Antivirus Bypass Technique

A lot of users think having an antivirus is the silver bullet to all of their security problems.

Plot twist: It isn’t. 

There is a relatively simple way to bypass antivirus and execute code on a remote machine, and the whole process takes less than 30 minutes.

First, you need a Kali VM with Veil installed, and you use Veil to generate a payload containing a reverse TCP stager that calls back to a handler on your Kali box. The slideshow below shows how I did it, but I won’t be providing specific instructions; with great power comes great responsibility! (I’ve been playing a lot of the new PS4 Spider-Man game.)

[Slideshow: generating the payload in Veil]

Once you have the payload generated, copy it onto the Windows machine you want to attack, but don’t run it yet! I dropped it onto the desktop of a Windows 7 box. Start your Metasploit handler, then launch the program from the desktop of your victim machine. In a real-world penetration test, it would require some social engineering to get a user to run this program. My favorite is to pose as IT and weaponize a PDF with shellcode that executes when the user opens it.


At this point you can edit files and run commands in the context of the user that is logged in. I created a text file on the desktop of the victim machine to verify I had remote access.

[Screenshot: viewing the text file I created from the Kali box]

[Screenshot: running commands as the logged-in user]

You can even jump straight into the command line of the victim machine and view files, initiate shutdowns, or anything else you can do from the command line.

More cool stuff:

[Screenshot: Analyze]

I ran this shellcode through my sandbox to see how it reacts and since the sandbox host couldn’t access the handler, it failed. I was thinking about spinning up another handler that was internet facing, but I’m pretty sure that violates the Computer Fraud and Abuse Act for setting up Command and Control servers…

Moral of the story:

There is no single solution for security. Take a defense-in-depth approach and have multiple strategies to secure your environment. Train your users, use sandboxing to test suspicious files before opening them, and call me to help you set up a more effective security posture within your organization.
