
Cristian Cornea Bypassing Antivirus Using BadUSB

The document discusses techniques for bypassing antivirus protections using BadUSB and includes methods such as AMSI and Execution Policy bypasses, payload runner development, and post-exploitation persistence. It outlines a scenario where an attacker exploits a found USB device to gain access to a target computer, despite security measures in place. The document also emphasizes prevention strategies, including restricting PowerShell usage and training users on security awareness.

Uploaded by sta.akpa

Bypassing Anti-Virus using BadUSB


About me
◎ OSCE | OSEP | OSWE | OSCP | CEH | CPTC | PenTest+ | eWPT | ECIH | CREST
◎ Founder @ Zerotak | President @ Romania Cyber Security Training Centre of Excellence
◎ Providing pentesting & security consultation for clients all over the world:
○ Australia, U.S., U.K., Middle East, Singapore, India, Central Africa, Europe.
◎ Trainer for U.S. Department of Defense, Slovenian National Bureau of Investigation, Polish Military CERT
◎ Speaker @ BSides, CyberSecurity Congress, Defcamp, HEK.SI, RST Con, HackTheZone, Unbreakable
◎ EC-Council Certified Ethical Hacker (CEH) Scheme Committee Member
◎ InfoSec Writer on Medium

2
AGENDA

◎ AMSI Bypass
◎ Execution Policy Bypass
◎ Payload Runner Development
◎ Deploying Attack using BadUSB
◎ Post-Exploitation Persistence
◎ DEMO
◎ Prevention

3
Scenario
Scenario

Bob found a USB device in the parking lot

5
Scenario

Bob went to his office and plugged the USB device into his PC

6
Scenario

The attacker is now connected to Bob’s computer, even though:


◎ Bob has Windows Defender enabled
◎ Bob is using a low-privileged account
◎ Bob’s computer does not allow removable storage media

So what happened?

7
Scenario

Sequence of attacks:

1. AMSI Bypass (AV Evasion)

2. Execution Policy Bypass

3. Payload Runner -> Injected Shellcode in Memory

4. Post-Exploitation -> Migrated to another process

8
AMSI Bypass
AMSI - What is it and how does it work?

◎ Antimalware Scan Interface (AMSI)

◎ Works as a middle-man between Windows Defender (or a 3rd-party anti-virus) and user input/scripts (example: PowerShell)

◎ Uses AmsiScanBuffer() from Amsi.dll to scan for malicious scripts

◎ What we will do:

○ Manipulate AmsiScanBuffer() to return the same result every


10
AMSI - Bypass Flow

1. Define Windows API functions (GetProcAddress(), LoadLibrary(), VirtualProtect()) and translate them to PowerShell:

2. Load Amsi.dll library in memory:

11
AMSI - Bypass Flow

3. Get the AmsiScanBuffer() function's location in memory and make it writeable:

4. Build the value that we will overwrite the AmsiScanBuffer() function in memory with (mov eax, 0x80070057; ret - will explain later):

5. Do the replacement:

12
AMSI - Why 0x80070057

Source: https://learn.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanbuffer

13
AMSI - Why 0x80070057

14
AMSI - (Almost) Final Payload

15
AMSI - Use Obfuscation!

16
Execution Policy Bypass
Execution Policy Bypass

◎ Security setting that controls whether PowerShell scripts may run

◎ Requires administrator privileges to be changed… or does it?

◎ Bypass without UAC for low-privileged users:

○ Set-ExecutionPolicy Unrestricted -Scope CurrentUser

18
Payload Runner
Development
Payload Runner Development

1. Define the LookupFunc() function -> used later to look up assembly references

20
Payload Runner Development

2. Define the getDelegateType() function -> sets the argument types (int, pointer, etc.) for the functions we will invoke

21
Payload Runner Development

3. Allocate the writeable memory for our shellcode:

4. Generate the shellcode:

22
Payload Runner Development

5. Inject shellcode into the previously allocated memory:

6. Execute it!

23
Deploying Attack using
BadUSB
Introduction to BadUSB

◎ It’s a bird? No

◎ It’s a plane? No

◎ It’s a USB? Maybe…

◎ It’s a Mouse? Somehow…

◎ It’s a Keyboard? Commonly yes…Wait what?

25
BadUSB - Payload Development

1. DigiSpark Scripts
◎ Arduino programming
◎ C++ knowledge needed

2. Ducky Scripts
◎ User-friendly syntax
◎ Use an online converter from DuckyScript to Arduino

26
BadUSB - Ducky Scripts Syntax
◎ STRING = what to type
◎ DELAY = sleep
◎ REM = comment
◎ REPEAT x = repeat the last command “x” times
◎ Special keys must be written as they are (ENTER, CTRL, TAB, etc.)
◎ GUI = Windows key
◎ MOUSE_MOVE X Y = move pointer to X Y coordinates
◎ LMOUSE, RMOUSE, MMOUSE = mouse buttons (left, right, middle)

27
Post-Exploitation
Persistence Tips
Post-Exploitation Persistence

◎ We need to find a process to attach our instance to

◎ What else than… explorer.exe? :)

◎ Metasploit helps us with that!

○ migrate command

29
DEMO
Prevention
Prevention

◎ Disallow PowerShell for end-user accounts

◎ Access control list on USB ports

◎ Develop a budget for advanced endpoint protection solutions

◎ Train, train, and train users
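The prevention list above, together with the Execution Policy and AMSI sections, names the footprints a defender can actually look for: a new keyboard-class device appearing (the BadUSB insertion), a per-user execution policy downgrade, and a script block that resolves Amsi.dll / AmsiScanBuffer() and calls VirtualProtect(). The Python below is an added example, not code from the slides: it runs those checks over a constructed JSON-lines export of Windows events (Event ID 6416, "a new external device was recognized by the system", and Event ID 4104, PowerShell script block logging) and correlates the two within a short window. The field names and sample values are constructed; the event IDs and indicator strings are Windows' own and the slides' own.

```python
"""Detection walk-through for the attack chain on these slides.

Added example, not part of the original deck.  Two checks run over a
constructed, simplified JSON-lines export of Windows events:
  * Event ID 6416 (Security log, "a new external device was recognized by
    the system") carries the device class, so a fresh Keyboard/HIDClass
    device is the footprint of a BadUSB insertion.
  * Event ID 4104 (PowerShell script block logging) carries the text of every
    script block that ran; the indicators matched are exactly the ones the
    slides name (Set-ExecutionPolicy -Scope CurrentUser, AmsiScanBuffer,
    amsi.dll, VirtualProtect).
Field names and sample values are constructed for this example.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: one host shows the slide scenario, one does not.
SAMPLE_EVENTS = """
{"time": "2024-03-01T09:00:01", "host": "BOB-PC", "event_id": 6416, "class_name": "HIDClass", "device": "USB Input Device"}
{"time": "2024-03-01T09:00:03", "host": "BOB-PC", "event_id": 6416, "class_name": "Keyboard", "device": "HID Keyboard Device"}
{"time": "2024-03-01T09:00:09", "host": "BOB-PC", "event_id": 4104, "script": "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"}
{"time": "2024-03-01T09:00:12", "host": "BOB-PC", "event_id": 4104, "script": "$h = LoadLibrary('amsi.dll'); $p = GetProcAddress($h, 'AmsiScanBuffer'); VirtualProtect($p, ...); 0x80070057"}
{"time": "2024-03-01T11:15:00", "host": "ALICE-PC", "event_id": 4104, "script": "Get-ChildItem -Path $env:TEMP | Measure-Object"}
{"time": "2024-03-01T11:40:00", "host": "ALICE-PC", "event_id": 6416, "class_name": "Keyboard", "device": "Dell Keyboard"}
"""

# Every pattern in a rule must match for the rule to fire.
RULES = {
    # Execution policy lowered without UAC: the per-user scope needs no admin rights.
    "execution_policy_downgrade": [
        re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)\b", re.I),
        re.compile(r"-Scope\s+CurrentUser\b", re.I),
    ],
    # AMSI patching footprint: amsi.dll / AmsiScanBuffer resolved AND memory
    # protection changed.  Requiring both keeps a lone mention of either API
    # (e.g. in a legitimate admin script) from alerting.
    "amsi_tamper_primitives": [
        re.compile(r"AmsiScanBuffer|amsi\.dll", re.I),
        re.compile(r"VirtualProtect", re.I),
    ],
}
HID_CLASSES = {"KEYBOARD", "HIDCLASS", "MOUSE"}

def classify_script(text):
    """Names of all rules whose every pattern matches the script block."""
    return [name for name, pats in RULES.items() if all(p.search(text) for p in pats)]

def load_events(jsonl):
    events = [json.loads(line) for line in jsonl.strip().splitlines()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def analyze(jsonl, window=timedelta(seconds=60)):
    """Flag suspicious script blocks and note whether a keyboard-class device
    was recognized on the same host within `window` before each of them."""
    events = load_events(jsonl)
    hid_arrivals = [e for e in events
                    if e["event_id"] == 6416 and e.get("class_name", "").upper() in HID_CLASSES]
    alerts = []
    for e in events:
        if e["event_id"] != 4104:
            continue
        rules = classify_script(e["script"])
        if not rules:
            continue
        preceded = any(h["host"] == e["host"] and timedelta(0) <= e["time"] - h["time"] <= window
                       for h in hid_arrivals)
        alerts.append({"host": e["host"], "time": e["time"].isoformat(),
                       "rules": rules, "hid_preceded": preceded})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The `hid_preceded` flag is what ties the slide scenario together: a keyboard that was not there a few seconds ago, immediately followed by PowerShell lowering its own execution policy, is a far stronger signal than either event alone. Both sources need to be switched on to exist at all (the "Audit PNP Activity" subcategory for 6416 and PowerShell script block logging for 4104), which is the concrete form the "advanced endpoint protection" bullet above takes on a plain Windows estate.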

32
Research & Statistics
Research & Statistics

◎ Microsoft does not consider this worth their attention

◎ Tested on 20 AV vendors - free trial/version

◎ 7/20 Spawned a Meterpreter Reverse Shell

○ Which allowed Mimikatz to be loaded

◎ 9/20 Spawned a normal Reverse Shell

◎ 4/20 Blocked the attempt

34
Q&A
Thanks!
Cristian Cornea

35
