Serious Discussion: Turtle's Enhanced Realworld Tests (updated)

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
126
This is a test I ran on a Chinese security forum from January 18-23, and I'm carrying it over here so that more people can see it.

In 2020 we tested mainstream security software using the Empire framework (not carried over, I'm just paraphrasing the original) and some of them were able to defend well, while others failed miserably.
Now, almost three years later, we are going to do it again, this time using the more advanced and popular CobaltStrike framework.

Our test will do the following:
1. download the payload to local machine
2. start the payload (may have a loader)
3. payload establish c2 connection (target server is public cloud server)
4. target machine online
5. screenshot the target machine and send to cobaltstrike teamserver
6. teamserver send a command to obtain a txt file in the c drive (simulated data theft)
If the security software blocks any step of the above process in any way (including static scanning/bb/firewall blocking the c2, etc.), the defense is considered successful; only if all steps are executed and still no action is taken is it considered a failure.

This time we prepared 10 samples for testing purposes, all using the CobaltStrike framework.
Sample 1: CobaltStrike HTA (VBA) Payload, which calls VBA to run the Payload after execution.
Sample 2: CobaltStrike Powershell Payload, built using CobaltStrike's own phishing function, no file landing.
Sample 3: CobaltStrike Bitsadmin Payload, built with CobaltStrike's own phishing function; after running, it uses Bitsadmin to download the malicious Payload and assemble it into an exe.
Sample 4: CobaltStrike StageLess EXE, the most basic form of CS backdoor, to examine the strength of the security software's features.
Sample 5: The EXE from sample 4 with Themida protection added, to examine whether the detection capabilities of security software are affected by a protector.
Sample 6: CobaltStrike C Payload loaded by a NIM-generated loader, injected into notepad to launch the Payload.
Sample 7: CobaltStrike C Payload loaded by a NIM-generated loader, using 3DES encryption.
Sample 8: CobaltStrike Powershell Payload loaded by a Veil-generated Go language loader.
Sample 9: CobaltStrike Powershell Payload loaded by a Veil-generated Python language loader, using DES encryption.
Sample 10: CobaltStrike C language Payload loaded by the Go language loader provided by TideSec, using XOR encryption.

Although I am the only one of the participants who is here on MalwareTips, it is right to list their names:
Kafan Malware Test Group: @ShenguiTurmi
Kafan BangBangTuan: @隔山打空气 @呵呵大神001
Participants without team: @東雪蓮Official

Because carrying the screenshots over one by one from the other forum is a lot of work, I will first publish the test results. If you want to see the test screenshots of a particular security software, please reply and tell me, and I will carry those screenshots over.

Test result:

Huorong 🇨🇳:
√ × √ √ √ √ √ √ √ √
Failed(9/10)

Tencent PC Manager(China TAV ver. not BD engine global ver.) 🇨🇳:
√ × √ √ × × × √ × ×
Failed(4/10)

Qihoo 360(China ver. not 360TS) 🇨🇳:
√ √ √ √ × √ √ × × √
Failed(7/10)

WiseVector StopX 🇨🇳:
√ √ √ √ √ √ √ √ √ √
Approved

Kingsoft Duba(China ver. not Kingsoft IS Pro) 🇨🇳:
√ √ √ × × × × × √ ×
Failed(4/10)

Qi-AnXin TianShou 🇨🇳:
√ √ √ √ √ √ √ √ √ √
Approved

Rising V17 🇨🇳:
√ × √ √ × × × √ × ×
Failed(4/10)

HitmanPro.Alert 🇳🇱:
√ √ √ √ √ √ √ √ √ √
Approved

Microsoft Defender 🇺🇸:
√ × √ √ √ × × √ √ ×
Failed(6/10)

Avast One 🇨🇿:
√ √ √ √ √ √ √ √ √ √
Approved

Heimdal 🇩🇰:
× × √ √ √ √ √ √ √ √
Failed(8/10)

F-Secure 🇫🇮:
√ √ √ √ √ √ √ √ √ √
Approved

Norton 360 🇺🇸:
√ √ √ √ √ √ √ √ √ √
Approved

Ikarus 🇦🇹:
√ × √ √ × √ √ √ × √
Failed(7/10)

Kaspersky IS 🇷🇺:
√ √ √ √ √ √ √ √ √ √
Approved

Avira 🇩🇪:
√ √ √ √ √ √ √ √ √ √
Approved

Bitdefender 🇷🇴:
√ √ √ √ √ √ √ √ √ √
Approved

Ahnlab V3 Lite 🇰🇷:
√ √ √ √ √ √ √ √ √ √
Approved

McAfee 🇺🇸:
√ √ √ √ √ × × √ √ ×
Failed(7/10)

Malwarebytes 🇺🇸:
√ × √ √ √ √ √ √ √ √
Failed(9/10)

Panda Dome 🇪🇸:
× × √ × × × × × × ×
Failed(1/10)

TrendMicro 🇺🇸:
√ √ √ √ √ × √ √ √ √
Failed(9/10)

ESET 🇸🇰:
√ √ √ √ √ √ √ √ √ √
Approved

QuickHeal 🇮🇳:
√ × √ √ × × × × × ×
Failed(3/10)

Webroot 🇺🇸:
× × √ √ × × × √ × ×
Failed(3/10)

ZoneAlarm Next-Gen 🇮🇱:
√ × √ √ √ √ √ √ √ ×
Failed(8/10)

Acronis 🇸🇬:
√ √ √ √ √ √ √ √ √ √
Approved

Cisco Immunet 🇺🇸:
× × × × × × × × × ×
Failed

Vibranium 🇮🇳:
× × √ √ √ √ √ √ √ ×
Failed(7/10)

Drweb AVDesk 🇷🇺:
√ √ √ √ √ √ √ √ √ √
Approved

K7 🇮🇳:
√ × √ √ √ √ √ √ √ √
Failed(9/10)

GDATA 🇩🇪:
√ √ √ √ √ √ √ √ √ √
Approved

Emsisoft 🇳🇿:
√ × √ √ √ √ √ √ √ √
Failed(9/10)

VIPRE 🇺🇸:
√ √ √ √ × √ √ √ √ √
Failed(9/10)

TotalDefense 🇺🇸:
√ √ √ √ × √ √ √ √ √
Failed(9/10)

eScan 🇮🇳:
√ × √ √ √ √ √ √ √ √
Failed(9/10)

Adaware Free 🇩🇪:
√ × √ √ × √ √ √ √ √
Failed(8/10)

Comodo IS Pro 🇺🇸:
? × ? ? ? ? ? ? ? ?
Failed(9/10)
NOTE: Comodo did not detect any malicious behavior from start to finish and the test process was carried out completely, but Comodo automatically ran 9 of the samples in its sandbox, so no screenshots or files of the real system were stolen (except for sample 2).

Watchdog Anti-Malware 🇺🇸:
× × × × × × × × × ×
Failed

Zemana Anti-Malware 🇧🇬:
× × × × √ × × × × ×
Failed(1/10)

Zillya 🇺🇦:
× × × × × × × × × ×
Failed

Protegent 🇮🇳:
× × √ × × × × × × ×
Failed(1/10)

Bkav Free 🇻🇳:
× × × × × × × × × ×
Failed
NOTE: During testing, I found that the Bkav Free database has not been updated for a long time, and I'm not sure whether they still maintain the free version.

MaxSecure 🇮🇳:
× × √ √ √ √ √ √ √ ×
Failed(7/10)

Catchpulse Lite 🇸🇬:
√ √ √ √ √ √ √ √ √ √
Failed(FP)
NOTE: CatchPulse prevented the full attack, but it flagged some normal files in my VM as false positives, which shouldn't have happened, so I counted it as a failure.

Source test link (Chinese; login may be required to view the screenshots): 【毒组x帮帮团】如果用攻击企业的方法攻击个人安全软件会怎么样呢? 第三期_国外杀毒软件_安全区 卡饭论坛 - 互助分享 - 大气谦和! ([Malware Test Group x BangBangTuan] What happens if you attack personal security software with the methods used against enterprises? Part 3 - Foreign antivirus - Security section - Kafan Forum)

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,813
Well, no offense, but please try to improve the presentation of your test results; it all looks like a mess, probably just copy/paste, including the signs for passed or failed, which look almost illegible... Not to mention that when browsing on mobile it's like scrolling down endlessly to read the full content of this thread.
The forum software offers a spoiler function, which should help to improve it ;)
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
126
Well, no offense, but please try to improve the presentation of your test results; it all looks like a mess, probably just copy/paste, including the signs for passed or failed, which look almost illegible... Not to mention that when browsing on mobile it's like scrolling down endlessly to read the full content of this thread.
The forum software offers a spoiler function, which should help to improve it ;)
Thank you very much. Next time I will try to make it more readable.
Because the original test results are basically shown in screenshots, it is really difficult to move 450 pictures here at one time. I will learn how to use spoilers. xD
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,813
Because the workload of carrying screenshots one by one from other forums is a bit too much, I will first publish the test results, if you want to see which security software test screenshots, please reply to tell me, I will carry the screenshots over.

Test result:

Emsisoft 🇳🇿:
√ × √ √ √ √ √ √ √ √
Failed(9/10)
@ShenguiTurmi, could you please share the screenshot of the Emsisoft test result here? As far as I understood, Emsisoft failed on sample 2, correct?
Most big players passed this test, so no need to ask for other AVs, at least from my side... Let's wait for other people ;)

I'm sorry I forgot to mention in my first post (#2) that viewing from a mobile phone with the MT forum dark theme made it difficult for me to interpret all the signs correctly,
but now on my laptop I see you added this info for each AV, like: Failed(9/10) 👍
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,816
I saw this test when it was published thanks to @Anthony Qian. This is a very well done realistic test that you won't see often, excluding professional lab tests.
Apart from the products that most of us expect to do well, quite a few AV vendors missed sample number 2 which is a fileless malware. It could mean that these products are overall less effective against fileless threats. Fileless threats are probably less of a worry for home users, but it's worth noting.
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
126
@ShenguiTurmi, could you please share the screenshot of the Emsisoft test result here? As far as I understood, Emsisoft failed on sample 2, correct?
Most big players passed this test, so no need to ask for other AVs, at least from my side... Let's wait for other people ;)

I'm sorry I forgot to mention in my first post (#2) that viewing from a mobile phone with the MT forum dark theme made it difficult for me to interpret all the signs correctly,
but now on my laptop I see you added this info for each AV, like: Failed(9/10) 👍

Here it is :)
[Attached screenshots: 33-1.png through 33-10.png]

btw, I tried the spoiler, but I don't seem to understand how to use it QwQ
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
126
Previous Tests:
EP1&2 are not released here
EP3: 45AVs VS CobaltStrike

Test result (√ means protection success, × means protection failure):
[Image: result-ep4.png]


Test screenshots:

Three years ago, in the first episode, we tested the effectiveness of the Empire framework against personal security software (not released here), and six months ago we tested the effectiveness of the CobaltStrike framework against personal security software (EP3).
Recently I learned that many red teams do not rely heavily on these open source loaders but have pre-configured commercial solutions, and I decided to give that a try.
It just so happens that the author of a commercial AV bypass tool was willing to sponsor me for this test, and I thank him for the bypass tool.
At the same time, a team took over Empire, which had stopped updating, and I decided to add the new version of Empire to the test to see whether any security software had done a better job of defending against it since the previous test.
As the experimental group, we used almost all the personal security software on the market and kept everything at default.

Our test will do the following:
1. download the payload to local
2. start the payload (may have a loader)
3. sample establish c2 connection (target server is public cloud server)
4. target machine online
5. Screenshot of the command issued by C2
6. C2 sends a command to obtain a txt file of the c drive (simulated data theft)
If the security software blocks any step of the above process in any way (including static scanning / HEUR / firewall blocking C&C, etc.), the defense is considered successful; only if all steps are executed and still no action is taken is it considered a failure.

We prepared 10 samples for this test, divided into Scenario-A (CobaltStrike) and Scenario-B (Empire):
Scenario-A sample 1: Based on CobaltStrike, using an XOR-encrypted payload, using direct syscalls to replace the original dependencies, packaged as a .Net executable file.
Scenario-A sample 2: Based on CobaltStrike, using HEX to obfuscate the payload, using direct syscalls to replace the original dependencies, with a fake digital signature, packaged as a .Net executable file.
Scenario-A sample 3: Based on CobaltStrike, AES-encrypted payload, ConfuserEX obfuscated, packaged as a .Net executable file.
Scenario-A sample 4: Based on CobaltStrike, XOR-encrypted payload with a forged digital signature, compiled into an executable using LLVM.
Scenario-A sample 5: Based on CobaltStrike, using an XOR-encrypted payload with Shikata-Ga-Nai obfuscation, compiled into an executable using LLVM.
Scenario-B sample 1: Based on Empire, simulating a Ducky/Teensy BadUSB, using keystrokes to execute the Powershell payload, no binary landing.
Scenario-B sample 2: Based on Empire, packaged as an XSL file and executed by wmic with the Powershell payload, no binary landing.
Scenario-B sample 3: Based on Empire, packaged as an SCT script, Powershell payload executed by regsvr32, no binary landing.
Scenario-B sample 4: Based on Empire, packaged as a VBS script, Powershell payload executed by the script host, no binary landing.
Scenario-B sample 5: Based on Empire, packaged as an XML file, Powershell payload executed by msbuild, no binary landing.
 
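The Scenario-B chains above all share one process-creation shape: a signed Windows binary (wmic, regsvr32, the script host, msbuild) is handed a script file and ends up spawning PowerShell, which is what a defender's telemetry can alert on regardless of the Empire payload inside. An added example, not part of the original post or of Empire/PowerHub: a small Python triage over constructed process-creation events; the event fields, rule names and sample command lines are assumptions made for illustration.

```python
"""Process-creation triage for the Scenario-B execution chains: wmic with an
external XSL, regsvr32 with a scriptlet (SCT), the script host running a VBS,
msbuild with a loose XML project, each ending in a PowerShell child.
Added example; event fields, rule names and sample events are constructed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple


@dataclass
class ProcEvent:
    image: str          # full path of the process that started
    parent_image: str   # full path of the process that started it
    command_line: str

# Signed Windows binaries that should rarely, if ever, spawn PowerShell.
LOLBIN_PARENTS = {"wmic.exe", "regsvr32.exe", "wscript.exe",
                  "cscript.exe", "msbuild.exe", "mshta.exe"}

# /format: is legitimate with built-in names (list, csv, table ...); only a
# URL, a UNC or drive path, or an explicit .xsl file is suspicious.
WMIC_EXTERNAL_XSL = re.compile(
    r'/format:\s*"?([a-z]+://|[a-z]:\\|\\\\|\S*\.xsl)', re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def match_rules(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line
    if image == "wmic.exe" and WMIC_EXTERNAL_XSL.search(cmd):
        hits.append("wmic_external_xsl")
    # Scenario-B sample 3: regsvr32 /i:<scriptlet> with scrobj.dll as COM server.
    if image == "regsvr32.exe" and re.search(r"/i:", cmd, re.I) \
            and re.search(r"scrobj\.dll", cmd, re.I):
        hits.append("regsvr32_scriptlet")
    # Scenario-B sample 5: msbuild handed a loose .xml instead of a .csproj/.sln.
    if image == "msbuild.exe" and re.search(r"\.xml\b", cmd, re.I):
        hits.append("msbuild_inline_task_xml")
    # Common tail of every Scenario-B chain: PowerShell spawned by a LOLBin.
    if image in {"powershell.exe", "pwsh.exe"} and parent in LOLBIN_PARENTS:
        hits.append("powershell_from_lolbin")
    return hits


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Index and rule hits for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_rules(ev))]


# Constructed sample events: four modelled on the Scenario-B chains, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", r"C:\Windows\explorer.exe",
              r'wmic os get /format:"C:\Users\Public\report.xsl"'),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\explorer.exe",
              r"regsvr32 /s /n /u /i:C:\Users\Public\update.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              r'powershell -nop -w hidden -c "Write-Output constructed"'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\explorer.exe", r"MSBuild.exe C:\Users\Public\build.xml"),
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", r"C:\Windows\System32\cmd.exe",
              r"wmic os get caption /format:list"),            # benign built-in format
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),  # benign build
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Scenario-B sample 1 (keystroke-injected PowerShell) has no LOLBin parent and is deliberately outside these rules; it needs PowerShell script-block logging or command-line heuristics instead.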

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
126
@Origami_Alpha tested several enterprise-level security solutions. Considering that the effectiveness of enterprise-level products depends on your setup, I will not include them in the report. It should be noted that these results come from his own policy and are not the default settings.
Crowdstrike (no EDR) 9/10
SentinelOne (no EDR, Sonicwall OEM version) 9/10
Cylance (no EDR) 5/10
Cylance + EDR 10/10
Deep Instinct was not tested because its interception of DLL loads and PowerShell command lines borders on insane when the full protection policy is turned on. I don't see the need for testing it.
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
126

Enhanced Realworld Test EP5 (2023.10)


Previous Tests:
EP1&2 are not released here
EP3: 45AVs VS CobaltStrike
EP4: Discussion Thread - Turtle's Enhanced Realworld Test EP4 (2023.06)

Test result (√ means protection success, × means protection failure):
[Attached result screenshots: QQ截图20231021113909.png, QQ截图20231021113923.png, QQ截图20231021113937.png, QQ截图20231021113947.png]


We've done similar tests 4 times before today, but we always used very popular penetration frameworks and always focused on simulating the early penetration phase.
Today I wanted to make a slight change: after referring to MITRE's testing methodology and considering the ATT&CK matrix a little, let's lean the simulation a bit more toward the later period.
In the meantime, I've learned and used two niche attack frameworks that very few people use, which may be able to simulate the effect of hackers' homebrew tools.

The two penetration frameworks we will use in this test are Nimbo-C2 and PowerHub.
Nimbo-C2, as before, will take on the task of landing and gaining privileges in the first and middle stages of the infiltration, while the addition of PowerHub aims to simulate data theft and lateral movement in the middle and late stages.
Since the simulation of the whole infiltration cycle has been adjusted rather drastically, scoring on the previous basis (a successful check-in plus a single task) is obviously no longer appropriate.
So in this test I redesigned the scoring method to 20 points, but considering that I'm a rookie at simulation and cannot compare my skills with a real APT organization, the passing line is still a full score.
Nimbo-C2 and PowerHub each generate 5 Payloads, and 1 point is deducted for each Payload that is successfully executed and connects to C2; in addition, I designed 5 infiltration objectives for each, and 1 point is deducted for each infiltration objective that is accomplished.

Here is the exact distribution of the total 20 points for this test:
Execute Group-A:
01. Nimbo-C2 generated exe sample, I did not make any additional changes to the code except for modifying the AES-Key and IV, and customizing the path to the persistence target.
02. Nimbo-C2 generated exe sample, obfuscated by Codevirtual virtualization
03. Nimbo-C2 generated exe sample, mutated by VMP, without virtualization
04. Nimbo-C2 generated dll sample, designed to be executed directly by regsvr32, I didn't make any additional changes to the code except for modifying the AES-Key and IV, and customizing the path to the persistence target.
05. Nimbo-C2 generated dll sample, designed to be executed directly by regsvr32, obfuscated by Codevirtual virtualization.
Infiltration purposes:
06. Screenshot, get the screen display while the sample is running
07. Keylogging, turn on keylogging and simulate capturing a password being typed
08. UAC bypass, use Windows design flaws to obtain administrator privileges, to facilitate completing the subsequent objectives
09. Patch AMSI, to create the conditions for Group B's (PowerHub) fileless Payload to run
10. Dump LSASS, dump the process holding key credentials to obtain more information and to prepare for lateral movement
Execute Group-B:
11. PowerHub-generated powershell sample, coded for direct use
12. PowerHub-generated powershell sample, using the obfuscator developed by zc001 (with known flaws, clearly detectable)
13. PowerHub-generated powershell sample, encoded and then encrypted with the DH algorithm to protect the script content, but no obfuscation done
14. PowerHub-generated powershell sample, using the obfuscator developed by am0nsec
15. PowerHub-generated powershell sample, using the obfuscator developed by Matt Graeber
Penetration purposes:
16. GSI, get some information about the system (mainly used here to confirm that the script ran successfully)
17. Code download, get the code for the post-penetration tool from the C2 server in preparation for lateral movement
18. Code execution, the execution of the code obtained in the previous step (this test does not include the simulation of the actual lateral movement, only run the lateral movement tool)
19. Steal Edge browser cryptographic library key
20. Steal Steam SSFN Cookie
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
126
Hum... Free products <> Paid products <> Home products <> Corporate products <> some products with tweaked settings <> Some products with default settings? What the.... is this test???
Well, it's my problem, I didn't explain it well.

The testing wasn't done by me alone, for the Enterprise product I used the configuration that I and the other participants (who were provided with a license for the Enterprise product) use on a daily basis, and didn't intentionally set it to the highest or lowest.

Typically enterprise products don't have default settings (for example, Crowdstrike's default settings won't even enable Anti-Malware), so only a configuration that we use every day could be used.

As for the free versions, most of them have no difference in protection between the free version of the product's functionality and the paid version (something like Kaspersky Free has exactly the same functionality as the paid basic version in terms of protection), while others, such as CatchPulse, have a whitelisting policy for the paid version and have no possibility of testing it.

Regarding the settings of individual products, I usually leave them at default, unless it has default settings that would interfere with testing. For example TrendMicro will automatically switch to High Sensitivity after detecting multiple threats, which is not realistic so I would turn it off.
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,539
Also, we don't allow malware video tests that are not in English, since it's the official language of the forum... We can't understand anything in those tests...

This I can confirm; I tried to watch a video hosted on Bilibili (the Chinese YouTube) and I didn't really understand the site, nor the video :/.
I helped myself with the graph he posted to see the results of the different anti-virus programs.
 
