Introduction to Antivirus Evasion Techniques for Command and Control (C2) Servers
A hacker's first goal is to gain remote control of a company network without any administrator noticing; antivirus evasion techniques are used to hide the C2 agent code inside a legitimate program that serves as a back door. The hacker's second goal is to establish an undetected, secure connection to their Command and Control (C2) server.
This article explores the use of Command and Control (C2) servers in hacking efforts and details various methods for evading antivirus detection. What is the process of creating a C2 server? How is a trusted SSL certificate obtained for an undetected reverse shell? How do hackers bypass antivirus protection through DLL injection?
We will also discuss popular techniques for hiding C2 agent code, such as using an Office macro.
Topics covered:
- Creating a C2 server and trusted SSL certificate
- Bypassing antivirus protection with hexadecimal and DLL injection
- Hiding C2 agent code in Office macros
- VirusTotal malware analysis for bypassing Windows Defender Antivirus
- Advanced techniques for hiding and controlling C2 agents
Defeating Windows Defender Antivirus with C2 Agent Code and AMSI Bypass
Hiding a Command and Control (C2) agent and avoiding detection by antivirus software is considered a challenge because the attacker does not know which antivirus product is in use.
The Command and Control (C2) server we chose to use in our lab is based on the PowerShell Empire framework, and the agent code we created is based on PowerShell.
The antivirus in our lab is Windows Defender; however, be aware that the DLL injection techniques we use to bypass Windows Defender Antivirus also work against many other antivirus programs, such as McAfee and CrowdStrike.
Any PowerShell script a user tries to run is checked by Windows Defender Antivirus.
The operating system in our lab is Windows 10, fully updated and open to the internet without any restrictions.
When a user opens the PowerShell console, the file AMSI.dll is loaded into the process, and it verifies that each PowerShell script is free from malware.
Creating a Reverse Shell with a C2 Server and PowerShell Process
This is a technique for remotely controlling a victim's machine through a reverse shell connection. The attacker establishes a command and control (C2) server, which they use to remotely execute commands on the victim's machine; the commands are transmitted over the network using PowerShell.
The attacker can use this technique to remotely access and control the victim's machine, as well as to exfiltrate data from the victim's network.
git clone --recursive https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
sudo poetry install
Creating a Trusted SSL Certificate for Your C2 Server
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
To request a certificate, port 80 must be open:
sudo certbot certonly --standalone --preferred-challenges http -d xxx.westeurope.cloudapp.azure.com
Advanced Techniques: Steps for Hiding and Controlling C2 Agents
- Generate a base64-encoded agent
- Check the C2 agent against VirusTotal (optional)
- Bypass the AMSI (Anti-Malware Scan Interface) feature
- Inject our DLL file into the PowerShell process
- Validate our bypass of AMSI antivirus protection
- Convert the C2 agent code to hexadecimal
- Test our new C2 agent code again using VirusTotal
Antivirus Evasion Techniques: Testing C2 Agent Code Against VirusTotal
PowerShell Empire provides the option to create multiple agents; a new agent's code is encoded only with a base64 encoder.
Without any antivirus evasion techniques, our new C2 agent code is detected as malware when we check it with VirusTotal.
To avoid detection by most antivirus software, the attacker can convert the C2 agent code to hexadecimal and then load it into memory through a variable.
Antivirus Evasion Techniques and VirusTotal Malware Analysis
For educational purposes only!
To bypass almost any antivirus you can use the following lines of code.
To avoid detection by most antivirus software, convert the C2 agent code to hex and then load it into memory using a variable.
The hex code in memory can then be executed with the PowerShell cmdlet Invoke-Expression; running the script executes the C2 agent code and starts the reverse shell. This is called a fileless method.
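Added example (not code from the original article): a small Python detector, written from the defender's side, that scans PowerShell script-block log text for the pattern described above, a long hexadecimal string or 0x byte list sitting next to Invoke-Expression / IEX, and decodes the hex so an analyst can see what was meant to run in memory. The log records, the Decode-Hex helper name inside them, the stand-in agent text and the size thresholds are constructed assumptions; on a real host the text would come from Event ID 4104 script-block logging.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for script content; neither is real agent code.
AGENT_STUB = "Invoke-Expression $agent # constructed stand-in for the agent code"
PLAIN_TEXT = "constructed plain text blob, long enough to trip the hex rule"

# Constructed script-block log records (the text an Event ID 4104 entry would carry).
# 'Decode-Hex' is a hypothetical helper name, not a real cmdlet.
SAMPLE_SCRIPT_BLOCKS = [
    {"id": "evt-1", "script": r"Get-ChildItem C:\Users | Sort-Object Length"},
    {"id": "evt-2", "script": '$h = "' + AGENT_STUB.encode().hex() + '"; Invoke-Expression (Decode-Hex $h)'},
    {"id": "evt-3", "script": "[byte[]] $b = " + ",".join(f"0x{b:02x}" for b in PLAIN_TEXT.encode()) + "; Set-Content notes.bin $b"},
    {"id": "evt-4", "script": r"Invoke-Expression (Get-Content .\build.ps1 -Raw)"},
    {"id": "evt-5", "script": r'Get-FileHash .\setup.msi | Where-Object Hash -eq "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"'},
    {"id": "evt-6", "script": '$h = "' + AGENT_STUB.encode().hex() + '"'},
]

# A run of at least 32 hex byte pairs, or a list of at least 16 0x-bytes.
HEX_STRING = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){32,})(?![0-9A-Fa-f])")
HEX_BYTES = re.compile(r"(?:0x[0-9A-Fa-f]{2}\s*,\s*){15,}0x[0-9A-Fa-f]{2}")
# Ways of turning a string into running code inside the PowerShell process.
EXEC_MARKERS = re.compile(r"\bIEX\b|Invoke-Expression|\.Invoke\(|FromBase64String|-EncodedCommand\b|-enc\b", re.I)
# Things worth calling out if they show up in the decoded blob.
DECODED_MARKERS = re.compile(r"\bIEX\b|Invoke-Expression|Net\.WebClient|DownloadString|WindowStyle\s+Hidden", re.I)
MIN_BINARY_BLOB = 256  # bytes; shorter non-text blobs are almost always hashes (SHA-1/256 are 20/32 bytes)


@dataclass
class Finding:
    record_id: str
    severity: str
    reasons: list = field(default_factory=list)


def looks_like_text(data: bytes) -> bool:
    """True when at least 90% of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= 0.9


def extract_hex_blobs(text: str) -> list:
    """Decode every hex string or 0x-byte list in text and keep those that could carry code."""
    raw_blobs = [bytes.fromhex(m.group(1)) for m in HEX_STRING.finditer(text)]
    for m in HEX_BYTES.finditer(text):
        raw_blobs.append(bytes(int(b, 16) for b in re.findall(r"0x([0-9A-Fa-f]{2})", m.group(0))))
    kept = []
    for raw in raw_blobs:
        if looks_like_text(raw):
            kept.append(("text", raw.decode("utf-8", "replace")))
        elif len(raw) >= MIN_BINARY_BLOB:  # a large opaque blob (e.g. a DLL) is still interesting
            kept.append(("binary", ""))
    return kept


def analyze(record: dict):
    """Return a Finding for one script-block record, or None when nothing stands out."""
    text = record["script"]
    blobs = extract_hex_blobs(text)
    reasons = []
    if blobs:
        reasons.append(f"{len(blobs)} hex-encoded blob(s) that could carry code")
    exec_hit = EXEC_MARKERS.search(text)
    if exec_hit:
        reasons.append(f"dynamic execution marker in script: {exec_hit.group(0)}")
    decoded_hit = None
    for kind, decoded in blobs:
        if kind == "text":
            decoded_hit = DECODED_MARKERS.search(decoded)
            if decoded_hit:
                reasons.append(f"decoded blob contains: {decoded_hit.group(0)}")
                break
    if blobs and (exec_hit or decoded_hit):
        severity = "high"    # encoded content plus a way to run it in memory
    elif blobs:
        severity = "medium"  # encoded content, no execution seen in this block
    elif exec_hit:
        severity = "low"     # Invoke-Expression alone is common in admin scripts
    else:
        return None
    return Finding(record["id"], severity, reasons)


def scan(records: list) -> list:
    """Run analyze() over a batch of records and return only the findings."""
    return [f for f in map(analyze, records) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f.record_id, f.severity, "; ".join(f.reasons))
```

The printable-ratio check and the 256-byte floor are what keep a SHA-256 value in a Get-FileHash comparison (evt-5) out of the results, while a hex blob that only sits in a variable (evt-6) is still rated high once its decoded content shows an execution cmdlet.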
Windows Defender Antivirus didn't detect our new C2 agent code, and now we control our protected Windows machine 🙂
To be sure our new agent code is free from malware, we uploaded the file to VirusTotal; the file was approved as safe to use.
Advanced techniques for hiding and controlling C2 agents
The attacker can hide the payload in legitimate files, such as a PDF or a Microsoft Office document, by embedding the payload in them.
The most commonly used options for hiding a payload:
- An Office file with a macro
- An object embedded in an Office file
- A formula (DDA) in an Office file
- A file downloaded from a link
- A zero-day in a legitimate program
Hiding C2 agent code in Office macros
In our lab environment we chose to use an Office file containing a macro, and we created a PowerShell script containing all the files required to bypass AMSI.dll.
To avoid antivirus detection, we reworked our new payload and packaged the PowerShell script inside an EXE file using the ps2exe module.
When the user runs the macro, a "safe" EXE file is downloaded to their device, and it then downloads all the remaining files automatically.
This technique is called split malware.
What is the split malware technique? The attacker delivers the first part of the malware, which is usually a small, benign-looking file. Once this first part is executed, it downloads and installs the second part of the malware, which is the actual malicious payload. The split malware technique is one of the antivirus evasion techniques.
After 5 seconds, the EXE process stops and deletes itself. The C2 agent runs as a new PowerShell process, which makes reverse engineering happy 🙂
Command and Control (C2) Servers: Persistence and Remote Control
The C2 agent may be killed if the user restarts their PC or if an administrator intervenes. Therefore, it is important to use a persistence method to keep the C2 agent alive.
Persistence method techniques:
- Modifying the system boot process: The attacker can modify the victim's boot process to ensure that the malware is executed each time the machine is booted.
- Startup folder: The attacker can add a shortcut to the malware in the victim's startup folder, causing the malware to be executed automatically each time the machine is started.
- Registry modification: The attacker can modify the victim's registry to ensure that the malware is executed whenever certain conditions are met, such as when a specific application is launched or when a user logs in.
- Creating a scheduled task: The attacker can create a scheduled task that executes the malware at a specific time or on a regular basis.
By using persistence methods, attackers can ensure that their malware remains active on the victim's machine and continues to operate, even if the victim takes steps to remove it.
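Added example (not part of the original article): a Python audit that walks a constructed inventory of the autostart locations listed above (Run keys, the Startup folder, scheduled tasks, and the Winlogon values that shape the boot process) and scores each entry from a defender's point of view: a script interpreter as the launcher, arguments that hide the window or disable policy, a target in a user-writable directory, or an unexpected extra Winlogon entry. The records, names, paths and the flag threshold are made up for the example; on a real host the inventory would come from a collector such as Sysinternals Autoruns.

```python
import re

# Constructed autostart inventory: records of the kind an autoruns-style collector
# would return for the persistence locations discussed above. Every name, path
# and value here is invented for the example.
AUTOSTART_INVENTORY = [
    {"id": "a1", "source": "RunKey", "name": "OneDrive",
     "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": "a2", "source": "StartupFolder", "name": "update.lnk",
     "command": r"powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\agent.ps1"},
    {"id": "a3", "source": "ScheduledTask", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"id": "a4", "source": "ScheduledTask", "name": r"\Updater",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\upd\run.ps1"},
    {"id": "a5", "source": "RunKey", "name": "SecurityHealth",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"id": "a6", "source": "Winlogon", "name": "Userinit",
     "command": r"C:\Windows\system32\userinit.exe,"},
    {"id": "a7", "source": "Winlogon", "name": "Userinit",
     "command": r"C:\Windows\system32\userinit.exe,C:\ProgramData\upd\svc.exe"},
]

# Launchers that run script or arbitrary code rather than a normal application.
INTERPRETERS = re.compile(r"""(?:^|[\\\s"'])(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(?:\.exe)?\b""", re.I)
# Arguments that hide the window, skip the profile, disable policy or pass encoded code.
SUSPICIOUS_ARGS = re.compile(
    r"-(?:windowstyle\s+hidden|w\s+hidden|noprofile\b|nop\b|executionpolicy\s+bypass|ep\s+bypass|encodedcommand\b|enc\b)", re.I)
# Directories an unprivileged user (or a dropped file) can write to.
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|ProgramData|Public|AppData\\Roaming)\\", re.I)
# Expected default values of the Winlogon keys that run code at logon (lower-cased).
WINLOGON_DEFAULTS = {"userinit": r"c:\windows\system32\userinit.exe", "shell": "explorer.exe"}
FLAG_THRESHOLD = 3


def score_entry(entry: dict):
    """Return (score, reasons) for one autostart record."""
    cmd = entry["command"]
    score, reasons = 0, []
    if entry["source"] == "Winlogon":
        expected = WINLOGON_DEFAULTS.get(entry["name"].lower(), "")
        extra = [p.strip() for p in cmd.split(",") if p.strip() and p.strip().lower() != expected]
        if extra:
            score += 3
            reasons.append(f"unexpected Winlogon {entry['name']} entry: {', '.join(extra)}")
    if INTERPRETERS.search(cmd):
        score += 2
        reasons.append("launched through a script interpreter or LOLBin")
    m = SUSPICIOUS_ARGS.search(cmd)
    if m:
        score += 2
        reasons.append(f"suspicious argument: {m.group(0).strip()}")
    if USER_WRITABLE.search(cmd):
        score += 1
        reasons.append("target lives in a user-writable location")
    return score, reasons


def audit(inventory: list) -> list:
    """Score every record and return the ones at or above FLAG_THRESHOLD, highest first."""
    flagged = []
    for entry in inventory:
        score, reasons = score_entry(entry)
        if score >= FLAG_THRESHOLD:
            flagged.append({"id": entry["id"], "source": entry["source"],
                            "name": entry["name"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in audit(AUTOSTART_INVENTORY):
        print(f"{f['id']} [{f['source']}] {f['name']} score={f['score']}: " + "; ".join(f["reasons"]))
```

The scoring is deliberately additive so that a single weak signal (OneDrive under AppData, a1) stays below the threshold, while the combinations the persistence list above produces (interpreter plus hidden-window or policy-bypass arguments, or a second program appended to Userinit) rise above it.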
An attacker may exploit vulnerabilities and move laterally after gaining control of a network. We have provided information on using a C2 server and discussed techniques for evading antivirus detection and hiding C2 agent code.
To detect and protect your network from a PowerShell Empire C2 server, keep reading about our best practices for network protection.