One way that you could possibly get closer to undetected is to pop the payload into the config of a project I've been working on, and compile, but let me walk through the main thing that will be troublesome when it comes to avoiding detection.

Signatures: This one is the easiest way for an AV to catch a cookie-cutter payload like those created by msfvenom. If every msfvenom-created executable has a particular pattern of bytes in it that are very rare in other executables, AVs can assume that if they ever see that pattern, it is a malicious executable.

One (usually ineffective) way to solve for this is to encode the output. This is almost always detected for two reasons:

1. Encoding isn't the same as encrypting, and can be undone without any special knowledge, so the AV could still just see the original pattern.
2. In order to use an encoded payload, you need to have a way to decode it at runtime, and the decoding function(s) can be indicative of malicious behavior, so the decoding function itself is often fingerprinted as a signature.

A more effective way to get around code signatures is to encrypt the payload, as it removes the first of the two aforementioned reasons an altered payload might get caught. That said, the decryption function(s) can be fingerprinted just as easily as decoding function(s), so your success may be limited there.

With all of that said, it can be easier to evade detection by writing some code that helps obfuscate the shellcode of a payload-generator like msfvenom and runs it; this gives you finer control over what gets done and where. Remote Code Oxidation (linked above) does that in two different ways - process hollowing and process migration. If you'd like I can explain those in more detail but I'll glaze over that for the time being.

Something worth noting when it comes to becoming undetected is where you are trying to achieve that. As you can see in my project's documentation, I've chosen to try to hit 0 detections on scanners like Kleenscan or VirusTotal.
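The scanner side of the first reason above, as an added example that is not part of the post or of the Remote Code Oxidation project: a byte-pattern signature is looked for in the raw sample and then behind the two encodings that need no key knowledge to undo, single-byte XOR (all 255 keys tried) and base64. The signature bytes and the sample inputs are constructed for the example and are not a real msfvenom pattern; only detection logic is shown.

```python
"""Added example: why encoding does not hide a byte-pattern signature."""
import base64
import binascii
import re
from typing import Optional

# Constructed sample signature for the demo; not a real msfvenom pattern.
SIGNATURE = b"CONSTRUCTED-SIGNATURE-BYTES"


def _xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the 'encoding' being undone)."""
    return bytes(b ^ key for b in data)


def find_signature(sample: bytes, signature: bytes = SIGNATURE) -> Optional[str]:
    """Return a label naming how the signature was found, or None if absent.

    Checks the raw bytes, then every single-byte XOR key, then any run of
    base64 text long enough to hold the signature once decoded.
    """
    if signature in sample:
        return "raw"

    # Single-byte XOR: no key knowledge needed, just try all 255 non-zero keys.
    for key in range(1, 256):
        if signature in _xor(sample, key):
            return f"xor-key-{key:#04x}"

    # Base64: the signature encodes to at least 4/3 of its length in text.
    min_len = (len(signature) * 4) // 3
    for match in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, sample):
        chunk = match.group(0)
        for offset in range(3):  # try the three possible alignments of a run
            candidate = chunk[offset:]
            candidate = candidate[: len(candidate) - len(candidate) % 4]
            try:
                if signature in base64.b64decode(candidate, validate=True):
                    return "base64"
            except binascii.Error:
                continue
    return None


def scan_samples() -> dict:
    """Run the scanner over constructed samples and report how each was caught."""
    clean = b"just some ordinary file contents with nothing in it"
    raw = b"header" + SIGNATURE + b"trailer"
    xored = b"header" + _xor(SIGNATURE, 0x5A) + b"trailer"
    b64 = b"header " + base64.b64encode(b"prefix" + SIGNATURE + b"suffix") + b" trailer"
    samples = [("clean", clean), ("raw", raw), ("xor", xored), ("base64", b64)]
    return {name: find_signature(data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:7s} -> {verdict}")
```

The XOR and base64 passes are what make the post's point concrete: neither transformation depends on a secret, so a scanner can apply the inverse speculatively and still match the original bytes. A real engine adds many more such unpackers and, as the post notes, also signatures the decoding routine itself.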