Obfuscation is the main means by which Malware achieves survival ◦ Defeat signature-based Antivirus ◦ Makes analysis more difficult 9 Overview of the Evolution of Malware Obfuscation What is Malware I’m Obfuscated You can’t find me…
The first virus to obfuscate itself was the Brain Virus in 1986 ◦ Would display unchanged data from a different disk sector instead of the one it had modified The first virus to use encryption was the Cascade Virus and also appeared in 1986 ◦ Used simple XOR encryption First commercial AV products came out in 1987 ◦ This included heuristic based AV products! 10 The Early Days What is Malware
The Malware Arms Race continued and by 1992 polymorphic virus engines had been released ◦ Could be attached to non- polymorphic viruses to make them more effective 11 Coming into Its Own What is Malware
AV wasn’t far behind and soon started to include emulation code to sandbox the malware ◦ There were evasion techniques but we will talk about this later By the 2000s malware had moved on to so called metamorphic viruses ◦ Polymorphic viruses only change their decryptor while metamorphic change the code body as well 12 Coming into Its Own
Not really completely Fileless ◦ Usually requires some kind of initial script/executable to kick off infection ◦ Persistence methods may leave traces in places like the registry (e.g., Poweliks) This created a big problem for AV as it has traditionally relied on scanning files/executables All of this leads into… 13 Going Fileless What is Malware
Antimalware Scan Interface (AMSI) 14
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads. 15 What Is AMSI? AMSI
◦ Evaluates commands at run time ◦ Handles multiple scripting languages (Powershell, JaveScript, VBA) ◦ Provides an API that is AV agnostic ◦ Identify fileless threats 16 That’s Great But What Does that Mean? AMSI
17 Data Flow AMSI
The code is evaluated when it is readable by the scripting engine This means that: becomes: However: Does not become: This is what allows us to still be able to obfuscate our code 18 One point of clarification (Powershell) AMSI
Malware Triggering 19
◦ Windows Defender ◦ Antimalware Scan Interface (AMSI) ◦ Control flow guard ◦ Data Execution Prevention (DEP) ◦ Randomized memory allocations ◦ Arbitrary code guard (ACG) ◦ Block child processes ◦ Simulated execution (SimExec) ◦ Valid stack integrity (StackPivot) 20 Types of Windows Mitigations Malware Triggering
22 Flagged Malware Malware Triggering
Get-WinEvent 'Microsoft-Windows-Windows Defender/Operational' - MaxEvents 10 | Where-Object Id -eq 1116 | Format-List 23 Windows Defender Logs Malware Triggering
1. Run Powershell ISE 2. Look in the sample folder 3. Try out samples 1-3 24 Try Some Code Samples Malware Triggering
Building/Customizing Your Malware 25
Prioritize what you want to complete 1. Get working base code first ◦ Empire, Metasploit, Etc 2. Customize Functions 3. Obfuscate Code 4. Test Against AV 26 Don’t Do Too Much at Once Building/Customizing Malware
New-ItemProperty -Path "HKLM:Softwarepoliciesmicrosoftwindows defender" -name disableantispyware -value 0 –Force Restart computer/VM 27 Disabling Windows Defender Building/Customizing Malware
Empire Tutorial 28
Post-exploitation framework built around Powershell ◦ Merger of Powershell Empire and Python EmPyre projects ◦ Runs on Python 2.6/2.7 ◦ Encrypted C2 channel ◦ Adaptable modules ◦ .bat, .vbs, .dll ◦ Released at BSidesLV 2015 29 What is Empire? Empire
30 Why Go After Powershell? ◦ Full .NET access ◦ Direct access to Win32 API ◦ Operates in memory ◦ Installed by default in Windows ◦ Admins typically leave it enabled Empire
Relatively small payload (stager) that calls back to a listener 31 How Empire is Deployed? Empire
Preloaded into VM https://github.com/BC- SECURITY/Empire Install our forked version (Do not use version 2.5) ◦ sudo ./setup/install.sh ◦ setup ./reset.sh 32 Empire Tutorial Empire
Splash page ◦Version running (We are using a modified dev version) ◦How many modules loaded ◦Active Listeners ◦Active Agents 33 Empire Tutorial Empire
“Help” lists out all available commands ◦ Agents – Active payloads available ◦ Interact – Control a payload/host ◦ Preobfuscate – Obfuscates Powershell module (not needed) ◦ Set – Modify payload settings ◦ Usemodule – Select Empire Module ◦ Uselistener – Select Listener ◦ Usestager – Select Empire stager (we will be using macros) 34 Empire Tutorial Empire
Setting up your listener Select “uselistener http” 35 Empire Tutorial Empire
Use edit to modify Listener info ◦“set Name LISTENERNAME” ◦“set Host YOURIPADDRESS” ◦“set Port PORTNUMBER” ◦“execute” 36 Empire Tutorial Empire
37 Empire Tutorial Usestager ◦Tailor the stager to what the target is ◦“Multi/Launcher” ◦ Useful for testing VM setups Empire
Setting the stager and listener Successful callback to Empire 38 Testing the Launcher Empire
