Antivirus Evasion Techniques,C2 Servers,how to protect your network

Listen to the article
Voiced by Amazon Polly

Introduction to Antivirus Evasion Techniques for Command and Control (C2) Servers

Hackers first goal is to control remotely on company network without any admin interruption, hackers can use Antivirus Evasion Techniques to hide c2 agent code inside legit program use for back door, Hackers second goal is to establish undetected secure connection to there Command and Control (C2) Servers.

This article explores the use of Command and Control (C2) servers in hacking efforts and details various methods for evading antivirus detection. what is the process of creating a C2 server? and how to obtaining a trusted SSL certificate for undetected reverse shell?, how hackers bypassing antivirus protection through DLL injection?

we will discusses popular techniques for hiding C2 agent code, such as using Office macro

topics we will be covered:

  • Creating a C2 server and trusted SSL certificate
  • Bypassing antivirus protection with hexadecimal and DLL injection
  • Hiding C2 agent code in Office macros
  • Virustotal malware analysis for bypassing Windows Defender Antivirus
  • Advanced techniques for hiding and controlling C2 agents
Command and Control (C2) Servers C2 Beaconing traffic
Command and Control (C2) C2 Beaconing

Defeating Windows Defender Antivirus with C2 Agent Code and AMSI Bypass

Furthermore, hiding a Command and Control (C2) agent and avoiding detection by antivirus software is considered a challenge because the type of antivirus is unknown to the attacker.

The Command and Control (C2) server we chose to use in our lab is based of PowerShell Empire framework , the agent code we created is based of PowerShell.

The Anti-virus in our lab is Windows Defender, however, be aware that the DLL injection techniques we use to bypass Windows Defender antivirus also work for many other antivirus programs such as McAfee and Crowdstrike.

any PowerShell script users try to run checks by Windows Defender Antivirus

The Operation system in our lab is windows 10 full update opened to the internet without any restriction

When a user opens the Powershell console, the file name AMSI.dll is loaded into memory and verifies that each Powershell script is free from malware.

antivirus AMS protection, scan powershell script
PowerShell scripts scanned by anti virus

Creating a Reverse Shell with a C2 Server and PowerShell Process

A technique for remotely controlling a victim’s machine using a reverse shell connection. The attacker establishes a command and control (C2) server, which they can use to remotely execute commands on the victim’s machine. The commands are transmitted over the network using PowerShell,

The attacker can use this technique to remotely access and control the victim’s machine, as well as exfiltrate data from the victim’s network.

git clone –recursive https://github.com/BC-SECURITY/Empire.git
cd empire
sudo ./setup/install.sh
sudo poetry install

Creating a Trusted SSL Certificate for Your C2 Server

sudo add-apt-repository ppa:certbot/certbotsudo apt-get updatesudo apt-get install certbotTo request a certificate, it is required to open Port 80sudo certbot certonly –standalone –preferred-challenges http https://xxx.westeurope.cloudapp.azure.com

Advanced Techniques steps for Hiding and Controlling C2 Agents

  1. Generate base64 agent
  2. check c2 agent against VirusTotal (optional)
  3. bypass AMSI (Anti-Malware Scan Interface) feature
    1. Injecting our dll file into PowerShell process
    2. Validate our bypass of AMSI anti-virus protection
  4. Convert c2 Agent Code to Hexadecimal
  5. Test again our new c2 agent code using Virustotal

Antivirus Evasion Techniques,Test c2 agent code against Virus Total

PowerShell empire provide option to create multiple agents, new agent code encode only with based64 encoder.

encode Base64, evade detection by Anti virus software
hide payloads using base64 encoding

Without any Antivirus Evasion Techniques, our new C2 agent code is detected as malware when we check it using VirusTotal.

detect powershell empire agent using virus total
Virus Total detect our Powershell empire c2 agent

to avoid detection by most antivirus software, the attacker can convert the C2 agent code to hexadecimal and then load it into memory using a variable.

