Windows Defender flags the monkey as malware

Open VakarisZ opened this issue 4 years ago • 4 comments

Describe the bug

Monkey binaries are getting flagged on Windows, which causes issues during the installation and run phases of the monkey.

To Reproduce

Steps to reproduce the behavior:

  1. Build monkey agent
  2. Run monkey agent on an updated Windows 10 machine
  3. See error

Expected behavior

The binary shouldn't get flagged

Machine version (please complete the following information):

  • OS: Windows 10

VakarisZ, Jul 01 '21 08:07

Possible solutions:

First and foremost we should consider creating an AV testing environment. So far the candidates:

  • Opswat cloud with an API
  • Creating a couple of VMs in vSphere and installing AVs there
  • Creating a couple of instances in GCP and installing AVs there
  • Dyncheck API (costs 20$/month)

Note that test infrastructure can't have access to the internet or else it might submit samples of monkey to vendors which will cause the monkey to get flagged.

Signing the monkey binaries:

The way both Microsoft and the other security vendors can tell your app from others is well known: it's by including a digital signature with your app, produced from a code-signing certificate you've acquired from a reputable Certificate Authority that is part of the Microsoft Authenticode group of accepted certificate vendors.

Create a module for binary obfuscation: before the first monkey is run in a simulation, the island runs the obfuscation command, which does these steps:

  1. Disassemble the previous monkey binary
  2. Obfuscate the binary (some obfuscation techniques I managed to find):
    • Change the strings (https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/)
    • Add no-op assembler commands (https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm)
  3. Reassemble the binary into a new binary, which will be used
  4. The obfuscated binary is sent out for running.

Short term solution:

Remove the files shellcode_obfuscator.py, test_shellcode_obfuscator.py and win_ms08_067.py, or change the files enough to avoid the detection (without these files Windows Defender doesn't flag the 64-bit binary as malware during runtime).

VakarisZ, Jul 01 '21 08:07
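The signing proposal in the comment above only helps if the build pipeline actually ships a signed agent, so a release gate that refuses an unsigned artifact is the practical companion to it. The check below is an added example, not code from the Infection Monkey project: it walks the PE headers by hand to the Attribute Certificate Table (data directory entry 4, which holds a raw file offset rather than an RVA) and reports whether a WIN_CERTIFICATE carrying PKCS#7 SignedData is attached. `build_fake_pe` is a constructed, sectionless PE32+ fixture with a placeholder DER blob in place of a real signature; all function names are the example's own.

```python
import struct
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the Attribute Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData blob


def security_directory(pe: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the certificate table, or None when absent.

    Unlike the other data directories, entry 4 stores a file offset, not an
    RVA, because the certificate table is not mapped when the image loads.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                              # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                   # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                 # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", pe, count_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(pe):
        raise ValueError("certificate table points past end of file")
    return offset, size


def authenticode_info(pe: bytes) -> Optional[dict]:
    """Describe the first WIN_CERTIFICATE entry, or None if the image is unsigned."""
    entry = security_directory(pe)
    if entry is None:
        return None
    offset, size = entry
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if length > size:
        raise ValueError("WIN_CERTIFICATE length exceeds directory size")
    blob = pe[offset + 8:offset + length]
    return {
        "offset": offset,
        "size": size,
        "revision": revision,
        "type": cert_type,
        # PKCS#7 SignedData is DER, so the blob must start with a SEQUENCE tag.
        "looks_like_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and blob[:1] == b"\x30",
    }


def build_fake_pe(signed: bool) -> bytes:
    """Constructed PE32+ fixture: valid headers, no sections, optional dummy certificate.

    The certificate blob is a placeholder DER SEQUENCE, not a real signature.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE header follows the DOS header
    opt = bytearray(240)                                  # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    header_len = 64 + 4 + 20 + 240                        # 328, already 8-byte aligned
    blob = b"\x30\x05\x02\x01\x01\x05\x00"                # SEQUENCE { INTEGER 1, NULL }
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    cert += b"\0" * (-len(cert) % 8)                     # table entries are 8-byte aligned
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + (cert if signed else b"")


def check_file(path: str) -> bool:
    """CI gate: True when the build artifact carries an Authenticode certificate table."""
    with open(path, "rb") as f:
        return authenticode_info(f.read()) is not None


if __name__ == "__main__":
    for signed in (False, True):
        print("signed=%s ->" % signed, authenticode_info(build_fake_pe(signed)))
```

Presence of a certificate table is not validity: the blob could be malformed, expired, or chained to an untrusted CA, and this check deliberately does not parse the PKCS#7. Run it as a cheap gate in the build, then validate the chain on a Windows host with `signtool verify /pa /v agent.exe` or `Get-AuthenticodeSignature agent.exe`. Signing itself is `signtool sign /fd SHA256 /f cert.pfx /tr <timestamp server> /td SHA256 agent.exe`; the timestamp matters because the signature must stay valid after the certificate expires.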

A list of potential tools to use:

VakarisZ, Jul 02 '21 07:07
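The "change the strings" step of the obfuscation module sketched in the first comment, worked at the Python source level instead of by disassembling the built binary: the agent is Python packaged into an executable, so rewriting literals before the build is what changes the byte patterns a static scanner matches on. This is an added example, not the project's code and not the tooling from the two linked articles. It rewrites every str literal into a call to a hypothetical decoder `_ds` with an XORed copy, and leaves the literal pieces of f-strings alone because the AST requires those to stay constants. The sample module is constructed. The key is emitted beside every string, so this only changes static patterns and hides nothing from anyone who runs or reads the code.

```python
import ast
import os
from typing import List, Optional

# Decoder prepended to every transformed module. `_ds` is a name chosen for
# this example; it is not part of the project.
DECODER_PRELUDE = (
    "def _ds(b, k):\n"
    "    return bytes(x ^ k[i % len(k)] for i, x in enumerate(b)).decode()\n"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine is inlined in the prelude to undo it."""
    return bytes(x ^ key[i % len(key)] for i, x in enumerate(data))


class StringEncoder(ast.NodeTransformer):
    """Replace every non-empty str literal with `_ds(<xored bytes>, <key>)`."""

    def __init__(self, key: bytes):
        self.key = key
        self.replaced = 0

    def visit_Constant(self, node: ast.Constant) -> ast.AST:
        if not isinstance(node.value, str) or node.value == "":
            return node
        self.replaced += 1
        call = ast.Call(
            func=ast.Name(id="_ds", ctx=ast.Load()),
            args=[ast.Constant(value=xor_bytes(node.value.encode(), self.key)),
                  ast.Constant(value=self.key)],
            keywords=[],
        )
        return ast.copy_location(call, node)

    def visit_JoinedStr(self, node: ast.JoinedStr) -> ast.AST:
        # f-string text pieces must stay ast.Constant; only the {...} expressions
        # (and their format specs) may be rewritten.
        for part in node.values:
            if isinstance(part, ast.FormattedValue):
                self.generic_visit(part)
        return node


def obfuscate_source(source: str, key: Optional[bytes] = None) -> str:
    """Return source with all str literals encoded; a fresh key per build by default."""
    key = key or os.urandom(8)
    tree = ast.parse(source)
    tree = ast.fix_missing_locations(StringEncoder(key).visit(tree))
    return DECODER_PRELUDE + ast.unparse(tree)   # ast.unparse needs Python 3.9+


def literal_strings(source: str) -> List[str]:
    """Plain str literals a static scanner would see (f-string pieces excluded)."""

    class Collector(ast.NodeVisitor):
        def __init__(self):
            self.found: List[str] = []

        def visit_Constant(self, node):
            if isinstance(node.value, str):
                self.found.append(node.value)

        def visit_JoinedStr(self, node):
            for part in node.values:
                if isinstance(part, ast.FormattedValue):
                    self.generic_visit(part)

    collector = Collector()
    collector.visit(ast.parse(source))
    return collector.found


def load_module(source: str) -> dict:
    """Execute transformed source in a fresh namespace to prove it still works."""
    namespace: dict = {}
    exec(compile(source, "<obfuscated>", "exec"), namespace)
    return namespace


# Constructed sample module, not project code.
SAMPLE_SOURCE = (
    'MSG = "Hello, Monkey"\n'
    "def greet(name):\n"
    '    return f"{MSG}, {name}!"\n'
)

if __name__ == "__main__":
    out = obfuscate_source(SAMPLE_SOURCE, key=b"\x5a\xa5\x01")
    print(out)
    print(load_module(out)["greet"]("world"))
```

Because the step runs on the island before each simulation (as the comment proposes), a fresh key per build also makes every shipped agent differ byte-for-byte, which matters for hash-based blocklists but does nothing against behavioural detection. In line with the note about the test infrastructure, never upload the transformed builds to a multi-scanner service to "check" them; that is exactly how the sample reaches vendors.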

I think that Impacket is the thing that Defender most often flags. We can use other projects, like smbprotocol, in order to avoid tripping Defender.

mssalvatore, Mar 24 '22 15:03

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/

mssalvatore, Apr 19 '22 15:04

Fixed in v2.2.0.

Note that some behaviors/plugins may still trigger Windows Defender, but this means it's doing its job. Installation is not impeded, which was the major issue.

mssalvatore, Jun 05 '23 16:06