New-ItemProperty -Path "HKLM:Softwarepoliciesmicrosoftwindows defender" -name disableantispyware -value 1 –Force Restart computer/VM 39 Enabling Windows Defender Empire
Setting the stager and listener 40 Testing the Launcher Empire
Build the stager ◦ Select “usestager multi/launcher” ◦ “info” to view settings ◦ Turn off Obfuscation ◦ Turn off AMSIBypass 41 Test your Empire Payload Empire
Final check on settings ◦ All obfuscations are disabled ◦ Both AMSI Bypasses are disabled ◦ Good to Go! ◦ “execute” 42 Test your Empire Payload Empire
43 Test your Empire Payload Empire
Default Empire will not get past AMSI ◦ Obfuscation or changes are needed ◦ Default Empire will get you caught 44 Empire Tutorial Empire
Obfuscation Techniques 45
Powershell ignores capitalization ◦ Create a standard variable ◦ This makes and ◦ The same as… ◦ AMSI ignores capitalization, but changing your hash is a best practice 46 Randomized Capitalization Obfuscation Techniques
AMSI is still heavily dependent upon signatures, simple concatenation can circumvent most alerts will be flagged But, is not flagged 47 Concatenation Obfuscation Techniques
Powershell recognizes $ as a special character in a string and will fetch the associated variable. We embedded into Which gives us 48 Variable Insertion Obfuscation Techniques
Powershell allows for the use of {} inside a string to allow for variable insertion. This is an implicit reference to the format string function. will be flagged But, Returns… 49 Format String Obfuscation Techniques
Uses: ◦ Pseudorandom number generation ◦ Error detection ◦ Encryption/Decryption ◦ Reversable function 50 XOR || ⊕ A B A XOR B 0 0 0 0 1 1 1 0 1 1 1 0 Obfuscation Techniques
Using Samples 1-3 from the early exercise attempt to obfuscate them so that they will run Sample 3 can be difficult to figure out what is causing the issue Save your modified versions as a different name. We will reuse the unobfuscated samples latter Close/Open Powershell ISE between samples 51 Obfuscate the Samples Obfuscation Techniques
◦ Break large sections of code into smaller pieces ◦ Isolate fewer lines to determine what is being flagged ◦ Good place to start is looking for “AMSI” 52 Hints
53 The Answers
Invoke-Obfuscation 54
Install here ◦https://github.com/danielboha nnon/Invoke-Obfuscation ◦“Start-up.ps1” ◦“Import-Module ./Invoke- Obfuscation.psd1” ◦Run “Invoke-Obfuscation” 55 Invoke-Obfuscation Obfuscation Techniques
Type “Tutorial” for high level directions ◦Extremely helpful for learning/remembering the basics 56 Invoke-Obfuscation Obfuscation Techniques
Example code ◦ Use Sample 4 ◦ SET SCRIPTBLOCK… 57 Invoke-Obfuscation Obfuscation Techniques
Token-layer Obfuscation ◦ TokenVariable (extremely useful for masking variable names to AMSI) ◦ TokenAll (if you are super lazy) ◦ This will get you caught ◦ Typically run whitespace last (2-3 times) 58 Invoke-Obfuscation Obfuscation Techniques
Encoding ◦ Used to further mask the payload by converting the format (e.g., Hex, Binary, AES, etc) ◦ Beware: running too much encoding will break the 8,191 character limit 61 Invoke-Obfuscation Obfuscation Techniques
String ◦Obfuscate Powershell code as a string ◦Breaks up the code with reversing techniques and concatenation 62 Invoke-Obfuscation Obfuscation Techniques
Compress ◦Can be used in conjunction with Encoding to reduce the overall size of the payload. 63 Invoke-Obfuscation Obfuscation Techniques
Launcher ◦Not needed since Empire already includes a launcher 64 Invoke-Obfuscation Obfuscation Techniques
Order of operations ◦Mix it up to avoid detection ◦Example: ◦TokenString1,2 ◦Whitespace1 ◦Encoding1 ◦Compress1 65 Invoke-Obfuscation Obfuscation Techniques
66 Invoke-Obfuscation in Empire Obfuscation Techniques
AMSI Bypasses 67
If our payload is already obfuscated enough to evade AMSI why bother? ◦ Only the first part of the stager is obfuscated! 68 Why do we need this? AMSI Bypasses
AMSI bypasses let us load whatever future modules we may want without issues ◦ Mimikatz, PS-Inject, Powerup 69 Why do we need this? AMSI Bypasses
◦ AMSI_RESULT_CLEAN = 0 ◦ AMSI_RESULT_NOT_DETECTED = 1 ◦ AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384 ◦ AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479 ◦ AMSI_RESULT_DETECTED = 32768 70 AMSI results AMSI Bypasses
71 Keep It Simple Stupid
72 Keep It Simple Stupid
Simplest Bypass that currently works ◦ $Ref=[REF].Assembly.GetType('System.Management.Automation.AmsiUtils'); ◦ $Ref.GetField('amsiInitFailed', 'NonPublic, Static').SetValue($NULL, $TRUE); 73 Bypass 1: Reflective Bypass AMSI Bypasses
Using reflection we are exposing functions from AMSI We are setting the AmsiInitField to True which source code shows causes AMSI to return: ◦ AMSI_SCAN_RESULT_NOT_FOUND 74 What Does it Do? AMSI Bypasses AMSI.dll
AMSI is loaded into the Powershell process at start up so it has the same permission levels as the process the malware is in 75 Why does this work? AMSI Bypasses
More complicated bypass, but still allows AMSI to load 76 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
We use C# to export a few functions from kernel32 that allows to identify where in memory amsi.dll has been loaded 77 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
We modify the memory permissions to ensure we have access 78 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
Modifies the return function to all always return a value of RESULT_NOT_DETECTED 79 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
AMSI.dll is loaded into the same memory space as Powershell. This means that we have unrestricted access to the memory space that AMSI runs in and can modify it however we please Tells the function to return a clean result prior to actually scanning 80 Why does this work? AMSI Bypasses
Ensure that ObfuscateCommand and AMSI Bypass both display values ◦ “set ObfuscateCommand TokenAll1” ◦ “set AMSIBypass True” 81 AMSI Bypasses in Empire
Re-enable Defender and run your Empire launcher 82 Test time! AMSI Bypasses
Sandbox Detection and Evasion 83
A software created environment that isolates and limits the rights and accesses of a process being executed An effective way of doing behavioral analysis for AV 84 What is a Sandbox? Sandboxes
85 Who is using Sandboxes? Sandboxes
As we talked about earlier, obfuscating code to break signatures can be relatively trivial ◦ AV would need an almost unlimited number of signatures Heavily obfuscated code can make it almost impossible for human analysis to be effective Instead evaluate behavior 86 Automated Sandbox Malware analysis Sandboxes
Sandbox Indicators 87
They use a lot of resources which can be expensive End users don't want to wait to receive their messages Email scanning requires thousands of attachments to be evaluated constantly 88 Sandbox Limitations Sandboxes
These limitations provide us with several means to try and detect or evade them ◦ Password Protection ◦ Time Delays ◦ Auto open vs close ◦ Check for limited resources (small amount of ram, single core, etc.) ◦ Look for virtualization processes (sandboxie, VMWare tools) 89 Sandbox Limitations Sandboxes
Embedding Macros 90
91 Back to Empire Usestager ◦Tailor the stager to what the target is ◦Our focus is Windows using a Macro (will be used later) ◦“Windows/macro” Empire
◦Set stager and listener ◦Copy macro over to Word 92 Creating a Payload
Open Word Document Select Developer Options Click on Macros 93 Embedding the Macro
94 Embedding the Macro
Evasion Techniques 95
Before we do suspicious things such as… ◦ Starting a new process ◦ Reaching out to the internet The checks could be suspicious themselves ◦ Sandbox Evasion is becoming more prevalent 96 When do we want to do this? Evasion Techniques
The sandbox doesn't know the password and therefore can't open the file. No results are found so the file is passed on. The password is usually sent in the body of the email with instructions to use it. ◦ Lower success rate 97 Password Protection Evasion Techniques
Email filters have a limited amount of time to scan files so delay until it the scan is completed This is less practical in a macro as it will keep the document open until done waiting 98 Time Delay Evasion Techniques
Using WMI Objects you can enumerate the hardware and system configurations Some malware looks for things like the presence of a fan ◦ Note: WMI objects are very inconsistently implemented by manufacturers. 99 Checking for Resources Evasion Techniques
Some Useful WMI Objects ◦ Win32_ComputerSystem ◦ Win32_LogicalDisk ◦ Win32_Fan 100 Checking for Resources Evasion Techniques
Most if not all sandboxes result in the addition of management processes that we can look for ◦ Win32_Process contains all the processes currently running Some common processes to look for: ◦ Sbiesvc, SbieCtrl ◦ Vmtools ◦ VBoxService 101 Checking for Processes Evasion Techniques
Because of the control many developers have on implementing WMI objects or naming processes there is no one check that is guaranteed to work. ◦ Learn as much as possible about the target environment ◦ Use multiple halting conditions ◦ Check places like attack.mitre.org to look for new techniques if old ones fail 102 There is no one way guaranteed to work Evasion Techniques
Covert tactic used to develop signatures on malware and prevent attacks What do we know so far? ◦ Zero documentation anywhere ◦ We can get a callback out 103 Sandbox Evasion Example
Put it all together YOUR TURN TO TRY IT ALL 104Conclusion
1. Build payload in Empire ◦ AMSI Bypass ◦ Obfuscation 2. Embed into Word Doc ◦ Verification 3. Add in Macro Checks to avoid “Sandbox” 4. (Optional) Test on host machine 105 Put it all together
INFO@BC-SECURITY.ORG @BCSECURITY1 HTTPS://GITHUB.COM/BC-SECURITY/DEFCON27 106

Empfohlen

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 

Empfohlen

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItSynack
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...Andrea Draghetti
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfacesjuanvazquezslides
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with MetasploitMohammed Danish Amber
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
Metasploit
MetasploitMetasploit
Metasploitninguna
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 

Weitere ähnliche Inhalte

Was ist angesagt?

Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper ExposedSynack
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...Andrea Draghetti
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfacesjuanvazquezslides
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperSynack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesSynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
Metasploit
MetasploitMetasploit
Metasploitninguna
 

Was ist angesagt? (20)

Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
 
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfaces
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing Gatekeeper
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS X
 
Metasploit
MetasploitMetasploit
Metasploit
 

Ähnlich wie DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbox evasion

DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Metasploit Computer security testing tool
Metasploit Computer security testing toolMetasploit Computer security testing tool
Metasploit Computer security testing toolmedoelkang600
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerRob Gillen
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
padding oracle attack
padding oracle attackpadding oracle attack
padding oracle attackSatish b
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsCysinfo Cyber Security Community
 

Ähnlich wie DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbox evasion (20)

DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Messing around avs
Messing around avsMessing around avs
Messing around avs
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Metasploit Computer security testing tool
Metasploit Computer security testing toolMetasploit Computer security testing tool
Metasploit Computer security testing tool
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a Hacker
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc groupNtxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Tranning-2
Tranning-2Tranning-2
Tranning-2
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
padding oracle attack
padding oracle attackpadding oracle attack
padding oracle attack
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basics
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 

Mehr von Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

Mehr von Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Kürzlich hochgeladen

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbox evasion

  • 2. 2 Legal Stuff…So we don’t go to jail Training is for informational and research purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The information provided by us is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis.
  • 3. ANTHONY ROSE C01И ◦ Co-founder, BC Security ◦ Lead Researcher, Merculite Security ◦ MS in Electrical Engineering ◦ Lockpicking Hobbyist ◦ Bluetooth & Wireless Security Enthusiast 3 whoami JACOB KRASNOV HUBBLE ◦ Co-founder, BC Security ◦ BS in Astronautical Engineering, MBA ◦ Red Team Lead ◦ Currently focused on embedded system security VINCENT ROSE HALCYON ◦ Security Researcher, BC Security ◦ BS in Computer Science ◦ Software Engineer Introduction
  • 4. ◦ How to mask your malware to avoid AMSI and Sandboxes 4 Why are we here? Introduction
  • 5. ◦ Antimalware Scan Interface (AMSI) ◦ Malware Triggering ◦ Empire ◦ Obfuscation Techniques ◦ Invoke-Obfuscation ◦ AMSI Bypasses ◦ Sandbox Evasion ◦ Put it all together 5 Overview
  • 6. ◦ Introduce Microsoft’s Antimalware Scan Interface (AMSI) and explain its importance ◦ Learn to analyze malware scripts before and after execution ◦ Understand how obfuscate code to avoid AMSI and Windows Defender ◦ Detect and avoid sandbox environments 6 Goals Introduction
  • 7. We will teach you to… ◦ operate Empire ◦ obfuscate Powershell ◦ avoid AMSI and Sandboxes We are not going to teach you… ◦ how to be a “leet hacker” 7 Expectations Introduction
  • 8. -h What is Malware? 8
  • 9. ◦ Obfuscation is the main means by which Malware achieves survival ◦ Defeat signature-based Antivirus ◦ Makes analysis more difficult 9 Overview of the Evolution of Malware Obfuscation What is Malware I’m Obfuscated You can’t find me…
  • 10. The first virus to obfuscate itself was the Brain Virus in 1986 ◦ Would display unchanged data from a different disk sector instead of the one it had modified The first virus to use encryption was the Cascade Virus and also appeared in 1986 ◦ Used simple XOR encryption First commercial AV products came out in 1987 ◦ This included heuristic based AV products! 10 The Early Days What is Malware
  • 11. The Malware Arms Race continued and by 1992 polymorphic virus engines had been released ◦ Could be attached to non- polymorphic viruses to make them more effective 11 Coming into Its Own What is Malware
  • 12. AV wasn’t far behind and soon started to include emulation code to sandbox the malware ◦ There were evasion techniques but we will talk about this later By the 2000s malware had moved on to so called metamorphic viruses ◦ Polymorphic viruses only change their decryptor while metamorphic change the code body as well 12 Coming into Its Own
  • 13. Not really completely Fileless ◦ Usually requires some kind of initial script/executable to kick off infection ◦ Persistence methods may leave traces in places like the registry (e.g., Poweliks) This created a big problem for AV as it has traditionally relied on scanning files/executables All of this leads into… 13 Going Fileless What is Malware
  • 15. The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads. 15 What Is AMSI? AMSI
  • 16. ◦ Evaluates commands at run time ◦ Handles multiple scripting languages (Powershell, JaveScript, VBA) ◦ Provides an API that is AV agnostic ◦ Identify fileless threats 16 That’s Great But What Does that Mean? AMSI
  • 18. The code is evaluated when it is readable by the scripting engine This means that: becomes: However: Does not become: This is what allows us to still be able to obfuscate our code 18 One point of clarification (Powershell) AMSI
  • 20. ◦ Windows Defender ◦ Antimalware Scan Interface (AMSI) ◦ Control flow guard ◦ Data Execution Prevention (DEP) ◦ Randomized memory allocations ◦ Arbitrary code guard (ACG) ◦ Block child processes ◦ Simulated execution (SimExec) ◦ Valid stack integrity (StackPivot) 20 Types of Windows Mitigations Malware Triggering
  • 22. Get-WinEvent 'Microsoft-Windows-Windows Defender/Operational' - MaxEvents 10 | Where-Object Id -eq 1116 | Format-List 23 Windows Defender Logs Malware Triggering
  • 23. 1. Run Powershell ISE 2. Look in the sample folder 3. Try out samples 1-3 24 Try Some Code Samples Malware Triggering
  • 25. Prioritize what you want to complete 1. Get working base code first ◦ Empire, Metasploit, Etc 2. Customize Functions 3. Obfuscate Code 4. Test Against AV 26 Don’t Do Too Much at Once Building/Customizing Malware
  • 26. New-ItemProperty -Path "HKLM:Softwarepoliciesmicrosoftwindows defender" -name disableantispyware -value 0 –Force Restart computer/VM 27 Disabling Windows Defender Building/Customizing Malware
  • 28. Post-exploitation framework built around Powershell ◦ Merger of Powershell Empire and Python EmPyre projects ◦ Runs on Python 2.6/2.7 ◦ Encrypted C2 channel ◦ Adaptable modules ◦ .bat, .vbs, .dll ◦ Released at BSidesLV 2015 29 What is Empire? Empire
  • 29. 30 Why Go After Powershell? ◦ Full .NET access ◦ Direct access to Win32 API ◦ Operates in memory ◦ Installed by default in Windows ◦ Admins typically leave it enabled Empire
  • 30. Relatively small payload (stager) that calls back to a listener 31 How Empire is Deployed? Empire
  • 31. Preloaded into VM https://github.com/BC- SECURITY/Empire Install our forked version (Do not use version 2.5) ◦ sudo ./setup/install.sh ◦ setup ./reset.sh 32 Empire Tutorial Empire
  • 32. Splash page ◦Version running (We are using a modified dev version) ◦How many modules loaded ◦Active Listeners ◦Active Agents 33 Empire Tutorial Empire
  • 33. “Help” lists out all available commands ◦ Agents – Active payloads available ◦ Interact – Control a payload/host ◦ Preobfuscate – Obfuscates Powershell module (not needed) ◦ Set – Modify payload settings ◦ Usemodule – Select Empire Module ◦ Uselistener – Select Listener ◦ Usestager – Select Empire stager (we will be using macros) 34 Empire Tutorial Empire
  • 34. Setting up your listener Select “uselistener http” 35 Empire Tutorial Empire
  • 35. Use edit to modify Listener info ◦“set Name LISTENERNAME” ◦“set Host YOURIPADDRESS” ◦“set Port PORTNUMBER” ◦“execute” 36 Empire Tutorial Empire
  • 36. 37 Empire Tutorial Usestager ◦Tailor the stager to what the target is ◦“Multi/Launcher” ◦ Useful for testing VM setups Empire
  • 37. Setting the stager and listener Successful callback to Empire 38 Testing the Launcher Empire
  • 38. New-ItemProperty -Path "HKLM:Softwarepoliciesmicrosoftwindows defender" -name disableantispyware -value 1 –Force Restart computer/VM 39 Enabling Windows Defender Empire
  • 39. Setting the stager and listener 40 Testing the Launcher Empire
  • 40. Build the stager ◦ Select “usestager multi/launcher” ◦ “info” to view settings ◦ Turn off Obfuscation ◦ Turn off AMSIBypass 41 Test your Empire Payload Empire
  • 41. Final check on settings ◦ All obfuscations are disabled ◦ Both AMSI Bypasses are disabled ◦ Good to Go! ◦ “execute” 42 Test your Empire Payload Empire
  • 42. 43 Test your Empire Payload Empire
  • 43. Default Empire will not get past AMSI ◦ Obfuscation or changes are needed ◦ Default Empire will get you caught 44 Empire Tutorial Empire
  • 45. Powershell ignores capitalization ◦ Create a standard variable ◦ This makes and ◦ The same as… ◦ AMSI ignores capitalization, but changing your hash is a best practice 46 Randomized Capitalization Obfuscation Techniques
  • 46. AMSI is still heavily dependent upon signatures, simple concatenation can circumvent most alerts will be flagged But, is not flagged 47 Concatenation Obfuscation Techniques
  • 47. Powershell recognizes $ as a special character in a string and will fetch the associated variable. We embedded into Which gives us 48 Variable Insertion Obfuscation Techniques
  • 48. Powershell allows for the use of {} inside a string to allow for variable insertion. This is an implicit reference to the format string function. will be flagged But, Returns… 49 Format String Obfuscation Techniques
