Bypass Windows Defender with A Simple Shell Loader

One of the most simplistic ways to get past Windows Defender is to roll your own shell code loader. There are hundreds of examples on GitHub, GitLab, and BitBucket but, this post is going to break it down and provide a simple framework that Red Teams and Penetration Testers alike can use.

Live exploitation

This tutorial does not result in a final “tool” although, it will have complete and compilable code. I know I know, C# is not compiled, it’s JIT, but for the sake a brevity, I’m calling it compiled.


Resources

Before jumping right in, here is a list of resources that will help answer questions and concerns you may have while reading this post (AKA: I won’t define/detail every aspect of the exploit and only highlight important and kick-ass things):


Current State

Here’s my system and build information for reference.

Exploit Information:

  • Language: C#
    • .NET Framework 4.0 (Cross compile to whatever you like)
    • Visual Studio 17 (community)
  • Build Architecture: x86
  • Shell Code: MSFVenom windows/exec
    • msfvenom -a x86 -p windows/exec cmd=calc.exe -f csharp

Victim Information:

  • Windows 10 Version 1809
    • Fully Patched and Updated (5/24/2019)
    • Defender Real-Time and Online protection Enabled
    • Firewall Enabled
All of Defenders services are turned on and updated

Testing

As of writing this (5/24/2019), Windows defender client Machine Learning system is able to easily detect stock Metasploit payloads. That’s not surprising. The question I asked myself was, to what extent do I need to go to to build a standalone binary that will execute a payload without the binary being flagged as malicious?

When I say to what extent, I am talking about coding techniques and byte code obfuscation. For example, would simply Base64 encoding a byte[] object work for us? The short answer is, No.

Initial testing consisted of generating a simple calc.exe execution payload where the shell code (C# byte Array) would be loaded and executed in memory using VirtualAlloc().

After building the x86 Release exe, moving the exe to the desktop, and executing it, Defender flagged it as malicious and promptly removed the executable from the system.

Defender MessageBox
Defender Event

Looking at Event 1116 from above, it looks like Defender is flagging on the known formatting of Metasploit. Defender is saying this is a Win32 Meterpreter payload which, it’s not. Microsoft doesn’t care as long as it catches a known Metasploit byte signature. The good news is we might just be able to encode or encrypt the payload to bypass Defender.


The Bypass

Video of the actual bypass
Metasploit Shell_Reverse_TCP Example

It’s helpful to understand what we are trying to defeat. We know, initially, we are trying to defeat the Windows Defender Client Side Machine Learning (Client ML) subsystem and most 3rd party EDR and AV products. Things we want to avoid are massive Base64 strings because of their large entropy values. This will be immediately flagged by most EDR/AV products.

Other things we want to avoid are immediate shellcode execution for Windows Defender heuristic reasons. Defender and some EDR/AV products will be smart enough to remove sleep functions from your code so, depending on your Client/Target, this may or may not be an anti-forensics technique you utilize. My first thought was to have an base64 decoding and AES256 decryption routine to get the payload ready for execution. This would also delay execution by a few hundred milliseconds.

It turns out, that’s all that was needed. I have an Encrypt() and Decrypt() function in my code that utilizes AES 256. A user can encrypt and encode their data with the Simple-Loader tool to get the final shellcode encrypted blob in Base64 encoding.

Simple-Loader.exe <path_to_metasploit_payload_txt>

Generate your paylaod
Encrypt Payload Example

GitHub Repository

The repository is a quick and dirty one as this is just a simple example. However, here is a breakdown on how to use it:

  • Open the Simple-Loader.sln in Visual Studio
  • Double click Program.cs
  • Goto Build –> Build Simple-Loader
    • A new Binary will be located in simple-loader/bin/
Build the loader
Build Simple-Loader.exe for Encryption
  • Generate a payload with msfvenom and save to text file.
    • msfvenom -p windows/exec cmd=calc.exe -f csharp -o payload.txt
  • Encrypt and Encode the payload with the Simple-Loader.exe binary.
    • Simple-Loader.exe <path_to_payload>
Encrypt the payload
Generate and Encrypt Payload
  • Take the output from Simple-Loader and replace the Sting hiphop with your new payload.
Add the encrypted payload
Change hiphop String
  • Re-Build the binary and you’re good to go!

Hopefully this helps shed some light on the simplicity of bypassing Windows Defender on a fully patched system!

Cheers!

No Comments

Post a Comment