- Feb 28, 2023
- 53
This is the test I did in China security forum from January 18-23, and I'm carrying it over so that more people can see it.
In 2020 we tested mainstream security software using the Empire framework (not carried over, I'm just paraphrasing the original) and some of them were able to defend well, while others failed miserably.
Now, almost three years later, we are going to do it again, this time using the more advanced and popular CobaltStrike framework.
Our test will do the following:
1. download the payload to local machine
2. start the payload (may have a loader)
3. payload establish c2 connection (target server is public cloud server)
4. target machine online
5. screenshot the target machine and send to cobaltstrike teamserver
6. teamserver send a command to obtain a txt file in the c drive (simulated data theft)
If the security software blocks any step of the following process in any way (including static scanning/bb/firewall blocking c2, etc.), the defense is considered successful, and only after all steps are executed and still no action is considered a failure.
This time we prepared 10 samples for testing purposes, all using the CobaltStrike framework.
Sample 1: CobaltStrike HTA (VBA) Payload, which will call VBA to run Payload after execution.
Sample 2: CobaltStrike Powershell Payload, built using the self-contained phishing function, no file landing.
Sample 3: CobaltStrike Bitsadmin Payload, built with its own phishing function, after running, it uses Bitsadmin to download the malicious Payload and combine it into an exe.
Sample 4: CobaltStrike StageLess EXE, as the most basic form of CS backdoor, to examine the strength of security software features.
Sample 5: In sample 4 EXE based on the addition of Themida protection, to examine whether the detection capabilities of security software will be affected by protection.
Sample 6: Payload loaded by NIM generated loader on top of CobaltStrike C Payload, inject to notepad launch Payload.
Sample 7: Payload loaded by NIM generated loader on top of CobaltStrike C Payload, using 3DES encryption.
Sample 8: Payload loaded by Veil generated Go language loader on top of CobaltStrike Powershell Payload.
Sample 9: Payload loaded by Veil-generated Python language loader on top of CobaltStrike Powershell Payload, using DES encryption.
Sample 10: Payload loaded by Go language loader provided by TideSec on top of CobaltStrike C language Payload, using XOR encryption.
Although I am now the only one involved in the test in MalwareTips, it is right to leave their names:
Kafan Malware Test Group: @ShenguiTurmi
Kafan BangBangTuan: @隔山打空气 @呵呵大神001
Participants without team: @東雪蓮Official
Because the workload of carrying screenshots one by one from other forums is a bit too much, I will first publish the test results, if you want to see which security software test screenshots, please reply to tell me, I will carry the screenshots over.
Test result:
Huorong
:
√ × √ √ √ √ √ √ √ √
Failed(9/10)
Tencent PC Manager(China TAV ver. not BD engine global ver.):
√ × √ √ × × × √ × ×
Failed(4/10)
Qihoo 360(China ver. not 360TS):
√ √ √ √ × √ √ × × √
Failed(7/10)
WiseVector StopX:
√ √ √ √ √ √ √ √ √ √
Approved
Kingsoft Duba(China ver. not Kingsoft IS Pro):
√ √ √ × × × × × √ ×
Failed(4/10)
Qi-AnXin TianShou:
√ √ √ √ √ √ √ √ √ √
Approved
Rising V17:
√ × √ √ × × × √ × ×
Failed(4/10)
HitmanPro.Alert
:
√ √ √ √ √ √ √ √ √ √
Approved
Microsoft Defender
:
√ × √ √ √ × × √ √ ×
Failed(6/10)
Avast One
:
√ √ √ √ √ √ √ √ √ √
Approved
Heimdal
:
× × √ √ √ √ √ √ √ √
Failed(8/10)
F-Secure
:
√ √ √ √ √ √ √ √ √ √
Approved
Norton 360:
√ √ √ √ √ √ √ √ √ √
Approved
Ikarus
:
√ × √ √ × √ √ √ × √
Failed(7/10)
Kaspersky IS
:
√ √ √ √ √ √ √ √ √ √
Approved
Avira
:
√ √ √ √ √ √ √ √ √ √
Approved
Bitdefender
:
√ √ √ √ √ √ √ √ √ √
Approved
Ahnlab V3 Lite
:
√ √ √ √ √ √ √ √ √ √
Approved
McAfee:
√ √ √ √ √ × × √ √ ×
Failed(7/10)
Malwarebytes:
√ × √ √ √ √ √ √ √ √
Failed(9/10)
Panda Dome
:
× × √ × × × × × × ×
Failed(1/10)
TrendMicro:
√ √ √ √ √ × √ √ √ √
Failed(9/10)
ESET
:
√ √ √ √ √ √ √ √ √ √
Approved
QuickHeal
:
√ × √ √ × × × × × ×
Failed(3/10)
Webroot:
× × √ √ × × × √ × ×
Failed(3/10)
ZoneAlarm Next-Gen
:
√ × √ √ √ √ √ √ √ ×
Failed(8/10)
Arconis
:
√ √ √ √ √ √ √ √ √ √
Approved
Cisco Immunet:
× × × × × × × × × ×
Failed
Vibranium:
× × √ √ √ √ √ √ √ ×
Failed(7/10)
Drweb AVDesk:
√ √ √ √ √ √ √ √ √ √
Approved
K7:
√ × √ √ √ √ √ √ √ √
Failed(9/10)
GDATA:
√ √ √ √ √ √ √ √ √ √
Approved
Emsisoft
:
√ × √ √ √ √ √ √ √ √
Failed(9/10)
VIPRE:
√ √ √ √ × √ √ √ √ √
Failed(9/10)
TotalDefense:
√ √ √ √ × √ √ √ √ √
Failed(9/10)
eScan:
√ × √ √ √ √ √ √ √ √
Failed(9/10)
Adaware Free:
√ × √ √ × √ √ √ √ √
Failed(8/10)
Comodo IS Pro:
? × ? ? ? ? ? ? ? ?
Failed(9/10)
NOTE: comodo did not detect any malicious behavior from start to finish, and the testing process was carried out completely, but comodo put 9 samples in a sandbox run automatically, so no screenshots or files of the real system were stolen (except sample 2).
Watchdog Anti-Malware:
× × × × × × × × × ×
Failed
Zemana Anti-Malware
:
× × × × √ × × × × ×
Failed(1/10)
Zillya
:
× × × × × × × × × ×
Failed
Protegent:
× × √ × × × × × × ×
Failed(1/10)
Bkav Free
:
× × × × × × × × × ×
Failed
NOTE: During testing, I found that the bkav free database has not been updated for a long time, and I'm not sure if they still maintain the free version.
MaxSecure:
× × √ √ √ √ √ √ √ ×
Failed(7/10)
Catchpulse Lite:
√ √ √ √ √ √ √ √ √ √
Failed(FP)
NOTE:catchpulse prevented the full attack, but it FP some normal files in my VM, which shouldn't have happened, so I counted it as a failure.
Source Test Link (chinese, maybe login require to show screenshot):【毒组x帮帮团】如果用攻击企业的方法攻击个人安全软件会怎么样呢? 第三期_国外杀毒软件_安全区 卡饭论坛 - 互助分享 - 大气谦和!
In 2020 we tested mainstream security software using the Empire framework (not carried over, I'm just paraphrasing the original) and some of them were able to defend well, while others failed miserably.
Now, almost three years later, we are going to do it again, this time using the more advanced and popular CobaltStrike framework.
Our test will do the following:
1. download the payload to local machine
2. start the payload (may have a loader)
3. payload establish c2 connection (target server is public cloud server)
4. target machine online
5. screenshot the target machine and send to cobaltstrike teamserver
6. teamserver send a command to obtain a txt file in the c drive (simulated data theft)
If the security software blocks any step of the following process in any way (including static scanning/bb/firewall blocking c2, etc.), the defense is considered successful, and only after all steps are executed and still no action is considered a failure.
This time we prepared 10 samples for testing purposes, all using the CobaltStrike framework.
Sample 1: CobaltStrike HTA (VBA) Payload, which will call VBA to run Payload after execution.
Sample 2: CobaltStrike Powershell Payload, built using the self-contained phishing function, no file landing.
Sample 3: CobaltStrike Bitsadmin Payload, built with its own phishing function, after running, it uses Bitsadmin to download the malicious Payload and combine it into an exe.
Sample 4: CobaltStrike StageLess EXE, as the most basic form of CS backdoor, to examine the strength of security software features.
Sample 5: In sample 4 EXE based on the addition of Themida protection, to examine whether the detection capabilities of security software will be affected by protection.
Sample 6: Payload loaded by NIM generated loader on top of CobaltStrike C Payload, inject to notepad launch Payload.
Sample 7: Payload loaded by NIM generated loader on top of CobaltStrike C Payload, using 3DES encryption.
Sample 8: Payload loaded by Veil generated Go language loader on top of CobaltStrike Powershell Payload.
Sample 9: Payload loaded by Veil-generated Python language loader on top of CobaltStrike Powershell Payload, using DES encryption.
Sample 10: Payload loaded by Go language loader provided by TideSec on top of CobaltStrike C language Payload, using XOR encryption.
Although I am now the only one involved in the test in MalwareTips, it is right to leave their names:
Kafan Malware Test Group: @ShenguiTurmi
Kafan BangBangTuan: @隔山打空气 @呵呵大神001
Participants without team: @東雪蓮Official
Because the workload of carrying screenshots one by one from other forums is a bit too much, I will first publish the test results, if you want to see which security software test screenshots, please reply to tell me, I will carry the screenshots over.
