Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hi everybody, and welcome to episode number 27 of the course, antivirus avoidance. My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:11
The learning objectives are to understand the concept behind this technique and apply the concepts to actually implement this technique. So let's get down to business, shall we?
00:23
First of all,
00:26
antivirus databases contain most of the well-known, or known, malware signatures. For example, let me just create a reverse shell here with Kali. We already used it in a previous video, the msfvenom video, to be more specific. It's,
00:44
uh, you know, a file called test. Let me just give it another name, since it probably has one name already. I don't know, 123,
00:52
that executable,
00:55
so let's upload that to a well-known site, VirusTotal. VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus might have missed,
01:12
or to verify against, you know, any false positives.
01:17
Antivirus software vendors can receive copies of files that were flagged by other scans but passed by their own engine, to help improve their software, and by extension, uh, VirusTotal's own capability.
01:32
Users can also scan URLs and, you know, search for malware. I don't know, whatever. Well, let me just show it to you so you can see how it really works, VirusTotal.
01:44
So this is a really cool, user-friendly interface. Just select file. Remember, we already want to upload that 123 executable.
01:55
And again, the only thing that we did to actually try to bypass antivirus is to encode it with a really generic encoder, which is shikata_ga_nai. Remember the command; we used the encoding here, shikata_ga_nai. So this will, of course, not help us improve our
02:15
antivirus avoidance capabilities. Or at least the capabilities of this
02:19
executable. Because at the end, it was kind of actually letting the operating system know that we actually, uh... a reboot again. Oh, my God. Uh, letting the operating system know that we actually want to throw a reverse shell back to a system. So
02:37
this will be... this was flagged by 52 engines.
02:40
So pretty common. I mean, yeah, that was expected. So another tool that I really love, an online tool by the way, is Hybrid Analysis. Hybrid Analysis is kind of a sandbox, eh? So you can actually upload files in here. Let me just grab here
03:00
and
03:00
type 123?
03:02
Nope. Sorry. No. I want 123, this executable, and drag it in here.
03:08
Minimize it, and
03:12
yeah, I consent. And I'm not rebooting again. Oh, my gosh.
03:15
Does this... Is that it's a bot? This thing
03:22
thinks it is a bot. Okay, it was a bot. You know, you can select the operating system where to run this, and it will run that. First of all, what I love about this is that you have the option to integrate this with CrowdStrike Falcon. I cannot stress this enough:
03:39
CrowdStrike, one of the most amazing tools I have ever seen,
03:43
you know, when it comes to, like, anti-exploit software,
03:49
because it is not... I don't know if it's classified as next-generation antivirus, but it's critical. You can check, you can take a look about... well, we will take a look at the end. This is a free service, and you have to, you know, total submissions pending; I have to wait for these submissions to finish.
04:06
Ah, let me just stop it in here and just show you the results
04:11
at the end. This is the result, the final result.
04:14
You know, if you click here, it will take you to this page, and in this you can get all the information from the virus you uploaded. You know, kind of reverse-engineering capabilities of this. It will tell you the hash. It will tell you, I don't know, more information that... I believe we saw the PE sections, right?
04:32
Uh, what it was supposed to do, what DLLs are involved?
04:38
Um,
04:39
here.
04:40
We're at the real deal, a starting point. I mean, a really detailed report of this virus. So these two tools, I believe, you have to use in your everyday usage, especially if you're part of a security operations center, or SOC.
04:57
You have to use them, definitely, these two tools and other tools as well. But this one,
05:02
these ones are free, and they're really cool. So yeah, so back to our antivirus capabilities, uh, avoidance capabilities. Let me just go ahead in here, and we can put an extra layer on a virus.
05:18
We can use some packers, crypters or encoders, for example Hyperion. I love Hyperion.
06:25
Hyperion is just as it sounds: a packer, crypter and encoder. It is located in here. Let me just give you the location,
05:33
oops,
05:39
and as you can see it's an executable. Fortunately, we can actually execute those extensions in your Kali machine by using the wine tool, which I already downloaded and upgraded, updated, to be more precise. And I could just throw this. Let me just,
06:00
uh,
06:01
so I put that in here.
