MITRE ATT&CK™

Advanced adversary tactics and defense evasion: Lab and walkthrough

February 20, 2023 by Bianca Gonzalez

Learn how advanced persistent threat groups use defense evasion to remain undetected in this walkthrough with Infosec Principal Security Researcher Keatron Evans.

What is defense evasion?

Learn how cybercriminals pull off defense evasion through tactics like disabling antivirus software in this episode of Cyber Work Applied.

Defense evasion examples and walkthrough

Below is the edited transcript of Keatron’s defense evasion walkthrough, along with a portion of the code he uses.

Overview of defense evasion lab

(0:00-0:54) Hello, I'm Keatron Evans, and I'm going to show you advanced adversary tactics with defense evasion. Now, this lab is very cool. It’s got a lot of learning points to it because you'll be modifying PAM modules to allow for backdoor passwords to be done.

You'll also be attacking and disabling antivirus so that you can avoid detection while you're planting malware. Now, I want to introduce you to this lab with the hope that you will jump into the Advanced Adversary Tactics Cyber Range yourself right now and take a look at it and work through it.

So let's jump right into it. One of the things I do want to remind you about is all of our labs are mapped to the MITRE ATT&CK framework. And this one maps to evasion and several other things that are related or fall into one of the categories in the MITRE ATT&CK framework.

Taking down a server for defense evasion

(0:55-1:47) So first is the introduction:

In this lab, we'll look at a few assorted methods for defense evasion. The first method presented here is exploitation for defense evasion — that is, exploiting a service to either take it down or take control of it to avoid being detected. Our target server is located at 172.20.0.7. To get started, open the terminal and start Metasploit by running the following command:

msfconsole

Another thing I want to point out is these also map to the NICE Framework nicely, no pun intended. It allows you to make sure that you're getting the knowledge, skills and abilities that you need to map up to specific job roles. So we're going to go ahead and start up Metasploit here.

Starting up Metasploit

(1:48-2:23) I'm just copying and pasting the command.

root@ip-172-20-3-13:/# msfconsole

As you can see, it gives us a green checkmark, which means we did it successfully. Now we're waiting for the terminal to show us that Metasploit has successfully started. And there it is.

As you can see, this is a full environment. It's not a fake automation of the environment because you can control the environment variables and things like you would in a real environment. So that's one of the things that we like about the way we put this together.

Loading an exploit in Metasploit

(2:24-3:04) The next step is to load an exploit. So here you're just loading this ClamAV exploit in Metasploit. And we do that by using the use command in Metasploit.

msf6 > use auxiliary/scanner/misc/clamav_control

Now we've loaded that exploit. Think of picking an exploit as like picking a missile that's a specific form factor — because it's going to penetrate or break into a machine or a service because of its form. So this missile that we just loaded here, this ClamAV missile is constructed specifically to exploit a specific service or specific type of operating system.

Set the target for the exploit

(3:05-4:44) Next, we're going to set the target by setting the RHOST. Step two says that you can get the IP of the target by inspecting the contents of the /etc/hosts file. To read that you can open another terminal and read it, or you can literally type it from right here:

msf6 auxiliary(scanner/misc/clamav_control) > cat /etc/hosts

You can read it right from the Metasploit terminal. You don't have to go out and open another one. It says here that we're looking for the target. So we look at the IP addresses here, and we can see the target is 172.20.25.108.

Alright, so before running the exploit for real, we’ll want to make sure the ClamAV is actually running on the remote server. You can do that by setting the action to version and running the exploit. Now, what we're going to do is set the RHOST. Now it says target IP, which means that we have to set RHOST and then we put in what we have listed here as our target IP, which is 172.20.25.108.

msf6 auxiliary(scanner/misc/clamav_control) > set RHOST 172.20.25.108

Okay, so we've set that variable properly, and then it tells us to go ahead and set the action to version, so I'll copy and paste that.

msf6 auxiliary(scanner/misc/clamav_control) > set ACTION VERSION

I'm showing you here that you have the option to get practice with your chops: you can type the commands out. Or if you're just trying to get through and get the learning objective done, you can copy and paste most of the commands in this environment.

Prepping the exploit

(4:45-5:54) We're then going to go ahead and run the exploit.

msf6 auxiliary(scanner/misc/clamav_control) > run

It says it's 100% complete. To move on to the next step, we need to write the version to the temp version file. We ran the exploit, but we didn't actually exploit anything. We just did a command that checks the exploit to collect the version of the ClamAV it's running. It says to get that we need to echo the version information to a temp file. So we're going to write the version information in there now. We get that version information from right here. So that's going to be 0.103.2, and we write that to the /tmp/version file.

msf6 auxiliary(scanner/misc/clamav_control) > echo "ClamAV 0.103.2" > /tmp/version

As you can see, once we’re successful, it gives us the green checkmark, and then we can move on to the next step.

Shutting down the antivirus

(5:55-7:32) Now this next step says:

Great! We've confirmed that ClamAV is running and vulnerable. Next, let's take down the ClamAV service, set the action to SHUTDOWN and run the exploit again. Lastly, switch the action back to VERSION to confirm the ClamAV service is no longer responding.

So now we can set the action to shut down because we know the version. We verified that, and now we're trying to attack the AV and do something to it. Remember, the whole goal here is to shut the antivirus down so that if we were to deploy some malware or something like that, there's nothing there to detect that. So now we go ahead and run the exploit again:

msf6 auxiliary(scanner/misc/clamav_control) > run

And it says it looks like it successfully shut it down. We want to verify it's not lying to us. So now we could do a couple of things. One is we could set the action back to version.

msf6 auxiliary(scanner/misc/clamav_control) > set ACTION VERSION

By setting it back to version, we can see if it's still running. If it's running, it'll give us a version for now, but if it's not running, it won't respond to that version request anymore. So we set it back to version, and we run it again.

msf6 auxiliary(scanner/misc/clamav_control) > run

We can see that it does not give us a version back, which tells us that it's probably not running. If you want to verify this, we can run this Nmap command and again, you can run Nmap right from within the terminal in Kali here. You don't need to go out and open another terminal.

msf6 auxiliary(scanner/misc/clamav_control) > nmap -p- target -oN /root/nmap.out

We run that, and you can see that the ClamAV port is no longer open.

Evasion in pentesting

(7:33-8:21) So now you've set yourself up to where you could drop anything you wanted on that victim. And all the anti-malware, the ClamAV that they're using, will not be able to detect your malware because it's not running. This is one of the key ways that we in the pentesting world and the APTs do evasion.

So I'm going to stop it right there, but I want you to jump into this lab and see if you can do what I just did. Go on and see if you can do the other exercises as well. They're just as fun and just as rewarding as what you saw me do there. Hopefully, you enjoyed this session. So do me a favor, head on over to our free cybersecurity training resources page and create your free account so you can do exactly what you just saw me do in the Advanced Adversary Tactics Cyber Range. Thanks for watching.
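The clamav_control module in the walkthrough only works because the target's clamd daemon is listening on a network interface; its command protocol has no authentication, so the fix on the defender's side is to keep the control socket local. The following Python script is an added example, not part of the lab or Keatron's walkthrough: it audits a clamd.conf for a TCP control socket that is reachable from other hosts. The configuration bodies are constructed samples.

```python
"""Added example, not code from the lab or the walkthrough: audit a clamd.conf for a
control socket reachable from the network. clamd's command protocol (VERSION, SHUTDOWN)
has no authentication, so anyone who can reach the socket can stop the daemon.
The config bodies below are constructed samples, not a real host's file."""
import ipaddress
from typing import Dict, List

def parse_clamd_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to every value given for it; comments and blanks are skipped."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return directives

def audit_clamd_conf(text: str) -> List[str]:
    """Return findings about clamd listening where remote hosts can reach it."""
    conf = parse_clamd_conf(text)
    findings: List[str] = []
    if "TCPSocket" not in conf:
        return findings  # LocalSocket only: the control channel is not on the network
    port = conf["TCPSocket"][-1]
    addrs = conf.get("TCPAddr", [])
    if not addrs:  # clamd binds every interface when TCPAddr is omitted
        findings.append(f"TCPSocket {port} without TCPAddr: reachable on all interfaces")
    for addr in addrs:  # TCPAddr may be given more than once
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                findings.append(f"TCPAddr {addr}: port {port} reachable from the network")
        except ValueError:
            findings.append(f"TCPAddr {addr}: not an IP literal, check the binding by hand")
    return findings

# Constructed sample: TCP control port with no bind address (network-reachable).
WEAK_CONF = """
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.ctl
TCPSocket 3310
"""
# Constructed sample: same port, loopback only, so scanners on the host still work.
HARDENED_CONF = WEAK_CONF + "TCPAddr 127.0.0.1\n"

if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_clamd_conf(body) or ["no findings"])
```

A host whose audit comes back clean can still be stopped by anyone with local access to the socket, so pairing this with a service-availability alert (the daemon suddenly not answering VERSION) closes the gap the walkthrough exploits.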


Bianca Gonzalez is a writer, researcher and queer Latina brain cancer survivor who specializes in inclusive B2B insights and multicultural marketing. She completed over 400 hours of community service as a college student.