Organizations need to be able to understand and test their users' behavior without anti-virus programs stopping these tests in their tracks. A great way to explore that user behavior is by deploying social engineering programs during a pen test. In today's Whiteboard Wednesday, David Maloney explains several anti-virus evasion techniques you can employ for your Metasploit pen tests.
Hello, my name is David Maloney. I am a Senior Software Engineer at Rapid7 working on the Metasploit line of products. In this week's Whiteboard Wednesday, we are going to talk about antivirus evasion techniques.
When talking about payloads in Metasploit, there are two main parts. There is the actual shellcode, which executes instructions on the victim machine, and there is what's called the executable template. If the shellcode isn't being executed directly from main memory, the shellcode is embedded in an executable (in the case of Windows, an .exe file) that loads that shellcode into memory and executes it. Most times, this executable template is what is actually being detected by an antivirus. If that's what's being detected by the antivirus, then that's where we need to put the work in for evasion.
There are a number of different ways we can try to avoid antivirus. The first and most obvious way is to just avoid using an executable at all. Try and execute your payload directly in memory through a corruption technique, or use something like PowerShell. These scripting languages typically aren't actually flagged by any antivirus provider. Another option is to use a custom executable template, preferably something that is known to be a valid .exe, such as the Windows Calculator program. Certain antivirus programs will take a look at that template and say: "Oh, this is Calculator. I know what this is. I really don't have to worry about this," and you can move on.
Beyond that, you can actually roll your own executable template. There are several different techniques you can use to help try and hide what you are doing from an antivirus solution. Antivirus products use a technique called sandboxing in a lot of cases. What this means is it creates a protected part of the operating system that it runs the executable in for a limited period of time to make sure that it is not doing anything malicious. In those cases, all we have to do is, basically, beat the clock. We can continue to do harmless operations over and over again for a minute or two, usually less. The antivirus sandbox will say: "Well, there's nothing going on here, I am just going to let this program run." We can beat out the clock, continue on, and execute our payload.
We can try and detect the presence of a debugger. A lot of antivirus solutions can be picked up the same way you can pick up a debugger. So what you do is you have a couple of different techniques to detect whether a debugger is attached to the executing program. If it is, you just don't ever go to the routines that actually execute our payload. Instead, you just continue to do harmless things and antivirus will never flag it. Beyond that, we can also randomize our shell code. Basically, scrambling it up in memory so that if antivirus scans the memory of the running program, it won't see shell code that it recognizes. Right before we are ready to execute that shell code, we correct the order so that it is all back in a working order in memory, then execute it.
Within Metasploit Pro, we actually use several of these techniques and a new option for the psexec module to dynamically generate these templates each time. Every time you run the psexec module with this option, it dynamically writes new C code with harmless instructions mixed in. It randomizes our shellcode, it detects the presence of debuggers, and each time this is run, it's completely different from any time before it. We have all these antivirus evasion techniques mixed in, but also, because the payload is never the same twice, antivirus providers cannot create a static signature to detect our payloads.
Thank you and see you next Wednesday.
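The three behaviours described in the talk, seen from the sandbox side: this is an added example, not code from the talk or from Metasploit, of the kind of heuristics an analyst might run over a recorded API-call trace to notice a template that stalls past the analysis clock, checks for a debugger before branching, or rewrites a memory region just before executing it. The trace format, the API names, the sandbox budget and the sample traces are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Call:
    t_ms: int                                   # time since process start, ms
    api: str                                    # API name as the monitor logged it
    args: dict = field(default_factory=dict)    # a few decoded arguments

SLEEPS = {"Sleep", "SleepEx", "NtDelayExecution"}
DEBUGGER_CHECKS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess"}
EXEC_FROM_ADDR = {"CreateThread", "CreateRemoteThread", "QueueUserAPC"}
EXECUTABLE = {"PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"}

def analyse(trace, sandbox_budget_ms=60_000):
    """Return human-readable findings for one process trace (assumed format)."""
    findings, slept, stall_reported = [], 0, False
    rw_regions, rx_regions = set(), set()   # allocated non-exec / later flipped to exec
    for c in trace:
        if c.api in DEBUGGER_CHECKS:
            findings.append(f"debugger check via {c.api} at {c.t_ms} ms")
        elif c.api in SLEEPS:
            slept += c.args.get("ms", 0)    # accumulate "beat the clock" delay
        elif c.api == "VirtualAlloc" and c.args.get("protect") not in EXECUTABLE:
            rw_regions.add(c.args["addr"])
        elif (c.api == "VirtualProtect" and c.args.get("protect") in EXECUTABLE
              and c.args.get("addr") in rw_regions):
            rx_regions.add(c.args["addr"])  # shellcode reassembled, then made runnable
        elif c.api in EXEC_FROM_ADDR:
            if slept > sandbox_budget_ms and not stall_reported:
                findings.append(f"{slept} ms of sleep preceded code execution at "
                                f"{c.t_ms} ms, past a {sandbox_budget_ms} ms budget")
                stall_reported = True
            start = c.args.get("start")
            if start in rx_regions:
                findings.append(f"region {start:#x} allocated non-executable, "
                                f"re-protected executable, then run via {c.api}")
    return findings

# Constructed sample traces (not real captures).
SAMPLE_TRACE = [
    Call(0, "IsDebuggerPresent"),
    Call(5, "Sleep", {"ms": 30_000}),
    Call(30_005, "GetTickCount"),
    Call(30_010, "Sleep", {"ms": 45_000}),
    Call(75_010, "VirtualAlloc", {"addr": 0x1A0000, "protect": "PAGE_READWRITE"}),
    Call(75_020, "VirtualProtect", {"addr": 0x1A0000, "protect": "PAGE_EXECUTE_READ"}),
    Call(75_030, "CreateThread", {"start": 0x1A0000}),
]
BENIGN_TRACE = [Call(0, "GetTickCount"), Call(10, "Sleep", {"ms": 100}),
                Call(200, "CreateThread", {"start": 0x401000})]
```

A real sandbox would pair these heuristics with clock acceleration (returning immediately from long sleeps) so the stalling pattern itself no longer buys the template any time.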