
Windows Defender flags the monkey as malware #1289

Closed
VakarisZ opened this issue Jul 1, 2021 · 5 comments
Labels
Bug An error, flaw, misbehavior or failure in the Monkey or Monkey Island. Complexity: High Impact: High

Comments

VakarisZ (Contributor) commented Jul 1, 2021

Describe the bug

Monkey binaries are getting flagged on Windows, which causes issues during the installation and run phases of the monkey.

To Reproduce

Steps to reproduce the behavior:

  1. Build monkey agent
  2. Run monkey agent on updated windows-10 machine
  3. See error

[screenshot]

Expected behavior

The binary shouldn't get flagged


Machine version (please complete the following information):

  • OS: Windows 10
VakarisZ (Contributor, Author) commented Jul 1, 2021

Possible solutions:

First and foremost we should consider creating an AV testing environment. So far the candidates:
- OPSWAT cloud with an API
- Creating a couple of VMs in vSphere and installing AVs there
- Creating a couple of instances in GCP and installing AVs there
- Dyncheck API, which costs $20/month

Note that test infrastructure can't have access to the internet or else it might submit samples of monkey to vendors which will cause the monkey to get flagged.

Signing the monkey binaries:

The way both Microsoft and the other security vendors can tell your app from others is well known: it's by including a digital signature with your app that's produced from a code-signing certificate you've acquired from a reputable Certificate Authority which is part of the Microsoft Authenticode group of accepted certificate vendors.

Create a module for binary obfuscation:
Before the first monkey is run on a simulation, the island runs the obfuscation command which does these steps:

  1. Disassemble the previous monkey binary
  2. Obfuscate the binary (some obfuscation techniques I managed to find):
  3. Re-assemble the binary into a new binary which will be used
  4. The obfuscated binary is sent out for running.

Short term solution:

Remove the files shellcode_obfuscator.py, test_shellcode_obfuscator.py and win_ms08_067.py, or change the files enough to avoid the detection (without these files Windows Defender doesn't flag the 64-bit binary as malware during runtime).
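The Authenticode signing step proposed in the comment above, as an added example in PowerShell (this is not Infection Monkey project code). It assumes a CA-issued code-signing certificate with its private key is already installed in the current user's personal store, a hypothetical agent path, and a timestamp server URL that you should replace with the one your CA documents.

```powershell
# Added example, not project code. Assumptions: a CA-issued code-signing
# certificate in Cert:\CurrentUser\My, the built agent at $AgentPath
# (hypothetical path), and a reachable RFC 3161 timestamp server.
function Invoke-AgentSigning {
    param(
        [string]$AgentPath = 'C:\monkey\monkey-windows-64.exe',        # assumed
        [string]$TimestampServer = 'http://timestamp.digicert.com'    # assumed
    )

    # Pick a code-signing cert that is still valid and usable. Self-signed certs
    # are pointless here: reputation only accrues to chains ending in a root
    # that Windows already trusts.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw 'No valid code-signing certificate with a private key in Cert:\CurrentUser\My'
    }

    # SHA-256 digest plus a timestamp, so the signature stays valid after the
    # certificate itself expires.
    $sig = Set-AuthenticodeSignature -FilePath $AgentPath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    if ($sig.Status -ne 'Valid') {
        throw "Signing $AgentPath failed: $($sig.Status) - $($sig.StatusMessage)"
    }

    # Re-read the signature from disk rather than trusting the signer's return value.
    $check = Get-AuthenticodeSignature -FilePath $AgentPath
    [pscustomobject]@{
        File        = Split-Path $AgentPath -Leaf
        Status      = $check.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer      = $check.SignerCertificate.Subject
        Issuer      = $check.SignerCertificate.Issuer
        Thumbprint  = $check.SignerCertificate.Thumbprint
        Timestamped = [bool]$check.TimeStamperCertificate
    }
}

Invoke-AgentSigning | Format-List
```

`Status` reads `Valid` only when the chain builds to a trusted root on the machine doing the check, so run the verification on a clean test VM as well as the build box. Two caveats: a valid signature does not cancel a content-based detection, so a file whose bytes match a Defender signature is still flagged signed or unsigned; signing mainly buys reputation with SmartScreen and cloud protection and lets you prove a quarantined binary was genuinely yours. And once the certificate is in use, keep its private key off developer workstations (hardware token or HSM): a leaked code-signing key lets anyone ship malware that looks like the project's own release.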

VakarisZ (Contributor, Author) commented Jul 2, 2021

A list of potential tools to use:

mssalvatore (Collaborator) commented:
I think that impacket is the thing that defender most often flags. We can use other projects, like smbprotocol in order to avoid tripping defender.


mssalvatore (Collaborator) commented:
Fixed in v2.2.0.

Note that some behaviors/plugins may still trigger Windows Defender, but this means it's doing its job. Installation is not impeded, which was the major issue.
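A scripted version of the isolated AV check proposed earlier in the thread, which also verifies the installation-time claim in the comment above: that the on-disk agent binary is not flagged. This is an added example, not Infection Monkey's own test code. It assumes an elevated shell on a Windows 10 VM with no route to the internet, Defender's Tamper Protection already turned off in the Windows Security app (otherwise `Set-MpPreference` cannot change the cloud settings), and a hypothetical agent path.

```powershell
# Added example, not project code. Assumptions: an isolated Windows 10 VM with
# no internet route, Tamper Protection turned off beforehand, an elevated
# shell, and the built agent at the hypothetical path below.
function Test-AgentDetection {
    param([string]$AgentPath = 'C:\monkey\monkey-windows-64.exe')   # assumed

    # 1. Stop Defender from phoning home so the VM cannot leak the sample:
    #    no cloud lookups (MAPS) and never submit samples to Microsoft.
    Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    $pref = Get-MpPreference
    if ($pref.MAPSReporting -ne 0 -or $pref.SubmitSamplesConsent -ne 2) {
        throw 'Cloud reporting or sample submission is still on; check Tamper Protection.'
    }

    # 2. On-demand scan of just this file (ScanType 3 = custom path scan).
    #    -DisableRemediation keeps Defender from quarantining the sample mid-test.
    $mpcmdrun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpcmdrun -Scan -ScanType 3 -File $AgentPath -DisableRemediation | Out-Null
    $exit = $LASTEXITCODE      # documented: 0 = nothing found, 2 = threat found

    # 3. Collect what Defender recorded for this path, resolving threat names.
    $pattern = [regex]::Escape($AgentPath)
    $hits = Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ' ') -match $pattern } |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                Threat   = $threat.ThreatName
                Severity = $threat.SeverityID
                Detected = $_.InitialDetectionTime
                Resource = ($_.Resources -join ' ')
            }
        }

    [pscustomobject]@{
        File         = $AgentPath
        ScanExitCode = $exit
        Flagged      = ($exit -eq 2) -or [bool]$hits
        Detections   = @($hits)
    }
}

$result = Test-AgentDetection
$result.Detections | Format-Table -AutoSize
if ($result.Flagged) { Write-Error "Defender flagged $($result.File)"; exit 1 }
Write-Host "No on-disk detection for $($result.File); runtime checks still apply."
```

This exercises only the static, on-disk scan, which is the path that was blocking installation. Behaviour-based detections from individual plugins, the ones the comment above says may still fire, only appear once the agent runs, so execute it in the same VM afterwards and re-run the `Get-MpThreatDetection` query to see what tripped. Roll the VM back to a snapshot between runs rather than leaving the relaxed MAPS settings in place.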
