Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

JoeO_La
Staff

FortiGuard Labs at Blackhat Asia 2020

For those of you attending Black Hat Asia 2020, two members from FortiGuard Labs will be presenting on Friday, October 2nd.

Black Hat Asia 2020 (link to session abstract)

Invoke-AntiVM: A Powershell Module for VM Evasion

Location:  Station 2
Date: Friday, October 2 | 12:00pm-1:00pm

Recently, attackers have been using living-off-the-land tools such as PowerShell, and the community has developed a large arsenal based on it such as - just to mention a few - PowerSploit, Invoke-Mimikatz, PowerUp, Nishang, PowerShell Empire, Invoke-Obfuscation and, recently, Covenant.

With so many options available to attackers, Windows has introduced advanced PowerShell logging capabilities and the AMSI interface. This is not enough, however, because attackers have started to use VM detections within their payloads to thwart analysis; one needs to remember that PowerShell script logging only de-obfuscates the functions that have actually been executed.

Therefore, we wrote a PowerShell module with a set of functions that an attacker or a pentester can import into their PowerShell implant to decide whether the target is a sandbox VM or possibly a real target. In addition to the techniques used in Nishang (Check-VM), which are mostly based on signatures of specific registry keys and process names, we have used a more general – and behavioral – approach which includes all the information from the OS, including, for example, how many programs are installed, what screenshot is used, what network cards are installed, what the usage history of certain applications such as Explorer or Word is, etc.


------------------------------
Joe
------------------------------
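The abstract above notes that Windows' answer to this tooling is PowerShell logging plus AMSI, and that script block logging only ever shows the code paths a payload actually executed. The following is an added example, not code from the forum post, from FortiGuard Labs, or from the Invoke-AntiVM module, showing the defender's side: enabling script block and module logging through the local policy registry keys and then reading back the 4104 events so an analyst can see what a script did on a given host. It assumes an elevated session on Windows 10 / Server 2016 or later with PowerShell 5.1 or newer; the registry paths and the event property layout are the documented ones, and the 50-event cap is an arbitrary choice for this example.

```powershell
# Added example (not from the forum post or FortiGuard Labs): turn on PowerShell script block and
# module logging via the local policy keys, then list recent script block events (ID 4104).
# Assumes an elevated PowerShell session; on a domain-joined host a GPO will override these keys.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: records the de-obfuscated text of each script block as it is compiled.
# Only blocks that actually run are logged, which is why sandbox-evasion branches never show up
# in the log when the payload decides it is inside a VM and exits early.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging: records pipeline execution details for the listed modules ('*' = every module).
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Pull the most recent script block events. For event 4104, Properties[2] holds the script text.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 50 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Collapse whitespace so a multi-line block fits on one row of the table.
    $text = ($_.Properties[2].Value -replace '\s+', ' ')
    [pscustomobject]@{
        Time    = $_.TimeCreated
        # 'Warning' means PowerShell's built-in suspicious-content heuristic fired for this block;
        # those events are written even when the policy above is not enabled.
        Level   = $_.LevelDisplayName
        Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
    }
} | Format-Table -AutoSize
```

The useful habit for triage is to sort the Warning-level rows first: they are the blocks PowerShell itself flagged, and a payload that probes registry keys, process lists or installed-software counts before deciding whether to continue will usually leave that probing visible here even when the later stages never ran because the host looked like a sandbox.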