Antivirus Evasion Techniques and Virustotal malware analysis

for education purpose only!

to bypass almost any antivirus you can use this lines of code

bypass antivirus with dll injection
Antivirus Evasion Techniques bypass AMSI protection

To avoid detection by most of antivirus software, convert the c2 agent code to hex and then loaded it into memory using variable.

the hex code in memory can execute using powershell module invoke-expression, run the script will execute the c2 agent code start the reverse shell , this method called file less method,

Windows Defender Antivirus didn’t detect our new C2 agent code and now we control our windows protected machine 🙂

To be sure our new agent code is free from malware, we uploaded the file to VirusTotal, the file was approved as safe to use.

Antivirus Evasion Techniques using different tools and techniques
Antivirus Evasion Techniques bypass multiple antivirus

Advanced techniques for hiding and controlling C2 agents

The attacker can hide the payload in legitimate files, such as a PDF or Microsoft Office document, by embedding the payload in them.

the most used options to hide a payload:

  • Office File with Macro
  • object in an office file
  • formula (DDA) for office file
  • download file from link
  • zero day on legit program

Hiding C2 agent code in Office macros

In our lab environment we chose to use an office file containing a Macro, we created PowerShell script containing all the necessary file required to bypass AMSI.dll.

to avoid anti-virus detection, we play with our new payload and put our PowerShell script inside EXE file using ps2exe module.

Antivirus Evasion using hidden exe in macro file

When the user runs the macro, a “safe” exe file will download to their device and then all necessary files will download automatically.

This technique is called split malware.

what is split malware technique? The attacker delivers the first part of the malware, which is usually a small and benign-looking file. Once this first part is executed, it downloads and installs the second part of the malware, which is the actual malicious payload.

split malware technique use for Antivirus Evasion Techniques

After 5 seconds, the exe process will stop and delete itself. The c2 agent will run as a new PowerShell process, making reverse engineering happy 🙂

Command And Control (C2) Servers persistence and remote control

The c2 agent may be killed if the user restarts their PC or if an administrator intervenes. Therefore, it’s important to use a persistence method to keep the C2 agent alive.

A persistence method technique:

  • Modifying the system boot process: The attacker can modify the victim’s boot process to ensure that the malware is executed each time the machine is booted.
  • The attacker can add a shortcut to the malware in the victim’s startup folder, causing the malware to be automatically executed each time the machine is started.
  • The attacker can modify the victim’s registry to ensure that the malware is executed whenever certain conditions are met, such as when a specific application is launched or when a user log in.
  • Creating a scheduled task: The attacker can create a scheduled task that executes the malware at a specific time or on a regular basis.

By using persistence methods, attackers can ensure that their malware remains active on the victim’s machine and can continue to operate, even if the victim takes steps to remove the malware.

powershell empire c2 server, modules and persistence and Antivirus Evasion Techniques
c2 server control windows 10 remotely

Summary

An attacker may exploit vulnerabilities and move laterally after gaining control of a network. We provided information on using a C2 server and discussed techniques for evading antivirus detection and hiding C2 agent code

to detect and protect your network from powershell empire c2 server, keep reading about our best practices for network protection

Like this article?

You may also enjoy these articles

SearchSploit: Guide to Exploit Database Search

Searchsploit is a command-line tool that allows users to search the Exploit Database, which is a repository of publicly disclosed vulnerabilities and exploitation techniques. It

fuzzing with ffuf tool

Guide to FFUF tool – Web Application Fuzzing

FFUF is a powerful and flexible open-source tool for performing web application fuzzing. Whether you’re a security professional looking to identify vulnerabilities or a developer

Guide to sqlmap tool – sql injection

SQLmap is an powerful open source tool used by hackers to detect and exploit SQL
injection flaws. SQLmap automates the process of detecting and

Hydra

Hydra tool make password cracking to easy task, hydra can brute Force multiple protocols and services like ftp irc ldap2[s] ldap3 mongodb mssql mysql

Scroll to Top