This information is provided exclusively for the purposes of legitimate penetration testing, education, and further security research. The only way to improve security is by testing it. It's only once we acknowledge a problem (e.g. in a security solution) that we can take steps towards fixing it. Being aware of a potential false sense of security is equally important.
Perfect use case: HTML Smuggling
Image courtesy Microsoft Threat Intelligence.
Email attachments from sources external to an organization are often stripped. That is why a link in the email to a website is usually used to deliver the payload instead. Most large email providers, like Gmail or Outlook, also always strip attachments with troubling extensions.
Above are the detections of one such HTML smuggling project: EmbedInHTML. In practice, an NGFW's detection for this type of payload would be much higher; the antiviruses on VirusTotal aren't as geared towards detecting this type of threat. Even so, we have lots of unwanted detections.
Flying under the radar...
So, the defenders made a move. Now it's the attacker's turn: How might an attacker become fully undetectable (at least... for now)?
Simple, just paste your payload into obfuscator.io then click the "Obfuscate" button!
Pro tip: If you're HTML smuggling a binary file (like an EXE or DLL) then definitely make sure to select the RC4 encryption option under String Array Encoding. This is necessary to remove any last bits of data that NGFWs might use to signal on. Detecting the structure of any executable file (with its
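A defender-side counterpart to the pro tip above, added here as an example and not code from the original post: a scoring heuristic that decodes base64 string literals looking for an executable's "MZ" header or for smuggling API names hidden in an obfuscator.io string array, and falls back to the obfuscator's structural markers once RC4 encoding leaves nothing that decodes. The fixtures, thresholds and pattern list are constructed for illustration, not taken from any real sample.

```python
import base64
import re

# HTML smuggling needs a client-side decode plus a download trigger; these API
# names are the first thing to look for. obfuscator.io hides them (and the
# payload) in a string array but leaves hex identifiers and the array rotation.
SMUGGLING_APIS = ("atob", "Blob", "createObjectURL", "msSaveOrOpenBlob", "download", "click")
OBFUSCATION_PATTERNS = (r"_0x[0-9a-f]{2,}", r"push\(\s*\w+\.shift\(\)\s*\)")
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{12,}={0,2})[\"']")

def decode_literals(html):
    """Bytes behind every base64-looking string literal; RC4 entries yield nothing."""
    out = []
    for lit in BASE64_LITERAL.findall(html):
        try:
            out.append(base64.b64decode(lit, validate=True))
        except ValueError:  # binascii.Error is a ValueError: not base64, skip it
            continue
    return out

def score_html(html):
    """Return (score, findings); score >= 3 is worth a closer look."""
    findings, score = [], 0
    decoded = decode_literals(html)
    if any(d.startswith(b"MZ") for d in decoded):
        findings.append("MZ header inside a base64 literal")
        score += 3
    visible = [a for a in SMUGGLING_APIS if a in html]
    hidden = [a for a in SMUGGLING_APIS if a not in visible and any(a.encode() in d for d in decoded)]
    if len(visible) >= 2:
        findings.append("smuggling APIs in clear: " + ", ".join(visible))
        score += 2
    if hidden:
        findings.append("smuggling APIs in encoded string array: " + ", ".join(hidden))
        score += 2
    markers = [p for p in OBFUSCATION_PATTERNS if re.search(p, html)]
    if markers:
        findings.append("obfuscator.io-style markers: %d" % len(markers))
        score += len(markers)
    return score, findings

# Constructed fixtures, not working payloads: a plain page, one with payload and
# API names in a base64 string array, and one whose entries stand in for RC4 output.
FAKE_PE = base64.b64encode(b"MZ" + b"\x00" * 10).decode()
PLAIN_SAMPLE = ('<script>var b=atob("%s");var f=new Blob([b]);a.href='
                'URL.createObjectURL(f);a.download="x";a.click();</script>' % FAKE_PE)
ARRAY = ('<script>var _0x4a2b=["%s","%s"];(function(a,b){a.push(a.shift())})'
         '(_0x4a2b,0x1f3);var _0x1c=atob(_0x4a2b[0]);</script>')
ENCODED_SAMPLE = ARRAY % (base64.b64encode(b"createObjectURL").decode(),
                          base64.b64encode(b"msSaveOrOpenBlob").decode())
ENCRYPTED_SAMPLE = ARRAY % ("!not-base64-1!", "!not-base64-2!")
```

The third fixture is the point of the page: once the string array is RC4-encoded, neither the MZ header nor the API names decode, and only the obfuscator's own structural markers are left to score on.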
Florian Roth (@cyb3rops), a well-known detection engineer in the security space, acknowledged this hole in detection two days after this post went live.
Okay, I just checked and so far we have posted 96,387,836 comments on @Virustotal
— Florian Roth (@cyb3rops) August 17, 2023
A few years ago, when I first came across this method for evading detection, the original output from obfuscator.io did indeed get caught by VirusTotal. However, after applying my "pro tip" the sample was fully undetected.
Trying this method out again today, I wondered why my sample was fully undetected by VirusTotal even without my "pro tip". After all, detection is supposed to get better over time, not worse! I'm glad to have this question answered now.
Detection software (such as antivirus, endpoint detection and response, and next-generation firewalls) should only be used as part of a more holistic defense-in-depth security strategy. This is primarily because security through detection is a cat-and-mouse game. If 'real' security is what you want then have a look at my binary exploitation or Qubes OS content (upcoming).