Evading Antivirus With Better Meterpreter Payloads 2021
Evading antivirus is often an under appreciated art that can make or break a penetration test. Modern antivirus products can detect meterpreter payloads easily, and can leave a pentester falsely believing a system is not exploitable.
Evading Antivirus with Better Meterpreter Payloads
Several years ago it was very common for x64 binaries to fly by Windows Defender, however AV products have greatly improved recently and begun to detect x64 meterpreter payloads we tested. Very few encoders support x64 shellcode which further reduces our ability to create stealthy payloads. In our testing we find that building x86 payloads with the shikata_ga_nai have stood the longest test of time and are still able to evade most AV engines.
Antivirus evasion is a broad field that some people devote their entire work to. It is a large part of exploit development, and it is certainly useful when trying to bypass common defense mechanisms. One of the ways to obfuscate payloads is by generating custom shellcode. This method can be utilized when developing an exploit from scratch or when using an existing exploit to better hide from antivirus software.
We can generate shellcode without any options, although the odds of this payload bypassing any modern antivirus software are probably pretty low. Below, we can see the size of the generated payload, 78 bytes, followed by some other settings, and finally the raw shellcode.
Another useful technique for bypassing antivirus is encoding the payload with multiple passes. This essentially takes the generated shellcode and runs it through the encoder again with as many passes as defined. Use the -i flag to specify the number of iterations to encode the payload with.
Keep in mind, we can combine multiple options when generating shellcode in order to better our chances at evading antivirus detection. If we look closely, the default listen port for our bind shell is set to 4444. We can change that, and any other option for that matter, by using the -o flag followed by the variable and the value to set. Let's change the listen port to 1234.
Now the .dll can be checked with antivirus software, checking with Virustotal.com:Not detected by any (0/60) antivirus software at virustotal.com.Now, to test the exploit, we first would setup a meterpreter multi/handler to wait for the connection:And now we can run the payload from the exploit with following command on the command line:
Afterwards checking with virustotal.com, only Baidu noticed that it is a Trojan. Note to myself: Have to check why Baidu finds this.To test this, a multi/handler could be setup as in x03 DLL Method (note, different payload) and by simply executing the file. Same nagging from Windows defender and/or antivirus software apply to this also.
The first technique that we are going to discuss is using file splitting tools to identify the exact signature that is being detected by the antivirus application and modify it. This is one of the oldest ways to bypass AV tools. This technique is efficient if we can locate the exact signature that is being detected. However, there is a limitation with this technique. If we mess the functionality of the application, it becomes useless even if we bypass antivirus. So, as long as the functionality is not modified while we are changing the signatures, we are good to go.
Now that we have the padding in our base file, we can create our meterpreter shellcode. I find it easiest to create the shellcode with msfvenom. You can go ahead and create your shellcode using nearly the same command I am using here, just be sure to change your payload option values:
This method puts meterpreter into an .exe format. Meterpreter is capable of being delivered by injecting a dll into a process, but that was not the method of delivery in this article. I wanted to show how to create an executable that could be uploaded as a custom payload through Metasploit, or assuming you have upload access to a box, legitimately dropping it on a machine and executing it without detection.
Ive followed the tutorial as is, with the payload made here and other versions of my own payloads, in every case i test the payload and it works fine, but after i use Hyperion and test the encrypted payload it stops working, windows pops up a message about the program stopping to work and the meterpreter session is never established.
With this tool, you can create custom payloads tailored to specific targets and requirements. Furthermore, you can attach payloads with other files that make your payload less suspicious. You can also edit the codes of your payloads and change them to evade detection by the threat detection systems. You can see all the options available for msfvenom by typing in msfvenom -h.
The meterpreter session will start as soon as the Android device installs the apk file. This concludes how you can create payloads with the msfvenom tool. You can send this apk out and ask the victims to install it by social engineering or go install it yourself if you have physical access. Bear in mind that violation of privacy and system penetration without permission is illegal and we suggest you use these techniques ethically for learning purposes only.
In our journey to try and make our payload fly under the radar of antivirus software, we wondered if there was a simple way to encrypt all the strings in a binary, without breaking anything. We did not find any satisfying solution in the literature, and the project looked like a fun coding exercise so we decided it was worth a shot.
Disclaimer: our metsrv.x64.dll is patched with some goodies to evade other antivirus and with a custom reflective loader, but the signatures identified later on also cause detection in the original one, except there are even higher score artefacts that should be taken care of first.
tl;dr To interact with the Windows operating system, software often import functions from Dynamic Link Libraries (DLL). These functions are listed in clear-text in a table called Import Address Table and antivirus software tend to capitalise on that to infer malicious behavioural detection. We show ideas and implementation of an obfuscator that allows to refactor any C/C++ software to remove this footprint, with a focus on Meterpreter. The source code is available at
In this blog post, we showed how it is possible to accurately replace function calls in C/C++ code-bases without using regexes. All of that was realised to prevent antivirus software to statically collect behaviour information about Meterpreter or other software that we use during our pentesting engagements.
On the other hand, communicating about the risks associated with a vulnerability is really challenging in case the Proof-of-Concept to exploit it is itself blocked by an antivirus. While one can claim that it is always theoretically possible to bypass the detection  and leave it at that, actually doing it may add some strength to the argument.
After years of experience bypassing antivirus software, if there is any kind of insight that we could share with the community, it would be that a malware detection is almost always trivially based on strings, API hooks, or a combination of both.
Note: since the codebase is strongly Visual Studio dependent, Clang will fail to parse a large part of Metepreter. However, it was still possible to bypass the target antivirus with that half-success. And here we probably have the only advantage of source-to-source transformation over compile-time transformation: the latter requires the whole project to compile without any errors. The former is resilient to thousands of compilation errors; you just end up with an incomplete Abstract Syntax Tree, which is perfectly fine.
Winpayloads is installed, if you get any errors, please re-run the installation command. Now run the following command, and set your IP Address and Port number, After some time, it will generate a Metasploit payload with your configurations.
Keep it simple, shell-boy. I'm a minimalist when it comes to remote access. I just need enough to get in, disable antivirus (if the rules of engagement will allow it), and then move in with more full-featured tools. This approach requires less coding on my part and there is less of a chance that I will incorporate something that antivirus doesn't like.
Keep it simple, shell-boy. I\'m a minimalist when it comes to remote access. I just need enough to get in, disable antivirus (if the rules of engagement will allow it), and then move in with more full-featured tools. This approach requires less coding on my part and there is less of a chance that I will incorporate something that antivirus doesn\'t like.
Veil-Framework is a collection of tools that help with information gathering and post-exploitation. One such tool is Veil-Evasion which is used for creating payloads that can easily bypass Antivirus using known and documented techniques. This is done through an array of encoding schemes that change the signatures of files dramatically enough to avoid standard detection techniques. You can download the framework by visiting the Veil Framework Github.
A way to get around this is to use Veil-Evasion. This tool comes with thirty different payloads in C, C#, PowerShell, and Python languages. I almost always use the Python versions, simply because it was the only language in Veil-Evasion that supported Meterpreter reverse HTTPS connections (until recently). This is beneficial for shells because everything will be encrypted with SSL, preventing the commands and results from being transmitted in the clear and potentially being discovered by an IDS or IPS system. Another benefit of using Python is the ability to make contained payloads. This means that all the Meterpreter code needed for the reverse https connection is already included instead of only being a stager that downloads the rest of the code to run.
We help organizations defend against adversaries by being the best at simulating real-world, sophisticated adversaries with the products, services, and training we provide. We know how attackers think and operate, allowing us to help our customers better defend against the threats they face daily. 350c69d7ab