Bypassing Anti- Virus using BadUSB

Bypassing Anti-

Virus using BadUSB

About me

◎ Founder @ Zerotak | President @ Romania Cyber Security Training Centre of Excellence

◎ Providing pentesting & security consultation for clients all over the world:

○ Australia, U.S., U.K., Middle East, Singapore, India, Central Africa, Europe.

◎ Trainer for U.S. Department of Defense, Slovenian National Bureau of Investigation, Polish

Military CERT

◎ Speaker @ BSides, CyberSecurity Congress, Defcamp, HEK.SI, RST Con, HackTheZone,

Unbreakable

◎ EC-Council Certified Ethical Hacker (CEH) Scheme Committee Member

◎ InfoSec Writer on Medium

AGENDA

◎ AMSI Bypass

◎ Execution Policy Bypass

◎ Payload Runner Development

◎ Deploying Attack using BadUSB

◎ Post-Exploitation Persistence

◎ DEMO

◎ Prevention

Scenario

Bob found one USB device in the parking lot

Scenario

Bob went to its office and introduced the USB in PC

Scenario

Attacker is connected to Bob’s computer, however:

◎

Bob has Windows Defender enabled

◎

Bob is using a low privileged account

◎

Bob’s computer is not allowed to insert removable media storage

So what happened?

Scenario

Sequence of attacks:

1. AMSI Bypass (AV Evasion)

2. Execution Policy Bypass

3. Payload Runner -> Injected Shellcode in Memory

4. Post-Exploitation -> Migrated to another process

AMSI Bypass

AMSI - What is it and How it works?

◎ Anti-Malware Scanning Interface (AMSI)

◎ Works as a middle-man between Windows Defender (or 3rd Party

Anti-Virus) and User Input/Scripts (example: PowerShell)

◎ Uses

AmsiScanBuffer()

from

Amsi.dll

to scan for malicious

scripts

◎ What we will do:

○ Manipulate

AmsiScanBuffer()

to return same result every

time a script is scanned

AMSI - Bypass Flow

1. Define Windows API Functions (GetProcAddress(), LoadLibrary(), VirtualProtect()) and

translate them to PowerShell:

2. Load

Amsi.dll

library in memory:

AMSI - Bypass Flow

3. Getting

AmsiScanBuffer()

function location in memory & making it writeable:

4. Building the value that we will replace

AmsiScanBuffer()

function in memory with (

mov

eax, 0x80070057, ret

- Will explain later):

5. Doing the replacement:

AMSI - Why 0x80070057

Source: https://learn.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-

amsiscanbuffer

AMSI - Why 0x80070057

AMSI - (Almost) Final Payload

AMSI - Use Obfuscation!

Execution Policy Bypass

◎ Security setting for running PowerShell scripts

◎ Requires administrator privileges to be changed… or does it?

◎ Bypass without UAC for low-privileged users:

○

Set-ExecutionPolicy Unrestricted --Scope CurrentUser

Payload Runner

Development

Payload Runner Development

1. Define

LookupFunc()

function -> We will use later to search for assembly references

Payload Runner Development

2. Define

getDelegateType()

function -> To set argument types (int, pointer, etc.) for functions that

we will invoke

Payload Runner Development

3. Allocate the writeable memory for our shellcode:

4. Generate the shellcode:

Payload Runner Development

5. Inject shellcode into the previously allocated memory:

6. Execute it!

Deploying Attack using

BadUSB

Introduction to BadUSB

◎ It’s a bird? No

◎ It’s a plane? No

◎ It’s a USB? Maybe…

◎ It’s a Mouse? Somehow…

◎ It’s a Keyboard? Commonly yes…Wait what?

BadUSB - Payload Development

1. DigiSpark Scripts

◎ Arduino Programming

◎ C++ knowledge needed

2. Ducky Scripts

◎ User-friendly Syntax

◎ Use online convertor for DuckyScripts ->

Arduino

BadUSB - Ducky Scripts Syntax

◎ STRING = what to type

◎ DELAY = sleep

◎ REM = comment

◎ REPEAT x = last command “x” times

◎ Special keys must be written as they are (ENTER, CTRL, TAB, etc.)

◎ GUI = Windows key

◎ MOUSE_MOVE X Y = move pointer to X Y coordinates

◎ LMOUSE, RMOUSE, MMOUSE = mouse’s buttons

Post-Exploitation

Persistence Tips

Post-Exploitation Persistence

◎ We need to find a process where to attach our instance

◎ What else than…explorer.exe? :)

◎ Metasploit helps us with that!

○

migrate

- command

DEMO

Prevention

◎ Disallow PowerShell for end-user accounts

◎ Access control list on USB ports

◎ Develop a budget for advanced endpoint protection

solutions

◎ Train, train, and train users

Research & Statistics

◎ Microsoft is not considering this worth their attention

◎ Tested on 20 AV vendors - free trial/version

◎ 7/20 Spawned a Meterpreter Reverse Shell

○ Which allowed Mimikatz to be loaded

◎ 9/20 Spawned a normal Reverse Shell

◎ 4/20 Blocked the attempt

Thanks!

Q&A

Cristian Cornea