Add new evasion module type plus a couple of modules

[wchen-r7]

A little DerbyCon surprise.

This pull request adds a new module type to Framework, called "evasion". The purpose of the evasion module type is to allow developers to build executables specifically to evade antivirus, and hopefully this creates a better pentesting experience for the users.

The PR also comes with two modules that serve as examples. The first one generates an EXE that utilities these techniques: shellcode encryption, code randomization, and a little anti-emulation. For more information about techniques, please check Framework Uncyclo. The second module uses a JS.Net script that's embedded in a HTA file, which gets compiled and executed on the target machine.

Here's a demonstration:

[busterb]

It's not clear if we need this for an evasion module, since we're not trying to pair it with an exploit.

[wchen-r7]

Good catch there. Evasion works best with encrypted payloads and I forgot to actually use this method. Should work now. Thanks.

[busterb]

Nice work @wchen-r7 ! A comment we got while demoing evasion modules was that it would be nice to be able to enable it on regular payloads, like with 'set evasion windows_defender' and it would use the module to modify the payload, similar to an encoder. Not really a blocker here, but something to think about for later.

[h00die]

I thought a/v evasion was one of the big reasons to buy msfpro, Am i confusing something?

[bcoles]

@h00die quick, merge it before r7 realizes it's public.

[wchen-r7]

I thought a/v evasion was one of the big reasons to buy msfpro, Am i confusing something?

We'd like to improve the experience for all Metasploit users, this includes commercial and framework users.

A comment we got while demoing evasion modules was that it would be nice to be able to enable it on regular payloads

That could be on the road map. Thanks for the feedback.

[h00die]

Ninja merge incoming since @bcoles (kind of) approved it!!!

(Kidding, also apologies for the insensitive comment. While meant in jest, it was insensitive especially considering the climate in the states. Sorry to anyone who was offended, it wasn't cool or professional in any way shape or form.)

[0x27]

Suggestion/Query: could this be leveraged by exploit modules that drop an executable file to disc and then execute them? (thinking Command Stager ones) to avoid getting wrecked by AV during exploitation?

[busterb]

I wanted to give this a bit of time for review, but don't worry, it's not going away. Feel free to provide any constructive feedback @h00die, and thanks for the interest.

You can see some more info on this talk at the Metasploit Town Hall 0x4 at Derbycon today: https://youtu.be/4JZlhIj002k?t=1202

[wchen-r7]

Suggestion/Query: could this be leveraged by exploit modules that drop an executable file to disc and then execute them? (thinking Command Stager ones) to avoid getting wrecked by AV during exploitation?

Yes, it could do that, just not now. As a matter of fact, this has been reminded a couple of times so sounds like it's definitely valuable to implement something like that. Thanks for the feedback.

[Green-m]

I am glad to see this big surprise!
Since there are many antivirus tools, such as AVET, Veil, now we could integrate these into evasion modules, that's very convenient and could keep update for best performance of antivirus.

I love this PR, and I think I could do more contributions for new modules.
Thank you very much @wchen-r7!

[bcoles]

+1 for implementing evasion as part of msfvenom / metapsloit-payloads so the remainder of the framework benefits.

[busterb]

I'm going to land this now, so people can start playing with it in master. Thanks for all of the comments!

Thanks @space-r7 and @wchen-r7 !

[busterb]

Release Notes

This adds a new "evasion" module type to Metasploit Framework, allowing developers to build executables specifically to evade antivirus, and two initial evasion modules using different techniques of evasion. The framework allows users to more easily integrate external tools and write their own evasion modules as well.

[ccondon-r7]

@h00die - The new module type is the culmination of months of research on evasion techniques and results, and a whole bunch of teams across Rapid7 have been engaged and supportive throughout the process. This isn't a rogue move! As Wei noted, the goal here was to improve evasion for all Metasploit users, including Metasploit Pro customers. The engineering output (i.e., the new module type) looks different in Framework because there was so much emphasis on extensibility. As always, we want the Framework community to be able to build on top of and bring their own perspective to the work the Metasploit engineering team does...which I know you know already, so I'll stop talking and let folks get back to experimenting with the new module type!

[pussinboots1992]

@wchen-r7, did you customize the metsrv.dll ? I see you had warnings...The module currently doesn't evade an up to date Defender. Which components must be further customized to avoid being caught...The meterpreter_loader.rb, using a custom encoder/stub/loader ? Any tips ?

[Sonya2010]

With which version of msf that evasion module is shiping I have 4.17.26-dev on kali but there is not any module like evasion ?? Can you point out exactly?

[pussinboots1992]

You need v5 (dev version)

[Sonya2010]

You need v5 (dev version)

I googled for while but couldn't find it, How am I supposed to download and install it in kali linux 2018 rolling ?

[david-shearwater]

You need v5 (dev version)

I googled for while but couldn't find it, How am I supposed to download and install it in kali linux 2018 rolling ?

git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
bundle install 

[docsewell]

I've tried this, and it is already being caught by Windows Defender and Trend Micro.

[Sonya2010]

@docsewell I can also confirm that it is not detected by Norton 360 but caught by 360 Total Security, quite interesting I pay for Norton 360 but 360 Total Security is free.