Chapter 8: Antivirus Evasion and Anti-Forensics

In the previous two chapters, you learned how to leverage the Metasploit Framework to generate custom payloads and launch advanced client-side attacks. However, the payloads that we generate will be of no use if they get detected and blocked by antivirus programs. In this chapter, we'll explore the various techniques to employ in order to make our payloads as undetectable as possible. You will also become familiar with various techniques to cover our tracks after a successful compromise.

In this chapter, we will cover the following topics:

  • Using encoders to avoid antivirus detection
  • Using the new evasion module
  • Using packagers and encrypters
  • Understanding what a sandbox is
  • Using Metasploit for anti-forensics

Technical requirements

The following software is required:

  • Kali Linux
  • The Metasploit Framework
  • 7-Zip

Using encoders to avoid antivirus detection

In Chapter 6, Client-Side Attacks with Metasploit, we saw how to use the msfvenom utility to generate various payloads. However, if these payloads are used as is, they will almost certainly be detected by antivirus programs. One way to change the appearance of a payload is to use the encoders offered by the msfvenom utility. Keep in mind that encoders were designed to remove bad characters (such as null bytes) from shellcode, not to defeat antivirus, and the decoder stub that each encoder prepends is itself well known to antivirus vendors, so encoding alone rarely gets the detection rate very low.

To get started, we'll generate a simple payload in the .exe format using the shikata_ga_nai encoder, as demonstrated in the following screenshot:

Figure 8.1 – Generating a payload using 'msfvenom'

Once the payload has been generated, we upload it to http://www.virustotal.com for analysis.

Important Note:

The site http://www.virustotal.com runs antivirus engines from many vendors and scans the uploaded file with all of them. Be aware that every uploaded sample is shared with those vendors, so a payload submitted here should be treated as burned: its detection rate will climb as signatures are written for it. For a real engagement, test against a locally installed copy of the target's antivirus product instead, and upload nothing.

When the analysis is completed, we can see that our file, apache-update.exe (containing a payload), was detected by 46 out of the 60 antivirus programs that were used. This is a very high detection rate, and sending the payload as is to our victim is unlikely to succeed.

Now, we'll have to work on making it undetectable from as many antivirus programs as we can:

Figure 8.2 - Scanning a payload using 'virustotal'

Encoding our payload with the shikata_ga_nai encoder once did not achieve much. The msfvenom utility also has an option to run the encoder for multiple iterations, each pass re-encoding the output of the previous one. Now, we'll generate the same payload again, this time running the encoder 10 times in an attempt to make it stealthier, as in the following screenshot:

Figure 8.3 - Generating a payload using 'msfvenom'

Now that the payload has been generated, we again submit it for analysis on http://www.virustotal.com.

As the following screenshot demonstrates, the analysis results show that this time, our payload was detected by 45 antivirus programs out of the 60. That is only marginally better than the previous attempt, and still not good enough:

Figure 8.4 - Scanning a payload using 'virustotal'

Now, to try to make our payload harder to detect, this time we'll switch from shikata_ga_nai (as used earlier) to a different encoder, opt_sub, and run it on our payload for five iterations, as in the following screenshot:

Figure 8.5 - Generating a payload using 'msfvenom'

Once the payload has been generated, we will submit it to http://www.virustotal.com for analysis. This time, the results look much better!

Only 25 antivirus programs out of the 60 were able to detect our payload, as compared to 45 out of 60 earlier, as the following screenshot shows. This is certainly a significant improvement:

Figure 8.6 - Scanning a payload using 'virustotal'

You have probably worked out that there is no single recipe that makes a payload completely undetectable. Reducing detection involves trial and error with different encoders, iteration counts, and combinations of the two, and you keep trying until the detection rate drops to an acceptable level.

However, it's also very important to note that running multiple iterations of an encoder can produce a payload that no longer works: every pass adds another decoder stub, the executable grows, and the result may crash or never call back. Hence, it's advisable to actually verify the payload by executing it on a test instance before it's sent to the target system.

Now, let's move on to the new evasion module introduced in Metasploit 5.0.

Using the new evasion module

In the previous section, we saw how to make use of encoders to encode payloads and make them stealthier. Metasploit 5.0 introduced a new module type, evasion modules.

The module evasion/windows/windows_defender_exe generates a Windows executable (EXE) built to evade the Windows Defender antivirus. This is achieved with a combination of techniques: the executable is compiled from C source by Metasploit's Metasm-based compiler, includes anti-emulation checks, keeps the shellcode encrypted until run time, and obfuscates the source before compiling it.

To use the evasion module, we'll first open up the msfconsole utility and then run the command use evasion/windows/windows_defender_exe, as in the following screenshot. We can then use the info command to get more information on the module:

Figure 8.7 - Using the new evasion module

Using the show options command, as in the following screenshot, we can see the parameters required to run this module. The only module option is FILENAME, and it takes a default value if not explicitly set.

In addition to the FILENAME parameter, the evasion module also needs to be supplied with a payload in order to run successfully. This can be set using the set PAYLOAD windows/meterpreter/reverse_https command, as in the following screenshot.

We also need to configure the LHOST parameter for the payload (and LPORT, if the default port is not suitable). LHOST specifies the IP address that the generated executable will connect back to once it runs. Once the parameters have been configured, we can simply use the exploit command to run the module:

Figure 8.8 - Using the new evasion module

As the preceding screenshot shows, the LSO.exe file was generated in the location /root/.msf4/local/. This file can now be transferred to any of the Windows target systems for further exploitation. Meanwhile, we need a handler to receive the inbound connection: use exploit/multi/handler, set PAYLOAD to the same windows/meterpreter/reverse_https, and set LHOST and LPORT to the values used when the executable was generated.

We'll now move on to using packagers and encrypters to make our payloads even stealthier.

Using packagers and encrypters

Earlier in this chapter, we saw how to make use of various encoders in order to make our payload harder to detect. However, even after using different encoders and iterations, our payload was still detected by a number of antivirus programs. To hide the payload from scanners altogether, we can make use of the encrypted self-extracting archive (SFX) feature offered by the 7-Zip compression utility: a scanner cannot inspect the contents of an encrypted archive without the password.

To begin, we'll first upload a malicious PDF file (containing a payload) to the site http://www.virustotal.com. The analysis shows that our PDF file was detected by 32 antivirus programs out of the 56 available, as in the following screenshot:

Figure 8.9 - Scanning a payload using 'virustotal'

Now, using the 7-Zip utility, as in the following screenshot, we convert our malicious PDF file into a self-extracting archive:

Figure 8.10 - Using 7-Zip to create an SFX archive

The analysis results, as in the following screenshot, show that the PDF file that was converted into a self-extracting archive was detected by 21 antivirus programs out of the 59 available. This is much better than our previous attempt (32 out of 56).

Now, to make the payload even stealthier, we will convert it into a password-protected self-extracting archive. This can be done with the help of the 7-Zip utility, as in the following screenshot:

Figure 8.11 - Using 7-zip to create an SFX archive

Now, we'll upload the password-protected archive to http://www.virustotal.com and check the result, as in the following screenshot. Interestingly, this time, none of the antivirus programs were able to detect our payload:

Figure 8.12 - Scanning a payload using 'virustotal'

Now, our payload will go undetected while in transit until it reaches its target. Note what this does and does not buy us: the encrypted archive hides the PDF from mail gateways and scanners that look at the file as it travels, but the moment the victim enters the password and the SFX stub extracts the PDF to disk, an on-access scanner on the endpoint gets to see the original file again. The password also adds another barrier for the end user (victim), who has to be persuaded to type it in.
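To see what a scanner still has to work with, here is an added example (not from the page and not 7-Zip's code) that locates a 7z archive appended to an MZ stub, which is what a 7-Zip SFX is, and validates the CRC of the 7z signature header. The archive body may be encrypted, but the stub and the 32-byte signature header never are. The sample SFX is constructed inline (a fake MZ stub and a hand-built header, not a real 7-Zip stub), and the function names are this example's own.

```python
"""Added example, not from the chapter or from 7-Zip: find a 7z archive
embedded in a PE (a 7-Zip SFX) and check its signature header. Password
protection encrypts the archive body, not the stub or this header, so a
scanner can still recognise and flag the container."""
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # the six signature bytes every 7z archive starts with
START_HEADER_LEN = 32


def parse_7z_start_header(buf: bytes, off: int) -> dict:
    """Parse the 32-byte 7z signature header at `off`.
    Layout: magic(6) major(1) minor(1) start_crc(4) next_off(8) next_size(8) next_crc(4).
    start_crc covers the last 20 bytes (next_off, next_size, next_crc)."""
    major, minor, start_crc, next_off, next_size, next_crc = struct.unpack_from(
        "<BBIQQI", buf, off + 6)
    crc_ok = (zlib.crc32(buf[off + 12: off + 32]) & 0xFFFFFFFF) == start_crc
    return {"offset": off, "version": (major, minor),
            "next_header_offset": next_off, "next_header_size": next_size,
            "start_header_crc_ok": crc_ok}


def find_7z_archives(data: bytes) -> list:
    """Every position in `data` that carries a complete 7z signature header."""
    hits = []
    pos = data.find(SEVENZ_MAGIC)
    while pos != -1 and pos + START_HEADER_LEN <= len(data):
        hits.append(parse_7z_start_header(data, pos))
        pos = data.find(SEVENZ_MAGIC, pos + 1)
    return hits


def is_sfx(data: bytes) -> bool:
    """An executable (MZ) with an intact 7z archive somewhere after the stub."""
    return data[:2] == b"MZ" and any(h["start_header_crc_ok"] for h in find_7z_archives(data))


def build_sample_sfx(stub_len: int = 64, next_size: int = 40) -> bytes:
    """Constructed test data: a fake 'MZ' stub followed by a valid 7z signature
    header and some filler where the packed streams and next header would be."""
    stub = b"MZ" + b"\x00" * (stub_len - 2)
    tail = struct.pack("<QQI", 0x10, next_size, 0xDEADBEEF)  # next_off, next_size, next_crc
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF
    header = SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", start_crc) + tail
    return stub + header + b"\x00" * 0x10 + b"\xAA" * next_size


if __name__ == "__main__":
    sample = build_sample_sfx()
    for hit in find_7z_archives(sample):
        print(f"7z header at offset {hit['offset']}, version {hit['version']}, "
              f"CRC ok: {hit['start_header_crc_ok']}")
    print("looks like an SFX:", is_sfx(sample))
```

Run it against a real 7-Zip SFX and the hit lands right after the stub's last section; against the payload PDF on its own it returns nothing. Whether the embedded archive is password protected requires parsing the next header, which 7-Zip may itself encrypt, and is outside what this example does.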

We'll now move on to understanding various concepts related to a sandbox.

Understanding what a sandbox is

Whenever we execute an application, be it legitimate or malicious, some of the events that occur are as follows:

  • The application directly interacts with the host operating system.
  • System calls are made.
  • Network connections are established.
  • Registry entries are modified.
  • Event logs are written out.
  • Temporary files are created or deleted.
  • New processes are spawned.
  • Configuration files are updated.

All the preceding events are persistent in nature and change the state of the target system. Now, there might be a scenario wherein we have to test a malicious program in a controlled manner, such that the state of the test system remains unchanged. This is exactly where a sandbox can play an important role.

Imagine that a sandbox is an isolated container or compartment. Anything that is executed within a sandbox stays within it and does not impact the outside world. Running a payload sample within a sandbox will help you analyze its behavior without impacting the host operating system.

There are a couple of open source and free sandbox frameworks available:

Sandboxie: https://www.sandboxie.com.

Cuckoo Sandbox: https://cuckoosandbox.org/.

Exploring the capabilities of these sandboxes is beyond the scope of this book. However, it's worth trying out these sandboxes for malicious payload analysis.

Now, we'll move on to understanding the anti-forensics capabilities of the Metasploit Framework.

Using Metasploit for anti-forensics

Over the past decade or so, there have been substantial improvements and advancements in digital forensic technologies. The forensic tools and techniques are well developed and mature enough to search for, analyze, and preserve digital evidence in case of a breach, fraud, or other incident.

We have seen, throughout this book, how Metasploit can be used to compromise a remote system. Meterpreter is injected into memory as a reflective DLL and ensures that nothing is written to disk unless explicitly required. However, during a compromise, we often need to perform certain actions that modify, add, or delete files on the remote filesystem. This implies that our actions can be traced if any sort of forensic investigation is undertaken on the compromised system.

Making a successful compromise of our target system is one essential part, while making sure that our compromise remains unnoticed and undetected, even from a forensic perspective, is the other. Fortunately, the Metasploit Framework offers tools and utilities that help us clear our tracks and ensure that little or no evidence of our compromise is left on the system.

We will start with the first utility, Timestomp, in the next section.

Timestomp

Each and every file and folder located on the filesystem, irrespective of the type of operating system, has metadata associated with it. Metadata is nothing but properties of a particular file or folder, which contains information such as the time and date that it was created, accessed, and modified, its size on the disk, its ownership information, and some other attributes, such as whether it's marked as read-only or hidden. In case of any fraud or incident, this metadata can reveal a lot of useful information that can trace back the attack.

Apart from the metadata concern, there are also certain security programs, known as file integrity monitors, that keep on monitoring files for any changes. Now, when we compromise a system and get a Meterpreter shell on it, we might be required to access existing files on this system, create new files, or modify existing files.

When we make such changes, it will obviously be reflected in the metadata in the form of changed timestamps. This could certainly raise an alarm or give away a lead during an incident investigation. To avoid leaving traces in the metadata, we would want to overwrite the timestamps of each file and folder that we accessed or created during our compromise. Meterpreter offers a very useful utility called timestomp, with which you can view or overwrite the timestamp values (created, modified, accessed, and MFT entry modified) of any file or folder with values of your choosing. Bear in mind that timestomp sets these values through the Windows file API, which updates only the $STANDARD_INFORMATION timestamps of an NTFS file; the $FILE_NAME timestamps held in the same MFT entry keep their original values, and examiners compare the two to spot backdated files.

The following screenshot shows the help menu of the timestomp utility once we have obtained a Meterpreter shell on the compromised system:

Figure 8.13 - Exploiting the target

The following screenshot shows the timestamps for the Confidential.txt file before using timestomp:

Figure 8.14 - Checking file properties using the timestamp

Now, we will compromise our target system using the MS08-067 SMB vulnerability (exploit/windows/smb/ms08_067_netapi) and then use the timestomp utility to modify the timestamps of the Confidential.txt file, as in the following screenshot:

Figure 8.15 - Exploiting the target

After using the timestomp utility to modify the file timestamps, we can see the changed timestamp values for the Confidential.txt file, as demonstrated in the following screenshot:

Figure 8.16 - Checking file properties using the timestamp
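Seen from the examiner's side, here is an added example (not part of the original chapter) of the checks that catch what we just did: it compares $STANDARD_INFORMATION against $FILE_NAME timestamps and looks for whole-second values, over constructed MFT-style records that mimic Confidential.txt after timestomp -z "01/01/2010 00:00:00". The record layout and function names are this example's own.

```python
"""Added example, not part of the original chapter: the checks an examiner
runs to spot timestomped files on NTFS, applied to constructed MFT-style
records. timestomp rewrites timestamps through the file API, which updates
the $STANDARD_INFORMATION (SI) attribute only; the $FILE_NAME (FN) attribute
in the same MFT entry keeps the original values, and a value typed into
timestomp has no sub-second part. Times are Windows FILETIMEs: 100-ns ticks
since 1601-01-01 UTC. The record field names are this example's own."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer arithmetic, so no float rounding
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def flags_for(record: dict) -> list:
    """Indicators raised by one MFT record with keys si_created, si_modified,
    fn_created, fn_modified (FILETIME ints)."""
    flags = []
    # 1. A timestamp of whole seconds: a human typed "01/01/2010 00:00:00";
    #    the OS itself practically never produces a zero sub-second part.
    for key in ("si_created", "si_modified"):
        if record[key] % TICKS_PER_SECOND == 0:
            flags.append(f"{key}_has_zero_subseconds")
    # 2. SI creation earlier than FN creation: the file claims to be older
    #    than the MFT entry that holds it, which only backdating produces.
    if record["si_created"] < record["fn_created"]:
        flags.append("si_created_before_fn_created")
    return flags


def scan(records: list) -> dict:
    """Map of file name to indicators, for records that raise at least one."""
    report = {}
    for rec in records:
        flags = flags_for(rec)
        if flags:
            report[rec["name"]] = flags
    return report


def sample_records() -> list:
    """Constructed: Confidential.txt after timestomp set all four SI values
    to 01/01/2010 00:00:00, and a file nobody touched."""
    real = datetime(2020, 3, 14, 9, 26, 53, 589793, tzinfo=timezone.utc)
    stomped = datetime(2010, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    return [
        {"name": "Confidential.txt",
         "si_created": to_filetime(stomped), "si_modified": to_filetime(stomped),
         "fn_created": to_filetime(real), "fn_modified": to_filetime(real)},
        {"name": "notes.txt",
         "si_created": to_filetime(real),
         "si_modified": to_filetime(real + timedelta(hours=2, microseconds=17)),
         "fn_created": to_filetime(real), "fn_modified": to_filetime(real)},
    ]


if __name__ == "__main__":
    for name, flags in scan(sample_records()).items():
        print(name, "->", ", ".join(flags))
```

timestomp -f (copy another file's timestamps) avoids the whole-second tell, and using a date later than the real creation time avoids the second check, but neither changes $FILE_NAME, and the USN journal and volume shadow copies keep their own record of the file. Clean timestamps are a much weaker guarantee than the screenshot suggests.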

We now move to the next utility, clearev, which will help clear tracks on the target system.

Clearev

Whenever we interact with a Windows system, our actions are recorded in the form of event logs. The three classic Windows logs are as follows:

  • Application logs: Contains events written by applications, such as an application's startup and shutdown
  • Security logs: Contains security events, such as logon failures and account changes
  • System logs: Contains system events, such as startup, reboot, service changes, and updates

In the case of a system failure or security compromise, event logs are most likely to be seen first by the investigator/administrator.

Let's consider a scenario wherein we compromised a Windows host using some vulnerability. Then, we used Meterpreter to upload new files to the compromised system. We also escalated privileges and tried to add a new user. Now, these actions would get captured in the event logs. After all the effort we put into the compromise, we would certainly not want our actions to be detected. This is when we can use the Meterpreter command clearev to wipe the Application, System, and Security logs and clear our activity trail. Be aware that clearing a log is itself logged: on Windows Vista and later, wiping the Security log produces event ID 1102 ("The audit log was cleared") naming the account that did it, and wiping the System or Application log produces event ID 104 in the System log, so an empty log is a loud signal to any investigator.

The following screenshot shows the Windows Event Viewer application, which stores and displays all event logs:

Figure 8.17 - Checking Windows Event Logs

Now, we compromise our target Windows system using the MS08-067 SMB vulnerability (exploit/windows/smb/ms08_067_netapi) and get Meterpreter access. We type the clearev command in the Meterpreter shell (as in the following screenshot), and it wipes all three event logs on the compromised system:

Figure 8.18 - Exploiting the target

Back on our compromised Windows system, we check the Event Viewer and find that all the logs have been cleared out, as demonstrated in the following screenshot:

Figure 8.19 - Checking the Windows event logs

Hence, by using clearev within Meterpreter, we were successfully able to clear the events on the target system, as in the preceding screenshot.
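What an investigator looks for after clearev, as an added example that is not part of the original chapter: the log-cleared records (event ID 1102 in the Security log, 104 in the System log) and logs whose oldest surviving record is far newer than the last boot. The export is constructed, in a comma-separated layout chosen for this example; the boot time and account name are made up.

```python
"""Added example, not part of the original chapter: detection logic for the
footprint clearev leaves behind, run over a constructed event-log export.
On Windows Vista and later, clearing the Security log writes event ID 1102
("The audit log was cleared") as the first record of the emptied log, and
clearing the System or Application log writes event ID 104 to the System
log; both name the account that did it. A log whose oldest surviving record
is far newer than the last boot is the other giveaway. The export format
(time,channel,event_id,account) is this example's own."""
from datetime import datetime, timedelta

CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
CHANNELS = ("Application", "Security", "System")

# Constructed: an export of the three classic logs right after clearev ran at
# 09:16 on a host that booted at 08:00. Everything older is gone.
SAMPLE_EXPORT = """\
2021-06-01T09:16:02,Security,1102,WIN-TEST\\Administrator
2021-06-01T09:16:03,System,104,WIN-TEST\\Administrator
2021-06-01T09:16:03,System,104,WIN-TEST\\Administrator
2021-06-01T09:16:40,Security,4624,WIN-TEST\\Administrator
2021-06-01T09:17:05,System,7036,SYSTEM
"""
SAMPLE_BOOT = datetime(2021, 6, 1, 8, 0, 0)


def parse_export(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, account = line.split(",", 3)
        events.append({"time": datetime.fromisoformat(ts), "channel": channel,
                       "event_id": int(event_id), "account": account})
    return events


def find_log_clears(events: list) -> list:
    """Every record that says a log was cleared, as (time, channel, id, account)."""
    return [(e["time"], e["channel"], e["event_id"], e["account"])
            for e in events if (e["channel"], e["event_id"]) in CLEAR_EVENTS]


def truncated_channels(events: list, boot_time: datetime,
                       max_gap: timedelta = timedelta(minutes=10)) -> dict:
    """Channels that are empty or whose oldest record is well after boot.
    Logging starts at boot, so an oldest record an hour later means the
    earlier records were removed (cleared, or rolled over on a busy host)."""
    oldest = {}
    for e in events:
        if e["channel"] not in oldest or e["time"] < oldest[e["channel"]]:
            oldest[e["channel"]] = e["time"]
    result = {}
    for ch in CHANNELS:
        if ch not in oldest:
            result[ch] = "empty"
        elif oldest[ch] - boot_time > max_gap:
            result[ch] = f"oldest record {oldest[ch] - boot_time} after boot"
    return result


def analyze(text: str, boot_time: datetime) -> dict:
    events = parse_export(text)
    return {"clears": find_log_clears(events),
            "truncated": truncated_channels(events, boot_time)}


if __name__ == "__main__":
    report = analyze(SAMPLE_EXPORT, SAMPLE_BOOT)
    for when, channel, event_id, who in report["clears"]:
        print(f"{when} {channel} {event_id} cleared by {who}")
    for channel, why in report["truncated"].items():
        print(f"{channel}: {why}")
```

Against the sample the first finding is the 1102 record itself, stamped with the account that ran clearev, which is exactly the lead the command was meant to remove. Where the host forwards its logs to a collector, the cleared records survive there as well, so clearev only ever removes the local copy.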

Summary

We started this chapter with an overview of various encoders used to obfuscate payloads, then looked at the evasion module introduced in Metasploit 5.0, and then learned how to use 7-Zip to create encrypted payload archives. After a short look at what a sandbox is, we concluded the chapter with the Metasploit anti-forensics capabilities, timestomp and clearev.

Moving on to the next chapter, we'll deep dive into a cyber attack management tool called Armitage, which uses Metasploit at the backend and facilitates more complex penetration testing tasks.

Exercises

You can try the following exercises:

  • Use the msfvenom utility to generate a payload, and then try using various encoders to make it less detectable using the site https://www.virustotal.com. Use a tool called Hyperion for making the payload undetectable.
  • Try using any of the sandbox applications to analyze the behavior of the payload generated using the msfvenom utility.
  • Use the evasion module to generate a payload executable and scan it using Virustotal to see how many antivirus programs are able to detect it.

Further reading

Further information on antivirus evasion using Metasploit can be found at https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/.
