05-01-2023, 10:07 AM
Chapter 2: ANTI-VIRUS (AV)
Alright, most of you are probably aware that Anti-Virus (AV) is not your friend, especially from a cybercriminal's perspective, since it will prevent most of you from executing random code on someone's computer or installing the malware you worked so hard to obtain, either by coding it yourself or by purchasing it. In this chapter we're going to dive tits first into everything AV related: the inner workings of it, how AV detects malicious behaviour, and how it protects the people you plan on targeting with malware. We're not going to talk about every god damn AV product available out there because that's ridiculous; we're going to focus on the default ones that come preinstalled in Windows and macOS respectively. I'm thinking in the next 5-10 years these products will advance to a level that most, if not all, low level cybercriminals will struggle with when trying to infect fuck faces with malware. Time will tell. I think most people understand that all Anti-Viruses work in a similar fashion. People have a general understanding that when an unknown file is saved to the hard drive on your computer the AV will usually perform a "real time scan", either instantly or within a couple of minutes of that file being saved to the HD. If the unknown file is determined to be a suspected threat or malicious in nature then the file will be automatically quarantined, moved to a secure location pending further user instructions, or simply deleted automatically. There are a lot of AV companies out there for people to choose from. However, the majority of the world relies on the ones that are free and come installed by default on their computer when they bought it. Other people use other well-known third-party products. Every computer will vary on which AV it has running, but it's best to assume, at minimum, that Windows users will have Windows Defender (WD) and macOS users will have XProtect installed as their AV by default.
These are the AVs you'll be up against at minimum, and the ones below are just some of the others you'll be dodging around.
Let's briefly learn about what an Anti-Virus is so everyone has the basics down solid. In general, most AV malware detection relies on matching known malware code against the files on your computer, referenced from signature lists of known malicious code stored in databases. Antivirus vendors use automated processes and reverse-engineering (RE) efforts to create these signatures, which are stored in massive databases. While the signature algorithms are an AV company's closely held secret, most of these products rely on MD5 or SHA-1 hashes of malicious files or on unique byte sequences within known malicious files. If a scanned file matches a known hash, or contains a malicious byte sequence, it is flagged as malicious. In addition to signature scanning, some AV will perform heuristic or behavioral analysis that simulates the execution of a scanned file. The file is executed in a sandboxed environment in an attempt to detect known malicious behavior. This approach relies on extremely sophisticated proprietary code and is much more time consuming and resource intensive than signature-based detection methods. The downfall of executing any type of malware within a sandboxed environment is that the malware is executed only for a limited amount of time. Some malware developers will add a time delay to their malware before actually executing their code to get around such defenses. The success rate of this approach varies widely from AV to AV. A new detection approach within the AV industry is leveraging cloud computing along with artificial intelligence to improve the speed and accuracy of detection by uploading unknown or questionable files to the cloud. The cloud with AI analysis of unknown files, mannnnnnnn, this is the future of malware prevention. Let's dig a little deeper.
Detection Methods used by Anti-Viruses
In the past AVs were not as clever as they are today and it was much easier to get around them. Many AVs back in the day would almost totally rely on signature-based detection to determine if the file that was being executed was malicious or not. AVs would only start their scanning actions when a file was written to the disk or a new process was created. Nowadays AVs are getting smarter and the current detection methods include the following:
Signature Based Detection
This works by matching patterns/strings/signatures/hashes of already known malware from a database, looking for a match on the computer. Almost all AV products detect malware by referencing a known malware signature list, stored either within the AV itself in a local file on your computer or in a massive online database. You should already know that every file on a computer has a unique digital footprint, which you can check for yourself by generating the MD5 hash of any file on your computer. It can be as simple as a malicious .exe or .dll with a known MD5 hash of that specific file being flagged as malicious; this is how the AV picks it up during a scan. In simple terms, malware signature lists are compilations of known malicious code samples for the AV to compare against the digital signatures of the files on your computer. When an AV is using hashes to identify other pieces of malware they're usually generated by algorithms such as MD5, because this is generally fast and can be calculated many times per second without affecting the performance of a computer. These malware signatures are updated every day, sometimes multiple times a day, as new strains of malware are identified by an AV company or by the malware researcher community. AV companies are constantly searching, researching, and adding more and more known malicious code samples to their malware signature databases, creating thousands and thousands of data points to work with. Their goal is to detect malware and protect their customers.
If the AV company comes across a new piece of malware detected in the wild then it will update the malware signature list across its products so everyone running that AV is protected from the latest malware in real time. If the AV finds a match it will flag that application as malware, prevent the file from running, quarantine the file, and delete it. This whole process is known as "signature based detection" in the AV industry. It's good to know about signature based detection since you can understand that AV can also search for a specific string or word from an already known piece of malware, looking for the same string or word in XYZ program or source code. For example, if the word "HACKER" is somewhere in a known piece of malware source code, AV will be scanning for that string all over the place. Sometimes bypassing AV can be as simple as changing the string that is being flagged to something different like "hacKEr" or removing that word completely from the source code. However, sometimes you're unable to remove certain strings or words from source code without the malware itself getting corrupted. It can be a tricky balance and usually is trial and error until you get it right. Most modern-day Anti-Virus products have evolved from comparing known digital signatures of malware against the files on a computer into now detecting malicious behavior in a program. More advanced AVs can detect the network traffic that some known piece of malware produces, which is unique to itself, and make a signature for it. For example, when the malware is communicating back to a Command and Control (C&C) server to retrieve commands or upload data it produces unique network traffic.
Even though some malware builders are polymorphic (different signature every build), which prevents AV from picking up a unique file signature, if the malware is always connecting back to the C&C in a specific way then a signature can be built from the network traffic it produces. Anything that is static in nature, or is always the same, can be used to build a signature to detect it one way or another depending on the AV installed. This all makes sense right? In fact some people purchase a crypter and crypt their malware thinking that this is the only thing needed to bypass an AV product, but people forget that even if you encrypt the file making it Fully Un-Detectable (FUD), that doesn't mean the network traffic that specific piece of malware produces, or how the malware behaves on a computer, will be any different. You see? Getting past different types of AVs is not as easy as most people think in 2023 and you need to be aware that there's much more to making a file undetectable from one AV to the other than you initially think. There are a lot of things happening underneath the hood once you take a peek-a-boo behind the AV curtain. It's 2023 and the AV industry has matured quite a lot since its creation, back when I started out. John McAfee somehow became a household name and I mean just look how far he came?!
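To make the signature mechanics above concrete, here is an added example (not the author's code, and not any vendor's engine) of a minimal hash-plus-byte-sequence scanner in Python. The sample "files", the signature names and the byte pattern are all constructed for the example. It shows why vendors layer byte-sequence rules on top of hash rules: a one-byte change gives a sample a brand new MD5/SHA-256, but the byte sequence shared across the family still matches.

```python
import hashlib

# Constructed sample "files" (byte strings), not real malware: a sample whose hash
# is in the signature database, a one-byte variant of it whose hash no longer
# matches, and a benign text file.
KNOWN_BAD = b"MZ\x90\x00 sample loader v1 -- contact c2.example.invalid\n"
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")
BENIGN = b"hello world, nothing to see here\n"

SAMPLES = {"known_bad.exe": KNOWN_BAD, "variant.exe": VARIANT, "notes.txt": BENIGN}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's bytes, the way hash signature lists index samples."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


# Constructed signature database. Hash signatures are exact matches on one build;
# byte-sequence signatures are substrings that survive across builds of a family.
HASH_SIGNATURES = {
    file_hashes(KNOWN_BAD)["sha256"]: "Example.Loader.A",
}
BYTE_SIGNATURES = {
    b"contact c2.example.invalid": "Example.Loader.gen",
}


def scan(data: bytes) -> list:
    """Return the names of every signature that matches, hash rules first."""
    hits = []
    sha256 = file_hashes(data)["sha256"]
    if sha256 in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[sha256])
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_all(samples: dict) -> dict:
    """Scan a {filename: bytes} mapping and report the hits per file."""
    return {filename: scan(data) for filename, data in samples.items()}


if __name__ == "__main__":
    for filename, hits in scan_all(SAMPLES).items():
        print(f"{filename}: {'CLEAN' if not hits else ', '.join(hits)}")
```

Running it, known_bad.exe is caught by both rules, variant.exe only by the byte-sequence rule, and notes.txt is clean. Real engines add many more rule types (and normalise or unpack files before matching), but the layering logic is the same.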
Heuristic/Behavioral Based Detection
Similar to signature based detection scanning, which detects threats by searching for specific strings or hashes, heuristic based detection looks for commands or instructions that would not typically be found in an application, or application behavior that seems suspicious. AV watches the events created by the program and references them against known malicious behaviour. For example, if a program like Microsoft Word is spawning cmd.exe, powershell.exe, etc. as a child process, or if a program is calling a sequence of functions (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, etc.), this might indicate a malicious process or a potential process injection vector, resulting in that program/application getting flagged as malicious. If it acts like a duck and looks like a duck, then it's probably a duck. Makes sense. Simple right? I mean why would the Microsoft Word application be launching PowerShell in the background? 99.9% of the time this is malicious. Some AV products that use heuristic analysis will execute the script or program first within a specialized virtual environment that allows the AV to see what would happen if the suspicious file/program were executed, while keeping the suspicious code/program isolated from the real computer. The AV will analyze the commands as they're executed and monitor for common virus type activities such as replication, file overwrites, and any attempts to hide the existence of the suspicious file. If one or more virus type actions are detected, the suspicious file is flagged as a potential virus and the user is alerted. Let's take a look at yet another example to understand how heuristic/behavioral detection works in simple terms. A new piece of ransomware is released into the wild and is trying to encrypt every file on a computer one by one. This piece of malware is currently un-detected by AV and is FUD at the time of creation.
Someone has just been infected with it but the AV product notices the BEHAVIOR of the ransomware and flags it as potentially malicious, stopping it from fully executing. How did the AV know the behaviour was malicious in the first place? Well, AV products that utilize heuristic/behavioral analysis will eventually pick up most malware out there just by analyzing the files that are running and referencing the behaviour against known malicious behaviour associated with XYZ malware. I mean what legitimate file would act in a way that encrypts the files on a computer one by one as fast as possible anyway? Since that behaviour is deemed malicious, as it should be, it detects it and will flag that file as malicious even though it doesn't have a signature for that file to match against something malicious. Here's a little story. When I was working on my own custom piece of ransomware it kept getting detected as malicious and I couldn't for the fuck of me figure out what was going on. I eventually gave up on the encryption process and opted instead to move every "interesting" file into a hidden directory and then zip up the whole folder with a hard coded password. I put a time delay on the process, so everything appeared somewhat normal. Voila! FUD. Now to be fair I wasn't using any encryption methods and was simply moving the files and zipping them up with a password, but the point is there are many ways to make shit work. Was this ransomware? Well, kinda... I mean all the victim's files were gone in their eyes and not accessible until they paid the ransom to get their files back, so in a sense it was ransomware. Shitty version indeed. In the end it didn't matter since it achieved my goals and made me much monies before it again got detected and I decided to walk away with the profits made. I'll get more into my personal story later on but try to keep your mind open on what's possible.
Some AVs take it to the next level and know what "normal" behavior is on the specific computer they're installed on. An analogy for you. Picture your computer like an animal in a zoo. A wild fucking animal. Now, the AV product is monitoring the large cage that the animal is living in and over a period of time gets to know the animal and its habits. AV will understand how the animal acts, when the animal sleeps, what the animal eats, and so on. The AV will know the "normal" behaviour of this particular animal, and since it knows "normal" behaviour it can detect abnormal behaviour and flag it accordingly. If the animal starts to climb the cage and cause fuckery the AV product will be able to detect the abnormal behaviour and notify the handlers that something is wrong. This is where it's going with AI fuckery. Regardless of the detection method, it's much easier for any AV product to detect something when it's written to disk (IE: the file is saved to the HD). At least this was the case before AMSI (which you'll learn about soon) came onto the scene. Before AMSI it was difficult for AV products to detect fileless malware. All fileless malware means is malware that doesn't touch the disk and completely executes in memory. The whole goal of most adversaries, ethical hackers, and red teamers is to not touch the HD or have anything saved to the HD. They want to reduce that as much as possible because it reduces the chances of being detected by AV and by other eyes. Aim for your malware to not touch the disk/HD of your target in question and only have it executed in memory, if possible.
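As an added example (not from the original post and not any product's engine), here are the three behavioural signals described in this section written as detection logic in Python: an Office application spawning a command interpreter, the OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread call chain, and one process rewriting many files at ransomware tempo. The event feed, pids, image names and paths are constructed for the example; a real EDR would consume the same kinds of events from kernel callbacks or ETW rather than from a hard-coded list.

```python
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# The remote-thread injection chain the text lists, in the order it is issued.
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]

# Constructed telemetry, not from any real system: (timestamp_s, pid, event_type, detail).
EVENTS = [
    (0.0, 100, "process_start", {"image": "winword.exe", "parent": "explorer.exe"}),
    (1.2, 101, "process_start", {"image": "powershell.exe", "parent": "winword.exe"}),
    (2.0, 200, "api_call", {"name": "OpenProcess"}),
    (2.1, 200, "api_call", {"name": "VirtualAllocEx"}),
    (2.2, 200, "api_call", {"name": "WriteProcessMemory"}),
    (2.3, 200, "api_call", {"name": "CreateRemoteThread"}),
    (3.0, 300, "api_call", {"name": "OpenProcess"}),        # a tool that only reads memory:
    (3.1, 300, "api_call", {"name": "ReadProcessMemory"}),  # must NOT trip the chain rule
] + [
    # pid 400 rewrites 60 documents in six tenths of a second.
    (5.0 + i * 0.01, 400, "file_write", {"path": f"C:/Users/u/Documents/doc{i}.docx.locked"})
    for i in range(60)
]


def detect_office_spawning_shell(events):
    """Rule 1: an Office application spawning a command interpreter as a child."""
    return [
        f"pid {pid}: {d['parent']} spawned {d['image']}"
        for _, pid, kind, d in events
        if kind == "process_start"
        and d["parent"].lower() in OFFICE_APPS
        and d["image"].lower() in SHELLS
    ]


def detect_injection_chain(events):
    """Rule 2: all four injection calls from one process, in order (other calls may be interleaved)."""
    calls = defaultdict(list)
    for _, pid, kind, d in events:
        if kind == "api_call":
            calls[pid].append(d["name"])
    alerts = []
    for pid, names in calls.items():
        it = iter(names)
        # Subsequence test: each 'in' consumes the iterator up to and including the match,
        # so the chain must appear in order, not merely as a set.
        if all(step in it for step in INJECTION_CHAIN):
            alerts.append(f"pid {pid}: injection chain {' -> '.join(INJECTION_CHAIN)}")
    return alerts


def detect_mass_file_modification(events, window_s=1.0, threshold=50):
    """Rule 3: one process writing at least `threshold` files inside any `window_s` window."""
    writes = defaultdict(list)
    for ts, pid, kind, _ in events:
        if kind == "file_write":
            writes[pid].append(ts)
    alerts = []
    for pid, stamps in writes.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(f"pid {pid}: {end - start + 1} file writes within {window_s}s")
                break                              # one alert per process is enough
    return alerts


def run_rules(events):
    """Run every rule and return the combined alert list."""
    return (detect_office_spawning_shell(events)
            + detect_injection_chain(events)
            + detect_mass_file_modification(events))


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print("ALERT", alert)
```

Note that pid 300 issues OpenProcess too but never completes the chain, so the ordered-subsequence check keeps debuggers and legitimate memory readers out of the alert list; the baseline-of-normal idea from the zoo analogy would sit on top of these rules as a per-host tuning of thresholds rather than as a rule of its own.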
Summary:
[*]Anti-Viruses mainly consist of signature based, heuristic, and behavioral detection methods.
[*]Signature based detection will look for malicious strings, hashes, words, etc. that it knows to be malicious and compare those to the files on your computer looking for a match. If a match is found AV will flag it as malicious and prompt the user for action, or simply notify them some fuckery is afoot.
[*]Heuristic/Behavioral detection usually isolates the file to see what it does FIRST before allowing it to execute on the computer, giving the AV an opportunity to look for abnormal/malicious behavior. Based on the behaviour observed, the AV can decide if a file is malicious or not. Examples of a behavioral detection would be identifying the use of process hollowing or DLL injection techniques.
[*]AV is now submitting unknown samples back to their servers for AI analysis. This technology is advancing on the daily and will be the future direction of AV in protecting their customers. AV is always scanning your computer and specific files will be sent back for analysis from time to time. It's important to note that when you download other malicious programs those too are uploaded for analysis and eventually a signature is made for them without you knowing. These are the basics of AV that you should know. Now let's build on that.
Storing or creating malware on your computer
Anti-Virus (AV) is not your friend when coding or dealing with any type of malware that is being stored on your computer. This includes when you want to see if the malware you purchased/coded functions properly, along with determining if it's un-detected by whatever AV you're trying to bypass. It's 2023 so everyone imagine this shit for a second. There you are all curled up in bed. It's nighty time. Sleepy time. You're dreaming of how you're going to unleash your malware that you've spent soooo much time developing and then FUCK! You don't even know that the source code for your awesome shit has already been sent to AV behind your motherfucking back! FUCK THAT. But this is true. Great, just fucking beautiful. The AV you have running on your computer to protect yourself from other fuckfaces just like yourself has sent your source code back to the AV home base, scanned it, flagged it for analysis (maybe for more manual review if it's a big operation) and stored it to either create a signature for it, review it, research it, etc. All of that could link that specific piece of malicious code to your computer through the AV installation/client installed on it. This makes sense? Right? The AV client installed on your computer would contain personal information it has collected on you when you purchased it or set it up, which could range from when/where you installed the AV product, the email associated with the account, how the product was purchased (cash, credit card, etc.), places you connected to the Internet, logs, etc., all of which of course is stored by the AV company. Logs, logs, and logs everywhere. AMIRITE? If you have good OPSec you would've used a fake email, paid for the AV software with cash or an anonymous cryptocurrency, set up your "work" computer on a hacked Wi-Fi using an anonymous email, etc., but even if you did all that you probably still revealed where you connected to the Internet, since those AV servers are just gobbling information up, which of course will show your location and/or online habits. Have you gone mad and made yourself such a big target worth tracking and capturing? Maybe. I dunno. If so I applaud you, madam. EVERYTHING is watching you and in so many ways you don't even know about! For example, you're all spies. So am I. I'm watching you, watching me, watching you, but we know we're watching each other like a bunch of fucking weirdos in a staring contest. The fuck's your problem, buddy? Let's get back on track because I'm getting all fucking paranoid about it all. Alright so you just spent a fuck ton of time developing your own banking trojan named ZeuS 9000 and you've unleashed that fucking wild animal all over the god damn Internet, so obviously it grabs the attention of malware researchers, AV, police, governments, your mother, etc. Since you launched such a large cybercriminal operation they have obtained a sample of the malware being spread across the Interwebs, and the AV company finds a matching sample that was uploaded by you, unbeknownst to you, a few months ago. Since you registered your Windows/macOS/AV product under your real name, or purchased the AV software in a way that is linked to you somehow, all of this can come back on you. It's KA-FUCKING-BALOOIE time. Your game is over. Too bad so sad.
Intrusion Detection Systems (IDS)
An Intrusion Detection System (IDS) is an application or system used to collect and analyze information that goes over the network from one computer to another. It's designed to collect, analyze, identify, and report on anything it finds suspicious (known malicious techniques, known malware network behaviours, etc.) to the IT administrator or the company owner so they can act on it. It's important to know that there are technologies out there meant to detect any kind of malicious behaviour on a computer or across a network. The average person won't have these products installed, but if you're planning to target larger companies with ransomware or RATs then you need to be aware that you're up against monsters and should avoid these types of targets until your skill level improves. I always avoided larger companies and strictly stuck to targeting smaller to midsized businesses instead. Don't make it harder for yourself; pick appropriate/realistic targets for yourself. Don't hack Microsoft. It might be best to focus your efforts on smaller targets as well, yes? These cyber defence systems can inspect every packet going across a network looking for anything malicious or questionable in nature, and when they find bullshit malicious behaviour they will flag it for review. All of that will result in detecting your malware and/or your presence on that computer/server. These IDS products are collecting all the malware being spammed out there today and making signatures for its behaviour and how the malware communicates with the C&C. Once they have a signature for known malware they update their rules, protecting their customers from XYZ-fuck-face-malware.exe. Hooray! There are many ways an IDS can operate, but they all function in a way that if they find something suspicious then an alert is sent to the administrator of that company or an IT team in real time.
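An added example, not part of the original post, of the two network-side checks this IDS discussion and the earlier C&C-traffic point describe: a signature match against a list of known-bad destinations, and a beaconing heuristic that flags a source/destination pair whose connection intervals are nearly constant (the "always connecting back in a specific way" that a network signature can be built from). The flow log, the addresses (all from documentation ranges) and the known-C2 list are constructed for the example; a real NIDS would read these records from a sensor or NetFlow export.

```python
import statistics
from collections import defaultdict

# Constructed flow records, not real traffic: "epoch_seconds src dst:port bytes_out".
# 10.0.0.5 -> 203.0.113.10 checks in every 60 s with near-identical sizes (beacon-like);
# 10.0.0.5 -> 198.51.100.7 is bursty, human-shaped browsing; 10.0.0.9 hits a listed address.
FLOW_LOG = """\
1700000000 10.0.0.5 203.0.113.10:443 512
1700000060 10.0.0.5 203.0.113.10:443 514
1700000120 10.0.0.5 203.0.113.10:443 511
1700000180 10.0.0.5 203.0.113.10:443 513
1700000240 10.0.0.5 203.0.113.10:443 512
1700000300 10.0.0.5 203.0.113.10:443 515
1700000007 10.0.0.5 198.51.100.7:443 2048
1700000130 10.0.0.5 198.51.100.7:443 90
1700000141 10.0.0.5 198.51.100.7:443 7000
1700000290 10.0.0.5 198.51.100.7:443 400
1700000010 10.0.0.9 192.0.2.44:8080 300
"""

# Signature rule input: destinations already known as C&C infrastructure (constructed).
KNOWN_C2 = {"192.0.2.44:8080"}


def parse_flows(text):
    """Turn the log text into (timestamp, src, dst, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def signature_hits(flows):
    """Signature check: any flow to a destination on the known-bad list."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst in KNOWN_C2})


def beacon_candidates(flows, min_conns=5, max_jitter=0.15):
    """Behavioural check: pairs with enough connections whose inter-arrival gaps barely vary.

    Returns [((src, dst), mean_gap_seconds), ...]. max_jitter is the coefficient of
    variation (stdev / mean) of the gaps; real beacons with random sleep jitter push
    this up, so tune it against a baseline of the network's normal traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    found = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = float(statistics.mean(gaps))
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            found.append((pair, round(mean, 1)))
    return found


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for src, dst in signature_hits(flows):
        print(f"SIGNATURE {src} -> {dst} (known C2 destination)")
    for (src, dst), gap in beacon_candidates(flows):
        print(f"BEACON    {src} -> {dst} every ~{gap}s")
```

The signature rule catches only what is already on a list; the interval rule is what lets an IDS raise an alert on a never-seen sample whose check-in rhythm is regular, which is exactly the "static in nature" property the text says a signature can be hung on.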
Usually companies that deploy such technologies also employ IT team members on call, or actually working 24/7, so they can prevent attacks in real time and act accordingly right away. IDS are classified into 5 types:
1. Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS) are installed within a network to examine all incoming/outgoing traffic from all devices on the network. NIDS observe the passing traffic on the entire subnet and match the traffic that is passed on the subnets against the collection of known attacks. Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator for them to act on.
2. Host Intrusion Detection System (HIDS): Host Intrusion Detection Systems (HIDS) run on the hosts or devices on a network. A HIDS monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system files and compares it with the previous snapshot. If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate.
3. Protocol based Intrusion Detection System (PIDS): A Protocol based Intrusion Detection System (PIDS) comprises a system that would be implemented at the front end of a server, which controls and interprets the protocol between a user/device and the server.
4. Application Protocol based Intrusion Detection System (APIDS): An Application Protocol based Intrusion Detection System (APIDS) is a system that generally resides within a group of servers and identifies intrusions by monitoring and interpreting the communication on application specific protocols. For example, this would monitor the SQL protocol specific to an application as it interacts with a database on the web server and look for any abnormalities or known malicious SQL syntax that would be out of the norm for that application.
5. Hybrid Intrusion Detection System (HIDS): Hybrid Intrusion Detection Systems are a combination of two or more approaches to intrusion detection. In a hybrid intrusion detection system, host agent or system data is combined with network information to develop a complete view of the network system.
As you can see you want to avoid companies with a large IT budget because we know that most likely we'll be up against these technologies. Knowing that not only AV is out there but numerous other cyber defences are at play will help you wrap your head around the fact that not everything will work 100% of the time, and just because you have a piece of malware that is FUD doesn't always mean that shit's going to work as expected. Pick easy prey only as this will be better for you! OK you should now have some of the basics down. Now let's talk about what AV most "average" computer users have installed on their computers.
Default Anti-Viruses
Windows users have a built in AV known as Windows Defender (WD) with the Anti-Malware Scan Interface (AMSI), Windows SmartScreen, etc., whereas macOS users are protected by default by XProtect, Gatekeeper, Notarization, and then some (ASLR, MRT, SIP, etc.). In my opinion these Anti-Viruses have come a long way by offering superior protection to their customer base, and you can bet in the future these will dominate all other AV products out there since they're already integrated with the OS, but what the fuck do I know.
Windows Users - Windows Defender (WD)
Microsoft Windows Defender (WD) is developed by Microsoft to protect computers running Windows 8, Windows 10, and Windows 11, along with some versions of Windows Server. WD is installed by default and provides protection to your devices and all the shit you store in the cloud. WD brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect computers, and gets updated regularly to help ensure that Windows computers have the latest technology to protect against the newest malware and latest attack techniques. You must ensure that whatever malware you have at your disposal can bypass WD, at minimum, when targeting Windows users or you'll be wasting your time and effort.
Windows Users - Anti-Malware Scan Interface (AMSI)
The Anti-Malware Scan Interface (AMSI) is an interface that applications and services can use to scan the contents of scripts (PowerShell, JavaScript, etc.) looking for malicious content. It's a newish AV technology from Microsoft that scans for malicious activity in memory and can scan any script that is run on a Windows computer. Microsoft's AMSI APIs can be used to scan code in memory, can also scan files and streams, and can provide content source URL/IP reputation checks. Windows Defender already uses AMSI by default. Obviously.
As cybercriminals we will often deliver malicious scripts through "fileless" methods (nothing touches disk and everything is only executed in memory) and utilize obfuscation techniques to avoid traditional AV scanning techniques that use signature-based detection. Scripts can be heavily obfuscated and executed in memory, which may avoid some AVs out there, but for the script to get executed by a scripting engine on the OS the malware must in the end hand un-obfuscated final code to the scripting engine. AMSI can intercept this code on its way to the scripting engine and request a scan from WD before it's executed. AMSI is integrated into Microsoft's PowerShell, VBScript, JavaScript engines and VBA, and more recently was integrated into .NET with the introduction of .NET Framework 4.8. AMSI is not restricted to PowerShell, JScript, VBScript, VBA, etc.; anyone can integrate AMSI with their programs using the API calls provided by the AMSI interface. In a nutshell, when executing a command in those interpreters the commands are sent to the AMSI interface first to be scanned for malicious activity. If an AV hooks into the AMSI interface, then the AV engine receives the executed commands via AMSI and can decide upon blocking or allowing a command while notifying the user about malicious activity. The fact that the runtime commands are sent allows AV products to gain visibility into un-obfuscated and in-memory execution of any malicious code, in addition to blocking malicious behavior in real time. Try to think of AMSI like a bridge that connects PowerShell (or whatever other script engine) to the AV. For example, every command or script that is run inside PowerShell gets fetched by AMSI and then sent to the AV for further inspection and analysis before executing. When someone executes a script or initiates PowerShell, or any other supported language, AMSI.dll is loaded into the memory space of that process.
Just prior to the execution of a script the following two APIs are used by the AV to scan the buffer and strings for signs of malware.
[*]AmsiScanBuffer()
[*]AmsiScanString()
If a known malicious signature is identified then the script doesn't execute and a message appears to the user that the script has been blocked by the AV software. The picture below shows the process of AMSI scanning.
The screenshot below is an example of an attacker downloading a script called shell.ps1 from the internet that, when executed, will connect to a remote server without the user knowing. The PowerShell script is old as fuck and contains known malicious code that AV already has a signature for. When attempting to execute the PowerShell script, AMSI will fetch the script and forward it to WD, which uses signature based detection to identify the malicious activity and prevent it from being executed.
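As an added example (not the post's own material, and not Microsoft's implementation) of the AMSI flow just described, here is a toy scripting engine in Python that hands every buffer it is about to run, including content it has only just decoded, to a scan hook before executing it. The engine, its two commands, amsi_scan_buffer, the signature list and the two sample scripts are constructed stand-ins; the only real values are the AMSI_RESULT_CLEAN and AMSI_RESULT_DETECTED constants. It shows the defender-relevant point of the section: wrapping a script in an encoding layer does nothing against a scanner that sits at the interpreter, because the decoded buffer is scanned too.

```python
import base64

# Real AMSI_RESULT values from the AMSI API; everything else here is a constructed model.
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_DETECTED = 32768

# Constructed signature list standing in for what a hooked AV engine checks a buffer against.
SIGNATURES = [b"run-remote-payload"]


def amsi_scan_buffer(buffer: bytes, content_name: str) -> int:
    """Stand-in for the AmsiScanBuffer() call: the AV engine looks at the final buffer."""
    for sig in SIGNATURES:
        if sig in buffer:
            return AMSI_RESULT_DETECTED
    return AMSI_RESULT_CLEAN


def run_script(text: str, log: list, content_name: str = "script") -> bool:
    """Toy engine with two commands: 'echo <text>' and 'decode <base64>'.

    'decode' unwraps an inner script and runs it, the way an interpreter evaluates a
    string it has just decoded. Every buffer handed to the engine, outer or inner, is
    scanned BEFORE any of it runs. Returns True if the script ran, False if blocked.
    """
    if amsi_scan_buffer(text.encode(), content_name) == AMSI_RESULT_DETECTED:
        log.append(f"BLOCKED {content_name}")
        return False
    for line in text.splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd == "echo":
            log.append(f"OUT {arg}")
        elif cmd == "decode":
            inner = base64.b64decode(arg).decode()
            if not run_script(inner, log, content_name + ">decoded"):
                return False
        else:
            log.append(f"UNKNOWN {cmd}")
    return True


# Constructed scripts. The second one hides a flagged command under a base64 layer,
# so the outer buffer matches nothing; the inner buffer is what gets caught.
BENIGN_SCRIPT = "echo hello from a harmless script"
INNER_SCRIPT = "echo stage two\nrun-remote-payload http://c2.example.invalid/stage2"
WRAPPED_SCRIPT = "echo nothing to see\ndecode " + base64.b64encode(INNER_SCRIPT.encode()).decode()


if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("wrapped", WRAPPED_SCRIPT)):
        log = []
        ran = run_script(script, log)
        print(name, "ran" if ran else "blocked", log)
```

The outer wrapped script passes the first scan (its only content is an echo and a base64 blob) and even runs its first line, but the moment the engine decodes the inner script and presents that buffer, the signature fires and execution stops, which is the same sequence the shell.ps1 screenshot above shows for a known sample.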
Now that you've learned about AMSI you know that we need to make sure any scripts we're using are heavily obfuscated and free of known malicious signatures if we plan on utilizing those scripts as an attack method.
Windows Users - SmartScreen
Microsoft Defender SmartScreen protects against phishing, malicious websites or applications, and the downloading of potentially malicious files. If you're a Windows user then there's a good chance you have seen the warning messages shown in the screenshot below.
Microsoft Defender SmartScreen determines whether a site is potentially malicious by:
[*]Analyzing the visited webpages looking for indications of suspicious behavior; if it determines that a page is suspicious it shows a warning page advising caution to the user.
[*]Checking the websites you're visiting against a dynamic list of reported phishing and malicious websites; if a match is found then Microsoft Defender SmartScreen shows a warning to the user letting them know that the website might be malicious and advising caution.
Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
[*]Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the website might be malicious.
[*]Checking downloaded files against a list of files that are already well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution to the user.
If a warning is prompted to the user they can choose to report that specific website as unsafe and Microsoft can review it at a later time to determine what is what. People protecting other people. Windows SmartScreen is an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through social engineering attacks. The benefits of Microsoft Defender SmartScreen are:
[*]Anti-phishing and anti-malware support. It helps to protect people from websites that are known to host phishing attacks or attempt to distribute malicious software. It also helps protect against deceptive advertisements, scam sites, and web drive-by attacks.
[*]Reputation based URL and app protection. It evaluates a website's URLs to determine if it's known to distribute malware or has hosted unsafe content in the past. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file to ensure everything is legit. If a URL, a file, an app, or a certificate has an established reputation, users won't be prompted with any type of warning. However, if there's no reputation, then it's marked as a higher risk and a warning is presented to the user.
[*]Operating system integration. It's integrated into Windows and can check any file an application attempts to download and run.
[*]Improved heuristics and diagnostic data. Microsoft Defender SmartScreen is constantly learning and keeping up to date so it can help protect its users against potentially malicious sites and files.
[*]Blocking URLs associated with potentially unwanted applications. In Microsoft Edge, SmartScreen blocks URLs associated with potentially unwanted applications.
We care about Windows SmartScreen because we need the victim's download of our malware to go as smoothly as possible, without a pile of warnings telling the user that something is malicious. Social engineering or not, those warnings are no good for our success. Hosting known malicious files is going to be an issue too, since SmartScreen will pick them up with ease and protect the target from being infected. It will also pick up the domain being used and eventually flag it as malicious, which is no fucking good for us. So we know we need to host our malware from a trusted domain/source and the file must be FUD at that moment, OR we need to hide the malicious file so AV can't look inside it. OK? Moving along now.

Windows Commercial Users - Windows Defender 365
What people call Windows Defender 365 is Microsoft 365 Defender; its endpoint component, Microsoft Defender for Endpoint, was formerly known as Windows Defender Advanced Threat Protection (ATP). In a nutshell, Microsoft gathers an absurd amount of telemetry from its customers globally, with some analysts estimating over 8 trillion signals daily. This telemetry is made up of signals from across Microsoft's services, such as Microsoft 365 Defender and Microsoft Defender for Endpoint, plus data from Microsoft's cybersecurity teams, global law enforcement, etc., and Microsoft calls this pool of data the "Microsoft Intelligent Security Graph". Microsoft runs large-scale machine learning, AI, and big data analytics across this telemetry. The volume of data allows Microsoft to determine which patterns of behaviour are "normal" and which may indicate malicious activity such as malware or another type of attack. Insights from the Intelligent Security Graph power real-time threat protection in Microsoft products and services, including Windows Defender 365.
Just so you can appreciate how much data is fed into the Intelligent Security Graph, the following figures provided by Microsoft show how much insight Microsoft has into global activity and cyber threats:
[*]400,000,000,000 emails analysed
[*]100,000,000 + Windows devices updated
[*]700,000,000 Azure user accounts analysed
[*]450,000,000,000 monthly authentications analysed
As companies worldwide experience cyberthreats, this information is fed back to Microsoft's cloud, which learns which patterns of behaviour indicate a threat. Once a threat has been detected within an organisation, it scans the organisation's devices for that threat and tells them:
[*]How the threat started
[*]What the threat is
[*]What the threat is likely to do
Administrators can then take action to remediate the threat and remove the problem, and in some cases Windows Defender 365 performs the remediation automatically. This is a big problem for individuals like you and me, even when you're dealing with private malware or have coded it yourself. Remember, not everything will be possible for you; this is just one of many technologies poised against you, so select your targets carefully, with confidence, and avoid large companies who can afford these types of products. OK, you should have a basic understanding of what you're up against when targeting Windows users in this day and age. Let's move on to macOS.

macOS
Apple operates a malware threat intelligence process to quickly identify and block malware. macOS malware defences are structured into three layers: preventing malware from launching (App Store review, Gatekeeper and notarization), blocking known malware from running (XProtect), and remediating malware that has already run (XProtect and the Malware Removal Tool).
macOS - Gatekeeper
When someone downloads and opens an app, plug-in, or installer package from the internet, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple (meaning it has been checked for known malicious content) and hasn't been altered. Gatekeeper also requests user approval before opening software that has been downloaded for the first time, to make sure the user hasn't been tricked into running something they believed was something else. By default, Gatekeeper ensures that all downloaded software has been signed by the App Store or by a registered developer and notarized by Apple. You will learn about notarization shortly. Both the App Store review process and the notarization process are designed to ensure that apps contain no known malware, and on top of that, by default all software on macOS is checked for known malicious content the first time it's opened, regardless of how it arrived on the Mac. When a macOS user downloads an application from outside the App Store, they are prompted with a warning when trying to open it for the first time, as seen in the screenshots below. I'm sure most macOS users can agree that they've seen this before.
macOS - Notarization
Notarization is an automated malware-scanning service provided by Apple, and it's required for software distributed outside the App Store (App Store apps go through App Review instead). Developers who want to distribute apps for macOS outside the App Store must submit them for scanning as part of the distribution process. Apple scans the software for known malware and, if none is found, issues a notarization ticket. Usually developers staple this ticket to their app from Xcode so Gatekeeper can verify and launch the app even when the user is offline. Apple can also issue a revocation ticket for apps found to be malicious, even if they were previously notarized. macOS regularly checks for new revocation tickets so that Gatekeeper has the latest information and can block those files from launching. This can block malicious apps very quickly, because these updates happen in the background much more frequently than even the background updates that push new XProtect signatures. You can notarize several different types of software, such as:
[*]macOS apps
[*]Non-app bundles, such as kernel extensions
[*]Disk images (UDIF format)
[*]Flat installer packages
Interesting to note that scripts and standalone binaries are not subject to notarization and are left to Gatekeeper and XProtect to sort out on their own. I learned this when I was working on my own macOS ransomware and came across some interesting things that left macOS users with a false sense of security. FYI! To be clear, notarization is not a full review of the app in question; App Review is a separate process on its own. All notarization does is perform a quick automated scan for already known malware, known malicious code, code-signing issues, etc., which is done fairly quickly. If the software passes Apple's malware scan, its details are added to Apple's database of "allowed" software. The notary service then generates a digital ticket to attach to the app and publishes it for Gatekeeper to find. When you first run a notarized app, that ticket tells Gatekeeper that Apple has notarized it, and the user is given the choice whether to launch the app or not.

If an app is not signed by an identified developer
If your macOS is set up to allow apps from the App Store and identified developers, and you try to launch an app that isn't signed by an identified developer, you will be prompted with the warning seen in the screenshots below.
macOS - XProtect
XProtect checks for known malicious content whenever:
[*]An app is first launched
[*]An app has been changed (in the file system)
[*]XProtect signatures are updated
When XProtect detects known malware, it's blocked and the user is given the option to move the software to the Trash. XProtect scans applications and files on the computer for malware using the malware definitions stored locally, which Apple updates frequently, often daily. These definition updates come through Apple's normal software update process, which is enabled by default, and almost all of them are installed silently with no notification to the user. Apple downloads the new malware information and adds it to the definition file already on the computer, so macOS users don't have to wait for the next OS patch to be protected. XProtect is always updating and on the hunt for the newest malware 24/7, 365 days a year. You can check that this is enabled by opening "System Preferences" - "Software Update" - "Advanced..." (the option is "Install system data files and security updates") and you'll see the window in the screenshot below.
When Apple discovers new malware, some or all of the following happen:
[*]Any associated Developer ID certificates are revoked.
[*]Notarization revocation tickets are issued for all files (apps and associated files).
[*]XProtect signatures are developed and released.
[*]MRT signatures are developed and released.
Ultimately, once new malware is detected, a series of events happens over the seconds, minutes, hours, and days that follow to push the best protection possible out to macOS users through these malware definition updates. I know that was a lot of bullshit to read, but in summary:
[*]Notarization is Apple's automated scan that checks an app for known malware or malicious code; developers submit through a Developer ID linked to their account and get a ticket back.
[*]Gatekeeper is designed to ensure that only trusted notarized software runs on a user's Mac.
[*]XProtect is the built in AV for macOS and functions very similar to any other AV product.
[*]Malware Removal Tool (MRT) removes detected malware from a Mac and reports it to Apple.
Pretty straightforward, right? OK, so we've touched on the basics of anti-viruses and what you'll be up against at minimum when targeting individuals or companies with malware. Let's take a second to review the important take-home points.
[*]Chapter take away points
[*]Windows and macOS targets will have AV installed by default.
[*]AV uses signature, heuristic, and behavioural detection methods.
[*]Unknown files (malware included) are scanned locally and uploaded to the cloud for further analysis.
[*]Default AV settings use cloud protection services and upload malware samples silently behind your back.
[*]It's much better to have malware executed in memory than executed from the HD.
[*]Bypassing AV is a cat and mouse game that requires work, re-coding, re-crypting, etc.
[*]Almost all malware gets detected eventually, so run short campaigns with specific targets in mind. Long term is no good at our cybercriminal level.
[*]Resources to read
Offensive Security - PEN300 (Evasion Techniques and Breaching Defenses) - MEDIUM/HARD https://beta.hide01.ir/pen300-osep
Before moving on it's assumed you've read the recommended textbook and gone through the PEN300 AV course. Time to push on.
Windows Defender and XProtect are the AVs you'll be up against at minimum, and the third-party products below are some of the others you'll be dodging around.
[*]Let's briefly learn what an Anti-Virus is so everyone has the basics down solid. In general, most AV malware detection relies on matching the files on your computer against signatures of known malicious code stored in databases. Antivirus vendors use automated processes and reverse-engineering (RE) efforts to create these signatures, which are stored in massive databases. While the exact signature formats are each AV company's closely held secret, most of these products rely on MD5, SHA-1 or SHA-256 hashes of malicious files, or on unique byte sequences within known malicious files. If a scanned file matches a known hash, or contains a malicious byte sequence, it is flagged as malicious. In addition to signature scanning, some AVs perform heuristic or behavioural analysis that simulates the execution of a scanned file: the file is run in a sandboxed environment while the AV watches for known malicious behaviour. This approach relies on sophisticated proprietary code and is much more time consuming and resource intensive than signature-based detection. The weakness of executing malware in a sandbox is that it only runs for a limited amount of time, so some malware developers add a time delay before their code does anything interesting to get around such defences. The success rate of this approach varies widely from AV to AV. A newer approach in the AV industry leverages cloud computing together with machine learning to improve the speed and accuracy of detection by uploading unknown or questionable files to the cloud for analysis. Cloud plus AI analysis of unknown files, man, this is the future of malware prevention. Let's dig a little deeper.

Detection Methods used by Anti-Viruses
In the past AVs were not as clever as they are today and it was much easier to get around them.
Many AVs back in the day relied almost totally on signature-based detection to decide whether the file being executed was malicious or not, and they would only start scanning when a file was written to disk or a new process was created. Nowadays AVs are getting smarter, and the current detection methods include the following.

Signature Based Detection
This works by matching patterns, strings, byte sequences or hashes of already known malware from a database against the files on the computer, looking for a match. Almost all AV products detect malware by referencing a known-malware signature list stored locally in the AV's own definition files or in a massive online database. You should already know that every file has a digital fingerprint, which you can check for yourself by generating the MD5 (or SHA-256) hash of any file on your computer. It can be as simple as a malicious .exe or .dll with a known hash being flagged, and this is how the AV picks it up during a scan. In simple terms, malware signature lists are compilations of known malicious code samples (and their hashes) that the AV compares against the files on your computer. When an AV uses hashes to identify malware they're usually generated with fast algorithms such as MD5 or SHA-256, which can be computed many times per second without affecting the performance of the computer. These malware signatures are updated every day, sometimes multiple times a day, as new strains are identified by an AV company or by the malware research community. AV companies are constantly searching, researching, and adding more known malicious code samples to their signature databases, creating thousands and thousands of data points to work with. Their goal is to detect malware and protect their customers.
If the AV company comes across a new piece of malware in the wild, it updates the signature list across its products so everyone running that AV is protected from the latest malware in near real time. If the AV finds a match it flags the file as malware, prevents it from running, and quarantines or deletes it. This whole process is known as "signature based detection" in the AV industry. It's good to understand signature-based detection because AV can also search for a specific string or word found in an already known piece of malware and look for that same string in other programs or source code. For example, if the word "HACKER" is somewhere in a known piece of malware, AV will be looking for that string all over the place. Sometimes bypassing AV can be as simple as changing the flagged string to something different like "hacKEr" or removing it completely from the source code. However, sometimes you're unable to remove certain strings without breaking the malware itself. It can be a tricky balance and is usually trial and error until you get it right. Most modern AV products have evolved from only comparing known signatures against the files on a computer to also detecting malicious behaviour in a program. More advanced AVs can also fingerprint the network traffic a known piece of malware produces, which is unique to it, and make a signature for that. For example, when malware communicates back to a Command and Control (C&C) server to retrieve commands or upload data, it produces distinctive network traffic.
Even though some malware builders are polymorphic (a different file signature every build), which stops AV from matching a hash on the file, if the malware always connects back to the C&C in a specific way then a signature can be built from the network traffic it produces. Anything that is static in nature, anything that's always the same, can be used to build a signature to detect it one way or another depending on the AV installed. This all makes sense, right? In fact some people purchase a crypter and crypt their malware thinking that's the only thing needed to bypass an AV product, but they forget that even if encrypting the file makes it Fully Un-Detectable (FUD) on disk, the network traffic that specific piece of malware produces and how it behaves on the computer won't be any different. You see? Getting past different types of AVs is not as easy as most people think in 2023, and you need to be aware that there's much more to making a file undetectable from one AV to the next than you initially think. There's a lot happening under the hood once you take a peek behind the AV curtain. It's 2023 and the AV industry has matured quite a lot since its creation, when I started out. John McAfee somehow became a household name, and I mean just look how far he came?!
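To make the signature discussion concrete, here is an added example (not code from the original post) of a toy signature scanner in Python. It scans three constructed in-memory "files" against one file-hash signature and two byte-sequence signatures: the hash signature only matches the exact build it was taken from, while the byte-sequence signatures (the C2 URL and a case-insensitive build tag) also catch a rebuilt variant whose hash has changed. The sample bytes, detection names, C2 hostname and build strings are all made up for the example.

```python
"""Toy signature-based scanner: file-hash signatures plus byte-sequence signatures.

Added example for this post, not code from it. Samples, hashes, patterns and
detection names are constructed for illustration and are not a real signature set.
"""
import hashlib
import re

# Constructed sample "files" held in memory instead of on disk.
SAMPLES = {
    "calc_notes.txt": b"meeting notes: budget review at 10am\n",
    "dropper_v1.bin": b"MZ\x90\x00" + b"\x00" * 16
                      + b"HACKER_BUILD_1\x00http://c2.example.invalid/gate.php",
    # Same malware rebuilt with a different build tag (and so a different hash)
    "dropper_v2.bin": b"MZ\x90\x00" + b"\x00" * 16
                      + b"hacKEr_build_2\x00http://c2.example.invalid/gate.php",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash signature: matches one exact file; change a single byte and it misses.
HASH_SIGNATURES = {sha256(SAMPLES["dropper_v1.bin"]): "Trojan.Dropper.A (hash)"}

# Byte-sequence signatures: regexes over raw bytes, so the build number or
# letter case of the tag does not matter and the C2 URL is caught anywhere.
BYTE_SIGNATURES = [
    (re.compile(rb"c2\.example\.invalid/gate\.php"), "Trojan.Dropper.A (C2 URL)"),
    (re.compile(rb"(?i)hacker_build_\d+"), "Trojan.Dropper.A (build tag)"),
]


def scan(data: bytes) -> list:
    """Return the list of signature names that match this file's bytes."""
    hits = []
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        hits.append(name)
    for pattern, name in BYTE_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits


def scan_all(samples=SAMPLES) -> dict:
    """Scan every sample; an empty list means no signature matched."""
    return {fname: scan(data) for fname, data in samples.items()}


if __name__ == "__main__":
    for fname, hits in scan_all().items():
        print(f"{fname}: {'CLEAN' if not hits else ', '.join(hits)}")
```

Running it shows dropper_v1.bin hit by all three signatures, dropper_v2.bin hit only by the two byte-sequence signatures (its hash is new), and the text file clean; that gap between the hash result and the byte-pattern result is exactly why vendors layer several signature types rather than relying on hashes alone.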
[*]Heuristic/Behavioral Based Detection
Similar to signature-based scanning, which detects threats by searching for specific strings or hashes, heuristic detection looks for commands or instructions that would not typically be found in a legitimate application, or for application behaviour that seems suspicious. The AV watches the events a program generates and compares them to known malicious behaviour. For example, if a program like Microsoft Word spawns cmd.exe, powershell.exe, etc. as a child process, or if a program calls a sequence of functions such as OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, this may indicate a malicious process or a process injection attempt and get that program flagged as malicious. If it acts like a duck and looks like a duck, it's probably a duck. Simple, right? I mean, why would Microsoft Word be launching PowerShell in the background? 99.9% of the time this is malicious. Some AV products that use heuristic analysis execute the script or program first within a specialised virtual environment (a sandbox) so the AV can see what would happen if the suspicious file were run, while keeping it isolated from the real computer. The AV analyses the commands as they execute and monitors for common virus-type activities such as replication, file overwrites, and attempts to hide the suspicious file. If one or more such actions are detected, the file is flagged as a potential virus and the user is alerted. Let's look at another example to understand heuristic/behavioural detection in simple terms. A new piece of ransomware is released into the wild and tries to encrypt every file on a computer one by one. This malware is currently undetected by AV and is FUD at the time of creation.
Someone has just been infected with it, but the AV product notices the BEHAVIOUR of the ransomware and flags it as potentially malicious, stopping it from fully executing. How did the AV know the behaviour was malicious in the first place? Well, AV products that use heuristic/behavioural analysis will eventually pick up most malware out there just by analysing what running files do and comparing it to behaviour associated with known malware. I mean, what legitimate program encrypts the files on a computer one by one as fast as possible? Since that behaviour is deemed malicious, as it should be, the AV flags the file even though it has no signature to match it against. Here's a little story. When I was working on my own custom piece of ransomware it kept getting detected as malicious and I couldn't for the fuck of me figure out what was going on. I eventually gave up on the encryption process and opted instead to move every "interesting" file into a hidden directory and then zip up the whole folder with a hard-coded password. I put a time delay on the process, so everything appeared somewhat normal. Voila! FUD. Now, to be fair, I wasn't using any encryption methods and was simply moving the files and zipping them up with a password, but the point is there are many ways to make shit work. Was this ransomware? Well, kinda... I mean all the victim's files were gone in their eyes and not accessible until they paid the ransom to get them back, so in a sense it was ransomware. A shitty version indeed. In the end it didn't matter, since it achieved my goals and made me much monies before it got detected again and I decided to walk away with the profits made. I'll get more into my personal story later on, but try to keep your mind open about what's possible.
Some AVs take it to the next level and learn what "normal" behaviour is on the specific computer they're installed on. An analogy for you. Picture your computer like an animal in a zoo. A wild fucking animal. Now, the AV product is monitoring the large cage the animal lives in, and over time gets to know the animal and its habits: how it acts, when it sleeps, what it eats, and so on. The AV knows the "normal" behaviour of this particular animal, and since it knows normal it can detect abnormal behaviour and flag it accordingly. If the animal starts to climb the cage and cause fuckery, the AV product detects the abnormal behaviour and notifies the handlers that something is wrong. This is where it's going with the AI fuckery. Regardless of the detection method, it's much easier for any AV product to detect something when it's written to disk (i.e. the file is saved to the HD). At least this was the case before AMSI (which you'll learn about soon) came onto the scene. Before AMSI it was difficult for AV products to detect fileless malware, meaning malware that never touches the disk and executes completely in memory; AMSI lets script hosts such as PowerShell, VBScript/JScript and the .NET runtime hand the content they're about to run to the registered AV engine, so in-memory scripts can be scanned before they execute. The whole goal of most adversaries, ethical hackers, and red teamers is to not touch the HD, or to touch it as little as possible, because that reduces the chances of being detected by AV and by other eyes. Aim for your malware to not touch the disk of your target and to execute only in memory, if possible.
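As an added example (not from the original post) of the behavioural rules described above, the Python below runs three detections over a constructed endpoint event stream: an Office application spawning a shell, the OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread injection chain inside one process, and a burst of file rewrites of the kind the ransomware example produces, with a legitimate backup tool included to show the rate rule not firing. The event format, process names and thresholds are assumptions for the example, not the schema of any real AV or EDR.

```python
"""Toy behavioural detection over a constructed endpoint event stream.

Added example for this post, not code from it. The event tuples, process
names and thresholds are simplified stand-ins for what a real AV/EDR sensor
records and are assumptions for the example.
"""
from collections import defaultdict

# Constructed telemetry: (timestamp_seconds, pid, event_type, details)
EVENTS = [
    (0.0, 100, "process_start", {"image": "winword.exe", "parent": "explorer.exe"}),
    # Word spawning PowerShell, which then performs the classic injection chain
    (1.0, 101, "process_start", {"image": "powershell.exe", "parent": "winword.exe"}),
    (1.1, 101, "api_call", {"name": "OpenProcess"}),
    (1.2, 101, "api_call", {"name": "VirtualAllocEx"}),
    (1.3, 101, "api_call", {"name": "WriteProcessMemory"}),
    (1.4, 101, "api_call", {"name": "CreateRemoteThread"}),
    # A backup tool rewriting three files over eight seconds: normal
    (2.0, 102, "process_start", {"image": "backup.exe", "parent": "services.exe"}),
    *[(2.0 + i * 4.0, 102, "file_write", {"path": f"C:\\data\\doc{i}.docx"}) for i in range(3)],
    # "invoice.exe" rewriting forty files in two seconds: ransomware-like burst
    (5.0, 103, "process_start", {"image": "invoice.exe", "parent": "explorer.exe"}),
    *[(5.0 + i * 0.05, 103, "file_write", {"path": f"C:\\data\\doc{i}.docx"}) for i in range(40)],
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
WRITE_BURST_COUNT = 20     # this many file writes ...
WRITE_BURST_WINDOW = 5.0   # ... within this many seconds is suspicious


def rule_office_spawns_shell(events):
    """Parent/child rule: an Office app launching a shell or script host."""
    return [(pid, f"{d['parent']} spawned {d['image']}")
            for _, pid, kind, d in events
            if kind == "process_start" and d["parent"] in OFFICE_APPS and d["image"] in SHELLS]


def rule_injection_chain(events):
    """API-sequence rule: the injection calls appear in order (other calls may sit between)."""
    calls = defaultdict(list)
    for _, pid, kind, d in events:
        if kind == "api_call":
            calls[pid].append(d["name"])
    alerts = []
    for pid, names in calls.items():
        want = 0
        for name in names:
            if name == INJECTION_CHAIN[want]:
                want += 1
                if want == len(INJECTION_CHAIN):
                    alerts.append((pid, "remote-thread injection API chain"))
                    break
    return alerts


def rule_file_write_burst(events):
    """Rate rule: too many file writes by one process inside a sliding time window."""
    stamps = defaultdict(list)
    for ts, pid, kind, _ in events:
        if kind == "file_write":
            stamps[pid].append(ts)
    alerts = []
    for pid, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WRITE_BURST_WINDOW:
                start += 1
            if end - start + 1 >= WRITE_BURST_COUNT:
                alerts.append((pid, f"{end - start + 1} file writes within {WRITE_BURST_WINDOW:g}s"))
                break
    return alerts


def evaluate(events=EVENTS):
    """Run every rule; returns (pid, reason) pairs, one per rule that fired."""
    return rule_office_spawns_shell(events) + rule_injection_chain(events) + rule_file_write_burst(events)


if __name__ == "__main__":
    for pid, reason in evaluate():
        print(f"ALERT pid={pid}: {reason}")
```

None of the three rules needs a hash or a string from the sample; they fire on what the process does, which is why re-crypting a file that still behaves this way changes nothing, and why the author's zip-and-move variant only escaped the rate rule because of the delay it added.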
[*]Summary:
[*]Anti-Viruses mainly consist of signature based, heuristic, and behavioral detection methods.
[*]Signature based detection looks for malicious strings, hashes, words, etc. that it knows to be malicious and compares them against the files on your computer looking for a match. If a match is found the AV flags it as malicious and prompts the user for action, or simply notifies them that some fuckery is afoot.
[*]Heuristics/Behavioral detection usually isolates the file to see what it does FIRST before allowing it to execute on the computer giving the AV an opportunity to look for abnormal/malicious behavior. Based on the behaviour observed, the AV can decide if a file is malicious or not. Examples of a behavioral detection would be identifying the use of process hollowing or DLL injection techniques.
[*]AV now submits unknown samples back to the vendor's servers for automated/AI analysis. This technology is advancing daily and is the future direction of AV for protecting customers. AV is always scanning your computer, and specific files are sent back for analysis from time to time. It's important to note that when you download other malicious programs, those too are uploaded for analysis and eventually a signature is made for them without you knowing. These are the basics of AV that you should know. Now let's build on that.
[*]Storing or creating malware on your computer
[*] Anti-Virus (AV) is not your friend when coding or dealing with any type of malware stored on your computer. This includes when you want to check that the malware you purchased/coded functions properly, along with determining whether it's undetected by whatever AV you're trying to bypass. It's 2023, so everyone imagine this shit for a second. There you are, all curled up in bed. It's nighty time. Sleepy time. You're dreaming of how you're going to unleash the malware you've spent soooo much time developing and then FUCK! You don't even know that your awesome shit (the compiled sample, or the script itself) has already been sent to the AV vendor behind your motherfucking back! FUCK THAT. But this is true. Great, just fucking beautiful. The AV you run to protect yourself from other fuckfaces just like you has sent your sample back to the AV home base, scanned it, flagged it for analysis (maybe for manual review if it looks like a big operation) and stored it to create a signature for it, review it, research it, etc. All of that can link that specific piece of malicious code to your computer through the AV client installed on it. Makes sense, right? The AV client on your computer holds personal information collected when you purchased or set it up, which could range from when/where you installed the product, the email associated with the account, how it was purchased (cash, credit card, etc.), the places you connected to the Internet from, logs, etc., all of which is stored by the AV company. Logs, logs, and logs everywhere. AMIRITE? If you have good OPSEC you would've used a fake email, paid for the AV software with cash or an anonymous cryptocurrency, set up your "work" computer on a hacked Wi-Fi with an anonymous email, etc.,
but even if you did all that you probably still revealed where you connected to the Internet from, since those AV servers are gobbling up information which will show your location and/or online habits. Have you gone mad and made yourself a big enough target to be worth tracking and capturing? Maybe. I dunno. If so, I applaud you, madam. EVERYTHING is watching you, in so many ways you don't even know about! For example, you're all spies. So am I. I'm watching you, watching me, watching you, but we know we're watching each other like a bunch of fucking weirdos in a staring contest. The fuck's your problem, buddy? Let's get back on track because I'm getting all fucking paranoid about it. Alright, so you just spent a fuck ton of time developing your own banking trojan named ZeuS 9000 and you've unleashed that wild animal all over the god damn Internet, so obviously it grabs the attention of malware researchers, AV vendors, police, governments, your mother, etc. Since you launched such a large cybercriminal operation they have obtained a sample of the malware being spread across the Interwebs, and the AV company finds a matching sample that was uploaded from your machine, unbeknownst to you, a few months ago. Since you registered your Windows/macOS/AV product under your real name, or purchased the AV software in a way that links back to you, all of this can come back on you. It's KA-FUCKING-BALOOIE time. Your game is over. Too bad, so sad.
Intrusion Detection Systems (IDS)
[*] An Intrusion Detection System (IDS) is an application or system used to collect and analyse information that travels over the network from one computer to another. It's designed to collect, analyse, identify, and report anything it finds suspicious (known malicious techniques, known malware network behaviours, etc.) to the IT administrator or company owner so they can act on it. It's important to know that there are technologies out there meant to detect any kind of malicious behaviour on a computer or across a network. The average person won't have these products installed, but if you're planning to target larger companies with ransomware or RATs then you need to be aware that you're up against monsters, and you should avoid these types of targets until your skill level improves. I always avoided larger companies and strictly stuck to targeting small to midsized businesses instead. Don't make it harder for yourself; pick appropriate, realistic targets. Don't hack Microsoft. These cyber defence systems can inspect every packet crossing a network looking for anything malicious or questionable, and when they find bullshit malicious behaviour they flag it for review. All of that can result in your malware and/or your presence on that computer/server being detected. IDS vendors collect the malware being spammed around today and build signatures for how it behaves and how it communicates with its C&C. Once they have a signature for known malware they update their rules, protecting their customers from XYZ-fuck-face-malware.exe. Hooray! There are many ways an IDS can operate, but they all work such that if something suspicious is found, an alert is sent to that company's administrator or IT team in real time.
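As an added example (not from the original post) of the two things a network IDS does with C&C traffic, the Python below runs a blocklist match and a beaconing check over constructed flow records: one workstation browses a web server at irregular intervals, the same workstation calls an unlisted server every 60 seconds with a little jitter, and a second host contacts an address already on the blocklist. The addresses are from the documentation ranges, and the blocklist, thresholds and record format are assumptions for the example.

```python
"""Toy network-side detection over constructed flow records.

Added example for this post, not code from it. Addresses come from the
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the
blocklist, thresholds and record format are assumptions for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

KNOWN_BAD_DESTINATIONS = {"203.0.113.7"}   # constructed blocklist entry
MIN_CONNECTIONS = 6        # fewer than this and we do not judge periodicity
MAX_JITTER_RATIO = 0.10    # stdev/mean of gaps below this => suspiciously regular

# Constructed flow records: (timestamp_seconds, src, dst, dst_port)
FLOWS = []
# A workstation browsing a web server at irregular, human-looking intervals
for t in (0, 3, 18, 19, 20, 65, 140, 141, 300):
    FLOWS.append((float(t), "192.0.2.10", "198.51.100.20", 443))
# The same workstation calling an unlisted server every 60 s with up to 1 s of jitter
for i in range(8):
    FLOWS.append((1000.0 + i * 60.0 + (i % 3) * 0.5, "192.0.2.10", "198.51.100.99", 443))
# Another host contacting an address that is already on the blocklist
FLOWS.append((50.0, "192.0.2.11", "203.0.113.7", 8080))


def check_blocklist(flows):
    """Signature check: any flow to a destination known to be C2 infrastructure."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst in KNOWN_BAD_DESTINATIONS})


def check_beaconing(flows):
    """Behaviour check: a (src, dst) pair contacted at a near-constant interval.

    Returns (pair, mean_interval_seconds) for each pair whose gaps between
    connections are too regular to look like a person. It needs no knowledge
    of the destination or the payload, so a re-crypted implant is still caught.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < MAX_JITTER_RATIO:
            hits.append((pair, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst in check_blocklist(FLOWS):
        print(f"BLOCKLIST {src} -> {dst}")
    for (src, dst), interval in check_beaconing(FLOWS):
        print(f"BEACON {src} -> {dst} every ~{interval}s")
```

The browsing pair has nine connections but wildly varying gaps, so it passes; the 60-second pair has a jitter ratio around 0.01 and is flagged even though its destination is on no list, which is the point made above about static network behaviour surviving a crypter.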
Usually companies that deploy such technologies are also employing IT team members on call or actually working 24/7 so they can prevent attacks happening in real time and act accordingly right away. IDS are classified into 5 types: 1. Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS) are installed within a network to examine all incoming/outgoing traffic from all devices on the network. NIDS observe the passing traffic on the entire subnet and matches the traffic that is passed on the subnets to the collection of known attacks. Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator for them to act. 2. Host Intrusion Detection System (HIDS): Host Intrusion Detection Systems (HIDS) run on the hosts or devices on a network. A HIDS monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system files and compares it with the previous snapshot. If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate. 3. Protocol based Intrusion Detection System (PIDS): Protocol based Intrusion Detection System (PIDS) comprises a system that would be implemented at the front end of a server which controls and interprets the protocol between a user/device and the server.
[*]4. Application Protocol based Intrusion Detection System (APIDS): Application Protocol based Intrusion Detection System (APIDS) is a system that generally resides within a group of servers which identifies intrusions by monitoring and interpreting the communication on application specific protocols. For example, this would monitor the SQL protocol specific to an application as it interacts with a database on the web server and look for any abnormalities or known malicious SQL syntax that would be out of the norm for that application.
[*]5. Hybrid Intrusion Detection System (HIDS): Hybrid Intrusion Detection Systems are a combination of two or more approaches to the intrusion detection system. In the hybrid intrusion detection system, host agent or system data is combined with network information to develop a complete view of the network system.
As you can see you want to avoid companies with a large IT budget because we know that most likely we'll be up against these technologies. Knowing that not only AV is out there but numerous other cyber defences are at play will help you wrap your head around the fact that not everything will work 100% of the time and just because you have a piece of malware that is FUD doesn't always mean that shit's going to work as expected. Pick easy prey only as this will be better for you! OK you should now have some of the basics down. Now let's talk about what AV most "average" computer users have installed on their computers.
[*]Default Anti-Viruses
[*]Windows users have a built in AV known as Windows Defender (WD) with Anti-Malware Scan Interface (AMSI), Windows SmartScreen, etc. whereas macOS users are protected by default by XProtect, Gatekeeper, Notarization, and then some (ASLR, MRT, SIP, etc.). In my opinion these Anti-Viruses have come a long way by offering superior protection to their customer base and you can bet in the future these will dominate all other AV products out there since they're already integrated with the OS but what the fuck do I know.
[*]Windows Users - Windows Defender (WD)
Microsoft Windows Defender (WD) is developed by Microsoft to protect the computers running Windows 8, Windows 10, and Windows 11, along with some versions of Windows Server. WD is installed by default and provides protection to your devices and all the shit you store in the cloud. WD brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect computers and gets updates regularly to help ensure that Windows computers have the latest technology to protect against the newest malware and latest attack techniques. You must ensure that whatever malware you have at your disposal can bypass WD, at minimum, when targeting Windows users or you'll be wasting your time and efforts.
[*]Windows Users - Anti-Malware Scan Interface (AMSI)
The Anti-Malware Scan Interface (AMSI) is an interface that applications and services can use to scan the contents of scripts (PowerShell, JavaScript, etc.) looking for malicious content. It's a newish AV technology from Microsoft that scans for malicious activity in memory and can scan any script that is run on a Windows computer. Microsoft's AMSI APIs can be used to scan code in memory; they can also scan files and streams, and can provide content source URL/IP reputation checks. Windows Defender already uses AMSI by default. Obviously.
As cybercriminals we will often deliver malicious scripts through "fileless" methods (nothing touches disk and is only executed in memory) and utilize obfuscation techniques to avoid traditional AV scanning techniques that use signature-based detection. Scripts can be heavily obfuscated and can be executed in memory which may avoid some AVs out there but for the script to get executed by a scripting engine on the OS the malware must provide un-obfuscated final code to the scripting engine in the end. AMSI can intercept this code, which is sent to the scripting engine, and request a scan from WD before it's executed. AMSI is integrated into Microsoft's PowerShell, VBScript, JavaScript engines, VBA and more recently was integrated into .NET with the introduction of the .NET Framework 4.8. AMSI is not restricted to PowerShell, JScript, VBScript, VBA, etc. as anyone can integrate AMSI with their programs using the API calls provided by the AMSI interface. In a nutshell, when executing a command in those interpreters the commands are sent to the AMSI interface first to be scanned for malicious activity. If an AV hooks into the AMSI interface, then the AV engine receives the executed commands via AMSI and can decide upon blocking or allowing a command while notifying the user about malicious activity. The fact that the runtime commands are sent allows AV products to gain visibility into un-obfuscated and in-memory execution of any malicious code in addition to blocking malicious behavior in real time. Try and think of AMSI like a bridge that connects PowerShell (or whatever other script) to the AV. For example, every command or script that is run inside PowerShell gets fetched by AMSI and then sent to the AV for further inspection and analysis before executing. When someone executes a script or initiates PowerShell, or any other language, amsi.dll is loaded into the memory space of that process.
Just prior to the execution of a script the following two APIs are used by the AV to scan the buffer and strings for signs of malware.
[*]AmsiScanBuffer()
[*]AmsiScanString()
If a known malicious signature is identified then the script doesn't execute and a message will appear to the user that the script has been blocked by the AV software. The picture below shows the process of AMSI scanning.
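As an added example (written for this chapter, not the post's own code and not Microsoft's sample), here is a hypothetical C# script host called ExampleScriptHost that uses the same two calls above the way any AMSI-aware interpreter does: it hands the final, de-obfuscated script text to the registered provider and refuses to run it when the verdict is in the detected range. It assumes a Windows machine with a registered AMSI provider (Windows Defender by default) and uses Microsoft's published AMSI test sample string as the known-bad input, so nothing malicious is involved.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not from the original post: a hypothetical script host
// ("ExampleScriptHost") that hands script text to AMSI before it would ever
// reach an interpreter. The registered provider (Windows Defender by default)
// returns the verdict; this program only asks and acts on the answer.
static class ExampleScriptHost
{
    // AMSI_RESULT values from amsi.h. Anything >= AMSI_RESULT_DETECTED is
    // malware; the BLOCKED_BY_ADMIN range means policy, not a detection.
    const int AMSI_RESULT_CLEAN = 0;
    const int AMSI_RESULT_NOT_DETECTED = 1;
    const int AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000;
    const int AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF;
    const int AMSI_RESULT_DETECTED = 0x8000;

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll")]
    static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);

    [DllImport("amsi.dll")]
    static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);

    // The two calls named in the post. AmsiScanString takes the script text as
    // a wide string; AmsiScanBuffer takes raw bytes (a file or a stream chunk).
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanString(IntPtr amsiContext, string content,
        string contentName, IntPtr session, out int result);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
        string contentName, IntPtr session, out int result);

    // Same test as the AmsiResultIsMalware() macro in amsi.h.
    static bool IsMalware(int result) => result >= AMSI_RESULT_DETECTED;

    static string Describe(int result)
    {
        if (IsMalware(result)) return "DETECTED (provider flagged it as malware)";
        if (result >= AMSI_RESULT_BLOCKED_BY_ADMIN_START &&
            result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END) return "BLOCKED BY ADMIN POLICY";
        if (result == AMSI_RESULT_CLEAN) return "CLEAN (verdict may be cached)";
        return "NOT DETECTED";
    }

    // Returns true only if the host may pass the script on to its interpreter.
    static bool ScanBeforeRun(IntPtr ctx, IntPtr session, string contentName, string script)
    {
        int result;
        int hr = AmsiScanString(ctx, script, contentName, session, out result);
        if (hr != 0)  // S_OK is 0; a failing HRESULT means no verdict, so fail closed
        {
            Console.WriteLine("{0}: AmsiScanString failed, hr=0x{1:X8} (not running)", contentName, hr);
            return false;
        }
        Console.WriteLine("{0}: {1}", contentName, Describe(result));
        return !IsMalware(result);
    }

    static void Main()
    {
        IntPtr ctx, session;
        int hr = AmsiInitialize("ExampleScriptHost", out ctx);
        if (hr != 0) { Console.WriteLine("AmsiInitialize failed: 0x{0:X8}", hr); return; }
        AmsiOpenSession(ctx, out session);  // one session so related scans correlate

        // Constructed inputs: a harmless one-liner and Microsoft's published AMSI
        // test sample string, which providers are expected to flag (the EICAR
        // idea applied to script content). Nothing here is ever executed.
        string benign = "Write-Output 'hello'";
        string amsiTest = "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386";

        bool runBenign = ScanBeforeRun(ctx, session, "benign.ps1", benign);
        bool runTest = ScanBeforeRun(ctx, session, "amsi-test.ps1", amsiTest);

        // Buffer form: the same test sample as UTF-16 bytes, the way a host would
        // scan a file it just read rather than a string it built itself.
        byte[] bytes = Encoding.Unicode.GetBytes(amsiTest);
        int bufResult;
        if (AmsiScanBuffer(ctx, bytes, (uint)bytes.Length, "amsi-test.bin", session, out bufResult) == 0)
            Console.WriteLine("amsi-test.bin: {0}", Describe(bufResult));

        Console.WriteLine("would run benign: {0}, would run test sample: {1}", runBenign, runTest);

        AmsiCloseSession(ctx, session);
        AmsiUninitialize(ctx);
    }
}
```

Build with csc.exe and run on Windows; with Defender's real-time protection on, the test sample is the input that should come back in the detected range.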
[*]The screenshot below is an example of an attacker downloading a script called shell.ps1 from the internet that when executed will connect to a remote server without the user knowing. The PowerShell script is old as fuck and contains known malicious code that AV already has a signature for. When attempting to execute the PowerShell script, AMSI will fetch the script and forward it to WD, which uses signature based detection to identify the malicious activity and prevent it from being executed.
[*]Now that you've learned about AMSI you know that we need to make sure any scripts we're using are heavily obfuscated and free of known malicious signatures if we plan on utilizing those scripts as an attack method.
[*]Windows Users - SmartScreen
Microsoft Defender SmartScreen protects against phishing, malicious websites or applications, and the downloading of potentially malicious files. If you're a Windows user then there's a good chance you have seen the warning messages shown in the screenshot below.
[*] Microsoft Defender SmartScreen determines whether a site is potentially malicious by:
[*]Analyzing the visited webpages looking for indications of suspicious behavior and if it's determined that a page is suspicious it will show a warning page advising caution to the user.
[*]It checks the websites you're visiting against a dynamic list of reported phishing and malicious websites and if a match is found then Microsoft Defender SmartScreen will show a warning to the user letting them know that the website might be malicious and advise caution.
[*] Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
[*]Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the website might be malicious.
[*]Checking downloaded files against a list of files that are already well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution to the user.
If a warning is prompted to the user they can choose to report that specific website as unsafe and Microsoft can review it at a later time to determine what is what. People protecting other people. Windows SmartScreen is an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through social engineering attacks. The benefits of Microsoft Defender SmartScreen are:
[*]Anti-phishing and anti-malware support. It helps to protect people from websites that are known to host phishing attacks or attempt to distribute malicious software. It also helps protect against deceptive advertisements, scam sites, and web drive-by attacks.
[*]Reputation based URL and app protection. It evaluates a website's URLs to determine if it's known to distribute malware or has hosted unsafe content in the past. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file to ensure everything is legit. If a URL, a file, an app, or a certificate has an established reputation, users won't be prompted with any type of warning. However, if there's no reputation, then it's marked as a higher risk and a warning is presented to the user.
[*]Operating system integration. It's integrated into Windows and can check any file an application attempts to download and run.
[*]Improved heuristics and diagnostic data. Microsoft Defender SmartScreen is constantly learning and keeping up to date so it can help protect its users against potentially malicious sites and files.
[*]Blocking URLs associated with potentially unwanted applications. In Microsoft Edge, SmartScreen blocks URLs associated with potentially unwanted applications.
We care about Windows SmartScreen because we need the victim's download of our malware to go as smoothly as possible and not display a bunch of warnings about shit being malicious to the user. Social engineering or not, those warnings are no good for our success. Hosting known malicious files is going to be an issue too since Windows SmartScreen will pick this up with ease and protect the target from being infected with our malware. It will also detect our domain being used and eventually flag it as malicious which is no fucking good for us. So, we know we need to be hosting our malware from a trusted domain/source and our file must be FUD at that moment OR we need to hide our malicious file preventing AV from looking inside. OK? Moving along now.
[*]Windows Commercial Users - Windows Defender 365
Windows Defender 365 was formerly known as Windows Defender Advanced Threat Protection (ATP). In a nutshell, Microsoft gathers an absurd amount of telemetry from their customers globally with some analysts estimating over 8 trillion signals daily. This telemetry is made up of signals from across Microsoft's services such as Microsoft Defender 365, Microsoft Defender For Endpoint and data from Microsoft's cybersecurity teams, global law enforcement, etc. and Microsoft calls this pool of data the "Microsoft Intelligent Security Graph". Microsoft runs world class machine learning, AI, and big data analytics across this telemetry. The volume of data being collected allows Microsoft to determine what patterns of behaviour are considered "normal" and what patterns of behaviour may indicate malicious activity such as malware or another type of attack. Insights from the Intelligent Security Graph power real time threat protection in Microsoft products and services which includes Windows Defender 365.
Just so you can appreciate how much data is fed into the Intelligent Security Graph the following figures provided from Microsoft demonstrate how much insight Microsoft has into global activity and cyber threats:
[*]400,000,000,000 emails analysed
[*]100,000,000 + Windows devices updated
[*]700,000,000 Azure user accounts analysed
[*]450,000,000,000 monthly authentications analysed
As companies experience cyberthreats worldwide this information gets fed back to Microsoft's cloud which learns which of these patterns of behaviour indicate a threat. Once a threat has been detected within an organisation it will scan the organisation's devices for the threat and will tell them:
[*]How the threat started
[*]What the threat is
[*]What the threat is likely to do
Administrators can take action to remediate the threat and remove the problem. This can also get automated remediation performed by Windows Defender 365 in some instances. This is a big problem for individuals like you and me even when you're dealing with private malware or have coded shit yourself. Remember, not everything will be possible for you and this is just one of many technologies poised against you so select your targets carefully, with confidence, and avoid large companies who can afford these types of products. OK you should have a basic understanding of what you're up against when targeting Windows users in this day and age. Let's move onto macOS.
[*]macOS
Apple operates a malware threat intelligence process to quickly identify and block malware. macOS malware defenses are structured into three layers:
- 1. Prevent the launch or execution of malware: App Store or Gatekeeper and Notarization
- 2. Block malware from running on customer systems: Gatekeeper, Notarization, and XProtect
- 3. Remediate malware that has executed: Malware Removal Tool (MRT)
When someone downloads and opens an App, plug-in, or an installer package from the internet, Gatekeeper will verify the software is from an identified Apple developer, is notarized by Apple (which means it's free of known malicious content), and hasn't been altered. Gatekeeper also requests user approval before opening software that has been downloaded for the first time to make sure the user hasn't been tricked into running anything they believed to be something else. By default, Gatekeeper helps to ensure that all downloaded software has been signed by the App Store, or signed by a registered developer and notarized by Apple. You will learn about notarization shortly. Both the App Store review process and the notarization process are designed to ensure that apps contain no known malware. Therefore, by default all software in macOS is checked for known malicious content the first time it's opened, regardless of how it arrived on the Mac. When a macOS user downloads an Application from the Internet, either by the App Store or otherwise, they will be prompted with a warning when trying to open the Application for the first time as seen in the screenshots below. I'm sure most macOS users out there can agree that they've seen this before.
"All apps distributed outside the App Store must be signed by a developer using an Apple issued Developer ID certificate (combined with a private key) and notarized by Apple to run under the default Gatekeeper settings. Apps developed in house should also be signed with an Apple issued Developer ID so that users can validate their integrity. In macOS, code signing and notarization work independently and can be performed by different actors for different goals. Code signing is performed by the developer using their Developer ID certificate (issued by Apple), and verification of this signature proves to the user that a developer's software hasn't been tampered with since the developer built and signed it. Notarization can be performed by anyone in the software distribution chain and proves that Apple has been provided a copy of the code to check for malware and no known malware was found. The output of Notarization is a ticket, which is stored on Apple servers and can be optionally stapled to the app (by anyone) without invalidating the signature of the developer. To safely support internet downloading, macOS layers additional controls. First, by default in macOS 10.15 or later, all Mac apps need to be notarized by Apple to launch. This requirement helps to ensure that these apps are free of known malware without requiring that the apps be provided through the App Store." In a nutshell you're not going to be creating any kind of malicious App thinking that you can send it to any of your victims via the App Store. Right? We know that Gatekeeper is there to ensure that no random App is downloaded and executed on a macOS computer without it being vetted (notarized) first. In fact, if an App is found to be malicious the developer will have their developer ID certificate revoked and their App removed along with possible legal consequences as well.
Gatekeeper is making sure the App you've downloaded is notarized and has already gone through a checking process to see if it contains known malware or not. If an App is not notarized then Gatekeeper will prompt you with a warning and not easily allow execution of that App in question. Hammering home the point, the purpose of Gatekeeper is to ensure that only "trusted" software is being run on a Mac. It's that simple. Does this mean that everyone is playing by the same rules and no rogue developers are out there pushing bullshit Apps onto people? Well...no. But it does mean that it's much harder for the average cybercriminal to get their App onto the App Store without it being noticed, their developer ID certificate getting yanked, and potentially legal action taking place against them. There's a whole process to go through in order to get a Developer ID but it's not impossible to obtain. I never went down this avenue so I'm truly unsure if this is a viable option. Remember, Apple reviews each app in the App Store before it gets accepted and digitally signs it to ensure that it hasn't been tampered with or altered in any way. If there's an issue with an app then Apple will quickly remove it from the App Store. So even if you pay for a Developer ID and try to push out your own malware App that shit will get shut down before you know it and you'll be wasting dollars and putting yourself in a risky position depending on the malware you're pushing out. Nah.
[*]macOS - Notarization
Notarization is a malware scanning service provided by Apple and is required if you plan on creating an App to be sold on the App Store or otherwise. Developers who want to distribute apps for macOS outside the App Store must submit their apps for scanning as part of the distribution process. Apple scans the software for known malware and, if none is found, issues a notarization ticket.
Usually, developers attach this ticket to their app within Xcode so Gatekeeper can verify and launch the app, even when the user is offline. Apple can also issue a revocation ticket for apps known to be malicious even if they've been previously notarized. macOS regularly checks for new revocation tickets so that Gatekeeper has the latest information and can block the launch of such files. This process can very quickly block malicious apps because updates happen in the background much more frequently than even the background updates that push new XProtect signatures. You can notarize several different types of software such as:
[*]macOS apps
[*]Non-app bundles, such as kernel extensions
[*]Disk images (UDIF format)
[*]Flat installer packages
Interesting to note that scripts and standalone binaries are not subject to Notarization and are left to Gatekeeper and XProtect to sort out on their own. I learned this when I was working on my own macOS ransomware and came across some interesting things that left macOS users with a false sense of security. FYI! Now to be clear, notarization is not a full review of the App in question, which is a separate process on its own. All notarization is doing is performing a quick scan looking for already known malware, known malicious code, code signing issues, etc., which is an automated process that is done fairly quickly. If the software passes Apple's malware scan the details are added to Apple's database of "safe" or "allowed" software. Then the notary service generates a digital "ticket" to attach to the App in question along with publishing it for Gatekeeper to find. When you first run an App that is notarized that digital ticket will tell Gatekeeper that Apple has notarized the App and will give the user a choice whether to launch the App or not.
[*]If an App is not signed by an identified developer
If you have your macOS set up to allow Apps from the App Store and identified developers, when you try to launch an App that isn't signed by an identified developer you will be prompted with the following warning as seen in the screenshots below.
If you are prompted with the warning as seen in the screenshot above that means the App is not notarized and Apple could not scan the app for known malicious software, resulting in the App not launching. Most well versed macOS users know that you can open an App that is not notarized by going into "System Preferences" - "Security & Privacy" and then manually allowing the App to run by clicking "Open Anyway".
Once a user clicks on "Open Anyway" that App is saved as an exception and now the user can open the App anytime after that without any future warnings. To sum it up: all Notarization is doing is helping to identify malicious software prior to it being distributed to the masses via the App Store. It's checking already known malware signatures against the new Apps. It gives people the confidence that all of the Apps on the App Store have been scanned for malware and given the thumbs up to download and install them. An extra step to ensure that the App is deemed safe and is not full of malware. One step of many.
[*]macOS - XProtect
Apple has their own proprietary AV software called XProtect that comes pre-installed and is built into their Apple products; it is a signature based detection type of AV product. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates on the regular. Apple monitors for new malware infections and strains, and updates signatures automatically, independent from system updates, to help defend macOS from being infected with malware. Since about 2009 Apple has shipped all their products (MacBooks and iMacs) with XProtect installed by default. Most macOS users aren't even aware that XProtect is protecting them as they never see anything on their computer related to XProtect and most macOS users wouldn't be familiar with it, let alone know that it's installed by default on their computer. XProtect just works silently in the background like a creep never notifying their users of anything it's doing! XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:
[*]An app is first launched
[*]An app has been changed (in the file system)
[*]XProtect signatures are updated
When XProtect detects known malware it's blocked and the user is given an option to move the software to the Trash. XProtect will scan all Applications and files on the computer looking for malware using the malware definitions stored locally on the computer which, again, Apple updates pretty much daily. These malware definition updates are done through Apple's normal software update process which is enabled by default. Almost all these updates are done silently without any notifications presented to the main user. Apple downloads the new malware information and adds it to the malware definition file already on the computer so macOS users don't have to wait for the latest patches or updates to be protected. XProtect is always updating and on the hunt for the newest malware 24/7, 365 days a year. You can check this by clicking on "System Preferences" - "Software Update" - then click on the "Advanced..." tab and you'll be presented the following window as seen in the screenshot below.
What this means is anytime a new malware family/strain is found by Apple it will push out an update silently to update the XProtect malware definition file stored locally on the computer, protecting all its users in real time. Always updating. Always watching. AV is just a bunch of fucking creeps man. XProtect will automatically quarantine suspicious files and Applications so they cannot be accessed or executed. Again, all enabled by default without any user interaction. All Applications downloaded from the Internet are put into "File Quarantine" before being able to be opened/executed by a user. Before the Application/file is able to run XProtect will check it against its database of malicious apps/files to determine if it's safe and allowed to run. Which macOS people are using will dictate where this XProtect malware definition file can be found. Since we're not talking about old shit we'll use the recent macOS, which is Monterey, and its file structure. You can find the XProtect malware definition file at: "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist". People who are using an older macOS should refer to Google to locate where this file is as it has changed locations a few times over the years. Open the Terminal.app on your macOS (Monterey) and type:
cat /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist
If you ran the command above you would see the list of malicious applications macOS is checking for when you open downloaded application files from the Internets for the first time. Once you've downloaded an application the File Quarantine checks to see if it matches any of the malware definitions listed in the malware definition file and if it finds a match you'll receive a warning stating that the file will damage your computer and to report the malware back to Apple. You can see this in the screenshot below.
Safety in numbers. As you can imagine XProtect is not foolproof and may identify legitimate programs as malware from time to time but overall it does an excellent job protecting most macOS users and is a thorn in the side for any new cybercriminal out there trying to get their hands on 9000 infected macOS computers.
[*]macOS - Malware Removal Tool (MRT)
Should any malware make its way onto a Mac, macOS also includes technology to remediate infections. The Malware Removal Tool (MRT) is an engine in macOS that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). MRT removes malware upon receiving updated information and it continues to check for infections on restart and login. When new malware is discovered a number of steps may be performed:
[*]Any associated Developer ID certificates are revoked.
[*]Notarization revocation tickets are issued for all files (apps and associated files).
[*]XProtect signatures are developed and released.
[*]MRT signatures are developed and released.
Ultimately, once new malware is detected a series of events happen over the next seconds, minutes, hours, and days that follow to propagate the best protections possible to macOS users by receiving the newest malware definition updates. So I know that was a lot of bullshit to read but in summary:
[*]Notarization is a process to ensure the App is free of malware or malicious code and is issued to Developers through a Developer ID linked to their account.
[*]Gatekeeper is designed to ensure that only trusted notarized software runs on a user's Mac.
[*]XProtect is the built in AV for macOS and functions very similar to any other AV product.
[*]Malware Removal Tool (MRT) removes detected malware from a Mac and reports it to Apple.
Pretty straight forward right? Ok so we've touched on the basics of Anti-Viruses and what you'll be up against at minimum when targeting individuals or companies with malware. Let's take a second to review the important take home points.
[*]Chapter take away points
-- Windows and macOS targets will have AV installed by default.
-- AV uses signature, heuristic, and behavioral detection methods.
-- Unknown files (malware included) are scanned locally and uploaded to the cloud for further analysis.
-- Default AV settings will use cloud protection services and upload malware samples silently behind your back.
-- It's much better to have malware executed in memory than have it executed on the HD.
-- Bypassing AV is a cat and mouse game that requires work, re-coding, re-crypting, etc.
-- Almost all malware gets detected eventually so perform short malware campaigns with specific targets in mind. Long term is no good at our cybercriminal level.
[*]Resources to read
Offensive Security - PEN300 (Evasion Techniques and Breaching Defenses) - MEDIUM/HARD https://beta.hide01.ir/pen300-osep Before moving on it's assumed you've read the recommended textbook and gone through the PEN300 AV course. Time to push on.