Bypass AV with Chimera (PowerShell Obfuscator)

Video Statistics and Information

Captions
Hello everyone. In this video I wanted to go over this tool that I found called Chimera. This is a PowerShell obfuscator script that's designed to bypass antivirus by using techniques such as string substitutions and variable concatenations. I'm going to be demonstrating this by using a simple reverse shell script that you can find on something like Reverse Shell Generator; they have a section there for PowerShell scripts, and specifically we'll just be using the second version. Another tool I'll be using is a reverse shell generator called HShell, and the payload it creates we'll be putting into Chimera to obfuscate it even more. I'll be demonstrating what the detection rates are before and after, so you get a sense of whether you can run it with antivirus still enabled or whether it will get detected.

All right, so let's get started by first downloading this on our Kali machine. We can do that by just copying and pasting this section right here. I already did that, and I'm left with a folder like this which has my Chimera executable. We can test this out by running it with the help flag and see what kind of arguments we can pass in. I already have a write-up for what arguments I use, and you can also find that in their usage guide, which explains what each of these does in more depth.

So the reverse shell we'll be using is from this website here, like I mentioned. We can do that by first specifying the IP address and port we want to use, and also the listener that we want set up; in this case I'm just going to be using ncat and 8080. This is our payload here, and what we'll do first, just to test everything out, is save this to a .ps1 file. Hold on, I think I'm missing a key there. Put this on our desktop; we'll just call it test.ps1. Right away we can see in the bottom-right window that it detected it; it flagged it as being malicious. Temporarily we'll just disable this for now, and then we'll turn it on afterwards when we try to run Chimera itself, mainly because I want to try and upload this to VirusTotal. All right, so we got 22 detections just off of that script, and it also disappeared, so let me see if I can save it again here. Now, here we go.

So what we'll have to do is get this onto our Kali machine so we can use Chimera. Simply, what we can do here is go into the shells folder and then make, or just paste, the payload straight in here. We'll call this powershell1 and just paste this into there. There we go, exit out of that, so if you cat that out, there's our script.

All right, so let's go back into the folder before this and then start to use Chimera on this file. So let me go over the arguments we'll be using: -f to specify the file, this is in our shells folder and it was powershell1, this one; then the -l argument is for the level, in this case we'll just be using level three, but it can go up to four for how much you want to obfuscate it; after that I like to use the -a argument for all, or most, of the techniques to use; and then lastly the output of the payload, I'll just stick it into our temp folder and call it powershell_obf. Look over here, here we go. I think maybe, let me just fix this part right here, it's dot, there we go, all because I didn't have the period right in front of it. All right, so that is the payload already there, but I already output it to this folder, and here's the simplest way I know how to get it onto my virtual machine: cd into the temp folder, and there it is, and then from there I'm just going to run a simple Python server on port 80 and download the payload from there directly. See what this file looks like now: it's all this bunch of mess right here. So let's throw that into VirusTotal now and see what it looks like. One detection so far, two, okay, two. So not perfect, but I'm pretty sure if I enable antivirus now and try to run it I'll be able to get a reverse shell. So that's antivirus turned on, and let's try to run it.

Make sure Netcat is listening first. We don't need this Python HTTP server anymore. Let's now run the Netcat listener; all I did was just put it on 8080. We'll do ncat -lvnp, it's listening, and let's just run this. Did not work. Why? Let's try to run it from here then. Oh, I see, it says it's not digitally signed, you cannot run scripts on this system. So we'll have to try to get past this somehow by changing the execution policy, or I think another way to bypass it is checking this Unblock box. Try one more time. No, looks like we'll still need to allow scripts to run on the system, so what we're going to need to do is run Set-ExecutionPolicy Bypass, and then let's try to run this one more time. Oh no, we get that the script is malicious. That's not good. So that's the downside of these reverse shells that you get right off the internet: even though you try to mask it or hide it using Chimera, it can get detected. I'm not too sure why it's not running now, but last time I did this it ran, even with antivirus still on. We can try a different payload or go more into this, but let's just skip right into the next tool for creating our own payloads, using HShell.

Okay, so let's get HShell installed now on our Kali machine. I already have it installed, and here's the Python executable, but if you wanted to install it, here is their GitHub, and it's just a simple git clone along with installing the requirements through pip. Okay, so let's run this now and see what kind of arguments we can pass to it. What we'll need to do is specify the raw payload so we can use that to put it into Chimera. We can also use something like ngrok to capture the payload over a secure tunnel. We'll do ngrok and then we'll try -r for the raw payload. Okay, and here it is, so let's put this into a .ps1 file now so we can run it through Chimera. Okay, that's in there now, so try to cat that out and see what it looks like.

All right, now let's try to run Chimera on this. You see I already tried doing this before, and the new file we created has the 1 at the end here. We'll be using level three, the same as the previous command, but I'll up the level to the highest one, level four, to see if we can get exactly zero detections doing that or not. The output is the HShell obfuscated file in the temp folder. And it didn't run; let's see why. Oh, that's right, the payload is in the .ps1 file. Good, perfect. Let's go into that temp folder and start up that Python server so we can get that onto our victim machine. Now antivirus is still on. Refresh this, and we'll see this is our file here. So we did get a detection on antivirus here, but let's see if we can run it. Okay, and we got our callback. Let's try to list the stuff in the Downloads folder; there we go. Try to run a command like calc, and there you go, Calculator is opening up on the victim machine. We got a reverse shell past antivirus; even though it did get warned, the file still ran. Okay, thanks for watching guys, and catch you on the next one. Have a good one.
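To make the two techniques the video names concrete, here is an added example written for this page; it is not Chimera's code and not anything shown in the video. In Python, it implements a toy version of string substitution (string literals, cmdlet names, type names and method names become `("a"+"b")` concatenations, invoked through `&` or `.()`) and variable renaming on a constructed, harmless PowerShell snippet, and then a `normalize` function that undoes those tricks so a string scanner sees the original tokens again. The sample script, the `INDICATORS` list and every function name here are assumptions made for the example.

```python
import random
import re

# Constructed, harmless PowerShell sample with the shape of a TCP stager:
# it opens a socket and stops there. It is not the video's payload.
SAMPLE = (
    '$client = New-Object -TypeName System.Net.Sockets.TCPClient -ArgumentList "10.0.0.5", 8080\n'
    '$stream = $client.GetStream()\n'
)

# Plain-text tokens a naive string-signature scanner might key on. Constructed
# for this example; it is not any AV vendor's signature set.
INDICATORS = ("New-Object", "TCPClient", "GetStream")

_ALPHA = "abcdefghijklmnopqrstuvwxyz"
_CONCAT = re.compile(r'\("([^"]*)"\+"([^"]*)"\)')


def _split(s: str, rng: random.Random, lo: int = 1) -> str:
    """Return s as a parenthesised PowerShell concatenation, e.g. ("Get"+"Stream").
    The cut index is drawn from [lo, len(s)-1] so both halves are non-empty."""
    cut = rng.randint(lo, len(s) - 1)
    return f'("{s[:cut]}"+"{s[cut:]}")'


def obfuscate(script: str, seed: int = 7) -> str:
    """Apply the two static techniques the video names, string substitution and
    variable renaming. The output is still valid PowerShell: & invokes a command
    by computed name and $obj.("Name")() invokes a method by computed name."""
    rng = random.Random(seed)
    out = script
    # 1. string literals:   "10.0.0.5"   -> ("10."+"0.0.5")
    out = re.sub(r'"([^"\\]{2,})"', lambda m: _split(m.group(1), rng), out)
    # 2. cmdlet names:      New-Object   -> &("New-"+"Object")
    out = re.sub(r'\b([A-Z][a-z]+-[A-Z][A-Za-z]+)\b',
                 lambda m: "&" + _split(m.group(1), rng), out)
    # 3. type names after -TypeName; the cut lands inside the last dotted segment
    #    so the class name itself (TCPClient) never survives as one token
    def split_type(m):
        t = m.group(2)
        return m.group(1) + _split(t, rng, lo=min(t.rfind(".") + 2, len(t) - 1))
    out = re.sub(r'(-TypeName\s+)([\w.]{2,})', split_type, out)
    # 4. method calls:      .GetStream() -> .("Get"+"Stream")()
    out = re.sub(r'\.([A-Za-z]\w+)\(', lambda m: "." + _split(m.group(1), rng) + "(", out)
    # 5. variables:         $client      -> $qzkwmxpa (same new name for every use)
    names = {}
    def rename(m):
        v = m.group(0)
        if v not in names:
            names[v] = "$" + "".join(rng.choice(_ALPHA) for _ in range(8))
        return names[v]
    return re.sub(r"\$[A-Za-z_]\w*", rename, out)


def normalize(script: str) -> str:
    """Undo the static tricks so a scanner sees the original tokens: fold
    concatenations, drop the & and .() indirection with the quotes they needed,
    and map variables to $v0, $v1, ... in order of first appearance."""
    out = script
    while _CONCAT.search(out):
        out = _CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', out)
    out = re.sub(r'&\s*"([^"]+)"', r"\1", out)               # &"New-Object" -> New-Object
    out = re.sub(r'\."([^"]+)"\(', r".\1(", out)             # ."GetStream"( -> .GetStream(
    out = re.sub(r'(-TypeName\s+)"([\w.]+)"', r"\1\2", out)  # quoted type name -> bare
    names = {}
    return re.sub(r"\$[A-Za-z_]\w*",
                  lambda m: names.setdefault(m.group(0), f"$v{len(names)}"), out)


def visible_indicators(script: str) -> set:
    """Indicator tokens that appear as contiguous plain text in the script."""
    return {t for t in INDICATORS if t in script}


if __name__ == "__main__":
    obf = obfuscate(SAMPLE)
    print(obf)
    print("visible before normalising:", visible_indicators(obf))
    print("visible after normalising: ", visible_indicators(normalize(obf)))
    print("same script once normalised:", normalize(obf) == normalize(SAMPLE))
```

The `normalize` half is the caveat the video itself runs into. These are purely textual transformations: they change the file hash and defeat naive string signatures (the indicator set is empty after obfuscation), but they are trivially reversible, and PowerShell has to evaluate the script back to its original form in order to run it, which is exactly where AMSI and behavioural detection inspect it. That is consistent with the video's result: the Chimera output scored lower on VirusTotal but was still flagged at execution time. For the same reason `Set-ExecutionPolicy` is not a security control; it only decides whether unsigned scripts are loaded and can be overridden per process, so getting past it says nothing about whether the AV will let the script run.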
Info
Channel: InfoSec Abdul
Views: 1,478
Keywords: Cybersecurity Command, Powershell, Antivirus Bypass, Reverse Shell, Malware Detection, Chimira, HShell, Reverse Shell Generator, Powershell Obfuscator, Security Tools, Tutorial, HowTo, Demonstration, InfoSec Tutorial, Coding, Scripting, Powershell Script, Netcat, Listener, Penetration Testing, Payload Testing, Malware Analysis, Kali Linux, Linux Security, Security Awareness, Secure Your System
Id: mUxBldesvAI
Length: 16min 39sec (999 seconds)
Published: Mon Nov 13 2023