  • 49. Uses: ◦ Pseudorandom number generation ◦ Error detection ◦ Encryption/Decryption ◦ Reversable function 50 XOR || ⊕ A B A XOR B 0 0 0 0 1 1 1 0 1 1 1 0 Obfuscation Techniques
  • 50. Using Samples 1-3 from the early exercise attempt to obfuscate them so that they will run Sample 3 can be difficult to figure out what is causing the issue Save your modified versions as a different name. We will reuse the unobfuscated samples latter Close/Open Powershell ISE between samples 51 Obfuscate the Samples Obfuscation Techniques
  • 51. ◦ Break large sections of code into smaller pieces ◦ Isolate fewer lines to determine what is being flagged ◦ Good place to start is looking for “AMSI” 52 Hints
  • 55. Type “Tutorial” for high level directions ◦Extremely helpful for learning/remembering the basics 56 Invoke-Obfuscation Obfuscation Techniques
  • 56. Example code ◦ Use Sample 4 ◦ SET SCRIPTBLOCK… 57 Invoke-Obfuscation Obfuscation Techniques
  • 57. Token-layer Obfuscation ◦ TokenVariable (extremely useful for masking variable names to AMSI) ◦ TokenAll (if you are super lazy) ◦ This will get you caught ◦ Typically run whitespace last (2-3 times) 58 Invoke-Obfuscation Obfuscation Techniques
  • 58. Encoding ◦ Used to further mask the payload by converting the format (e.g., Hex, Binary, AES, etc) ◦ Beware: running too much encoding will break the 8,191 character limit 61 Invoke-Obfuscation Obfuscation Techniques
  • 59. String ◦Obfuscate Powershell code as a string ◦Breaks up the code with reversing techniques and concatenation 62 Invoke-Obfuscation Obfuscation Techniques
  • 60. Compress ◦Can be used in conjunction with Encoding to reduce the overall size of the payload. 63 Invoke-Obfuscation Obfuscation Techniques
  • 61. Launcher ◦Not needed since Empire already includes a launcher 64 Invoke-Obfuscation Obfuscation Techniques
  • 62. Order of operations ◦Mix it up to avoid detection ◦Example: ◦TokenString1,2 ◦Whitespace1 ◦Encoding1 ◦Compress1 65 Invoke-Obfuscation Obfuscation Techniques
  • 65. If our payload is already obfuscated enough to evade AMSI why bother? ◦ Only the first part of the stager is obfuscated! 68 Why do we need this? AMSI Bypasses
  • 66. AMSI bypasses let us load whatever future modules we may want without issues ◦ Mimikatz, PS-Inject, Powerup 69 Why do we need this? AMSI Bypasses
  • 67. ◦ AMSI_RESULT_CLEAN = 0 ◦ AMSI_RESULT_NOT_DETECTED = 1 ◦ AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384 ◦ AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479 ◦ AMSI_RESULT_DETECTED = 32768 70 AMSI results AMSI Bypasses
  • 70. Simplest Bypass that currently works ◦ $Ref=[REF].Assembly.GetType('System.Management.Automation.AmsiUtils'); ◦ $Ref.GetField('amsiInitFailed', 'NonPublic, Static').SetValue($NULL, $TRUE); 73 Bypass 1: Reflective Bypass AMSI Bypasses
  • 71. Using reflection we are exposing functions from AMSI We are setting the AmsiInitField to True which source code shows causes AMSI to return: ◦ AMSI_SCAN_RESULT_NOT_FOUND 74 What Does it Do? AMSI Bypasses AMSI.dll
  • 72. AMSI is loaded into the Powershell process at start up so it has the same permission levels as the process the malware is in 75 Why does this work? AMSI Bypasses
  • 73. More complicated bypass, but still allows AMSI to load 76 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
  • 74. We use C# to export a few functions from kernel32 that allows to identify where in memory amsi.dll has been loaded 77 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
  • 75. We modify the memory permissions to ensure we have access 78 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
  • 76. Modifies the return function to all always return a value of RESULT_NOT_DETECTED 79 Bypass 2: Patching AMSI.dll in Memory AMSI Bypasses
  • 77. AMSI.dll is loaded into the same memory space as Powershell. This means that we have unrestricted access to the memory space that AMSI runs in and can modify it however we please Tells the function to return a clean result prior to actually scanning 80 Why does this work? AMSI Bypasses