Test result:
Huorong
:√ × √ √ √ √ √ √ √ √
Failed(9/10)
Tencent PC Manager(China TAV ver. not BD engine global ver.)
:√ × √ √ × × × √ × ×
Failed(4/10)
Qihoo 360(China ver. not 360TS)
:√ √ √ √ × √ √ × × √
Failed(7/10)
WiseVector StopX
:√ √ √ √ √ √ √ √ √ √
Approved
Kingsoft Duba(China ver. not Kingsoft IS Pro)
:√ √ √ × × × × × √ ×
Failed(4/10)
Qi-AnXin TianShou
:√ √ √ √ √ √ √ √ √ √
Approved
Rising V17
:√ × √ √ × × × √ × ×
Failed(4/10)
HitmanPro.Alert
:√ √ √ √ √ √ √ √ √ √
Approved
Microsoft Defender
:√ × √ √ √ × × √ √ ×
Failed(6/10)
Avast One
:√ √ √ √ √ √ √ √ √ √
Approved
Heimdal
:× × √ √ √ √ √ √ √ √
Failed(8/10)
F-Secure
:√ √ √ √ √ √ √ √ √ √
Approved
Norton 360
:√ √ √ √ √ √ √ √ √ √
Approved
Ikarus
:√ × √ √ × √ √ √ × √
Failed(7/10)
Kaspersky IS
:√ √ √ √ √ √ √ √ √ √
Approved
Avira
:√ √ √ √ √ √ √ √ √ √
Approved
Bitdefender
:√ √ √ √ √ √ √ √ √ √
Approved
Ahnlab V3 Lite
:√ √ √ √ √ √ √ √ √ √
Approved
McAfee
:√ √ √ √ √ × × √ √ ×
Failed(7/10)
Malwarebytes
:√ × √ √ √ √ √ √ √ √
Failed(9/10)
Panda Dome
:× × √ × × × × × × ×
Failed(1/10)
TrendMicro
:√ √ √ √ √ × √ √ √ √
Failed(9/10)
ESET
:√ √ √ √ √ √ √ √ √ √
Approved
QuickHeal
:√ × √ √ × × × × × ×
Failed(3/10)
Webroot
:× × √ √ × × × √ × ×
Failed(3/10)
ZoneAlarm Next-Gen
:√ × √ √ √ √ √ √ √ ×
Failed(8/10)
Arconis
:√ √ √ √ √ √ √ √ √ √
Approved
Cisco Immunet
:× × × × × × × × × ×
Failed
Vibranium
:× × √ √ √ √ √ √ √ ×
Failed(7/10)
Drweb AVDesk
:√ √ √ √ √ √ √ √ √ √
Approved
K7
:√ × √ √ √ √ √ √ √ √
Failed(9/10)
GDATA
:√ √ √ √ √ √ √ √ √ √
Approved
Emsisoft
:√ × √ √ √ √ √ √ √ √
Failed(9/10)
VIPRE
:√ √ √ √ × √ √ √ √ √
Failed(9/10)
TotalDefense
:√ √ √ √ × √ √ √ √ √
Failed(9/10)
eScan
:√ × √ √ √ √ √ √ √ √
Failed(9/10)
Adaware Free
:√ × √ √ × √ √ √ √ √
Failed(8/10)
Comodo IS Pro
:? × ? ? ? ? ? ? ? ?
Failed(9/10)
NOTE: comodo did not detect any malicious behavior from start to finish, and the testing process was carried out completely, but comodo put 9 samples in a sandbox run automatically, so no screenshots or files of the real system were stolen (except sample 2).
Watchdog Anti-Malware
:× × × × × × × × × ×
Failed
Zemana Anti-Malware
:× × × × √ × × × × ×
Failed(1/10)
Zillya
:× × × × × × × × × ×
Failed
Protegent
:× × √ × × × × × × ×
Failed(1/10)
Bkav Free
:× × × × × × × × × ×
Failed
NOTE: During testing, I found that the bkav free database has not been updated for a long time, and I'm not sure if they still maintain the free version.
MaxSecure
:× × √ √ √ √ √ √ √ ×
Failed(7/10)
Catchpulse Lite
:√ √ √ √ √ √ √ √ √ √
Failed(FP)
NOTE:catchpulse prevented the full attack, but it FP some normal files in my VM, which shouldn't have happened, so I counted it as a failure.
Source Test Link (chinese, maybe login require to show screenshot):【毒组x帮帮团】如果用攻击企业的方法攻击个人安全软件会怎么样呢? 第三期_国外杀毒软件_安全区 卡饭论坛 - 互助分享 - 大气谦和!
Last edited:
