Can RedTeam exercises be done today only using open source tools and do they have 100% yield/success? Can I affirm that I can compete with the top solutions in a red team vs blue team engagement, blackbox or whitebox exercise, using only open source tools and having the same result as the enterprise solutions like: Canvas, Metasploit Pro, Open Core, Cobaltstrike ?

In the series that I will approach, I will present ways to compete with the top security research undertaken by companies focused on security products and how we can combine and customize multiple open source solutions for achieving the same result.

Contents

• Short Introduction
• What is AMSI?
• How do I make use of opensource
• Code Obfuscation
• Invoke Obfuscation

Short Introduction

Because it is less probable to encounter a Linux based system with a security solution in an enterprise environment, I have chosen to focus on how we can compromise a Windows based system up to date (11.04.2020 - the date I am writing this article) having all of the security modules enabled.

We can see a number of measures implemented in Microsoft’s operating system that have no role other than to provide a greater protection system for user protection:

• Windows Defender
• Antimalware Scan Interface (AMSI)
• Control flow guard
• Data Execution Prevention (DEP)
• Randomized memory allocations
• Arbitrary Code guard (ACG)
• Block child processes
• Simulated Execution (SimExec)
• Valid stack integrity (StackPivot)

I do not want to advertise Microsoft products but as I focus on proving we still can bypass their solutions, I can not say that they didn’t do a good job regarding thier security solutions (maybe they are intending to sell security services like many others if they already have not started). One security sollution from Microsoft I encountered more than I intended to, and I burned my arsenal in development or pentests before finding out what stopped me and why, I am pretty sure you encountered it too even if Windows Defender was not the main AV/AntiMalware solution from your target. I think you got about what i am speaking of :).

What is AMSI?

As you guessed, I was reffering at AMSI; before starting how to make use of the open source tools for a red team exercise, we have to bypass Microsoft’s security modules, this meaning we have to bypass AMSI too. Before getting into the methods of bypassing AMSI, we need to clarify a little about what AMSI is, under what principles AMSI works and how it has the ability to catch even the most exotic payloads.

AMSI is an interface that allows to the OS’s applications and services to integrate with any antimalware product that’s present on a machine. It supports a calling structure allowing for a file and memoy or stream scanning, content source URL/IP reputation checks and other techniques. It supports also the notion of a session so different antimalware vendors can correlate different scan requests, this being pretty bad for our stagers if they are catched by AMSI.

As we can see in the above image, AMSI is integrated by default in the following Windows’ components meaning that for example we have a powershell script containing some commands, they will be analyzed based on some string patterns and in case they something match, then Windows Defender/ Microsoft’s Sandbox will enter in action:

• User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
• PowerShell (scripts, interactive use, and dynamic code evaluation)
• Windows Script Host (wscript.exe and cscript.exe)
• JavaScript and VBScript
• Office VBA macros

As things were not enough bad, Microsoft improve the logging capabilities of Windows Defender so we have the risk to alarm the whole network of our presence if there is a SOC team.

> Get-WinEvent ‘Microsoft-Windows-Windows Defender/Operational’ -MaxEvents 1 | Where-Object Id -eq 1116 | format-list

As we can see Windows Defender already logged our activity of trying to execute our payload in memory. As source of detection is menitoned AMSI. This can be easily automated in a SIEM to trigger an alert and all of our efforts of getting on the workstation would be useless.

AMSI may provide a result between 1 and 32767. The larger the result, the riskier it is to continue with the content. These values are provider specific, and may indicate a malware family or ID. Any return result equal to or larger than 32768 is considered malware, and the result is blocked. A list from Microsoft docs will explain each range of values what means:

• AMSI_RESULT_CLEAN - Known good. No detection found, and the result is likely not going to change after a future definition update.
• AMSI_RESULT_NOT_DETECTED - No detection found, but the result might change after a future definition update.
• AMSI_RESULT_BLOCKED_BY_ADMIN_START - Administrator policy blocked this content on this machine (beginning of range).
• AMSI_RESULT_BLOCKED_BY_ADMIN_END - Administrator policy blocked this content on this machine (end of range).
• AMSI_RESULT_DETECTED - Detection found. The content is considered malware and should be blocked.

According to Microsoft docs “results within the range of AMSI_RESULT_BLOCKED_BY_ADMIN_START and AMSI_RESULT_BLOCKED_BY_ADMIN_END values (inclusive) are officially blocked by the admin specified policy. In these cases, the script in question will be blocked from executing. The range is large to accommodate future additions in functionality”.

This looks bad until now but courage, there is hope :).

How do I make use of open source?

As a penetration tester, I have to prioritize what I want to complete first for having a prepared arsenal for any penetration test. Because time is precious to every one of us, we have to move fast:

1. Get a working base code first from Empire, Metasploit, etc., would be ideally instead of reinventing the wheel (reinventing the wheel is a good thing if you are a malware developer - but this is a story for other article :) ).
2. Customize functions - change default parameters/functions names, delete comments, write the functionality in other way, etc.
3. Obfuscate code.
4. Test against AV - Make sure you disable the option for permitting to Microsoft to upload your sample in their cloud sandbox. This will just waste your precious payload.

So this being said, i have chosen to go on the BC SECURITY’s solution, the reborn Empire (epic music should be played on at this phrase).

Why Empire and not other solution?
At this moment Empire is a robust and mature framework for post-exploitation, the guys from BC-Security really did a good job after they forked the official unsupported project. I personally, when it comes to chose a platform, i prefer a solution that can be easily used by my team mates/ eventually colaborate all together on it through an API/ web interface. Empire has both API and web interface for multiple user colaboration.
Few pros why i have chosen Empire and you should go for it too, in case you are the clasic guy who works with classic tools:

• Encrypted C2 channels and multiple protocols/services supported for communications.
• Adaptable modules: .bat, .vbs, .ddl, etc.
• Alot of evasion capabilities enabled by default.

Even if a lot of research articles are mention that powershell for redteams is no longer used by APTs as main tool of exploitation, i do not see their point. Powershell for redteams is a great tool if you are using it just for a legit pentest and nothing more:

• Operated in memory.
• Installed by default on Windows systems
• Full .NET access.
• Direct access to Win32 API.
• Admins typically leave it enabled.

Below is a scheme of how Empire stager is deployed.

Okay so we completed the first step. I have chosen a base code to use as our main tool of attack. However default Empire will get me caught. It can not pass the AMSI protection of Windows system so obfuscation or changes are needed.

Code Obfuscation

Because we have chosen powershell as our main programming language for malware developing, I will present few ways of how can we can obfuscate our code.

1.Randomized Capitalization
Powershell is ignoring capitalization. Every antivirus/antimalware solution is heavily dependent upon signatures, this including signatures based on hashes.

Even if AMSI is ignoring capitalization, changing the payload’s hash is a good practice.

2.Concatenation
AMSI is still heavily dependent upon signatures, however simple concatenation can prevent most alerts. Microsoft has implemented a custom EICAR string ‘amsicontext’ for testing the AMSI’s detection capabilities.

3.Variable Insertion
Powershell recognizes $ as a special character in a string and will fetch the associated variable.

4.Format String
Powershell allows for the use of {} inside a string to allow for variable insertion. This is an reference to the format string function.

As you can see, AMSI is still not perfect in detecting all of above examples, maybe in time it will can. The list of obfuscation methods can continue from compressing the code to encrypting it, etc.
Also a good tip, is to break large section of code into smaller pieces and test them in part in order to determine what is being flagged in your stager when you develop the obfuscation.
However I promised that we will make use of multiple open source tools for achieving our goal and not losing to much time on development.

A script will come in play in our aid when it comes obfuscation, so lets Invoke-Obfuscation!

Invoke-Obfuscation

If you have not already viewed Daniel Bohannon’s presentations about Invoke-Obfuscation , I invite you to take a look at the following presentation1 or presentation2 .

“ScriptPath” is setting the path for reading the content from a file, in my case will be “/tmp/test.ps1”, where test.ps1 is containing the following code:

Write-Host "I like WHmacmac's articles" -ForegroundColor Blue

Without entering in to many details about it, lets see a little about its obfuscation techniques:

1. Token obfuscation
The most used obfuscation method in our days is based on token, in special Empire is coming with Token/ALL obfuscation as default. If you chose to go for the Token/ALL, it will do a long set of changes like variable insertation, concatenation, comments removing, variable renaming, inserting random whitespace, etc. It is extremly useful for masking variable names to AMSI.

Example of output:

.("{0}{2}{1}" -f 'Wri','-Host','te') ("{3}{1}{2}{0}{4}"-f 'ti','voke-O','bfusca','In','on') -ForegroundColor ("{0}{1}"-f'Bl','ue')

However beucase it was extremely used in the last years, this will get you caught. It is recommended to run whitespace last (at least 2-3 times).

2. Abstract Syntax Tree (AST) obfuscation
An AbstractSyntaxTree (‘AST’) is a commonly used structure to represent and parse source code in both compiled and interepreted languages. PowerShell is unique in that it exposes the AST structure in a way that is friendly to developers and is documented extensively .

AST at base can easily find language elements. It is breaking the structure of the code and it is linking structures of code; AMSI will look at each structure of code in part and the token obfuscation will not help us to bypass it because they will be reduced at the basic form. AST contains all parsed content in Powershell code without having to dive into text parsing (we want to hide from this).

The AST obfuscation method will change the structure of AST.

3. Encoding Obfuscation
It is used to mask the payload by converting the format in Hex, ASCI, Binary, AES encrypted, etc. Beware because Powershell interpreter has a limit of 8191 characters so carefull how much encoding you do. This will works fine with the compressing method in case you apply multiple encoding methods recursively.

Example of output encrypt the entire command as SecureString (AES):

& ((VaRIAble '*mdr*').nAmE[3,11,2]-JOIN'')( ([RUNTimE.intEropservIcEs.MARsHaL]::PTrtOStrInGAuTo([RUNtImE.iNteROPSERvIceS.mARShAL]::sEcuREsTRInGToBsTr( $('76492d1116743f0423413b16050a5345MgB8AEwAcgA2AHcAZgBZAGEAVgBrAEUAWQBmADYAUQBtAHMARABZAFoAbgBPAEEAPQA9AHwAOAAxADYAYQAxADgAZABlADEANAAwAGIAZQBkAGEAYwAwADkAMgAxAGYANQA0ADEAZABmADYAYgBmAGEAMgA3ADIAMQAxADIANgBiADIAYQBmAGIANwBmADkAZAA4ADgAYwAxADYAMwBkADEAYgAzADUAMwBkAGIANwAzADcANABhADAANgAxAGMANgAxADQAYQA0ADcANAAyAGUAMABlADcAMgA0ADkAYgAyAGQAYwBhADMAZgBhAGUAYQBhADUAYgA3ADcANAA2ADQAMABmADYANgAxADYAOQBlADkAMQAyAGIAMgBiADEAOAA1ADUANgBmAGIANQAxADEANgA0ADkAMQBkAGQAZQA3ADUAMAA1ADUAMgAxADEAZAAyADcAMgA3ADEAZgA2ADQAYwAxADkANAA1ADUAOQBkAGMAZQA5AGMANQBkADQAMwBkADUAZQA0AGUAYQA2ADkAMABlAGEAZAA1AGIAZABlAGMAOQBiADIAZQA4ADAANQA0ADEAMgA5ADcANwA4ADMAZABkAGYANAA4AGUAZAAxAGMAMwA4AGEAMwAyADUAYwAzADQAMQBlAGMAYgA2ADMAYQA5AA==' |CoNverttO-SecuRestRinG  -keY  (100..69)) ) ) )

4. String Obfuscation
Obfuscated Powershell code as a string.
Breaks up the code with reversing techniques and concatenation.

Example of output concatenating the entire command:

iNVOkE-EXPressION( (('Write-Host {'+'0'+'}'+'Inv'+'o'+'ke-O'+'bf'+'u'+'sca'+'tion{0}'+' -F'+'or'+'egroundC'+'o'+'lor '+'B'+'l'+'ue')-f  [ChAR]34) )

5. Compress Obfuscation

Compress obfuscation can be used in conjunction with Encoding to reduce the overall size of the payload.

Example of output:

( new-oBjeCt  SYStEm.IO.strEamReaDer(( new-oBjeCt  SystEM.io.CompREsSIoN.DeFLAtestrEaM([SySTeM.iO.MEmorYSTREaM] [coNvert]::frOmbasE64StrING( 'Cy/KLEnV9cgvLlFQ8swry89O1fVPSistTk4syczPU1LQdcsvSk0vyi/NS3HOz8kvUnDKKU3lAgA=' ), [SYStEm.io.cOMprEssion.cOMprEssiONMoDe]::deCOMPrEsS ) ),[TeXt.eNCODiNG]::ASCii)).rEaDToEnd( ) |&( $pshOme[4]+$Pshome[30]+'X')

6. Obfuscate Command Args
Many pentesters are underestimated the Launcher obfuscation in their malware development phases. In the below image we can what methods of launcher obfuscation are available for us.

As we can see many of them are including “somethingbla IEX”. Microsoft learnt from the past and any input passed to the IEX command will be verified by the AMSI or Windows Defender. This can be problematic because it can ruin all of our obfuscation efforts. Below is a proof of AMSI detection of a malicious variable passed to IEX. I recommend using WMIC instead of IEX if it is possible.

Empire already includes a launcher based on IEX. At this moment the community/I do not know a replacement for IEX. Maybe there is but Microsoft did not document all of these little tricks because they do not wanna let the APTs to take advantage of it.

Example of output using wmic as launcher:

C:\wINdOws\sySTEm32\wBEm\WmIC prOcESS    "call"   'CREAte' "POwErShElL   Write-Host "\"Invoke-Obfuscation"\" -ForegroundColor Blue"

Conclusions
Empire has integrated Invoke Obfuscation in its stager’s console.
Mix them up to avoid detection.
Example:

1. Token\String\1,2
2. Whitespace\1
3. Encoding\1
4. Compress\1

Example of how to use multiple obfuscation methods in Empire:

set Obfuscate True
set ObfuscateCommand Token\String\1,1,2, Token\Variable\1, Token\Whitespace\1,1, Compress\1

In the next article, we will see how to apply all what we discussed to bypass Windows Defender, AMSI and get a reverse shell. We will approach few scenaries in what will follow.
Please let me know your feedback about it :).

References:
https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
https://docs.microsoft.com/en-us/windows/win32/api/amsi/ne-amsi-amsi_result
https://www.bc-security.org/post/the-empire-3-0-strikes-back
https://github.com/BC-SECURITY/Empire
https://docs.microsoft.com/en-us/windows/win32/api/amsi/
https://threatvector.cylance.com/en_us/home/how-to-implement-anti-malware-scanning-interface-provider.html
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
https://www.cyberark.com/threat-research-blog/amsi-bypass-patching-technique/
https://www.youtube.com/watch?v=F_BvtXzH4a4