1 of 24

Bypassing Antivirus

With Understanding Comes Ease

Jeff McJunkin, Founder

Rogue Valley Information Security

2 of 24

Introduction and Agenda

  • AV’s main approaches to detecting and blocking malware
  • Fundamental limitations of the above
  • Bypassing AV -- Different Approaches
  • Live Demo
  • Further discussions
  • Q&A

3 of 24

Antivirus / Antimalware / EDR Tools

  1. Static detections - searching each EXE/DLL on load for bad strings/patterns
  2. Hooking runtime API calls and searching for bad strings / patterns
    • Anti-Malware Scanning Interface (AMSI)
      • Without AMSI, PowerShell, JavaScript, etc. get only static detections
    • Userland hooks
    • Kernel-level hooks (not used on modern operating systems because of PatchGuard; replaced by mini-filter drivers instead)
    • This approach is more prone to false positives and has fewer signatures
  3. Dynamic detection (behavioral analytics during brief emulation)
    • This approach is also more prone to false positives, and has fewer signatures

All of the techniques result in a yes/no decision using “badness” scores

Some strings (such as “Copyright Benjamin Delpy” or “Invoke-Mimikatz”) are suspicious, whereas others (such as “Copyright Microsoft 2020”) are not.

4 of 24

“Next-Gen” Antivirus

But what about machine learning? What about artificial intelligence?

AI is only as smart as it needs to be (finding bad strings)

5 of 24

AMSI

  • The Antimalware Scan Interface allows AV vendors to “see” PowerShell, JavaScript, VBScript, Office macros, and a few other scripting formats, after de-obfuscation and before execution
    • AV then gets to make a yes/no decision
  • Not all AV vendors support AMSI (introduced in 2015)
  • Symantec didn’t support it until June 15, 2020 with SEP 14.3

6 of 24

Which Vendors Support AMSI?

https://github.com/subat0mik/whoamsi

My hot take: if your AV/EDR vendor doesn’t support AMSI, they have no business in this industry, and don’t deserve your money.

7 of 24

Fundamental Limitations of AV

  • AV isn’t tracking everything, for performance reasons
    • Each API call interception adds latency, and there are strong financial incentives to avoid perceptibly slowing down computers due to AV
      • Emulation maximum time varies, but I’ve never seen it over 0.25 seconds (@taviso mentioned a “million instructions”)
    • AV intercepts far more than just running EXE files from disk
      • Examples: loading additional DLLs, writing to another process’s memory, creating new threads, extracting compressed content, checking for debuggers, and more
  • AV companies have a strong financial incentive to minimize false positives, which means A) accepting false negatives and B) brittle signatures

With AV, bots are fighting bots. Unfortunately, attackers can study AV’s behavior, and they take the last move.

8 of 24

Rock ‘Em, Sock ‘Em

9 of 24

Relationship Between False Positives and False Negatives

Commonly discussed in testing theory, but the terminology is also used elsewhere (categorization theory, AV/EDR, etc.)

10 of 24

Relationship Between False Positives and False Negatives

False Positive: Marking a benign binary (such as Notepad.exe) as malicious

False Negative: Marking a malicious binary (such as Mimikatz.exe) as safe

False Positives cost more than False Negatives, in PR and market share

11 of 24

Brittle Signatures, Demonstrated

“Copyright Benjamin Delpy”: unlikely to have false positives, but all sorts of legitimate software accesses LSASS as well.

12 of 24

DEMO:

Bypassing Static Signatures To Use “Malicious” Binaries

13 of 24

Disadvantages for Security Professionals

[Figure: two panels, “Before Tweet” and “After Tweet”]

14 of 24

Disadvantages for Security Professionals

Security professionals tend to…

  1. Talk about their bypass methods
    • As shown on the prior slide, this tends to result in quickly-updated vendor signatures
  2. Use public toolsets (Metasploit, Empire, Covenant, Veil-Evasion)
    • AV vendors spend a disproportionate amount of time making signatures for public tools
    • Security professionals often make their own non-public toolset to take advantage of this, to good effect (BHIS included)
  3. Upload to VirusTotal to test their payloads
    • ...which results in every single AV vendor getting a copy of the payload

15 of 24

Methods of Bypassing Antivirus

  1. Use non-malicious software in malicious ways (preferred)
    • Instead of Metasploit’s psexec implementation, use PsExec.exe from Microsoft
    • Instead of Mimikatz.exe, dump LSASS memory with Task Manager and extract passwords elsewhere
    • Instead of hashdump, save out registry hives and extract hashes elsewhere
    • Instead of meterpreter (at first), use SSH, Remote Desktop, mRemoteNG, TeamViewer, etc.

In general, avoid fair fights (both against AV and in life)

16 of 24

Example of #1 Approach

17 of 24

Methods of Bypassing Antivirus

  • Make an unfair fight:
    • Run inside PowerShell version 2, which doesn’t support AMSI, even on Windows 10
    • Use API calls that aren’t intercepted
    • “Unhook” API calls so antivirus doesn’t have any visibility
    • Detect AV’s sandboxed environments and run differently there
    • Encrypt the payload and only decrypt at runtime (e.g. Hyperion; bypasses static signatures and emulation)
    • Add extra strings (from legitimate software) to increase the “goodness” score
    • Add extra data to go above certain thresholds

18 of 24

Methods of Bypassing Antivirus, Cont.

3. If necessary: Stack the odds in your favor before a fair fight through the following methodology:

  1. Install the AV in your own isolated virtual machine
    • (which doesn’t report to vendor or client)
    • Free trials work great here!
  2. Update AV signatures
  3. Disconnect network adapter
  4. Take a VM snapshot
  5. Test malware
  6. Modify malware and repeat as necessary
  7. Revert to snapshot (no matter what)

19 of 24

Application Control

  • AV (stopping malicious software while allowing legitimate software) has a literally impossible job
    • There are infinite ways to accomplish a given task, whether it’s “Hello World”, meterpreter, Mimikatz, or ransomware
    • Determining whether software is “malicious” is definitely a harder problem than the Halting Problem, which was proven impossible to solve in 1936
  • Instead, focus on application control, only allowing known-good software, such as Microsoft-signed binaries, known vendor software, and internally-developed applications

20 of 24

Application Control: Bypasses

  • Allowing only signed Microsoft binaries isn’t 100% effective
  • Some signed binaries allow arbitrary code execution directly
    • Some refer to these as “LOLBINS” for Living Off the Land BINaries
    • Example: MSBuild.exe allows compiling applications and running arbitrary C# code
    • Many are documented at https://lolbas-project.github.io/ (Living Off the Land Binaries And Scripts)
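The two slides above describe an allow-list that admits signed Microsoft binaries while still having to deny signed LOLBINs such as MSBuild.exe. The following toy policy evaluator, written for this page and not taken from the talk or from any product, shows the rule precedence that makes this work: an explicit deny is checked before any allow, a hash rule covers unsigned internal tools, a publisher rule covers vendor software, and everything else is denied by default. The publisher names, the hash values and the sample binaries are constructed; the MSBuild paths are the standard .NET Framework install locations.

```python
"""Toy application-control policy evaluator.

Added example, not the speaker's code and not a real product's engine. It
mirrors the precedence used by allow-list tooling such as AppLocker: an
explicit deny wins over every allow, hash and publisher rules can allow,
and anything unmatched is denied. Rule contents are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed publisher allow-list (Authenticode signer subject names).
ALLOWED_PUBLISHERS = {"Microsoft Corporation", "Example Corp Internal Build Signer"}

# Explicit deny rules for signed binaries that run arbitrary code. MSBuild.exe
# is the example from the slides; lolbas-project.github.io lists many more.
DENIED_PATHS = {
    r"c:\windows\microsoft.net\framework64\v4.0.30319\msbuild.exe",
    r"c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe",
}

# Hash rules for unsigned internally developed tools (constructed hash value).
ALLOWED_SHA256 = {"11" * 32}


@dataclass(frozen=True)
class Binary:
    path: str
    publisher: Optional[str]  # signer subject, None when the file is unsigned
    sha256: str


def decide(binary: Binary) -> Tuple[str, str]:
    """Return (verdict, reason). Deny rules run first so that a signed LOLBIN
    cannot ride in on a broad publisher allow rule."""
    path = binary.path.lower()
    if path in DENIED_PATHS:
        return ("deny", "explicit deny rule (known LOLBIN)")
    if binary.sha256.lower() in ALLOWED_SHA256:
        return ("allow", "hash rule")
    if binary.publisher in ALLOWED_PUBLISHERS:
        return ("allow", f"publisher rule: {binary.publisher}")
    return ("deny", "default deny: not on any allow-list")


# Constructed sample binaries (hashes are placeholders, not real file hashes).
NOTEPAD = Binary(r"C:\Windows\System32\notepad.exe", "Microsoft Corporation", "aa" * 32)
MSBUILD = Binary(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 "Microsoft Corporation", "bb" * 32)
INTERNAL_TOOL = Binary(r"C:\Tools\inventory.exe", None, "11" * 32)
UNKNOWN_DROP = Binary(r"C:\Users\jdoe\AppData\Local\Temp\update.exe", None, "cc" * 32)

if __name__ == "__main__":
    for b in (NOTEPAD, MSBUILD, INTERNAL_TOOL, UNKNOWN_DROP):
        print(b.path, *decide(b))
```

The order of the checks is the whole design: if the publisher rule were consulted first, MSBuild.exe would be allowed on the strength of its Microsoft signature, which is exactly the gap the “Application Control: Bypasses” slide describes. In a real deployment the deny set has to be maintained against the LOLBAS list rather than hard-coded.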

21 of 24

A Better Approach with AV

  1. Rely on detection in depth and rapid response, not solely preventive controls
  2. Plug AV alerts into monitoring feeds for Security Operations Centers
    • Anecdote here about DC
  3. React quickly to AV alerts including root cause analysis
  4. Don’t pick products based on the Gartner Magic Quadrant, but factor it into your own evaluations
    • Anecdotally, Defender is the toughest to bypass
  5. Spend effort on application control as well, with EDR and AV as additional layers
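Points 2 and 3 above (feed AV alerts into SOC monitoring and react quickly) become actionable once the alerts are parsed and prioritised rather than counted. The script below is an added example for this page, not the speaker’s code or any vendor’s integration: it parses constructed key=value alert lines, escalates any detection the product did not remediate, and flags a host that receives several alerts in a short window, since repeated detections on one machine look like the “modify malware and repeat” loop described earlier. The log format, the ten-minute window and the threshold of three alerts are assumptions.

```python
"""Triage of AV alerts for a SOC feed.

Added example, not the speaker's code. The alert lines, their key=value
schema and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed alert lines (not a real vendor's log schema).
SAMPLE_ALERTS = """\
2020-10-02T13:01:05Z host=WS-017 user=jdoe action=quarantined threat=HackTool:Win32/Mimikatz file=C:\\Users\\jdoe\\Downloads\\mk.exe
2020-10-02T13:03:40Z host=WS-017 user=jdoe action=quarantined threat=HackTool:Win32/Mimikatz file=C:\\Users\\jdoe\\Downloads\\mk2.exe
2020-10-02T13:06:12Z host=WS-017 user=jdoe action=quarantined threat=Trojan:Win32/Meterpreter file=C:\\Users\\jdoe\\Downloads\\update.exe
2020-10-02T13:09:50Z host=DC-01 user=svc_backup action=detected threat=HackTool:Win32/Mimikatz file=C:\\Temp\\m.exe
2020-10-02T14:30:00Z host=WS-042 user=asmith action=quarantined threat=Adware:Win32/Generic file=C:\\Users\\asmith\\AppData\\Local\\Temp\\setup.exe
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

REMEDIATED = {"quarantined", "blocked", "removed"}  # assumed remediation actions
BURST_WINDOW = timedelta(minutes=10)                 # assumed window
BURST_COUNT = 3                                      # assumed threshold


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Turn each line into a dict of fields with a parsed 'ts' timestamp."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        fields: Dict[str, object] = dict(KV_RE.findall(m.group("kv")))
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        alerts.append(fields)
    return alerts


def triage(alerts: List[Dict[str, object]]) -> Dict[str, Tuple[str, str]]:
    """Map each host to (priority, reason)."""
    by_host: Dict[str, list] = defaultdict(list)
    for a in alerts:
        by_host[str(a["host"])].append(a)

    result = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        # A detection the product could not remediate means the file may still
        # be running: root-cause analysis on that host cannot wait.
        unremediated = [a for a in items if a["action"] not in REMEDIATED]
        if unremediated:
            result[host] = ("critical",
                            f"{len(unremediated)} detection(s) without remediation")
            continue
        # Several remediated alerts in a short window suggest someone is
        # iterating payloads against the AV rather than one stray download.
        burst = any(
            sum(1 for a in items[i:] if a["ts"] - items[i]["ts"] <= BURST_WINDOW) >= BURST_COUNT
            for i in range(len(items))
        )
        if burst:
            result[host] = ("high", f"{len(items)} alerts within {BURST_WINDOW}")
        else:
            result[host] = ("info", "single remediated alert; review at normal cadence")
    return result


if __name__ == "__main__":
    for host, (priority, reason) in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{priority:8} {host:8} {reason}")
```

On the sample data WS-017 is raised to high for three alerts in five minutes, DC-01 is critical because the engine only reported “detected”, and WS-042 stays informational. The point is not the specific thresholds but that a quarantined alert is a lead, not a closed ticket: the next attempt from the same attacker may be the one the signature misses.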

22 of 24

AV’s own attack surface

Some attributes of AV:

  • Highly privileged
  • Often not sandboxed
  • Evaluates untrusted inputs and code
  • Often not logged
  • Sometimes has poor software protections

23 of 24

Closing Statement

To prevent successful breaches, defenders need to detect and respond to attackers before they accomplish their goal. Therefore, defenders have two goals:

  1. Lowering the time to detect and respond to an attacker
  2. Making it take longer for an attacker to accomplish their goal

Prevention is ideal, but it’s impossible to prevent 100% of incidents. Therefore, focus on minimizing, detecting, and accelerating response to incidents.

24 of 24

Questions?

Slides are online at https://bit.ly/bypassingav

Recorded video from WWHF 2020 is here: https://www.youtube.com/watch?v=UO3PjJIiBIE

Follow up questions? jeff@roguevalleyinfosec.com