Treating Antivirus as “The Gold Standard”

Jordan Drysdale //

ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.

Sacred Cash Cow Tipping Webcast 2018 follow-up

The great Kaspersky Internet Security 2017 antivirus product lived up to and met all of my expectations in testing, so I cheated. At least it feels like cheating.

Kaspersky, LIKE ALL OTHER host-based AV and endpoint protection products, can be bypassed on Windows 10 by using the Windows Bash Subsystem (WSL). Side-note – YESSSSSSS!!!!! This:

Once we have the Bash Subsystem installed, it’s basically game on. The Windows host AV and EP products do not stand a chance as the subsystem is invisible to their shield. We really need our blue teamers to step up here and do the following:

  1. Egress Port Filtering
  2. Domain Categorization at a minimum
  3. Domain whitelisting FTW!

Otherwise, you end up with this: your adversary enabling the WSL, rebooting your system while you are away, and pulling the file.

Did Kaspersky flag my attempt to retrieve this over the web? Heck yes it did! So clearly, the file can be detected as malicious easily…

Regardless of the tested product, shell via linux/reverse_tcp:

Yeah, fine, so we cheated and it feels dirty. I called John and said something like “the same things worked like last year, first try.” Let me just add here, this will work against ALL AV and HOST BASED EP PRODUCTS. Buried, nothing working and you need a shell out as a tester? Enable the subsystem, rock and roll. Anyway, John tells me to “Try Harder.”

Fine, we’ll treat this like a command and control test. So I threw literally everything at it:

  • Malicious web sites
  • Infected USBs
  • Meterpreter of all flavors
  • Custom Python
  • Shellter EXEs
  • Veil
  • Memory cradle PS invocations
  • Unicorn
  • Macros
  • HTAs

Anyway, everything failed, stuffed, caught in tracks, shutdown, kaputz, et cetera. Until I remembered the story of InfoSec’s newest hero and legend: “Trevor.” So this little guy, through no fault of his own, becomes a command and control inspiration.

Thus, at 1:30 AM, I discovered the second bypass technique.

Step 1: Server side TrevorC2 configuration:

Step 2: Client side TrevorC2 configuration:

Step 3: Validate AV Installation on victim

Step 4: Establish Connection

Step 5: Interaction with victim

There you have it! Antivirus bypassed in two different ways. #TrevorForget and Bash on Windows!

Thanks @HackingDave
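The egress port filtering and domain whitelisting asked of blue teams earlier in this post, applied to outbound connection records, as an added example that is not part of the original post. The policy values, host names, port 4444 and log lines are constructed for illustration; the check shows a raw callback on a non-web port failing the port filter, while traffic on a web port is stopped only by the domain allowlist.

```python
import ipaddress

# Assumed policy for illustration; real values come from your firewall/proxy.
ALLOWED_PORTS = {80, 443}
ALLOWED_DOMAINS = {"example.com", "update.example.org"}  # constructed allowlist

# Constructed outbound connection records: "src_host dst_host dst_port"
SAMPLE_LOG = """\
ws-0142 www.example.com 443
ws-0142 203.0.113.50 4444
ws-0142 203.0.113.50 443
ws-0142 cdn.example.net 80
ws-0142 evilexample.com 443
ws-0142 example.com.example.net 443
"""

def is_ip_literal(host):
    """True when the destination is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_allowed(host):
    """Exact match or true subdomain of an allowlisted domain (label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def evaluate(dst, port):
    """Return (verdict, reason) for one outbound connection."""
    if port not in ALLOWED_PORTS:
        return "DENY", "egress port not allowed"
    if is_ip_literal(dst):
        return "DENY", "bare IP, no domain to categorize"
    if not domain_allowed(dst):
        return "DENY", "domain not on allowlist"
    return "ALLOW", "port and domain permitted"

def review(log_text):
    """Apply the policy to every record: (src, dst, port, verdict, reason)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        results.append((src, dst, int(port)) + evaluate(dst, int(port)))
    return results

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row, sep="\t")
```

Domain categorization fits the same shape: replace the set lookup in `domain_allowed` with the category verdict from your proxy or DNS filter.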
