By Staff Writer at LMG Security   /   Jul 18th, 2017

Antivirus Evasion

A common mistake made during internal penetration tests is getting tripped up by basic antivirus software. During the privilege escalation phase of the engagement, it is often necessary to run an executable payload using a compromised user account. Most forms of antivirus can detect and block basic payloads, but many antivirus programs in use today can be evaded with a little effort.

 

Antivirus serves as a layer of defense against malicious actors who are privileged enough to execute a payload on the system. This means that the malicious actor has already obtained login credentials or another form of entry, and that a previous defensive layer has already failed. This is considered the ‘initial foothold’ stage of the attack, allowing the malicious actor to start attacking more highly privileged accounts and other computers on the network.

 

To effectively escalate privileges, many malicious actors use a Meterpreter payload whenever a payload is required. Meterpreter is a full-featured payload that provides everything a malicious actor can ask for, including keylogging, the ability to dump cleartext passwords from memory and web browsers, uploading and downloading files, screenshots of the desktop or webcam, and even remote control of the user’s mouse and keyboard. The catch is that Meterpreter payloads can be extremely noisy in system memory and are not designed out-of-the-box to evade antivirus programs.

Coding language

Caption(s): Veil Payload Menu
Source(s): Screenshot created by LMG

One solution to this problem is to use a payload obfuscator to make Meterpreter harder to detect. Veil is an excellent open-source tool designed for this. Using several techniques such as compiling the payload in obscure formats, Veil can generate a fully functional Meterpreter payload that can’t easily be recognized by common antivirus solutions. Swap in a payload created with Veil and you’ll have a much better chance of success of remaining undetected.

 

To remain as stealthy as possible on the compromised machine, it may be more appropriate to use the most minimalistic payload possible that accomplishes the intended goal. If the goal is to pull cleartext passwords from Windows memory, sending over a payload that does exactly and only that would have the smallest footprint and surface area for an antivirus to detect. For this reason, consider tools such as SMBExec or CrackMapExec when choosing your payload. These tools can be used to quickly and easily run tight, stealthy and neatly packaged payloads.

 

Whether you are attacking or defending, ensure you know the strengths and weaknesses of antivirus software. Antivirus is one of the last lines of defense and it is generally not effective at fully stopping determined malicious actors.

 

If you have any questions or comments about what you can do to strengthen your layered security approach, feel free to contact us at [email protected].

CONTACT US