Payload manipulation techniques for security system evasion

January 23, 2017

Authors:

  • Marco Di Brino;
  • Antonio Pirozzi;
  • Corrado Aaron Visaggio.


This work provides a description and a comparison of a few methods for creating malicious payloads, or shellcodes. These payloads are meant to open a remote connection between the victim's machine and the attacker's machine, which listens for it and, once the connection is established, is used to obtain sensitive information or to attack that user. The payloads were built with free tools running on a Kali Linux machine, namely:

  • Metasploit
  • Veil framework
  • TheFatRat

The comparison is based on each payload's ability to bypass the security systems available by default on Windows machines and the antivirus products on the market, with the goal of obtaining a payload that remains invisible to several security systems at the same time. The default Windows security systems used and tested in this work are:

  • Windows Defender
  • Windows Firewall
  • Windows SmartScreen

Online scanners were also used; these check the created files against multiple antivirus engines simultaneously. The scanners used in this work were:

  • OPSWAT Metadefender
  • Scan4you/Poison Scanner

The following table shows, for each of the tools used, the best result obtained in creating a malicious payload. Note that a good result means being able to bypass the Windows security systems (denoted as "Yes" or "No" in the table) and the online scanners (denoted in the table by the number of antivirus engines that recognized the malicious payload out of the total number of engines run).

[Table: best result obtained per tool, from a screenshot dated 2017-01-23; the image is not reproduced in this extract]

(* – Windows SmartScreen can block a malicious payload if it is downloaded from the Internet; otherwise, Windows SmartScreen does not consider it malicious)

In this report, the systems configured for producing and testing the payloads are briefly introduced, and the results of the different methodologies used in trying to create a FUD (fully undetectable) backdoor are shown and discussed.


To access the full document, click on the following link: Technical_Report_Evasion