Refining The Art of Security

Powershell AMSI Lab - evading using obfuscation

Tags: #AMSI, #Powershell

Many developers have likely encountered the frustration of having their code flagged as a virus or malware by Windows Defender, even when the code is legitimate and performing necessary functions like accessing system functions or making TCP connections. It becomes even more frustrating when threat actors are able to bypass this security.

To address these concerns, Windows 10 introduced the Anti-Malware Scan Interface (AMSI), which allows antivirus software to interact with the operating system and detect and respond to malicious code. AMSI is an essential tool for antivirus programs, offering more effective detection and blocking of malicious code, as well as providing detailed information about detected threats. It ultimately aims to protect users and create a safer computing environment.

Despite the presence of AMSI, threat actors have invested significant effort into developing techniques to bypass its detection. These techniques include encrypting and decrypting payload scripts in memory within PowerShell, splitting up and recombining payload scripts, using various PowerShell encoding techniques, and embedding the payload within another executable. Given these techniques, it is important for defenders to understand how attackers can evade AMSI detection.

Digging through the AMSI evasion research published on the web, there are comprehensive resources on PowerShell obfuscation techniques from over the years. These findings suggest that AMSI currently struggles to detect obfuscated PowerShell code.

While obfuscated code can be identified through profiling with tools like Yara, the issue runs deeper. Any piece of code can be rewritten with different nuances, creating countless possible payload variants. Threat actors exploit this to slip their PowerShell scripts past detection.

This article also includes a proof of concept (POC) showcasing an obfuscated shell payload used to gain remote access in a custom lab environment, despite antivirus scanning being enabled on the operating system.

Remediation Strategies

To mitigate the risk of malicious code bypassing AMSI, it is important to conduct security audits on APIs, strengthen network infrastructure, properly configure systems with good access control, conduct regular penetration tests to identify vulnerabilities, update antivirus software, and perform regular audits and patching of the network environment.

Pentesting Screenshots

Here is a simple POC of an obfuscated shell payload that was generated using an obfuscator tool built with variable obfuscation in mind. It is being used to gain remote access in a custom lab environment. Although antivirus scanning is turned on on the target, the payload still executed without being detected.

[Screenshot: psx running the custom payload]

And this is what the reverse shell looks like once launched:

[Screenshot: the reverse shell after launch]

My thoughts on remediation strategies

Obfuscation techniques include randomizing variable names, padding with extra logic, and inserting wrapper logic around the executed scripts. Because most payloads must stay small to avoid standing out when logged, the core execution steps are likely left unchanged to keep things compact. So even when variable names and lengths change, the logical pattern of function calls and variable assignments probably stays the same once padding is added. That makes it somewhat possible to flag a script by scanning it for a core execution-logic pattern.

I’ve tested the idea and written a very basic file monitor/scanner, BlueWyvern Scanner, which uses regex to catch obfuscated and some possibly malicious code that would otherwise require deeper knowledge of Yara to detect. This works for a few basic payloads, but it is just a basic idea and isn’t battle tested like Yara. This is just a concept for one possible way to remediate this issue and should never replace a qualified malware analyst or blue team expert.

This tool uses regex to detect code execution patterns, including suspected malicious code, malicious URLs, IP addresses, file attachments, and hidden executable calls.

To signature multiple payloads and see whether they share common features, the tool uses a pattern-identification algorithm of the kind used in common-ancestor genetics analysis to find shared code execution patterns when given multiple sources to profile. The finite-state-machine, regex-based string search can check for multiple requirements in a single sweep over each line. It will also try to detect base64 encoding in files if that is used to obscure the payload.
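The three ideas in the paragraphs above (a single-sweep regex alternation that names which indicator fired, base64 blob detection and decoding, and a sequence-alignment style search for the execution shape shared by several samples) are sketched below in Python. This is an added example written for this page, not code from the post or from BlueWyvern Scanner; the indicator names, the token normalisation and the choice of longest common subsequence as the alignment algorithm are my own assumptions, and the two sample scripts are constructed, inert snippets that only print text.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed, inert samples (they only print text) written in the obfuscated
# style the post describes and sharing one core execution path. Not real payloads.
_B64 = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()
SAMPLE_A = f"""\
$a = ('Wr' + 'ite-Ho' + 'st')
$b = [char]72 + [char]105
& $a $b
IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{_B64}')))
"""
SAMPLE_B = f"""\
$x = ('Write' + '-Host')
& $x 'hi'
IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{_B64}')))
"""

# One alternation with named groups: a single left-to-right sweep of a line
# reports every indicator it meets, and m.lastgroup names the one that fired.
INDICATORS = re.compile(
    r"(?P<iex>\b(?:IEX|Invoke-Expression)\b)"
    r"|(?P<b64decode>FromBase64String)"
    r"|(?P<encoded_cmd>-(?:EncodedCommand|enc)\b)"
    r"|(?P<char_cast>\[char\]\s*\d+)"
    r"|(?P<str_concat>'[^']*'\s*\+\s*'[^']*')"
    r"|(?P<url>https?://[^\s'\"]+)"
    r"|(?P<ipv4>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<b64blob>[A-Za-z0-9+/]{40,}={0,2})",
    re.IGNORECASE,
)

def scan(text):
    """Sweep each line once; return (line number, indicator name, matched text)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in INDICATORS.finditer(line):
            hits.append((lineno, m.lastgroup, m.group(0)))
    return hits

def summarize(text):
    """Hit count per indicator: a per-file signature worth logging."""
    return dict(Counter(name for _, name, _ in scan(text)))

def decode_base64_blobs(text):
    """Decode each blob; UTF-16LE (what -EncodedCommand expects) when NULs appear."""
    decoded = []
    for _, name, blob in scan(text):
        if name != "b64blob":
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # looked like base64 but was not; leave it to the analyst
        decoded.append(raw.decode("utf-16le" if b"\x00" in raw else "utf-8", errors="replace"))
    return decoded

# Execution shape: variables become VAR, literals STR/NUM, so renamed variables
# and padded strings no longer matter, only the order of calls and assignments.
TOKEN_RE = re.compile(r"\$\w+|'[^']*'|\"[^\"]*\"|\d+|[A-Za-z][\w-]*|[+=&()\[\]]")

def normalize(text):
    out = []
    for tok in TOKEN_RE.findall(text):
        if tok.startswith("$"):
            out.append("VAR")
        elif tok[0] in "'\"":
            out.append("STR")
        elif tok.isdigit():
            out.append("NUM")
        else:
            out.append(tok.lower())
    return out

def lcs(a, b):
    """Longest common subsequence: the dynamic programme behind sequence alignment."""
    n, m = len(a), len(b)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                table[i][j] = table[i + 1][j + 1] + 1
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    i = j = 0
    out = []
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return out

def common_pattern(scripts):
    """Execution shape shared by all samples (folding pairwise LCS is a heuristic for >2)."""
    seq = normalize(scripts[0])
    for script in scripts[1:]:
        seq = lcs(seq, normalize(script))
    return seq
```

Running `summarize(SAMPLE_A)` gives one string concatenation, two `[char]` casts, one `IEX`, one `FromBase64String` and one base64 blob, and `decode_base64_blobs(SAMPLE_A)` recovers `Write-Host hello` from the blob. `common_pattern([SAMPLE_A, SAMPLE_B])` returns the 27-token shape the two scripts share (assign a concatenated string to a variable, call it, then decode and `IEX` a blob) even though their variable names, padding and literals differ, which is the core-logic signature the paragraph above proposes to flag.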

This tool can also run in file integrity monitor (FIM) mode, meaning it will scan and log updated files in the target directory. If multiple rules are provided as part of the arguments, it will scan the changed files for those as well.
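The FIM mode described above, as an added Python example that is not the post's or BlueWyvern Scanner's own code: hash every file under a directory, diff two snapshots to find added, removed and modified files, log them, and run a caller-supplied list of regex rules over only the changed files. The rule names and the temporary-directory scenario in `demo()` are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    table = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            table[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return table

def diff_snapshots(before, after):
    """Classify changes between two snapshots taken at different times."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified

def apply_rules(root, paths, rules):
    """Run every (name, compiled regex) rule over the given files, line by line."""
    findings = []
    for rel in paths:
        text = (Path(root) / rel).read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx in rules:
                if rx.search(line):
                    findings.append((rel, lineno, name))
    return findings

def monitor_cycle(root, before, rules):
    """One FIM pass: re-hash, log what changed, scan only new and modified files."""
    after = snapshot(root)
    added, removed, modified = diff_snapshots(before, after)
    for label, group in (("added", added), ("removed", removed), ("modified", modified)):
        for rel in group:
            print(f"[FIM] {label:8} {rel}")
    findings = apply_rules(root, sorted(added + modified), rules)
    return after, added, removed, modified, findings

def demo():
    """Constructed scenario: baseline, then one file is edited and one is dropped in."""
    rules = [("iex", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)),
             ("b64decode", re.compile(r"FromBase64String", re.IGNORECASE))]
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.ps1").write_text("Get-Date\n")
        Path(root, "notes.txt").write_text("nothing to see\n")
        baseline = snapshot(root)
        Path(root, "clean.ps1").write_text("Get-Date\nIEX $x\n")              # modified
        Path(root, "new.ps1").write_text("[Convert]::FromBase64String($y)\n")  # added
        _, added, removed, modified, findings = monitor_cycle(root, baseline, rules)
    return added, removed, modified, findings
```

In a real deployment the snapshot would be persisted between runs and `monitor_cycle` called on a timer or from a filesystem-event hook; the important design point is that rules run only over files whose hash changed, which keeps each cycle cheap and ties every finding to a logged change event.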

Best Practices for Defense

To protect production and internal network systems, users should follow best practices such as employing strong passwords, avoiding suspicious links and downloads, and regularly checking server and operating system access logs. The technology team should also stay informed about the latest threats and tactics used by attackers to bypass security measures. Engaging in penetration tests, application security reviews, and adhering to DevSecOps best practices can minimize the risk of network intrusion.

Checking server and operating system access logs can help detect malicious activity, but it may be difficult to identify such activity depending on the type of malware used. Taking preventative measures like regular penetration tests, code review audits, and patching critical updates is crucial. Users should also practice online security best practices, including strong passwords and avoiding suspicious links and downloads.

About 4reW


Hi there, I'm a software engineer interested in exploring security research. My background in software engineering has given me the opportunity to develop secure code, review code for security, and conduct application security analysis.