Binary File Patching – Echo Command

Here is a single line Windows batch command which renames and patches a binary in order to avoid detection.

The Problem

Many detections that look for malicious or uncommon usage of built-in Windows tools/utilities (i.e. attackers living-of-the-land) depend on well-known file/process names (ex. powershell.exe). But, if defenders are also monitoring for the well known checksums of those utilities for detection, simply renaming the file (powershell.exe -> llehsrewop.exe) will not avoid detection.

The Solution

Here’s an example showing how to copy, patch (unique checksum), and rename powershell.exe, then call a Hello World powershell command all in one line.

copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe %temp%\powershell.exe & echo 0 >> %temp%\powershell.exe & move %temp%\powershell.exe %temp%\llehsrewop.exe & start /b %temp%\llehsrewop.exe /NoP /NonI /w Hidden /enc VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAGwAbABvACAAVwBvAHIAbABkACIA

That’s it, nothing fancy. But, it is enough to defeat both name and checksum-based detections!

Limitations

• If the original file is signed, it will no longer be signed (checksum is different).
• Some EXEs may have internal integrity checks which will fail and fail to launch. I couldn’t find any common Windows utilities that “broke” after running this on it.
• I only performed limited AV testing, but it’s possible some AV vendors may alert on the “padded” files and/or the fact that they are “patched”. Some of my patches alerted on one or two AV vendors (tested against VT), while others did not alert on any.

For Blue

If your detections rely on well known names of files/processes to alert, you need to cover the scenarios when a well known utility is NOT named as expected:

• Using checksums to ID mis-named utilities is not a bad solution, but it’s only a partial solution. You will need to continually update the list of checksums for what is seen in your environment.
• Determine the “behavior” of the utility of interest (DLL imports, associated files, command line parameters, etc.) and flag on that instead of, or in addition to, what you are doing already.