By POST's CyberForensic & Offensive Security Team.
1. Payload crafting
Before any other action, we focused on crafting the payload that would be used in our attack scenarios. We chose a PowerShell stageless reverse HTTPS payload, delivered through an HTA dropper and then executed on the target machine. To do so, we first needed a working payload that would bypass the EDR and AV solutions in place.
PowerShell payloads are increasingly hard to keep undetected because AMSI inspects script content in memory, so encrypting or obfuscating the script on disk has no effect: once the script is decrypted, AmsiScanBuffer() scans its content for known threats. PowerShell version 2, which does not support AMSI, may not be installed on the target machine, and the latest AMSI bypass techniques are well known and detected, so we had to build a payload that would evade detection on its own.
We decided to focus on bypassing Sophos Antivirus, since Sophos implements its own AMSI engine in addition to supporting Windows AMSI.
(Ref. for AMSI support per AV/EDR solution: https://github.com/subat0mik/whoamsi)
To craft our payload, we used Cobalt Strike with a customized template in which we modified the most commonly detected strings and calls (goodbye VirtualAlloc()!). In addition, we created a custom Cobalt Strike profile on our team server, using custom “prepend” and “strrep” settings (among many others) to add or remove specific strings in the generated payload. The same settings are also applied by Cobalt Strike's payload generation during the post-exploitation phase, for persistence and lateral movement.