{"id":1103,"date":"2020-01-18T19:30:01","date_gmt":"2020-01-18T17:30:01","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1103"},"modified":"2020-01-18T19:30:01","modified_gmt":"2020-01-18T17:30:01","slug":"red-teaming-series-antivirus-bypass","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/cyber-security-news\/red-teaming-series-antivirus-bypass\/","title":{"rendered":"RED TEAMING SERIES &#8211; ANTIVIRUS BYPASS"},"content":{"rendered":"<p style=\"text-align: justify\">Let&#8217;s try to create a malicious <strong>payload<\/strong> that can bypass the defenses of <strong>55 antivirus engines<\/strong> (<strong>VirusTotal<\/strong> platform):<\/p>\n<p><img decoding=\"async\" class=\"size-full wp-image-1128 aligncenter\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/12-1.png\" alt=\"Virustotal\" width=\"1484\" height=\"814\" loading=\"lazy\" \/><\/p>\n<h2 style=\"text-align: justify\">Lab preparation<\/h2>\n<ul>\n<li style=\"text-align: justify\"><strong>Windows 10<\/strong> &#8220;<span style=\"color: #339966\"><strong>victim<\/strong><\/span>&#8221; (with <strong>Firewall and Antivirus enabled<\/strong>)<\/li>\n<li style=\"text-align: justify\"><strong>Windows 10<\/strong> &#8220;<strong><span style=\"color: #ff0000\">attacker<\/span><\/strong>&#8221; with the <a href=\"https:\/\/github.com\/fireeye\/commando-vm\">CommandoVM<\/a> framework:<\/li>\n<\/ul>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/4.png?fit=750%2C226&amp;ssl=1\" alt=\"\" class=\"wp-image-1106\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Attacker set-up:<\/h2>\n\n\n<p style=\"text-align: justify\">We decided to use a PowerShell script (<strong>ReverseTCP Shell &#8211; <a href=\"https:\/\/github.com\/ZHacker13\/ReverseTCPShell\">link<\/a><\/strong>) to generate the 
<em>payload<\/em>:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/5-1.png\" alt=\"\" class=\"wp-image-1108\" loading=\"lazy\" \/><\/figure>\n\n\n<p>The script generates 2 different outputs, both <strong><em>PowerShell<\/em><\/strong> and <strong><em>CMD<\/em><\/strong> commands:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/6-1.png?fit=750%2C481&amp;ssl=1\" alt=\"\" class=\"wp-image-1109\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Executing the attack<\/h2>\n\n\n<p style=\"text-align: justify\">The generated output can be placed inside a &#8220;<strong>.vbs<\/strong>&#8221; file or inside <strong>Microsoft Office<\/strong> documents. You have probably received emails with attachments of this kind:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/8.png\" alt=\"\" class=\"wp-image-1110\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Ineffectiveness of the Antivirus<\/h2>\n\n\n<p style=\"text-align: justify\">Even when the user runs an <strong>antivirus scan<\/strong>, no associated <strong>threat<\/strong> or <strong>alert<\/strong> is reported:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/10.png\" alt=\"\" class=\"wp-image-1111\" loading=\"lazy\" \/><\/figure>\n\n\n<p style=\"text-align: justify\">Once the document is opened, the <strong>attacker obtains full control of the workstation with the same privileges as the affected user<\/strong>. 
They can upload\/download <em>files<\/em> on the target system, take screenshots, etc.:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/9.png\" alt=\"\" class=\"wp-image-1112\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Persistence<\/h2>\n\n\n<p style=\"text-align: justify\">To <strong>maintain access<\/strong> to the &#8220;victim&#8221; system, the <strong>payload<\/strong> must be executed at every boot. There are several options for achieving this. One of them is inserting malicious code into <strong>specific registry keys<\/strong>:<\/p>\n\n\n<figure class=\"wp-block-gallery columns-1 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\"><ul class=\"blocks-gallery-grid\"><li class=\"blocks-gallery-item\"><figure><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/11-2.png\" alt=\"\" data-id=\"1114\" data-full-url=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/11-2.png?fit=859%2C641&amp;ssl=1\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1114\" class=\"wp-image-1114\" loading=\"lazy\" \/><\/figure><\/li><\/ul><\/figure>\n\n\n\n<p style=\"text-align: justify\">By replacing &#8220;calc.exe&#8221; with the previously generated command, control of the workstation is obtained at every reboot, without generating any kind of alert.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Let&#8217;s try to create a malicious payload that can bypass the defenses of 55 antivirus engines (VirusTotal platform): Lab preparation Windows 10 &#8220;victim&#8221; (with Firewall and Antivirus enabled) Windows 10 &#8220;attacker&#8221; with the CommandoVM framework: Attacker set-up: We decided to use a 
PowerShell script (ReverseTCP Shell &#8211; link) to generate the payload: The script generates 2 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1139,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[29,45,208,272,290,294,371],"class_list":["post-1103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security-news","tag-antivirus-bypass","tag-backdoor","tag-macro","tag-powershell","tag-red-teaming","tag-reversetcp","tag-vbs"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1103"}],"version-history":[{"count":0,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1103\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}