06:04
I will change the name, of course,
06:06
because at the end, I already tested this.
06:10
I know.
06:11
I went to 123_hyperion. Hyperion and 123, which is the executable we created, and... I mean, all it took me was to write, ah, Hyperion. I mean, to... the packer, um,
06:27
to actually call it, and tell it to use this as an input and output. Now the problem we have with Hyperion is it uses a really, really generic, uh, encoder. So the detection capabilities were not improved as well as we wished.
06:46
So it probably decreased, like, one or two, or maybe three
06:51
detection engines. I mean, maybe we will get up like 50 or 51, I don't know. Or maybe we will not get an improvement at all.
07:00
Sometimes I have seen that using Hyperion with the default, or, you know,
07:06
I barely can use a custom encoder. But, you know, for the purpose of this session we'll use the default one. But Hyperion actually uses the default encoder used by Hyperion, and sometimes increases the detection
07:24
rates of antivirus. At the end it is, you know, flagging or sending all the alarms that the file or executable wants to actually hide something. But, you know, let's give it a shot and see what the result is.
07:40
It will probably be like 50 or 51. I mean, we got 52 the last time. So
07:46
anything now below 52 is kind of an improvement, I guess.
07:50
But fortunately for us, we can, you know, use another
07:57
crypter or encoder, which is called,
08:01
um, PEScrambler. You know, the PEScrambler
08:09
module provides similar functionality to the Hyperion module, except it uses a different obfuscation tool by default. So it may improve a little bit more than Hyperion. But, you know, at the end of the day, I don't know, maybe it will stay the same. At the end, Hyperion and PEScrambler
08:28
are both used for, um,
08:31
encoding or encrypting, if you allow me to use that word, a file so we can avoid antivirus. Okay, for Hyperion we decreased at least three positions.
08:43
Let me just use right now the PEScrambler. By the way, PEScrambler, you can download it from this page. Let me just give you the link.
08:52
I already did it, by the way, so I will not do it anymore. But you can download it from this webpage.
08:58
And ah, the
09:01
the syntax of the command is really simple. I will just use wine, wine64, now.
09:09
Ah, and I go to root... I don't know. I tell it to execute the PEScrambler, ah, -i, um,
09:18
for input,
09:20
which is 123
09:22
hyperion.exe,
09:24
and the output will be 123_hyperion_pescrambler.exe.
09:35
And that's all it takes. Ah, we'll be now creating a new executable. So I go in here again. Let me just go back
09:46
and upload another... get another virus to VirusTotal here to see if it actually improved my antivirus avoidance capabilities. Most likely, again, it will, like, increase
10:01
our numbers to maybe 23 antivirus engines. But, you know, don't expect too much of an improvement, because again, crypters sometimes use generic algorithms and keys to actually obfuscate the content, or, you know, encrypt the content itself.
10:22
So, yeah, don't expect much of an improvement
10:24
with Hyperion. Yeah, we did really get a little bit of improvement, but, you know, not as much as we would like to.
10:33
Ah, largely improved... to largely improve these numbers, you can create your own custom payloads and exploits with Python, or so. Remember that we have seen how to use Python to actually throw a reverse shell back to us. Well, why not use that capability in that code?
10:52
For example, let me just
10:54
copy-paste in here. I just created, well, test.py
11:03
and just copy-pasted this payload. Which, by the way, I did not create. I just did a little bit, ah, a real quick Google search for "reverse shell python script" or something like that, and it threw me this code. I didn't change anything about this code.
11:20
Well, you can change the IP. Yeah, well, you can change that IP,
11:24
um,
11:28
and the port. Yeah, well, I would like to use 4444,
11:33
but that's it. I mean, I'm not changing anything about it. I mean, it will throw a reverse shell. We have our
11:39
test.py here, and we can actually really largely improve our numbers. You can... well, just to be consistent in the form that, I don't want to upload the Python. I just want to upload the executable.
11:56
So you have to... you can use a tool called PyInstaller.
12:01
Uh, you know, PyInstaller, and just type... I already did it, but let me just show you in here,
12:09
um, pip
12:13
install
12:15
pyinstaller,
12:16
and that's it. I already have it installed, as I told you. Uh, yeah, you can just run the command
12:24
pyinstaller,
12:26
uh, just py-
12:30
installer, ah, --
12:33
onefile, since I want to use... I only want to have one file, which is our test.py, the Python.