  • 78. Ensure that ObfuscateCommand and AMSI Bypass both display values ◦ “set ObfuscateCommand TokenAll1” ◦ “set AMSIBypass True” 81 AMSI Bypasses in Empire
  • 79. Re-enable Defender and run your Empire launcher 82 Test time! AMSI Bypasses
  • 81. A software created environment that isolates and limits the rights and accesses of a process being executed An effective way of doing behavioral analysis for AV 84 What is a Sandbox? Sandboxes
  • 82. 85 Who is using Sandboxes? Sandboxes
  • 83. As we talked about earlier, obfuscating code to break signatures can be relatively trivial ◦ AV would need an almost unlimited number of signatures Heavily obfuscated code can make it almost impossible for human analysis to be effective Instead evaluate behavior 86 Automated Sandbox Malware analysis Sandboxes
  • 85. They use a lot of resources which can be expensive End users don't want to wait to receive their messages Email scanning requires thousands of attachments to be evaluated constantly 88 Sandbox Limitations Sandboxes
  • 86. These limitations provide us with several means to try and detect or evade them ◦ Password Protection ◦ Time Delays ◦ Auto open vs close ◦ Check for limited resources (small amount of ram, single core, etc.) ◦ Look for virtualization processes (sandboxie, VMWare tools) 89 Sandbox Limitations Sandboxes
  • 88. 91 Back to Empire Usestager ◦Tailor the stager to what the target is ◦Our focus is Windows using a Macro (will be used later) ◦“Windows/macro” Empire
  • 89. ◦Set stager and listener ◦Copy macro over to Word 92 Creating a Payload
  • 90. Open Word Document Select Developer Options Click on Macros 93 Embedding the Macro
  • 93. Before we do suspicious things such as… ◦ Starting a new process ◦ Reaching out to the internet The checks could be suspicious themselves ◦ Sandbox Evasion is becoming more prevalent 96 When do we want to do this? Evasion Techniques
  • 94. The sandbox doesn't know the password and therefore can't open the file. No results are found so the file is passed on. The password is usually sent in the body of the email with instructions to use it. ◦ Lower success rate 97 Password Protection Evasion Techniques
  • 95. Email filters have a limited amount of time to scan files so delay until it the scan is completed This is less practical in a macro as it will keep the document open until done waiting 98 Time Delay Evasion Techniques
  • 96. Using WMI Objects you can enumerate the hardware and system configurations Some malware looks for things like the presence of a fan ◦ Note: WMI objects are very inconsistently implemented by manufacturers. 99 Checking for Resources Evasion Techniques
  • 97. Some Useful WMI Objects ◦ Win32_ComputerSystem ◦ Win32_LogicalDisk ◦ Win32_Fan 100 Checking for Resources Evasion Techniques
  • 98. Most if not all sandboxes result in the addition of management processes that we can look for ◦ Win32_Process contains all the processes currently running Some common processes to look for: ◦ Sbiesvc, SbieCtrl ◦ Vmtools ◦ VBoxService 101 Checking for Processes Evasion Techniques
  • 99. Because of the control many developers have on implementing WMI objects or naming processes there is no one check that is guaranteed to work. ◦ Learn as much as possible about the target environment ◦ Use multiple halting conditions ◦ Check places like attack.mitre.org to look for new techniques if old ones fail 102 There is no one way guaranteed to work Evasion Techniques
  • 100. Covert tactic used to develop signatures on malware and prevent attacks What do we know so far? ◦ Zero documentation anywhere ◦ We can get a callback out 103 Sandbox Evasion Example
  • 101. Put it all together YOUR TURN TO TRY IT ALL 104Conclusion
  • 102. 1. Build payload in Empire ◦ AMSI Bypass ◦ Obfuscation 2. Embed into Word Doc ◦ Verification 3. Add in Macro Checks to avoid “Sandbox” 4. (Optional) Test on host machine 105 Put it all together