12:41
Uh, you know, it's going to convert that to an executable. And, you know, there. Let me just ls here, and we have some new folders created by this,
12:54
uh, PyInstaller. For example, let me just,
12:58
um,
13:01
go in here to
13:03
the spec,
13:05
the spec folder, or what is it?
13:09
Let me just find in here... I have files. This, for example.
13:15
cd this.
13:18
If I go here, I have a test.py, uh, executable.
13:24
Ah, let me just go back one to go to the other location so you can see the locations that this will create. We have the build, for example. cd build,
13:35
oops,
13:37
and we have
13:39
some folders in here.
13:41
Uh,
13:43
test.py.
13:45
And we have more information about this. Ah,
13:48
again, uh,
13:50
more information. You know, just the usual. Here, so let's go to the dist folder here to upload, actually upload this Python executable to our antivirus detection.
14:09
Uh, page,
14:11
oops. What did I do here?
14:15
VirusTotal.
14:18
Okay, uh, let me just wait for this to load.
14:22
And remember, it was this, to push it in.
14:26
And I go here to reverse... this .py. I'm sorry.
14:31
I open it
14:33
and upload it,
14:35
and let's see what the numbers are. Hmm, cross your fingers, you guys. Let's hope that it goes at least below, I don't know, 35. Remember that the very number we got with the other tool was... what was it? 42?
14:54
Yeah, at least below, below 30, we can consider a win here. Or, well,
15:01
well, we might get even way better numbers. Okay, 14! Had shot... 14. In which you actually noticed that? Yeah, 14 engines, 14 antivirus engines actually flagged this as malicious.
15:16
The other 57 missed that one. So yeah, with this we just helped improve all of the other antivirus detection capabilities, because at the end, VirusTotal, what does it do again? As I told you at the beginning, it will tell other antivirus vendors that their engines
15:35
missed
15:35
some really malicious code that was actually trying to,
15:41
well, you know.
15:43
They were not flagged there by their engines, but they were flagged by other engines. So we helped improve security today, guys. So that's the magic of, you know, antivirus avoidance. Yeah, you can use generic, um,
15:58
tools to create your own payloads and encode or encrypt them as much as you want. But, you know, creating your own payloads will largely improve those numbers. So I encourage you to, actually, when you're creating your reverse shells, create your own reverse shell with your own code. That will largely improve
16:17
the, um, your antivirus
16:21
detection capabilities
16:22
so you can go unnoticed when exploiting any system.
16:30
I'm sorry.
16:33
So what is achieved by the Hyperion tool? Well, it's a crypter and an encoder that you can actually use to encode or obfuscate tools or, you know, executables or files.
16:45
This will improve your chances to go unnoticed by antivirus, but just a little bit. If you're using generic tools, most likely your antivirus will, you know, catch your
17:02
payload.
17:03
What is VirusTotal used for? Well, you can actually use it to upload, um,
17:11
files and search for URLs to see if they were flagged as malicious before by other antivirus vendors, or by several antivirus vendors. And you can actually see if you have false positives, or maybe actually something affecting your system.
17:26
In this video, we learned the concepts of this technique, and we implemented some tools and commands to execute this technique. And we saw how malicious it can be. Supplemental materials, as always: ah,
17:40
The Hacker Playbook. Needless to say, you can actually go to the, ah, the main webpage of the tools we're seeing in these videos to get more information, you know,
17:51
applying the technique itself, or getting more concept or context on how to use this technique. The Hacker Playbook is an amazing source, and as always, every possible source in Google and YouTube.
18:03
Well, in the next video, we'll start a new module showing you how to create a buffer overflow exploit from scratch. I mean, we'll try to... we'll understand how to identify
18:18
that something is actually vulnerable to buffer overflow, and we'll start, you know, we'll create our own payload, we'll
18:25
search what's the return address. Remember, we saw that in a previous video, what the return address was, and everything. We'll do that from scratch and we'll create, I guess, our own first exploit by ourselves. So that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor